Last Updated on July 16, 2019 by Ashok Kumar
The discussion about whether or not private blockchains can be used to protect sensitive data is a complex one, and I’m by no means an expert. The term “blockchain” has become one of those industry buzzwords, yet despite all the hype surrounding the technology, most enterprises are still not sure how to use it to their advantage. I’d like to start by asking a few simple questions…
Firstly, will using a blockchain prevent an employee from sending unencrypted PII or login credentials in an email? Will it prevent an employee copying sensitive data onto a USB drive and then losing it on the bus? Will it prevent an employee installing ransomware on their device? Is it possible for an organisation to terminate an inactive user account or reset a user’s password on the blockchain? As it currently stands, the answer to these questions is, no! Don’t get me wrong, the blockchain is an impressive piece of technology, which provides us with a very secure means of storing an exchanging data, but we must be careful not to view it as some sort of panacea for protecting our digital assets.
The purpose of the blockchain is to achieve distributed consensus, and it is not the only way. Cryptocurrencies such as IOTA use a new type of distributed ledger known as a Directed Acyclic Graph (DAG). Maidsafe, a software company based in Scotland, has recently released the code for an open-source consensus protocol called PARSEC, which many industry experts believe to be far superior to the blockchain. When looking for solutions to protect our sensitive data, we are not really interested in distributed consensus, since distributed consensus mechanisms are only required when there is no centralized authority to verify transactions. In addition to distributed consensus, the blockchain also provides immutability by linking blocks of data in a chain, where each block contains a digital signature of the contents of the previous blocks. Therefore, if someone tried to alter one of the previous blocks, it would break the chain, and thus get rejected. However, this can still be achieved without the blockchain. For example, Git – a code repository used by software developers – has been using a similar strategy since 2005.
Private blockchains may be subject to what is the known as the “51% attack”. If a hacker were to gain control over 51% of the nodes on the network, they could change the contents of the chain. This is not impossible. For example, it has been suggested that it would take approximately $400 million worth of mining equipment to hack Bitcoin. Currently, Bitcoin has somewhere between 3 to 6 million active users and should therefore be far more secure than a private blockchain. Of course, your average hacker doesn’t have that kind of money, but governments do. At the end of the day, there are many complications and drawbacks to using a private blockchain to secure sensitive data. That said, a blockchain would at least demand cryptographically secure login credentials.
But what about ransomware? Surely a secure distributed ledger would render such attacks useless, since there will always a copy of the sensitive data elsewhere on the network. This is true, and a blockchain would certainly help to ensure that all other nodes on the network are storing the same set of data, which will make it easier to recover lost files. But can we do this without using a blockchain? Well, most big companies who store large amounts of sensitive data will already have a means by which to replicate data across multiple servers. Do you think Google stores all of its data on one server? Of course not. These days, most modern open-source database applications use some sort of replication protocol to achieve secure and distributed consensus. The main difference is that these databases are hosted by a centralised authority, which makes sense if you need a centralised authority to manage authentication and authorisation.
I have no doubt that decentralized technologies will play an important role in the future of data security; however, perhaps it would make more sense to focus on leveraging existing technologies and focusing on the immediate threats. Given that the majority of data breaches are caused by either negligent or malicious insiders, educating employee’s and auditing sensitive data should be our priority. If you have no means by which to detect, alert, report and respond to changes made to privileged accounts and critical files, a data breach is inevitable, regardless of whether you are using a blockchain or not.