ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Blockchain Initiatives and Realistic Implementation

Blockchain Initiatives and Realistic Implementation

Sonia Mundra, CPA
| Posted at 3:05 PM by ISACA News | Category: Risk Management | Permalink | Email this Post | Comments (0)

Sonia MundraThese days, when we turn on the television or listen to the news, we are likely to hear about the latest hot topic in technology: blockchain. Typically, a breathless announcer is giving news of the latest ups and downs of the popular cryptocurrencies, such as Bitcoin and Ripple. Our society seems to be mesmerized with the “Bitcoin phenomenon” and its seeming financial volatility.

We have also heard the stories of Mt. Gox and other scurrilous entrepreneurs who have bilked investors out of their savings. Due to this type of coverage, cryptocurrencies sound to most like a sham and something that has nothing to do with the fundamentals of our businesses. However, nothing could be further from the truth. Blockchain, the technology that powers Bitcoin and other cryptocurrencies, has many different use cases, and has the potential to absolutely transform not just information technology (IT), but also identity management, land management, voting, shipping, records management and nearly every other industry that you can imagine.

Blockchain can essentially be described as the new standard for securing data. Traditionally, data has been stored in a centralized database with a single (human) system administrator or central authority who gives users access to the database and validates transactions. Centralized data warehouse storage is viewed as inferior to blockchain because it has a single point of failure that can be penetrated or hacked.  Databases with a central authority also requires special skills of a system administrator, bank, lawyer or notary, which increases both costs and time to market for goods and services.

Blockchain, on the other hand, can be defined as a distributed, or decentralized, database. Both physical (tangible) and intangible assets can be digitized, and the digital footprint of the asset can be stored on a blockchain. The digital blockchain that is used to represent the asset in question is stored on multiple systems and computers. Each computer system has a designated user, or administrator. If the owner of the digital asset wishes to make a change to the asset (for example, transfer of ownership), then the change must be approved by all system users, for the change to be validated and subsequently transacted. Every change in the asset becomes another block in the blockchain, with each block having its own special key.

Recording of changes provides a clear audit trail for executive leadership and for external audits. Blockchain distributed ledgers provide what is known as “consensus-based permission.” If a hacker attempts to alter one blockchain, secure blockchain technology will not permit the change since all the distributed blockchains must sync, or reconcile to each other, for the change to be considered valid.  Blockchain databases are considered by technology pundits to be nearly hack-proof through their use of SHA-256 encryption and certainly more secure than traditional centralized databases, allowing only owners of digital assets to alter and make changes to the asset.

The implications of a more secure, more efficient way of tracking and storing digital assets and transactions are astounding.  It helps to begin with an example.  One of my favorite movies is “The Thomas Crown Affair.” If you remember the plot of the movie, a very valuable painting is stolen from an art museum. The insurance agent, whose employer does not want to pay the insurance settlement for the stolen painting, is very keen to track down the painting, which is the main asset in question. She proceeds to take a series of different actions to accomplish her mission. First, she tries to retrace the crime by visiting the art gallery. She spends time with the police and watches the surveillance videos. She then busies herself by contacting art dealers, looking for any signs that the asset may have changed ownership - in other words, been sold and changed its state from one asset into another more liquid asset (sold for cash).

Well, that was a lot of work for her, and made for a highly entertaining plotline. However, suppose the painting has been turned into a digitized asset and secured using a blockchain. As soon as the thief attempted to monetize the asset by transferring ownership, the transaction would immediately pop up on the blockchain. Those administrators who have a copy of the blockchain on their system would need to verify and all reach consensus that: (1) the person attempting to make the transaction is a valid or authorized user, and (2) the transaction itself is valid and authorized. In the case of the painting, as soon as that thief went to sell the painting, the authorized parties with the blockchain would know about it and be able to deny the transaction. The attempt to create that transaction, even though it did not actually happen, would be recorded on the blockchain itself. Therefore, the person in question (who was trying essentially to serve as a bad actor) would not be able to later deny her involvement in the attempted fraudulent act.

That characteristic of the blockchain is known as immutability. One might stipulate that if a thief knows that this is going to happen and she won’t be able to monetize the transaction, it might prevent her from stealing the asset, or attempting to make the fraudulent transaction in the first place. The interesting characteristic of blockchain is that this verification happens on the spot, so it’s not a situation where we go back to audit six months or a year later, and see that there has been a bad actor, or find a material misstatement.  At that point, the horse is already out of the barn. Even if something is caught in an audit later, the reputational and financial damage to a company can be massive; just ask anyone who worked at Enron or Arthur Andersen in 2002.

Some might wonder if blockchain is redundant compared to current checks and balances already in place. For example, we already use title and insurance intermediaries to verify asset ownership and provide third party validation, prior to the sale of an asset, such as a house. However, it takes time for title companies to verify titles. It also, like nearly everything in life, costs money. Therefore, we can use other methods besides a blockchain to verify ownership and authorize transactions. However, is our current system the most efficient and effective method of verifying titles?  With the advent of blockchain, the answer is: probably not. When choosing a method of verification, we want to achieve at least one objective: either reduce costs, reduce time or reduce risk. Blockchain is fascinating because it has the potential to achieve all three objectives. In an ideal world using the blockchain, we are reducing time involved in completing the transaction; we are reducing costs by eliminating the third-party verifier; and we are potentially also reducing the risk of fraudulent transactions or major errors much sooner in the business cycle, as opposed to after the fact, like we would with a traditional audit.

However, before we begin our journey into a blockchain-filled utopia, we need to consider the barriers to implementation. Blockchain is a new technology, requires an extraordinary amount of compute power, and is (right now) very expensive. Therefore, when considering whether to implement a blockchain, one must look first at the return on investment (ROI).

Blockchain ought to pay for itself; otherwise there is no point in having one. The most risk-averse way to implement one would be to start with a Minimum Viable Product (MVP) or Proof of Concept (POC) using a sample size of digitized assets – whether those assets are real property, like land or houses, or intangible assets, like patents or intellectual property. By going through this process, it allows us to look at all our data or assets, and decide which is most valuable.  This would be a good practice in any environment, not just a blockchain implementation.

At the end of the day we must secure our data; either through some sort of data warehouse, SharePoint system, cloud or blockchain. Therefore, the first question we ought to always ask is: what are the most valuable data, the “crown jewels” of the organization? Once identified, we need to focus on securing them.  This topic deals more with data security in general, but it is important to touch on it, since it is the foundation on whether an organization should implement a blockchain and for which data. Storing and securing data, via any method, is not cheap. No matter what the organization ends up using, the executives in charge should make sure that the ROI on that security method is high – in other words, that the money they are paying to protect that data is warranted and costs less than the actual value of the data itself.

Editor’s note: Sonia Mundra will present on this topic at the CSX North America 2018 conference, to take place 15-17 October in Las Vegas, Nevada, USA.

Comments

There are no comments yet for this post.
You must be logged in and a member to post a comment to this blog.
Email