ISACA Now Blog


Top 3 Security Governance Practices Not to Miss During Blockchain Implementation

Suhas Desai, VP of Digital Security, Aujas
Posted at 3:05 PM by ISACA News | Category: Security

Everyone is talking about blockchain and is curious to know more. In addition to blockchain conversations among cybersecurity and IT professionals, TV programs are discussing the topic, investors are clamoring about it, and many people are asking just what the heck it is. Blockchain is the trending topic at seemingly every technology conference, journal and summit.

I recently spoke at one of the well-known technical universities in India on digital payments and their impact on the global economy. We explored various technologies around digital payments, including USSD payments, mobile banking/payments, e-wallets, and payment devices ranging from debit/credit cards to biometrics. I also discussed cryptocurrencies and blockchain technologies. Though the topics were diverse, most of my Q&A session ended up focusing on blockchain: the security risks around it, its use cases and how to secure it. People want to know!

There are many initiatives in the US, Europe, and APAC driven by governments and technology companies to enable blockchain in multiple use cases covering healthcare, banking and finance, manufacturing, utilities and civil identity programs.

Blockchain in banking
Blockchain is adding value to a bank's technology stack by enabling efficiency and faster execution, along with secure and robust features. Most banks prefer a private blockchain for implementing these use cases. A private blockchain has its own set of benefits: it is faster, offers restricted and authenticated user access control, is centralized, and is capable of controlling and monitoring transactions.

Blockchain adoption in the banking and finance industry has grown significantly in the past two years. Three use cases are gaining wide acceptance in this industry – international remittance, eKYC (Know Your Customer) and smart contracting:

  1. International remittance. Due to the P2P nature of blockchain, remittance platforms based on blockchain offer fast, cheap and substantially secure alternatives to the current banking mechanisms (ATMs, wire transfers).
  2. eKYC. Because blockchain is a distributed ledger with a copy of the data available at multiple nodes, the KYC requirements of multiple entities, such as cross-institution client verification, can be fulfilled without the delay caused by KYC done with a more traditional approach.
  3. Smart contracting. Smart contracts help in exchanging assets in a conflict-free way, as the transactions are recorded in a distributed fashion, avoiding the middleman. Furthermore, once a transaction or "smart contract" has completed and made its way onto the blockchain or distributed ledger, it is immutable.

4 things that disrupt the blockchain party

  1. Improper key management. Because blockchain applies the concept where private keys (identities) are directly mapped or tokenized to assets (currencies), improper handling may lead to irreversible loss of assets or ownership inconsistency.
  2. Third-party payment applications and API integration issues. The involvement of multiple parties leads to trust issues and data exposure, whether intended or unintended. As a whole, blockchain infrastructure is dependent on keys and certificates. Invalid chains of trust can lead to data leakage.
  3. Improper security controls in blockchain nodes, ledgers and smart contracts. Malicious or unintended permissions to modify the blockchain (add nodes), engage in unauthorized forking, etc., can lead to breached chains of trust.
  4. Security governance around keys, access control, networks and data security. Traditional governance issues such as improper access control management (role management in a private blockchain), unauthorized data access/modification and insufficient network protection measures nullify the protection measures provided by blockchain.

Top 3 security practices for secure governance around private blockchain

  1. Secure key distribution and management policies. Policies and processes around crypto keys and their distribution during blockchain implementation help to manage cryptographic functions, key access control, key rotation methods and validation of the crypto algorithms' implementation.
  2. Secure nodes, ledgers and smart contracting implementation and governance. During private blockchain implementations, organizations prefer to host blockchain networks and components on their own premises. Validating the security controls and security configurations in nodes, ledgers and smart contracts helps to strengthen security. Security frameworks and libraries used in these implementations should undergo detailed audits to verify controls at each layer of the ecosystem.
  3. Secure APIs and integrations. Third-party remittance, eKYC and smart contracting applications are integrated with blockchain platforms. APIs exposed to third parties should not reveal any sensitive data to attackers. APIs and their integrations should handle authentication, payload security, session management and design-level security risks.

Author’s note: Ameya Jhawar, Consultant – Digital Security at Aujas, contributed to this blog post.
