On Nov 11th, I made a presentation at the Georgian Partners annual portfolio conference in Toronto on the subject of the Blockchain and security. “Security first” was one of their themes, and it was fitting to incorporate the blockchain’s evolution into that topic.
The main question I teased the audience with is:
Does the blockchain solve some of the current security issues we have, or does it create new security challenges?
The short answer to both questions is Yes.
The current security and privacy breaches we have seen within large/central corporations (e.g. Target, Sony, Blue Cross, Ashley Madison) are leading us to wonder if the web is really secure anymore? It is obvious that some potential problems are emerging within big databases, where the privacy of customer information and transaction history can be compromised, as companies struggle to get a handle on bigger sets of data under their custody. This has implications on the security of applications data and online identities.
Enter the blockchain and decentralized applications based on it. Their advent brings potential solutions to data security because security via cryptographically secured encryption is a standard part of blockchain applications, especially pertaining to the data parts. By default, everything is encrypted. In addition, by virtue of decentralizing the information architecture elements, each user owns their data, and central repositories aren’t as vulnerable anymore because they might be just encrypted hashes and pointers to distributed storage that is spread across the web. At least, that’s the theory behind this vision, and work is being done to bring it to reality.
But blockchains aren’t perfect. They also introduce security challenges due to their inherent designs relating to 3 areas:
- Consensus engines on blockchains
- Decentralization of computing architectures
- Peer-to-peer clients
Consensus is public blockchains is done publicly, and is theoretically subject to the proverbial Sybil attacks (although it hasn’t happened yet). The trend for decentralized computing architectures requires a new mindset for planning and writing applications that is different than the traditional web architectures. And finally, each time you download a software client that sits on your PC or smartphone and it “listens” to the network, you are potentially opening security risks, unless it’s well implemented, of course. Side point: we need to be aware that IoT connected devices also are subject to potential security breaches; in essence the vulnerabilities are being pushed from the centers to the edges. But let’s not digress on IoT.
Luckily, some solutions are in the works, such as private blockchains, zero-knowledge proofs and ring signatures.
The other piece of good news is we don’t need to re-invent decentralized security, decentralized data and how to write decentralized applications because there are new platforms that provide these basic buildings blocks as part of their core offerings. The novelty now is that the blockchain ledger is a shared resource for your app, and you run business logic (smart contracts) on a virtual network of computers.
Here are some examples (that I mentioned in the presentation) of these emerging platforms; each having elements of decentralized security, secure multi-party computation, sharing without revealing distributed data ownership or user ownership of their own data.
Implications for the future are:
- Secure data in applications
- Decentralize user data to protect it
- Learn Blockchains and Decentralization technologies
- Write smart contracts on new / thin cloud architectures (no servers)
- Rethink identity ownerships for your customers
In a nutshell, security and privacy need to be part of the initial design, not as an afterthought.
Here are the slides:
And there’s a podcast bonus item. Prior to the event, Jon Prial taped a 15 minutes segment with me, discussing the blockchain in more general terms, and this is where I likened the blockchain to a dial tone for trust-based services.