The Security Flaws of Blockchain—And What to Do About Them


By Don Boxley, CEO and Co-Founder at DH2i

Blockchain is big business—but is it really secure? This year, Forbes introduced the “Blockchain 50,” identifying an impressive roll call of major companies including Walmart, Amazon, and JPMorgan that are embracing blockchain technology. But while many in Corporate America continue to jump onto the blockchain bandwagon, some industry pundits are raising red flags about its level of data security.

False Promises?

It’s ironic, since the whole point of a blockchain platform is to boost the level of data protection. But the reality is that some valid concerns have emerged when it comes to pinning down just how secure blockchain really is. Mike Orcutt points out in MIT Technology Review that “the security of even the best-designed blockchain systems can fail in places,” flagging the fact that not only can developers “accidentally” create security flaws, but that people determined to tamper with blockchain can also find “creative ways to cheat.”

Some of these out-of-the-box blockchain hacks identified by Orcutt include:

  • Blockchain subversion. A study by Ittay Eyal and Emin Gün Sirer at Cornell University reported on the security vulnerabilities of blockchain, noting that “Its security rests on the distributed protocol that maintains the blockchain, run by participants called miners.” Yet the researchers point out that while the mining protocol is commonly assumed to be incentive-compatible, it actually is not, and that groups of “selfish miners” can form and grow. As Orcutt explains: “…essentially a ‘selfish miner’ can gain an unfair advantage by fooling other nodes into wasting time on already-solved crypto-puzzles.”


  • Eclipse attacks. This happens when someone with malicious intent disrupts the communication between blockchain nodes. “An attacker who manages to take control of one node’s communications and fool it into accepting false data that appears to come from the rest of the network can trick it into wasting resources or confirming fake transactions,” writes Orcutt.


  • “Hot wallet” break-ins. Since, as Sirer emphasizes, blockchain “does not exist in a vacuum,” third-party apps, vendors, and software clients can become points of failure within blockchain systems. One example of this is when cybercrooks figure out how to gain unauthorized access to so-called “hot wallets,” which store cryptographic key material that’s supposed to be private.
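The selfish-mining result in the first item above can be checked numerically rather than taken on faith. The Python below is an added example, not code from this article or from Eyal and Sirer; it implements the withhold-and-release state machine and the revenue formula from their paper, where alpha is the selfish pool’s share of hash power and gamma is the fraction of honest miners that build on the pool’s block when two blocks tie. Both functions return the pool’s share of main-chain blocks, so a result above alpha means the strategy beats honest mining.

```python
import random


def selfish_mining_revenue(alpha, gamma):
    """Closed-form revenue share of a selfish pool (Eyal & Sirer, "Majority is
    not Enough"). alpha: pool hash-power share; gamma: fraction of honest
    miners that extend the pool's branch during a tie."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitable_threshold(gamma):
    """Hash-power share above which selfish mining earns more than honest
    mining, from the same paper: (1 - gamma) / (3 - 2 gamma)."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha, gamma, rounds=200_000, seed=1):
    """Monte Carlo of the selfish-mining state machine. Each round one block is
    found, by the pool with probability alpha, otherwise by honest miners.
    Returns the pool's share of blocks that end up in the main chain."""
    rng = random.Random(seed)      # seeded so the run is reproducible
    lead = 0                       # private blocks withheld beyond the public tip
    tie = False                    # state 0': one pool block racing one honest block
    pool_rev = honest_rev = 0
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            tie = False
            if pool_found:               # pool extends its branch: wins both blocks
                pool_rev += 2
            elif rng.random() < gamma:   # honest block lands on the pool's branch
                pool_rev += 1
                honest_rev += 1
            else:                        # honest block lands on the honest branch
                honest_rev += 2
        elif pool_found:
            lead += 1                    # keep the new block private
        elif lead == 0:
            honest_rev += 1              # no private lead; honest block stands
        elif lead == 1:
            lead = 0                     # release the withheld block: it's a race
            tie = True
        elif lead == 2:
            lead = 0                     # release both; honest block is orphaned
            pool_rev += 2
        else:
            lead -= 1                    # release one block and stay ahead
            pool_rev += 1
    return pool_rev / (pool_rev + honest_rev)


if __name__ == "__main__":
    for alpha in (0.2, 0.3, 0.4):
        print(alpha,
              round(selfish_mining_revenue(alpha, 0.0), 4),
              round(simulate_selfish_mining(alpha, 0.0), 4))
    print("threshold at gamma=0:", round(profitable_threshold(0.0), 4))
```

With gamma = 0 (honest miners never side with the pool in a tie) the break-even share is one third; a pool holding 40 percent of hash power collects roughly 48 percent of the blocks, while a 20 percent pool does worse than mining honestly. That is the sense in which the protocol is not incentive-compatible: above the threshold, the rational move is to join the selfish pool, which is what lets such groups grow.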


Another chink in blockchain’s armor identified by Sirer relates to centralization. The researcher found that one of the premises of blockchain security—decentralization—does not hold in practice. “At this point, the Bitcoin [blockchain] system ceases to be a decentralized currency,” Sirer concludes in the study.

Throwing Out the Bathwater

Don’t get me wrong, I’m not suggesting that companies turn their backs on blockchain. There are plenty of excellent reasons why the technology’s popularity rose 11 percent among large enterprises in 2018 alone, and why some analysts call it “bigger than the Internet.” Blockchain offers unique functionality in data accessibility and ideally, immutability, while eliminating the need for verification from a third party.

Blockchain isn’t the problem—but the way that many enterprises are currently approaching data protection for distributed ledgers is. Crossing your fingers or turning a blind eye to the realities above isn’t a smart security solution if you’re among the swelling ranks of organizations that want to harness blockchain’s benefits. The only way to protect your critical information is to take a more proactive approach by incorporating a specific data-protection solution that’s effective for distributed ledger technology like blockchain.

Weighing Your Options

When it comes to securing network access in order to safeguard sensitive data on a distributed ledger database, and so working around the flaws inherent in blockchain technology, there are really only two games in town. One of these—VPN, or virtual private network—has been played the longest, and because it’s the legacy technology for this purpose, it’s often assumed to be the only viable and reliable option.

But there’s a new kid in town, called SDP, or Software Defined Perimeter. And because the world has changed from an emphasis on physical servers and virtual machines to a much more heterogeneous hybrid cloud and multi-cloud environment, these two solutions don’t offer equivalent advantages.

For starters, VPNs expose too much lateral surface to attackers, and they’re cumbersome for IT to administer. VPN limitations are to blame for countless high-profile data breaches because of the security vulnerabilities that they end up creating. By essentially granting users a “slice of the network” with no ability to minimize attack surfaces, VPNs leave networks largely unprotected.

An SDP, however, allows for application-level isolation via micro-tunnels, helping to secure the perimeter much better than network-level segmentation. Yes, blockchain is intended to be secure and decentralized, but as noted above, this isn’t always the case in practice. Since distributed ledgers are vulnerable and VPNs are too, SDP solutions can offer enterprises a default mode of security. Decreasing the threat of lateral attacks with a software approach that’s both easier to use and less costly than traditional approaches to securing the perimeter? Sign me up.
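The “slice of the network” point is easier to see with a concrete access model. The Python below is an added illustration, not DH2i code or a description of any product: it compares a VPN-style grant (a pushed route, so every host and port inside it becomes reachable) with an SDP-style grant (a per-identity tunnel to one host and port). The service inventory, addresses, ports, and the “ops-analyst” identity are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int


# Constructed sample inventory; hosts and ports are made up for this example.
SERVICES = [
    Service("ledger-node-rpc", "10.20.1.10", 8545),
    Service("ledger-node-p2p", "10.20.1.10", 30303),
    Service("wallet-signer", "10.20.1.20", 9000),
    Service("hr-database", "10.20.2.5", 5432),
    Service("file-share", "10.20.2.9", 445),
]


def vpn_reachable(pushed_routes, services):
    """VPN model: the client is handed network routes, so any service whose
    host lies inside a pushed route is reachable on every port."""
    nets = [ipaddress.ip_network(r) for r in pushed_routes]
    return {s for s in services
            if any(ipaddress.ip_address(s.host) in n for n in nets)}


def sdp_reachable(grants, identity, services):
    """SDP model: a micro-tunnel exists only for an explicit
    (identity, host, port) grant; anything else is not addressable."""
    allowed = {(host, port) for who, host, port in grants if who == identity}
    return {s for s in services if (s.host, s.port) in allowed}


def lateral_exposure(reachable, needed):
    """Services a compromised client can reach that its job never required:
    the lateral surface the article is warning about."""
    return {s.name for s in reachable} - set(needed)


# Constructed policy: the analyst only needs the ledger's RPC endpoint.
NEEDED = ["ledger-node-rpc"]
VPN_ROUTES = ["10.20.0.0/16"]
SDP_GRANTS = [("ops-analyst", "10.20.1.10", 8545)]


def compare(identity="ops-analyst"):
    """Return (vpn_exposure, sdp_exposure) for the same client and need."""
    vpn = lateral_exposure(vpn_reachable(VPN_ROUTES, SERVICES), NEEDED)
    sdp = lateral_exposure(sdp_reachable(SDP_GRANTS, identity, SERVICES), NEEDED)
    return vpn, sdp


if __name__ == "__main__":
    vpn, sdp = compare()
    print("VPN exposes beyond need:", sorted(vpn))
    print("SDP exposes beyond need:", sorted(sdp))
```

Run as written, the VPN route leaves four services exposed beyond what the analyst needs (the signer, the HR database, the file share and the ledger’s peer port), while the SDP grant exposes none; an identity with no grant reaches nothing at all. The check is what a reviewer would apply to any remote-access policy for ledger infrastructure: enumerate what a compromised client could reach, not just what it is supposed to use.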

About the author:

Don Boxley Jr is a DH2i co-founder and CEO. Prior to DH2i, Don held senior marketing roles at Hewlett-Packard where he was instrumental in sales and marketing strategies that resulted in significant revenue growth in the scale-out NAS business. Boxley spent more than 20 years in management positions for leading technology companies, including Hewlett-Packard, CoCreate Software, Iomega, TapeWorks Data Storage Systems and Colorado Memory Systems. Boxley earned his MBA from the Johnson School of Management, Cornell University.
