Blockchain and Risk
ISACA Northern UK, April 20th, 2016
Mike Small CEng, FBCS, CITP, Senior Analyst, Kuppinger Cole
Mike.Small@kuppingercole.com
Agenda (Mike Small, KuppingerCole)
- Trust and Integrity
- The Bitcoin Blockchain
- Distributed Ledgers
- Blockchain and Risk
- Summary
TRUST AND INTEGRITY
"The arrival of a decentralized, distributed, tamper-evident, linear log (the blockchain), the integrity of which is ensured by trustless, algorithmic consensus between peers, presages monumental shifts in current approaches to cybersecurity."
Trust Technologies
- The Accounting Ledger (image: "Medieval tally sticks" by Winchester City Council Museums)
- Public Key Infrastructure
- The Blockchain
THE BITCOIN
Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto, https://bitcoin.org/bitcoin.pdf
The Bitcoin Problem of Trust
- How to verify the integrity of a series of transactions that occur over time?
- How to avoid spending the same money twice?
- Without a trusted third party?
A Bitcoin History
A bitcoin is a piece of data that is cryptographically signed. Its history is a chain of signed transactions.
Diagram: Transaction (containing Owner 1's Public Key) -> Hash -> signed with Owner 0's Private Key -> Owner 0's Signature
A Verifiable Transaction Log
Diagram (History):
- Transaction 1: Owner 1's Public Key; hash signed with Owner 0's Private Key -> Owner 0's Signature
- Transaction 2: Owner 2's Public Key; hash verified against Transaction 1; signed with Owner 1's Private Key -> Owner 1's Signature
- Transaction 3: Owner 3's Public Key; hash verified against Transaction 2; signed with Owner 2's Private Key -> Owner 2's Signature
- Owner 3's Private Key signs the next transfer in turn
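The two diagrams above describe a coin as a chain of signed transfers, each one naming the next owner's public key and committing to the hash of the transfer before it. The following Go program is an added illustration of that structure written for this page; it is not code from the slides, from KuppingerCole or from Bitcoin itself. It assumes Ed25519 signatures and SHA-256 hashing (Bitcoin uses ECDSA over secp256k1 and double SHA-256), generates throwaway keys for Owners 0 to 3, and shows how a verifier walks the history and why editing any earlier link breaks both the signature and the hash chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is one link in a coin's history: it names the next owner's
// public key, carries the hash of the previous link, and is signed by the
// private key of the owner who is handing the coin on.
type Transaction struct {
	PrevHash  []byte            // SHA-256 of the previous transaction (nil for the first link)
	NextOwner ed25519.PublicKey // public key of the owner receiving the coin
	Signature []byte            // signature by the current owner over PrevHash || NextOwner
}

// signedBytes is the byte string the current owner signs.
func (t *Transaction) signedBytes() []byte {
	return append(append([]byte{}, t.PrevHash...), t.NextOwner...)
}

// Hash covers the signed content and the signature, so the next link
// commits to exactly this transaction.
func (t *Transaction) Hash() []byte {
	h := sha256.New()
	h.Write(t.signedBytes())
	h.Write(t.Signature)
	return h.Sum(nil)
}

// Transfer appends a link: the current owner signs the previous link's hash
// together with the new owner's public key.
func Transfer(prev *Transaction, currentPriv ed25519.PrivateKey, nextPub ed25519.PublicKey) *Transaction {
	t := &Transaction{NextOwner: nextPub}
	if prev != nil {
		t.PrevHash = prev.Hash()
	}
	t.Signature = ed25519.Sign(currentPriv, t.signedBytes())
	return t
}

// Verify walks the history from the first owner's key: each link must embed
// the hash of the link before it and carry a valid signature from the owner
// the previous link named. Any edit to an earlier link breaks both checks.
func Verify(firstOwner ed25519.PublicKey, chain []*Transaction) error {
	signer := firstOwner
	var prevHash []byte
	for i, t := range chain {
		if !bytes.Equal(t.PrevHash, prevHash) {
			return fmt.Errorf("tx %d: previous-hash link broken", i)
		}
		if !ed25519.Verify(signer, t.signedBytes(), t.Signature) {
			return fmt.Errorf("tx %d: signature is not from the current owner", i)
		}
		signer = t.NextOwner
		prevHash = t.Hash()
	}
	return nil
}

// newKey generates a fresh (constructed, throwaway) Ed25519 key pair.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo builds the Owner 0 -> 1 -> 2 -> 3 history from the slides and
// returns Owner 0's public key together with the chain.
func Demo() (ed25519.PublicKey, []*Transaction) {
	pub0, priv0 := newKey()
	pub1, priv1 := newKey()
	pub2, priv2 := newKey()
	pub3, _ := newKey()
	t1 := Transfer(nil, priv0, pub1)
	t2 := Transfer(t1, priv1, pub2)
	t3 := Transfer(t2, priv2, pub3)
	return pub0, []*Transaction{t1, t2, t3}
}

func main() {
	pub0, chain := Demo()
	fmt.Println("genuine history:", Verify(pub0, chain)) // <nil>
	// Redirect the second transfer to a different recipient: Owner 1's
	// signature no longer matches and every later hash link fails too.
	other, _ := newKey()
	chain[1].NextOwner = other
	fmt.Println("after tampering:", Verify(pub0, chain))
}
```

The verifier needs nothing but Owner 0's public key and the chain itself; it never needs to trust whoever hands it the history, which is the property the slides are building towards. Note that this alone does not stop Owner 0 from signing two different chains from the same starting point; that double-spend problem is what the consensus slides address.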
Proof that a coin has not already been spent
Central Ledger Approach: the conventional approach involves a trusted central system, a single ledger (clearing house).
Distributed Ledger
Bitcoin is based on a distributed ledger.
- Transactions are broadcast to everyone (every participant holds a copy of the ledger)
- There is then a consensus process to avoid cheating
Proof of Work: Algorithmic Trust #1
- Transactions are grouped into blocks and timestamped
- Miners compete to solve a computational puzzle that is exponentially difficult to solve but trivial to check
- Consensus: the first solution approved by the others wins a prize of 25 bitcoins
Diagram: Block (Previous Hash, Nonce, Item, Item, ...) -> Block (Previous Hash, Nonce, Item, Item, ...)
Proof of Work: Algorithmic Trust #2
- Assumes that the reward is more profitable than cheating
- Assumes no one can corner all CPU power
Diagram: Block (Prev Hash, Nonce, Item, Item, ...) -> Block (Prev Hash, Nonce, Item, Item, ...)
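The two proof-of-work slides describe blocks that carry the previous block's hash, a nonce and a list of items, and a puzzle that is expensive to solve but trivial to check. The Go program below is an added example written for this page, not code from the slides or from any real blockchain: it uses a leading-zero-bits target over SHA-256 (a simplification of Bitcoin's numeric target), constructed sample items and constructed timestamps, and shows why editing an old block forces the editor to redo the work for that block and every block after it.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Block mirrors the slide diagram: previous hash, nonce and items, plus the
// timestamp the text mentions.
type Block struct {
	PrevHash  [32]byte
	Timestamp int64
	Items     []string
	Nonce     uint64
}

// Hash commits to every field. Items are length-prefixed so two different
// item lists can never serialise to the same bytes.
func (b *Block) Hash() [32]byte {
	h := sha256.New()
	var buf [8]byte
	h.Write(b.PrevHash[:])
	binary.BigEndian.PutUint64(buf[:], uint64(b.Timestamp))
	h.Write(buf[:])
	for _, item := range b.Items {
		binary.BigEndian.PutUint64(buf[:], uint64(len(item)))
		h.Write(buf[:])
		h.Write([]byte(item))
	}
	binary.BigEndian.PutUint64(buf[:], b.Nonce)
	h.Write(buf[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func leadingZeroBits(h [32]byte) int {
	n := 0
	for _, c := range h {
		if c != 0 {
			return n + bits.LeadingZeros8(c)
		}
		n += 8
	}
	return n
}

// MeetsTarget is the trivial check: at least `difficulty` leading zero bits.
// Every extra bit doubles the expected search, which is the asymmetry the slide relies on.
func MeetsTarget(h [32]byte, difficulty int) bool {
	return leadingZeroBits(h) >= difficulty
}

// Mine is the expensive puzzle: step the nonce until the hash meets the
// target. Returns how many hashes were tried.
func Mine(b *Block, difficulty int) uint64 {
	for b.Nonce = 0; ; b.Nonce++ {
		if MeetsTarget(b.Hash(), difficulty) {
			return b.Nonce + 1
		}
	}
}

// VerifyChain re-checks each block's link to its predecessor and its proof
// of work: one hash per block, however long the mining took.
func VerifyChain(chain []*Block, difficulty int) error {
	var prev [32]byte
	for i, b := range chain {
		if b.PrevHash != prev {
			return fmt.Errorf("block %d: previous-hash link broken", i)
		}
		h := b.Hash()
		if !MeetsTarget(h, difficulty) {
			return fmt.Errorf("block %d: proof of work does not meet target", i)
		}
		prev = h
	}
	return nil
}

// BuildChain mines one block per item list. Timestamps are constructed (ten
// minutes apart) rather than read from the clock so runs are repeatable.
func BuildChain(itemLists [][]string, difficulty int) []*Block {
	var chain []*Block
	var prev [32]byte
	for i, items := range itemLists {
		b := &Block{PrevHash: prev, Timestamp: 1461110400 + int64(i)*600, Items: items}
		Mine(b, difficulty)
		prev = b.Hash()
		chain = append(chain, b)
	}
	return chain
}

func main() {
	const difficulty = 16 // about 65k hashes per block on average
	chain := BuildChain([][]string{ // constructed sample items
		{"coinbase -> miner A: 25 BTC"},
		{"A -> B: 5 BTC", "A -> C: 2 BTC"},
		{"B -> D: 1 BTC"},
	}, difficulty)
	fmt.Println("fresh chain:", VerifyChain(chain, difficulty))
	// Edit an amount in block 1: its proof of work and block 2's link both
	// fail, and re-mining block 1 alone does not repair block 2's link.
	chain[1].Items[0] = "A -> B: 50 BTC"
	fmt.Println("after edit:", VerifyChain(chain, difficulty))
	Mine(chain[1], difficulty)
	fmt.Println("after re-mining block 1 only:", VerifyChain(chain, difficulty))
}
```

The point of the last two lines is the slide's second assumption: an attacker who rewrites history must redo the work of every later block and still outrun the honest miners who keep extending the original chain, which is why cornering most of the CPU power is the precondition for cheating.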
BEYOND BITCOIN
"Distributed ledgers have the potential to be radically disruptive. Their processing capability is real time, near tamper-proof and increasingly low-cost. They can be applied to a wide range of industries and services."
Source: Distributed ledger technology: beyond block chain, Press releases, GOV.UK
Kinds of Distributed Ledgers
Ledger types: Traditional Ledger; Private Shared Ledger; Community Shared Ledger; Public Shared Ledger
Distinguishing properties:
- Access: available only to the owner group
- Integrity: maintained by trusted parties, or maintained by consensus
- Copies: single ledger (one copy only), or distributed ledger (multiple copies)
Uses of Distributed Ledger
- Assured Information: registries/digital notaries, financial announcements, certificate authority, DNS
- Assured Control: financial ledger providing assurance against fraud
- Assured Rules: assurance that an agreed set of rules will be implemented honestly (smart contracts)
Keyless Signatures
Since 2007 Estonian citizens can file electronic documents and verify their government records.
Keyless Signature Infrastructure (diagram): Data Originator -> Hash Function -> Hash -> Time-stamped Token; Relying Party -> Verify Hash. No original data is stored. Bad guys: blocked (X).
Digital Notary
- Hash + timestamp written to the blockchain
- Hash published in the FT
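The keyless-signature and digital-notary slides share one idea: the notary keeps only a hash and a timestamp, never the document, and commits to all hashes of a period in one published value (written to a blockchain or printed in the FT) that a relying party can check later. The Go program below is an added example written for this page; it is a simplified model, not Guardtime's KSI protocol or any product's code. It assumes SHA-256, a Merkle tree per publication round with domain-separated leaf and node hashes, constructed sample documents and a constructed round timestamp.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Token is what the notary returns to the data originator. It refers to the
// document only by digest; the notary never stores the document.
type Token struct {
	Digest    [32]byte   // SHA-256 of the original document
	Timestamp int64      // the publication round the digest was accepted into
	Index     int        // leaf position in that round's Merkle tree
	Path      [][32]byte // sibling hashes from the leaf up to the root
}

// Publication is the one value the notary makes public for a round (on the
// slides: the hash written to a blockchain or printed in the FT).
type Publication struct {
	Root      [32]byte
	Timestamp int64
}

// Leaves and inner nodes use different prefixes so a leaf can never be
// passed off as an inner node.
func leafHash(d [32]byte) [32]byte { return sha256.Sum256(append([]byte{0x00}, d[:]...)) }
func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// Notarize takes the digests submitted in one round, builds a Merkle tree
// over them and returns one token per digest plus the round's publication.
func Notarize(digests [][32]byte, ts int64) ([]Token, Publication) {
	level := make([][32]byte, len(digests))
	pos := make([]int, len(digests)) // where each digest's ancestor sits on the current level
	paths := make([][][32]byte, len(digests))
	for i, d := range digests {
		level[i] = leafHash(d)
		pos[i] = i
	}
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd count: pair the last node with itself
			level = append(level, level[len(level)-1])
		}
		for i := range digests {
			paths[i] = append(paths[i], level[pos[i]^1])
			pos[i] /= 2
		}
		next := make([][32]byte, len(level)/2)
		for j := range next {
			next[j] = nodeHash(level[2*j], level[2*j+1])
		}
		level = next
	}
	tokens := make([]Token, len(digests))
	for i, d := range digests {
		tokens[i] = Token{Digest: d, Timestamp: ts, Index: i, Path: paths[i]}
	}
	return tokens, Publication{Root: level[0], Timestamp: ts}
}

// Verify is what the relying party runs: hash the document it was given,
// replay the audit path, and compare the result with the published root.
func Verify(document []byte, tok Token, pub Publication) bool {
	if sha256.Sum256(document) != tok.Digest || tok.Timestamp != pub.Timestamp {
		return false
	}
	h := leafHash(tok.Digest)
	idx := tok.Index
	for _, sib := range tok.Path {
		if idx%2 == 0 {
			h = nodeHash(h, sib)
		} else {
			h = nodeHash(sib, h)
		}
		idx /= 2
	}
	return h == pub.Root
}

// Demo notarises three constructed documents in one constructed round.
func Demo() ([][]byte, []Token, Publication) {
	docs := [][]byte{
		[]byte("invoice 1001: paid 20 April 2016"),
		[]byte("land register entry: plot 7"),
		[]byte("lab notebook, page 42"),
	}
	digests := make([][32]byte, len(docs))
	for i, d := range docs {
		digests[i] = sha256.Sum256(d)
	}
	tokens, pub := Notarize(digests, 1461110400)
	return docs, tokens, pub
}

func main() {
	docs, tokens, pub := Demo()
	for i := range docs {
		fmt.Printf("doc %d verifies: %v\n", i, Verify(docs[i], tokens[i], pub))
	}
	altered := append([]byte{}, docs[0]...)
	altered[0] ^= 1 // one flipped bit: the "bad guys" path on the slide
	fmt.Println("altered doc verifies:", Verify(altered, tokens[0], pub))
}
```

Because only the root is published, the relying party needs nothing from the notary at verification time beyond the token it already holds and the public value; the notary cannot later deny or alter what it timestamped without changing a value that is already in print or on the chain, and it holds no copy of the document that could leak.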
Smart Contracts
Smart contracts algorithmically enforce agreed rules.
Example: the Everledger digital passport for diamonds records each stone's provenance, travel and transactions as an Ethereum smart contract.
Application to Post Trade Settlement
Smart contracts algorithmically enforce agreed rules.
Stages: Clearing; Life cycle management; Collateral management and valuation; Settlement; Custody
Benefits:
- Smart contracts to automate clearing
- Real-time update of security title
- Robust monitoring through access by multiple users
- Increased transparency
- Real-time position update
- Secure and rapid transfer of assets
- Lowered cost
- Smart contracts eliminate intermediaries
Source: Fintech 2.0 Paper: rebooting financial services
BLOCKCHAIN PLATFORMS
"Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference." (Ethereum Project)
Some Distributed Ledger Platforms
Consensus Protocols
Mechanisms compared: Proof of Work; Proof of Stake (???); Byzantine Agreement; Tendermint; Stellar Consensus Protocol
Properties compared: Decentralized Control; Low Latency; Flexible Trust; Asymptotic Security
Source: "On Worldwide Consensus: A Stellar Journey", Medium (KuppingerCole, 4/18/2016)
A Classification of Platforms
Rows: what things need to be agreed on. Columns: who do I trust to maintain a truthful record?

                                       A Central Authority          A group of known actors   A group of actors, some known   Nobody
Ownership of on-platform assets        Central Bank, Clearing Bank  Hyperledger               Ripple (XRP)                    Bitcoin
Ownership of off-platform assets       Custodian Bank               Hyperledger               Ripple (Gateways)               Coloured Coins
Obligations arising from an agreement  Clearing House               Eris                      Ripple (Codius)                 Ethereum

Source: http://gendal.me/tag/hyperledger/
BLOCKCHAIN RISKS
Every new technology is claimed to offer unparalleled benefits, many of which do not materialise in practice.
Risks Mitigated by Blockchain
- Hazards: prevents unauthorized change; use of a digest reduces data leakage; algorithmic trust
- Control risks: simplifies integrity controls; no need for a trusted third party
- Opportunities: lowers costs and creates new opportunities
Blockchain Risk Overview
Source: Advisory Note: Blockchain and Risk, 71608, KuppingerCole
Critical Risks
- Platform Software: the integrity of a distributed ledger is determined by the software platform upon which it runs.
- Targeted Malware: the infrastructure which supports the distributed ledger is subject to all the usual threats and vulnerabilities.
- Privilege Abuse: abuse of administration privilege and unauthorized change to the infrastructure.
Important Risks
- Compliance: regulations and laws sometimes require the use of certain controls that may not be relevant or possible using blockchain.
- Liability: the legal liability for losses resulting from a failure of algorithmic trust is yet to be determined.
- Scalability: Proof of Work algorithms severely limit scalability and massively increase energy consumption.
Risks Needing Consideration
- Identity: proof of the actual identity of participants needs to be assured (i.e. who owns the keys).
- Latency: the delay between a transaction being registered and the time at which a relying party can trust it based on consensus.
- Long Term Crypto: improvements in computer power and technology may significantly reduce the protection provided by the current encryption technology used.
Impact on Society (News from 2041)
- First conviction based on algorithmic justice, using irrefutable evidence of the suspect's activities captured by Google and secured by blockchain
- Barristers in riot at Inns of Court
SUMMARY
Blockchain distributed ledgers create both opportunities and risks for organizations.
Summary
- Identify the opportunities for blockchain distributed ledger technology.
- Quantify the expected benefits and potential risks from these.
- Choose an appropriate delivery platform.
QUESTIONS
The Future of Information Security Today.
KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.
Kuppinger Cole Ltd., Headquarters: Am Schloßpark 129, 65203 Wiesbaden, Germany
Tel +49 (211) 23 70 77 0, Fax +49 (211) 23 70 77 11
www.kuppingercole.com
Related Research (KuppingerCole)

No.    Type           Title
71601  Advisory Note  Blockchain Impact on the Financial Industry
71555  Advisory Note  Demystifying the Blockchain
71603  Advisory Note  Blockchain and Cybersecurity (coming soon)
71609  Advisory Note  Business Process Optimisation Through Blockchain (coming soon)
71602  Advisory Note  Information Stewardship in the age of Blockchain (coming soon)
71606  Advisory Note  The Blockchain and Life Management Platforms (coming soon)