How much does blockchain impact the CIA triad?
Peer Social advisor Farshad Abasi, Founder of Forward Security, writes about the importance of information security.
In Part 1, we explained the importance of the CIA triad in information security. So how does blockchain affect it? Let’s find out!
How Blockchain impacts CIA
Now let’s talk about blockchain and how it helps reduce the impact to each of the C, I, and A of the triad. Blockchain is a decentralized and distributed digital ledger that offers a high level of trust. The blockchain architecture has no central control point.
You can think of it as a distributed database, where a full copy of the entire data set resides at each full node across the network. Transactions are recorded in a verifiable and immutable manner and grouped into blocks. Data recorded in a given block cannot be altered afterwards without altering all subsequent blocks: since the hash of each block is included in the next block, an attacker would need to modify every later block and recompute every hash in the chain, which is nearly impossible because of the computational resources required.
As a result of the decentralized architecture, there are multiple copies of the blockchain that can be used for verification as well. Even if the attacker modifies all blocks of the chain on one node, consensus from a majority of the nodes would be required to accept this modified version, meaning the attacker would need to control the majority. With a decentralized and immutable ledger, there is no need for a central trust authority to verify and validate transactions.
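The hash linking and majority check described above, as a small added Python example (not part of the original article): each block stores the hash of the block before it, so editing one block breaks verification of every later block, and even a full rewrite leaves the tampering node disagreeing with the copies held by other nodes. The ledger records and the all-zero genesis link are constructed for the demo.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed: the first block links to an all-zero hash

def block_hash(index, prev_hash, data):
    """Hash of a block's contents, including the previous block's hash (the link)."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    """Append each record as a block whose prev_hash is the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(records):
        h = block_hash(index, prev, data)
        chain.append({"index": index, "prev_hash": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Index of the first block whose link or hash does not check out; None if intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:  # link to the previous block is broken
            return block["index"]
        if block_hash(block["index"], block["prev_hash"], block["data"]) != block["hash"]:
            return block["index"]  # contents no longer match the stored hash
        prev = block["hash"]
    return None

def rewrite_from(chain, index):
    """Recompute every hash from `index` onwards, which is what hiding an edit requires."""
    prev = chain[index - 1]["hash"] if index > 0 else GENESIS_PREV
    for block in chain[index:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["data"])
        prev = block["hash"]

def tamper_demo():
    """Constructed ledger of three transfers; one node alters block 1 in its local copy."""
    honest = build_chain(["alice->bob:10", "bob->carol:4", "carol->dave:1"])
    tampered = copy.deepcopy(honest)
    tampered[1]["data"] = "bob->carol:400"
    broken_at = first_invalid_block(tampered)  # 1: stored hash no longer matches block 1
    rewrite_from(tampered, 1)
    after_rewrite = first_invalid_block(tampered)  # None: locally consistent again
    matches_peers = tampered[-1]["hash"] == honest[-1]["hash"]  # False: other nodes disagree
    return broken_at, after_rewrite, matches_peers
```

The last line of `tamper_demo` is the point of the decentralized design: a fully rewritten chain verifies on the attacker's own node, yet its tip hash no longer matches the copies the majority of nodes hold.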
So how does blockchain impact Information Security’s CIA-triad?
All data stored as transactions in the blocks is signed, which provides a high level of Integrity protection. As mentioned, changes to the data in a block are also nearly impossible due to the linking via hashes and the consensus requirement. Also, since a distributed architecture is used, a high level of Availability is provided by design, because a full copy of the data resides on several nodes. Confidentiality, on the other hand, is typically low by default, since blockchain requires transaction data to be visible and verifiable by design.
With public blockchains this may be of concern, since all participating nodes can read this data. If a high level of confidentiality is required, the system needs to provide additional protection such as application-level encryption, tokenization, or other means by which sensitive data is not directly readable by unauthorized parties. Private blockchains, where access control is enforced to limit access to specific users for specific transactions, can also help address confidentiality requirements.
It should be noted that the size of the network matters: if data is not well distributed across enough nodes, the network may be vulnerable to attack. In addition, where there are requirements for data to be deleted (such as under GDPR), consideration should be given to rendering the data useless when required, since blockchain does not provide the ability to delete transactions by design.
In summary, the use of blockchain can improve information security with respect to Integrity and Availability, while also allowing for Confidentiality of sensitive data, if required, through custom solutions. As with any technology, there is no single solution that solves all problems; but where trust, integrity, and availability are the top concerns, blockchain is a great choice for reducing the related impact.