Blockchain as a Control Mechanism
To cover the topic of information security in blockchain more completely, it is worth looking at blockchain technology not only as a technology that itself includes and relies on information security control mechanisms, but also as a building block for complex and very effective information security control mechanisms.
According to the classification of control mechanisms, controls built on blockchain technology will typically fall into the categories [preventive, but also detective; general; technical].
The list of applications (or ideas) that could act as control mechanisms using blockchain technology to improve the protection of other information assets could be very long. The list below should therefore be taken as a starting point and a source of inspiration for anyone analysing the potential of blockchain technology for implementing information security control mechanisms.
Reliable event log
A reliable store ("log") of events from various interrelated sources is a crucial tool of an information security management system (ISMS). Through it, monitoring as well as the evaluation and escalation of incidents are implemented in the operation of information and communication technologies (ICT) and systems (in particular compliance with the relevant SLAs), in the behaviour of internal and external ICT users (in particular compliance with the information security policy), and in the execution of business or public administration processes (compliance with the relevant rules, procedures and legislative requirements).
Furthermore, a reliable event log must contain all relevant data, which must be complete, accurate and real (i.e. not fabricated), and the log must be permanent and unchangeable: there can be no "official" reason to change it, since whatever happened once is a fact that has to remain on record. Writing event data to a blockchain is very well suited to this task.
An event log implemented on a blockchain can have the following features:
· only the basic attributes are written to the blockchain: when, who, what, to whom, where, why, in what value, etc.,
· individual events need not be logically interconnected in the blockchain; context analysis and the interpretation of findings are performed at the application level (a reliable time tag on each event plays an important role here),
· any other data (attachments) are stored outside the blockchain (off-chain); only a hash of the attachment, which reliably "binds" it to the other data of the recorded event, is stored in the blockchain,
· the control mechanisms of the blockchain ensure:
– authenticity and non-repudiation of origin (each event inserted into the blockchain is signed with the private key of its "author", and every "reader" of the log can verify the authenticity and integrity of the event, because the author's public key is itself stored in the blockchain),
– reliability of the time stamp: besides the time assigned to the event by its author (typically the source system), the record also carries the time at which it was validated, added by an independent, "randomly" selected validator, witness or miner,
– the consistency already mentioned (records cannot be modified or deleted) as well as high availability (uninterrupted access to the data and their indestructibility, which in practice depends on how many independent nodes replicate the chain). Immutability guarantees that nothing once written can later be altered unnoticed; it does not make the content of a record true, so the accuracy of the log still depends on the source systems and on protecting the authors' private keys.
Note: This use of blockchain technology can be applied analogously to the reliable recording of other kinds of events (in general, any events). For public records, e.g. events arising from the processing of agendas in a given area of public administration, this is especially valuable when the processes concern several (or many) entities: public administration institutions, but also citizens and entrepreneurs, e.g.:
· events in the field of weapons and ammunition, generated by entities such as the Ministry of the Interior of the Slovak Republic, directorates of the Armed Forces of the Slovak Republic, manufacturers, arms dealers, shooting range operators, holders of firearms licences, assessors of the competence and integrity of firearms licence (ZP) holders, and others, or
· events related to construction and land management, generated by entities such as citizens, entrepreneurs, ICE SR, building authorities and several other interested parties who comment on the proceedings.
Management of information assets and configurations
Responsible management of information assets and configurations is a prerequisite for the successful operation of a modern service-oriented IT organisation, whether it provides IT services to internal or external customers. To provide IT services efficiently at the agreed performance and security levels (according to the SLA, service level agreement), it is necessary to work with current and reliable information on the status of, and the interrelationships between, items of information assets (service, hardware, software server, software application, software licence, operating system, logical node, technical infrastructure component, but also, for example, the premises housing ICT).
Since the states of individual information assets and the relationships between them are very dynamic, it is important to know reliably who (or what) caused a particular change and why, to be sure that no other changes occurred between two justified changes, and to be able to trace back which overall state was valid in a given time period. Here too, blockchain technology offers a solution.
· This use case differs from the event log in that the individual records stored in the blockchain are logically interconnected (modelling relations between information assets, or links between the record of the event that caused a change and its consequences).
· Solutions for the management of information assets and configurations are also referred to as configuration databases (CMDB, configuration management database, in the ITIL methodological framework).
· In addition to the support for the provision of IT services mentioned above, these solutions also serve other IT processes of the organisation, e.g. change management, incident and problem management, software licence management, input data for information risk analysis, etc.
· This use of blockchain technology can be applied analogously to the management of assets or records of other logically or physically interacting objects.
Identity and access management
Requirements and needs similar to those for the management of information assets and configurations apply to the management of user identities and of physical and logical access to information assets.
In fact, identity and access management can be treated as part of an extended configuration database of information assets (with users and their access roles to information systems as a separate type of information asset), from which selected data can be managed in a blockchain.
· We do not mean that the data in the blockchain would be used by the authorisation mechanism of a specific information system to control access to its information resources in real time (although even such an implementation need not be unrealistic).
· The relations between a user-type information asset and other information assets can be of the following types: is assigned to (role), owns, operates, administers, uses (including the access mode: reads, writes, deletes, triggers), etc.
A great deal of effort is currently being devoted to research into the use of blockchain technology in various identity and access management solutions aimed at improving the provision of electronic public and commercial services.
Attention is also paid to aspects of access control related to relevant regulations such as KYC (know your customer), AML (anti-money laundering) and the GDPR (General Data Protection Regulation).
A very interesting idea in connection with the management of electronic identities is the potential of blockchain technology to greatly simplify PKI processes by "relieving" certification authorities of their current complicated and key tasks (a concept developed by several authors, including the authors of this document). At its heart is the consideration that a user's public key embedded in a reliable blockchain under the supervision of the responsible registration authority (RA) no longer needs to be signed with the private key of a certification authority (CA). The authenticity and integrity of such a public key can be verified, for example, by calling the appropriate smart contract of the blockchain. This relocates trust rather than removing it: the RA's authority to write registrations, the consensus that orders and preserves them, and a way to revoke or replace a compromised key must still be provided.
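The following Python block is an added illustration, not code from the article or its authors. It ties together the event-log design described earlier (only basic attributes on-chain, off-chain attachments bound by their hash, author signatures, a validator time stamp, an append-only hash chain) and the PKI idea in this paragraph (a user's public key is registered in the chain by an RA instead of being certified by a CA). Everything beyond those two descriptions is an assumption: a single in-memory hash chain stands in for the blockchain, an RA key pair is the only out-of-band trust anchor, the record types "keyreg" and "event" and the field names when/who/what/to_whom/where/why/value are invented for the example, and the sample event and attachment are constructed. Signatures are Lamport one-time signatures so that the block runs with the standard library alone; a real deployment would use Ed25519 or a stateful hash-based scheme, and each Lamport key here signs exactly once.

```python
"""Toy signed, hash-chained event log: basic attributes on-chain, attachments off-chain bound by hash, author
keys registered on-chain by an RA. Added example, not the article's code; Lamport one-time signatures (hashlib
only) stand in for Ed25519 so the block runs offline, and every key here signs exactly once."""
import hashlib, json, secrets, time
GENESIS = "0" * 64

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def canonical(obj) -> bytes:
    """Deterministic JSON so every node hashes and verifies identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def keygen():
    """Lamport key: 256 pairs of random secrets; the public key is their hashes. Each key signs ONCE."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [[sha256(a), sha256(b)] for a, b in priv]
def _digest_bits(msg: bytes):
    return ((int(sha256(msg), 16) >> (255 - i)) & 1 for i in range(256))
def sign(priv, msg: bytes) -> list:
    """For each digest bit, reveal the secret from the matching half of the pair."""
    return [priv[i][bit].hex() for i, bit in enumerate(_digest_bits(msg))]
def verify(pub, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(sha256(bytes.fromhex(sig[i])) == pub[i][bit]
                                   for i, bit in enumerate(_digest_bits(msg)))
def event_record(event: dict, attachment: bytes = None) -> dict:
    """What the author signs: the basic attributes plus the hash that binds the off-chain attachment."""
    rec = dict(event, type="event")
    if attachment is not None:
        rec["attachment_sha256"] = sha256(attachment)
    return rec
def attachment_matches(block: dict, attachment: bytes) -> bool:
    return block["payload"].get("attachment_sha256") == sha256(attachment)

class Ledger:
    """Single-node stand-in for the chain; the RA's public key is the only out-of-band trust anchor."""
    def __init__(self, ra_pub, clock=time.time):
        self.ra_pub, self.clock, self.blocks = ra_pub, clock, []
    def _append(self, payload: dict) -> dict:
        body = {"index": len(self.blocks), "prev": self.blocks[-1]["hash"] if self.blocks else GENESIS,
                "validated_at": self.clock(), "payload": payload}   # validator's clock, not the author's "when"
        block = dict(body, hash=sha256(canonical(body)))
        self.blocks.append(block)
        return block
    def key_of(self, who: str, before: int = None):
        """Public key registered for `who` in blocks before position `before` (latest registration wins)."""
        regs = [b["payload"]["pub"] for b in self.blocks[:before]
                if b["payload"]["type"] == "keyreg" and b["payload"]["who"] == who]
        return regs[-1] if regs else None
    def _payload_ok(self, payload: dict, pos: int) -> bool:
        """Registrations need the RA's signature; events the signature of a key registered before `pos`."""
        p = dict(payload)
        sig = p.pop("ra_sig" if p["type"] == "keyreg" else "sig")
        pub = self.ra_pub if p["type"] == "keyreg" else self.key_of(p["who"], pos)
        return pub is not None and verify(pub, canonical(p), sig)
    def register_key(self, who: str, pub, ra_sig: list) -> dict:
        """An RA-signed registration takes the place of a CA-issued certificate."""
        payload = {"type": "keyreg", "who": who, "pub": pub, "ra_sig": ra_sig}
        if not self._payload_ok(payload, len(self.blocks)):
            raise ValueError("key registration is not signed by the RA")
        return self._append(payload)
    def log_event(self, rec: dict, sig: list) -> dict:
        payload = dict(rec, sig=sig)
        if not self._payload_ok(payload, len(self.blocks)):
            raise ValueError("event rejected: unregistered author or bad signature")
        return self._append(payload)
    def verify_chain(self) -> bool:
        """Any reader re-derives every link and signature; False if history was altered anywhere."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            body = {k: v for k, v in b.items() if k != "hash"}
            if (b["index"] != i or b["prev"] != prev or sha256(canonical(body)) != b["hash"]
                    or not self._payload_ok(b["payload"], i)):
                return False
            prev = b["hash"]
        return True

def demo() -> dict:
    """Constructed walk-through: the RA registers Alice, Alice logs one event, then three attacks are tried."""
    ra_priv, ra_pub = keygen()
    alice_priv, alice_pub = keygen()
    ledger = Ledger(ra_pub)
    reg = {"type": "keyreg", "who": "alice", "pub": alice_pub}
    ledger.register_key("alice", alice_pub, sign(ra_priv, canonical(reg)))
    attachment = b"constructed sample: exported firewall rule set"
    rec = event_record({"when": "2024-03-01T10:00:00Z", "who": "alice", "what": "firewall rule added",
                        "to_whom": "fw-edge", "where": "dc-west", "why": "approved change",
                        "value": "allow tcp/443"}, attachment)
    blk = ledger.log_event(rec, sign(alice_priv, canonical(rec)))
    result = {"chain_ok": ledger.verify_chain(), "attachment_ok": attachment_matches(blk, attachment),
              "swapped_attachment_detected": not attachment_matches(blk, attachment + b" (edited)")}
    forged = dict(rec, who="mallory")                 # Mallory signs with a key the RA never registered
    try:
        ledger.log_event(forged, sign(keygen()[0], canonical(forged)))
        result["unregistered_author_rejected"] = False
    except ValueError:
        result["unregistered_author_rejected"] = True
    ledger.blocks[1]["payload"]["value"] = "allow tcp/22"   # rewrite history on this node
    result["tamper_detected"] = not ledger.verify_chain()
    return result
```

Running demo() registers one author, logs one signed event with an off-chain attachment, and then shows that a swapped attachment, an event from an author the RA never registered, and a rewritten historical record are all detected. Two details are the checks a reader of a real chain would also perform: verify_chain() resolves each author's key only from registrations that precede the event, and validated_at is taken from the validator's clock, independently of the "when" the source system put into the record.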