Blockchain and Risk
ISACA Northern UK, April 20th, 2016
Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole, [email protected]
Agenda
• Trust and Integrity
• The Bitcoin Blockchain
• Distributed Ledgers
• Blockchain and Risk
• Summary
TRUST AND INTEGRITY
The arrival of a decentralized, distributed, tamper-evident, linear, log – “the blockchain” – the integrity of which is ensured by trustless, algorithmic consensus between peers presages monumental shifts in current approaches to cybersecurity.
Trust Technologies
© KuppingerCole 4/18/2016
• Medieval tally sticks (image: "Medieval tally sticks" by Winchester City Council Museums)
• The Accounting Ledger
• Public Key Infrastructure
• The Blockchain
THE BITCOIN BLOCKCHAIN
Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto https://bitcoin.org/bitcoin.pdf
The Bitcoin Problem of Trust
• How to verify the integrity of a series of transactions that occur over time.
• How to avoid spending the same money twice.
• Without a trusted third party?
A Bitcoin
A bitcoin is a piece of data that is cryptographically signed. Its history is a chain of signed transactions.
Diagram: a transaction contains Owner 1’s public key and Owner 0’s signature. The transaction is hashed and the hash is signed with Owner 0’s private key; the sequence of such transactions is the coin’s history.
A Verifiable Transaction Log
Diagram: three linked transactions. Transaction 1 names Owner 1’s public key and carries Owner 0’s signature, made with Owner 0’s private key over the transaction hash. Transaction 2 names Owner 2’s public key and carries Owner 1’s signature, made with Owner 1’s private key, and is verified against Owner 1’s public key recorded in Transaction 1. Transaction 3 names Owner 3’s public key and carries Owner 2’s signature, verified against Owner 2’s public key recorded in Transaction 2. Each transaction is verified against the one before it, so the whole history of the coin can be checked.
Proof a coin not already spent
Central Ledger Approach
The conventional approach involves a trusted central system: a single ledger.
Diagram: all parties transact through a Clearing House, which keeps the Central Ledger.
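The slides above show the mechanism as diagrams. The following Go program is an added example, not code from the presentation or from KuppingerCole, that implements the same chain with the standard library: each Transaction carries the hash of the transaction it spends, the next owner's public key and the previous owner's signature, and a single in-process Ledger, playing the part of the central ledger on this slide, refuses a second spend of an input it has already seen spent and any transfer not signed by the recorded owner. Ed25519 stands in for Bitcoin's ECDSA, and the names Transaction, Ledger, Transfer and VerifyHistory are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is one link in a coin's history, as in the slide diagram: the hash of the
// transaction being spent, the next owner's public key, and the current owner's signature.
type Transaction struct {
	PrevHash  []byte            // hash of the transaction this one spends (nil for the origin)
	NewOwner  ed25519.PublicKey // Owner N+1's public key
	Signature []byte            // Owner N's signature over Hash()
}

// Hash covers every field except the signature; it is the value the current owner signs.
func (t *Transaction) Hash() []byte {
	h := sha256.New()
	h.Write(t.PrevHash)
	h.Write(t.NewOwner)
	return h.Sum(nil)
}

// NewKeyPair creates an owner's key pair. Ed25519 stands in for Bitcoin's ECDSA here.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Transfer builds the next link: the current owner signs a transaction handing the coin on.
func Transfer(prev *Transaction, currentOwner ed25519.PrivateKey, newOwner ed25519.PublicKey) *Transaction {
	t := &Transaction{PrevHash: prev.Hash(), NewOwner: newOwner}
	t.Signature = ed25519.Sign(currentOwner, t.Hash())
	return t
}

// Ledger is the single record everyone checks against (the central-ledger approach). It keeps
// the unspent transactions; spending one removes it, so a second spend of it cannot validate.
type Ledger struct {
	unspent map[string]*Transaction
}

func NewLedger(origin *Transaction) *Ledger {
	return &Ledger{unspent: map[string]*Transaction{hex.EncodeToString(origin.Hash()): origin}}
}

// Accept validates one transaction: its input must still be unspent, and its signature must
// verify under the public key recorded in that input. Anything else is rejected.
func (l *Ledger) Accept(t *Transaction) error {
	key := hex.EncodeToString(t.PrevHash)
	prev, ok := l.unspent[key]
	if !ok {
		return errors.New("rejected: input unknown or already spent")
	}
	if !ed25519.Verify(prev.NewOwner, t.Hash(), t.Signature) {
		return errors.New("rejected: not signed by the input's owner")
	}
	delete(l.unspent, key)
	l.unspent[hex.EncodeToString(t.Hash())] = t
	return nil
}

// VerifyHistory replays a coin's history through a fresh ledger: true only if every link is
// signed by the previous owner and no input is spent twice (the relying party's check).
func VerifyHistory(chain []*Transaction) bool {
	if len(chain) == 0 {
		return false
	}
	l := NewLedger(chain[0])
	for _, t := range chain[1:] {
		if err := l.Accept(t); err != nil {
			return false
		}
	}
	return true
}

func main() {
	pub0, priv0 := NewKeyPair()
	pub1, priv1 := NewKeyPair()
	pub2, _ := NewKeyPair()
	t0 := &Transaction{NewOwner: pub0} // origin: minted to Owner 0, spends nothing, unsigned
	t1 := Transfer(t0, priv0, pub1)    // Owner 0 -> Owner 1
	t2 := Transfer(t1, priv1, pub2)    // Owner 1 -> Owner 2
	fmt.Println("history valid:", VerifyHistory([]*Transaction{t0, t1, t2}))
	ledger := NewLedger(t0)
	fmt.Println("t1:", ledger.Accept(t1), "t2:", ledger.Accept(t2))
	// Owner 0 presents the original coin a second time: its input is already spent.
	fmt.Println("double spend:", ledger.Accept(Transfer(t0, priv0, pub2)))
	// Owner 0 tries to move Owner 2's coin without Owner 2's key: the signature fails.
	fmt.Println("forged:", ledger.Accept(Transfer(t2, priv0, pub1)))
}
```

VerifyHistory is the relying party's check over a whole history; Accept is the ledger's check for one new transaction. The distributed case on the next slide replaces this one Ledger with a copy at every peer plus a consensus process that decides which of two conflicting transactions the shared record keeps.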
Distributed Ledger
Bitcoin is based on a distributed ledger. Transactions are broadcast to everyone. There is then a consensus process to avoid cheating.
Diagram: four peers, each holding its own copy of the ledger.
Proof of Work – Algorithmic Trust #1
• Transactions grouped into blocks and timestamped
• “Miners” compete to solve a computational puzzle that is exponentially difficult to solve but trivial to check
• Consensus: the first solution approved by others wins a prize of 25 bitcoins
Diagram: a chain of blocks; each block holds a list of items (transactions), the hash of the previous block, and a nonce.
Proof of Work – Algorithmic Trust #2
• Assumes that the reward is more profitable than cheating
• Assumes no one can corner all CPU power
Diagram: the same chain of blocks (items, previous hash, nonce).
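As an added example (not from the presentation or KuppingerCole), the following Go program makes the two halves of the puzzle on these slides concrete: Mine searches for a nonce that gives the block a SHA-256 hash with a chosen number of leading zero hex digits, and MeetsTarget checks a candidate with a single hash computation. VerifyChain is what a peer runs on another miner's blocks, and the tampering step at the end shows why rewriting an earlier block means redoing the work for every block after it, which is what the CPU-power assumption above rests on. The block layout follows the slide (items, previous hash, nonce); the timestamp field, the hex-digit difficulty rule and all names are this example's assumptions, and the difficulty is far below Bitcoin's.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Block mirrors the slide diagram: a list of items (transactions), the previous block's hash,
// a timestamp and the nonce the miner is searching for.
type Block struct {
	Items    []string
	PrevHash []byte
	Time     int64
	Nonce    uint64
}

// Hash commits to every field, so changing an item, the link or the nonce changes the hash.
func (b *Block) Hash() []byte {
	h := sha256.New()
	h.Write(b.PrevHash)
	for _, item := range b.Items {
		h.Write([]byte(item))
		h.Write([]byte{0}) // separator, so that ["ab","c"] and ["a","bc"] hash differently
	}
	var tail [16]byte
	binary.BigEndian.PutUint64(tail[:8], uint64(b.Time))
	binary.BigEndian.PutUint64(tail[8:], b.Nonce)
	h.Write(tail[:])
	return h.Sum(nil)
}

// MeetsTarget is the "trivial to check" half of the puzzle: the hash must begin with
// `difficulty` zero hex digits. One hash computation settles it.
func MeetsTarget(hash []byte, difficulty int) bool {
	return strings.HasPrefix(hex.EncodeToString(hash), strings.Repeat("0", difficulty))
}

// Mine is the "exponentially difficult" half: try nonces until the hash meets the target.
// Each additional hex digit of difficulty multiplies the expected number of attempts by 16.
func Mine(b *Block, difficulty int) uint64 {
	for b.Nonce = 0; ; b.Nonce++ {
		if MeetsTarget(b.Hash(), difficulty) {
			return b.Nonce
		}
	}
}

// VerifyChain is what every peer runs before accepting another miner's blocks: each block's
// proof of work must hold and each block must link to the hash of the one before it.
func VerifyChain(chain []*Block, difficulty int) bool {
	for i, b := range chain {
		if !MeetsTarget(b.Hash(), difficulty) {
			return false
		}
		if i > 0 && !bytes.Equal(b.PrevHash, chain[i-1].Hash()) {
			return false
		}
	}
	return true
}

func main() {
	const difficulty = 4 // about 16^4 = 65536 hashes per block on average; kept small for a demo
	genesis := &Block{Items: []string{"Alice pays Bob 1"}, Time: time.Now().Unix()}
	start := time.Now()
	nonce := Mine(genesis, difficulty)
	fmt.Printf("block 0: nonce %d found in %v, hash %x\n", nonce, time.Since(start), genesis.Hash())

	next := &Block{Items: []string{"Bob pays Carol 1"}, PrevHash: genesis.Hash(), Time: time.Now().Unix()}
	Mine(next, difficulty)
	chain := []*Block{genesis, next}
	fmt.Println("chain valid:", VerifyChain(chain, difficulty))

	// Rewriting history: altering an item in block 0 changes its hash, so its proof of work no
	// longer holds and block 1 no longer links to it. A cheater must redo the work for every
	// block from that point on, and must do it faster than the honest miners extend the chain.
	genesis.Items[0] = "Alice pays Bob 100"
	fmt.Println("after tampering with block 0:", VerifyChain(chain, difficulty))
}
```

Raising the difficulty constant by one digit makes Mine take roughly sixteen times longer while MeetsTarget stays a single hash, which is the asymmetry the slide describes.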
BEYOND BITCOIN
Distributed ledgers have the potential to be radically disruptive. Their processing capability is real time, near tamper-proof and increasingly low-cost. They can be applied to a wide range of industries and services.
Source: Distributed ledger technology: beyond block chain - Press releases - GOV.UK
Kinds of Distributed Ledgers
• Traditional Ledger: a single ledger (one copy only)
• Distributed Ledger: multiple copies
  • Private Shared Ledger: available only to the owner group
  • Community Shared Ledger: integrity maintained by trusted parties
  • Public Shared Ledger: integrity maintained by consensus
Uses of Distributed Ledger
Assured Information
• Registries/Digital Notaries
• Financial Announcements
• Certificate Authority
• DNS
Assured Control
• Financial Ledger providing assurance against fraud.
Assured Rules
• Assurance that an agreed set of rules will be implemented honestly
• Smart Contracts
Keyless Signatures
Since 2007 Estonian citizens can file electronic documents and verify their government records.
Diagram (Keyless Signature Infrastructure): the originator runs the data through a hash function and submits only the hash; the infrastructure returns a time-stamped token. A relying party verifies the hash against the token. No original data is stored, so the “bad guys” attacking the infrastructure are blocked.
Digital Notary
• Hash + timestamp written to blockchain
• Hash published in the FT
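The following Go program is an added example (not the KSI or any notary service's implementation, and not code from the presentation) of the pattern on these two slides: the originator submits only a hash, the notary records a timestamp and publishes one value, and the relying party checks a document it holds against that published value. It batches many document hashes into one published root with a hash tree, which is how such services commit a whole period's documents to a single value that fits in a blockchain entry or a newspaper notice; the slides do not describe the tree, so treat it as this example's generalization. The names Token, LeafHash, Notarise and Verify and the sample deeds are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"time"
)

// Token is what the notary returns for one document: the time, the sibling hashes needed to
// recompute the published root from the document's hash, and which side each sibling sits on.
// The document itself never enters the notary and is never stored by it.
type Token struct {
	Time    int64
	Path    [][]byte // sibling hash at each level, leaf to root
	OnRight []bool   // true if the sibling is to the right of the running hash
}

// LeafHash is the only thing the originator sends: the hash of the data, not the data.
func LeafHash(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

func hashPair(left, right []byte) []byte {
	h := sha256.New()
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// Notarise builds a hash tree over one batch of document hashes and returns a token per
// document plus the single root that gets published (to a blockchain, or in a newspaper).
func Notarise(leaves [][]byte, now int64) ([]Token, []byte) {
	if len(leaves) == 0 {
		return nil, nil
	}
	// Pad to a power of two by repeating the last leaf so every node has a sibling.
	level := append([][]byte{}, leaves...)
	for len(level)&(len(level)-1) != 0 {
		level = append(level, level[len(level)-1])
	}
	tokens := make([]Token, len(leaves))
	pos := make([]int, len(leaves)) // where each document's hash sits in the current level
	for i := range tokens {
		tokens[i].Time = now
		pos[i] = i
	}
	for len(level) > 1 {
		for d := range tokens {
			sibling := pos[d] ^ 1
			tokens[d].Path = append(tokens[d].Path, level[sibling])
			tokens[d].OnRight = append(tokens[d].OnRight, sibling > pos[d])
			pos[d] /= 2
		}
		next := make([][]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next = append(next, hashPair(level[i], level[i+1]))
		}
		level = next
	}
	return tokens, level[0]
}

// Verify is the relying party's check: hash the document it holds, climb the path in the
// token, and compare with the published root. A document changed by even one byte fails.
func Verify(doc []byte, tok Token, publishedRoot []byte) bool {
	h := LeafHash(doc)
	for i, sibling := range tok.Path {
		if tok.OnRight[i] {
			h = hashPair(h, sibling)
		} else {
			h = hashPair(sibling, h)
		}
	}
	return bytes.Equal(h, publishedRoot)
}

func main() {
	// Constructed sample documents; only their hashes reach the notary.
	docs := [][]byte{[]byte("deed 1: plot A to Owner 1"), []byte("deed 2: plot B to Owner 2"), []byte("deed 3: plot C to Owner 3")}
	leaves := make([][]byte, len(docs))
	for i, d := range docs {
		leaves[i] = LeafHash(d)
	}
	tokens, root := Notarise(leaves, time.Now().Unix())
	fmt.Printf("published root: %x\n", root)
	fmt.Println("deed 2 verifies:", Verify(docs[1], tokens[1], root))
	fmt.Println("altered deed 2 verifies:", Verify([]byte("deed 2: plot B to Owner 9"), tokens[1], root))
}
```

Because the notary holds only hashes, a compromise of its store reveals no document contents, which is the "no original data stored" point of the KSI diagram; the integrity of the scheme then rests on the published root being recorded somewhere the notary cannot quietly rewrite, which is what the blockchain or newspaper on the Digital Notary slide provides.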
Smart Contracts
“Smart Contracts” that algorithmically enforce agreed rules.
Example: the Everledger digital ‘passport’ for diamonds records each stone’s provenance, travel, and transactions.
Diagram: an Ethereum Smart Contract.
Application to Post Trade Settlement
Clearing
• Smart contracts to automate clearing
• Real time update of security title
Life cycle management
• Robust monitoring through access by multiple users
Collateral management and valuation
• Increased transparency
• Real time position update
Settlement
• Secure and rapid transfer of assets
• Lowered cost
Custody
• Smart contracts eliminate intermediaries
Source: Fintech 2.0 Paper: rebooting financial services
Smart Contracts algorithmically enforce agreed rules
BLOCKCHAIN PLATFORMS
Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference. Ethereum Project
Some Distributed Ledger Platforms
Consensus Protocols
Comparison of mechanisms (Proof of Work, Proof of Stake, Byzantine Agreement, Tendermint, Stellar Consensus Protocol) against four properties: Decentralized Control, Low Latency, Flexible Trust, Asymptotic Security. Proof of Stake is marked “?” against three of the four properties.
Source: On Worldwide Consensus — A Stellar Journey — Medium
A Classification of Platforms
Columns (who do I trust to maintain a truthful record?): A Central Authority | A group of known actors | A group of actors, some known | Nobody
Rows (what things need to be agreed on?):
• Ownership of on-platform assets: Central Bank | Clearing Bank | Ripple (XRP) | Bitcoin
• Ownership of off-platform assets: Custodian Bank | Hyperledger | Ripple (Gateways) | Coloured Coins
• Obligations arising from an agreement: Clearing House | Eris | Ripple (Codius) | Ethereum
Source: http://gendal.me/tag/hyperledger/
BLOCKCHAIN RISKS
Every new technology is claimed to offer unparalleled benefits, many of which do not materialise in practice.
Risks Mitigated by Blockchain
Hazards
• Prevents unauthorized change
• Use of digest reduces data leakage
• Algorithmic trust
Control Risks
• Simplifies integrity controls
• No need for trusted third party
Opportunities
• Lowers costs and creates new opportunities
Blockchain Risk Overview
Source: Advisory Note: Blockchain and Risk 71608 - KuppingerCole
Critical Risks
Platform Software
• The integrity of a distributed ledger is determined by the software platform upon which it runs.
Targeted Malware
• The infrastructure which supports the distributed ledger is subject to all the usual threats and vulnerabilities.
Privilege Abuse
• Abuse of administration privilege and unauthorized change to the infrastructure.
Important Risks
Compliance
• Regulations and laws sometimes require the use of certain controls that may not be relevant or possible using blockchain.
Liability
• The legal liability for losses resulting from a failure of algorithmic trust is yet to be determined.
Scalability
• Proof of Work algorithms severely limit scalability and massively increase energy consumption.
Risks needing Consideration
Identity
• Proof of the actual identity of participants needs to be assured (that is, who owns the keys).
Latency
• The delay between a transaction being registered and the time at which a relying party can trust it based on consensus.
Long Term Crypto
• Improvements in computer power and technology may significantly reduce the protection provided by the current encryption technology used.
Impact on society
News from 2041
• First conviction based on algorithmic justice
• Using irrefutable evidence of suspect’s activities
• Captured by Google and secured by blockchain
• Barristers in riot at Inns of Court
SUMMARY
Summary
Blockchain Distributed Ledgers create both opportunities and risks for organizations.
• Identify the opportunities for blockchain distributed ledger technology.
• Quantify the expected benefits and potential risks from these.
• Choose an appropriate delivery platform.
QUESTIONS
Kuppinger Cole Ltd. Headquarters
Am Schloßpark 129, 65203 Wiesbaden | Germany
Tel +49 (211) 23 70 77 – 0, Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
The Future of Information Security – Today. KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.
Related Research
No. | Type | Title
71601 | Advisory Note | Blockchain Impact on the Financial Industry
71555 | Advisory Note | Demystifying the Blockchain
71603 | Advisory Note | Blockchain and Cybersecurity (coming soon)
71609 | Advisory Note | Business Process Optimisation Through Blockchain (coming soon)
71602 | Advisory Note | Information Stewardship in the age of Blockchain (coming soon)
71606 | Advisory Note | The Blockchain and Life Management Platforms (coming soon)