The impact of the CIA security triad on blockchain technology


Recap

In our first series, we covered the following 5 articles:

 

Note

If you are new to the field of cybersecurity, taking our Intro to Cybersecurity (free self-paced) course is highly recommended. If you are already familiar with cybersecurity, taking our Intro to Blockchain Cybersecurity course is highly recommended.

 

Blockchain on the CIA Security Triad

In this article, we arrange the components of a native blockchain and of Hyperledger Fabric within the Confidentiality, Integrity, and Availability (CIA) security triad. The CIA triad is one of the oldest and most widely used security frameworks, and it helps organizations structure their security posture. We will look at how these three core elements apply to blockchain technology and how the model can guide the optimal use of blockchain.

In this article, we will cover the following topics:

  1.  What is the CIA security triad?
  2.  Blockchain on confidentiality
  3.  Blockchain on integrity
  4.  Blockchain on availability

 

1. What is the CIA security triad?

CIA is a framework/model that's used to arrange a list of security controls and systems used by the information security (infosec) team. It is also sometimes referred to as the Availability, Integrity, and Confidentiality (AIC) security triad. The purpose of the triad is to deliver a standard framework to evaluate and deploy information security policies, independent of the underlying technology, network, or system.

 

Confidentiality

Confidentiality is a way to keep information hidden from unauthorized people. When information that has to be secret remains secret, you have achieved confidentiality. In the current era of digital connectivity, many parties are eager to learn information that has been kept secret. Security agencies are a prime example of an organization breaking confidentiality so that they can perform forensics and use surveillance footage. Financially motivated cybercriminals do their best to break into security systems and gather confidential documents that will benefit their clients' business adversaries.

There is a never-ending race between adversaries and defenders. Organizations are spending millions of dollars every year to achieve full-stack confidentiality with cryptography and access control systems. Several methods are tested every day to protect data at rest and data in motion.

 

Integrity

Integrity is a way to protect information against unauthorized tampering. It is a mandatory requirement for every infosec body. It is also a method of maintaining the consistency, accuracy, and trustworthiness of the respective data over its entire life cycle. The data has to be fully protected, and any unauthorized access to it must be prohibited. Measures that aid this include file permissions and user access controls.

 

Availability

Availability refers to on-time and reliable access to data. Data becomes information and information becomes value, so that value is lost if the information is not available at the right time. Distributed Denial-of-Service (DDoS) and ransomware attacks are some of the most powerful weapons in the hands of malicious actors, and they use these attacks to keep information away from people who have authorized and legitimate access. Organizations attempt to combat these attacks with measures including web application firewalls, DDoS protection, content delivery networks (CDNs), and even disaster recovery.

 

2. Understanding blockchain on confidentiality

Every digitally connected technology comes at the cost of security challenges, which can include privacy exposure, confidentiality breaches, identity theft, and much more. Blockchain is a computing technology that runs over a digital ecosystem, so it is important to pay attention to its fundamental security challenges. Businesses of every size that are connected globally allocate an annual budget for cybersecurity so that they can keep their information and critical assets confidential. Let's understand the extent of confidentiality in the current blockchain model and its future roadmap.

 

Confidentiality in the existing model

As we already know, blockchain technology was introduced with Bitcoin. However, it was never meant to be restrictive in nature: anyone with the client software can participate in the block generation process, called mining in the case of Bitcoin. Confidentiality with respect to the blockchain is simply about hiding transaction information from unwanted participants in the network. However, because of the open and permissionless nature of a public blockchain such as Bitcoin, achieving a high level of confidentiality can be extremely difficult.

 

Businesses, blockchain, and confidentiality

When it comes to business, confidentiality becomes a critical pillar of cybersecurity for building trust between customers and other stakeholders. The permissioned blockchain has gained great appreciation because it allows only pre-selected participants to access the data in the distributed ledger network. When one business interacts with another, it is not just about how much information to share; it is also about who should have access to which information under what conditions. For Hyperledger Fabric, IBM suggests that the following points should be kept in mind:

  •  For each transaction, it is important to know whether a participant can see the complete information, a part of it, or no information at all. This has to be specified in the smart contract.
  •  If a regulator has been assigned, then the business must confirm the extent of the data the regulator can access.
  •  It is important to understand the nature of your network, static or flexible, as confidentiality parameters may change in the future based on new participant roles and needs.

 

Achieving confidentiality with Hyperledger Fabric

Hyperledger Fabric provides features to achieve confidentiality with the ease of calling a set of library files:

  •  Attribute-based access control (ABAC): Whether a user may access a transaction is decided on the basis of the attributes bound to the user's identity. This is possible with ABAC, which can be applied both to chaincode and to the entire fabric. The attributes used during transaction deployment have to be passed by the user during Tcert creation. This is an important step in determining whether a user can execute a specific chaincode. The Attribute Certificate Authority (ACA) plays an important role in validating attributes and returning an attribute certificate (ACert). The ACA maintains a database in which companies can store attributes for users and their affiliations.

 

  •  Hyperledger Fabric encryption library: The smart contract can be configured to encrypt the information in a transaction, or a subset of it. This information remains encrypted in the ledger, with the key available only to the peer that is supposed to see and access it. If the endorsement policy requires peers from different organizations, then the information has to be encrypted before it is included in the transaction proposal.
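The two ideas above, deciding on attributes rather than on a named identity, and giving each participant a complete, partial, or empty view of a transaction, can be sketched in a simulated chaincode. The following is an added example and not Hyperledger Fabric code: the `ACert` class, the `INVOKE_POLICY` and `FIELD_VISIBILITY` tables, the attribute names and the sample transaction are all constructed for illustration.

```python
"""Attribute-based access decisions and per-participant views for a simulated
chaincode. Added example: the policy tables, attribute names and sample
transaction are constructed for illustration and are not Fabric APIs."""
from dataclasses import dataclass


@dataclass
class ACert:
    """Attribute certificate as an attribute CA would issue it: an enrollment
    ID plus the attributes the CA vouches for (constructed for this example)."""
    enrollment_id: str
    attributes: dict


# Attribute values a caller must present to invoke a chaincode function.
# Every listed attribute must match; unknown functions are denied by default.
INVOKE_POLICY = {
    "transfer": {"role": {"trader"}, "org": {"BankA", "BankB"}},
    "audit": {"role": {"regulator"}},
}

# How much of a transaction each role may see: complete, partial, or nothing.
FIELD_VISIBILITY = {
    "trader": {"id", "from", "to", "amount", "terms"},
    "regulator": {"id", "from", "to", "amount"},
}


def can_invoke(cert: ACert, function: str) -> bool:
    """Decide on attributes, not on who the caller is: a newly enrolled trader
    at BankB is allowed without the policy ever naming that person."""
    required = INVOKE_POLICY.get(function)
    if required is None:
        return False  # deny by default for functions without a policy
    return all(
        cert.attributes.get(attr) in allowed for attr, allowed in required.items()
    )


def visible_view(cert: ACert, tx: dict) -> dict:
    """Return only the fields this caller's role is entitled to see.
    A role with no entry in the table sees nothing."""
    allowed = FIELD_VISIBILITY.get(cert.attributes.get("role"), set())
    return {k: v for k, v in tx.items() if k in allowed}


# Constructed sample transaction and certificates.
SAMPLE_TX = {
    "id": "tx-1001", "from": "BankA", "to": "BankB",
    "amount": 250000, "terms": "net-30, confidential discount 2%",
}
TRADER_A = ACert("alice@BankA", {"role": "trader", "org": "BankA"})
TRADER_C = ACert("carol@BankC", {"role": "trader", "org": "BankC"})
REGULATOR = ACert("rex@FinReg", {"role": "regulator", "org": "FinReg"})
OBSERVER = ACert("oscar@Press", {"role": "observer", "org": "Press"})

if __name__ == "__main__":
    for cert in (TRADER_A, TRADER_C, REGULATOR, OBSERVER):
        print(cert.enrollment_id,
              "transfer:", can_invoke(cert, "transfer"),
              "sees:", sorted(visible_view(cert, SAMPLE_TX)))
```

Note that the trader from BankC is refused even though the role matches, because the policy requires both attributes, and the regulator sees the amounts but never the commercial terms; both decisions follow from the tables, not from the enrollment ID.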

 

3. Blockchain on integrity

Even with more money being spent on cybersecurity, many organizations are still reluctant to use public cloud solutions. It is a common practice to apply encryption to the data going to the cloud, but encryption can only provide solid confidentiality against internal attacks; it can't protect data from corruption caused by configuration errors, software bugs, or espionage attempts. Although blockchain technology has its own solid approach to achieving immutability with the hashing algorithm and the Merkle tree model for integrity, we have to try and understand how it would practically work with real-world applications and Hyperledger Fabric.

Integrity in the current blockchain network

Integrity is a way of avoiding any tampering with the data. Blockchain uses cryptographic hashing to ensure that the ledger remains tamper-proof. One of the key characteristics of a hash function is that it is one-way, which means it is computationally infeasible to recover the data from the hash result, also called the message digest. It is also infeasible to analyze the pattern of the message digest and predict the original data, as even a slight change in the message results in a completely different digest. All flavors of blockchain use hashing extensively, as follows:

  •  An Ethereum account identifier is created by hashing a public key with the Keccak-256 hashing algorithm
  •  A Bitcoin address is computed by hashing a public key with the SHA-256 algorithm

 

Block arrangement and immutability

As we already saw, each node stores the ledger as a chain of linked blocks, and the creation of a new block depends on the hash of the previous block. This defeats malicious attempts to disturb, alter, or delete any block in the ledger, because such a change breaks the hash links and is detected. This helps organizations achieve a new level of cybersecurity integrity and provides a platform on which you can develop a tamper-proof business application.

 

Achieving integrity with Hyperledger

Although Hyperledger Fabric is one more flavor of distributed ledger technology, several key properties separate it from the others. A committing peer always validates a new block before adding it to the ledger. If a peer is hacked, a compromised block may end up in its copy of the ledger. To avoid such a situation, there are methods to check the way a block gets added to the ledger.

Verifying chain integrity

In this method, each peer periodically validates its blockchain and asks its peers to recheck whether a broken block has been detected. A function named CheckChainIntegrity() has to be called to keep the integrity check running.
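The block linking described under "Block arrangement and immutability" and the periodic check described here can be shown together on a small hash-linked ledger. This is an added example, not Hyperledger Fabric's code: the `Block` layout, the `check_chain_integrity()` function (a stand-in for the CheckChainIntegrity() routine named above) and the sample transactions are constructed for illustration. It also demonstrates the avalanche property mentioned earlier by counting how many digest bits change after a one-character edit.

```python
"""Hash-linked ledger with an integrity check. Added example: block layout,
check function and sample transactions are constructed for illustration and
are not Hyperledger Fabric code."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(index: int, prev_hash: str, transactions: list) -> str:
    """Hash header and body together. Canonical JSON (sorted keys, no
    whitespace) ensures every peer hashes exactly the same bytes."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "tx": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return sha256_hex(payload)


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list
    hash: str


def build_chain(tx_batches: list) -> list:
    """Append one block per batch; each block commits to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        h = block_hash(i, prev, txs)
        chain.append(Block(i, prev, [dict(t) for t in txs], h))
        prev = h
    return chain


def check_chain_integrity(chain: list) -> tuple:
    """Recompute every block hash and every back-link.
    Returns (True, None) for a sound chain, or (False, index) of the first
    block that fails, so the peer knows where to ask others to recheck."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != prev:
            return False, i  # link to the previous block is broken
        if block_hash(blk.index, blk.prev_hash, blk.transactions) != blk.hash:
            return False, i  # block body no longer matches its stored hash
        prev = blk.hash
    return True, None


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two hex digests (avalanche effect)."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


# Constructed sample ledger: three batches of transfers.
SAMPLE_BATCHES = [
    [{"from": "BankA", "to": "BankB", "amount": 10}],
    [{"from": "BankB", "to": "BankC", "amount": 5}],
    [{"from": "BankC", "to": "BankA", "amount": 1}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("fresh chain:", check_chain_integrity(chain))
    chain[1].transactions[0]["amount"] = 500  # alter a stored block
    print("after tampering:", check_chain_integrity(chain))
    chain[1].hash = block_hash(1, chain[1].prev_hash, chain[1].transactions)
    print("after re-hashing the altered block:", check_chain_integrity(chain))
    print("bits changed by a one-character edit:",
          hamming_distance_hex(sha256_hex(b"pay 10"), sha256_hex(b"pay 11")))
```

Altering a stored transaction is caught at that block because its body no longer matches its hash; recomputing that block's hash to cover the change only moves the failure to the next block, whose stored back-link still points at the original hash. That is the property the article calls immutability: rewriting history requires rewriting every later block, and a peer that still holds the honest chain will see the mismatch.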

 

4. Understanding blockchain on availability

Business applications are accessible through networks (public or private), and these applications are sets of code that have value only as long as they are accessible when they are needed. Blockchain is a software application running on the cloud that keeps its value as long as it is not broken or disturbed. For users, the face of blockchain is simply a decentralized application (dApp), and in order to keep it available all of the time, both the frontend and the backend of the system should run seamlessly.

Availability in the current blockchain network

Availability means on-time and reliable access to information. Cyberattacks such as DDoS cause huge disruption to internet services and result in websites becoming inaccessible, which costs businesses a lot of money. The decentralized nature of blockchain makes these applications harder to disrupt.

 

No single point of failure

Even if one node in the blockchain goes down, the information can be accessed and used by the rest of the nodes in the network. As all of the nodes keep an exact copy of the ledger, it will always be up-to-date. All of the nodes in the network are logically decentralized from their ledger, and there is zero probability of system failure.
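A small simulation makes the point above concrete: with every node holding a full copy, a read keeps succeeding while any one node is reachable. The added majority read also shows the practical caveat, that a node whose copy was altered is outvoted only when enough honest nodes are up, so operators still track how many peers are reachable. This is an added example, not code from the article: the `Node` and `Network` classes and the sample ledger are constructed for illustration.

```python
"""Replicated ledger reads across several nodes. Added example: the Node and
Network classes and the sample ledger are constructed for illustration."""
from collections import Counter


class Node:
    def __init__(self, name: str, ledger: list):
        self.name = name
        self.ledger = list(ledger)  # every node keeps its own full copy
        self.up = True

    def read(self, index: int):
        if not self.up:
            raise ConnectionError(f"{self.name} is unreachable")
        return self.ledger[index]


class Network:
    def __init__(self, nodes: list):
        self.nodes = nodes

    def live_nodes(self) -> list:
        return [n for n in self.nodes if n.up]

    def read_any(self, index: int):
        """Serve the read from the first reachable node: no single node's
        outage makes the data unavailable."""
        for node in self.live_nodes():
            return node.read(index)
        raise RuntimeError("no node available")

    def read_majority(self, index: int, quorum: int):
        """Ask every reachable node and return the value at least `quorum`
        of them agree on. This tolerates a node whose copy was altered, but
        with fewer than `quorum` nodes reachable the network cannot answer
        with confidence, which is the limit of 'no single point of failure'."""
        answers = [n.read(index) for n in self.live_nodes()]
        if len(answers) < quorum:
            raise RuntimeError(f"only {len(answers)} nodes reachable, need {quorum}")
        value, votes = Counter(answers).most_common(1)[0]
        if votes < quorum:
            raise RuntimeError("no value reached quorum")
        return value


LEDGER = ["genesis", "tx-1: A->B 10", "tx-2: B->C 5"]  # constructed sample


def make_network(size: int = 4) -> Network:
    return Network([Node(f"peer{i}", LEDGER) for i in range(size)])


if __name__ == "__main__":
    net = make_network()
    net.nodes[0].up = False
    net.nodes[1].up = False
    print("read with two nodes down:", net.read_any(2))
    net.nodes[2].ledger[2] = "tx-2: B->C 5000"  # one copy has been altered
    net.nodes[1].up = True
    print("majority read outvotes the altered copy:", net.read_majority(2, quorum=2))
```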

 

Business and availability

When it comes to the blockchain, its availability is determined by valid and successful transactions. For every business, keeping a record of all transactions is a core function, and these transactions could be the entries of business activities, asset entries, supply chain management records, and many more.

 

Summary

In this article, we have studied the impact of the CIA security triad on blockchain technology. Although the Bitcoin blockchain goes a long way toward satisfying the CIA security framework, it is blockchain as a technology that is appreciated and adopted by several organizations, and several flavors of blockchain are coming to the market to fulfill specific business models. We have seen how Hyperledger Fabric fits into the CIA security triad and what makes the Hyperledger Fabric system a business-friendly solution.

 

What is Next

If you are interested in exploring more complex yet novel topics on blockchain security, you can read the articles below. If you are new to blockchain technology, taking our Intro to Blockchain Technology (self-paced) course is highly recommended.

  • Two-Factor Authentication with Blockchain
  • Deploying PKI-Based Identity with Blockchain
  • Blockchain-Based DNS Security Platform
  • Deploying Blockchain-Based DDoS Protection


Resources- Self-Paced Blockchain Courses

If you would like to learn more about Hyperledger Fabric, Hyperledger Sawtooth, Ethereum or Corda, taking the following self-paced classes is highly recommended:

  1. Intro to Blockchain Technology
  2. Blockchain Management in Hyperledger for System Admins
  3. Hyperledger Fabric for Developers
  4. Intro to Blockchain Cybersecurity
  5. Learn Solidity Programming by Examples
  6. Introduction to Ethereum Blockchain Development
  7. Learn Blockchain Dev with Corda R3
  8. Intro to Hyperledger Sawtooth for System Admins

