Decentralized Risk Management
Today, most organisations operate hybrid environments where security is managed centrally yet a certain degree of autonomy is granted to internal departments or business units to be able to function efficiently as long as they are operating within the organisation’s information security policy framework while meeting regulatory requirements applicable to their industry sector as well as cyber security standards that are applicable globally.
It is not uncommon that a department or a business unit is unable to meet the complex set of compliance requirements which would put the whole organisation at risk of financial penalties imposed by regulators as well as loss of earning and reputational damage that could also be detrimental to the standing of partnering organisations in that industry sector.
While one organisation may be able to manage their collective internal risks effectively, others may not. Exposure to identified risks and the effectiveness of the controls that are implemented to mitigate them, and in some cases the non-existence of such controls, are confidential matters where partnering organisations may not be aware of each others risk postures, therefore it is a common practice to seek assurances and request evidence of compliance among organisations that operate independently yet are dependent on each other’s data processing practices.
As new regulations are introduced, EU’s GDPR being the most recent one, each organisation implements their own set of controls at their own pace, at varying levels of effectiveness, based on its own risk appetite. Sharing of data among organisations creates multiple data custody chains where the effectiveness of their collective controls is as strong as the weakest link in any of these chains.
As data is typically shared in blocks of varying significance of value and security, depending on the technology and the business processes shared between any two or more organisations, a common communication platform is implemented for the sharing of data. SWIFT is one of the better known platforms for interbank money transfers which was proven to be vulnerable yet it is still in existence as the risk is shared by the participants.
To be GDPR compliant, an organisation must implement additional controls to securely manage the state and movement of data blocks and provide an end-to-end audit trail of its chain of custody. These processes are further complicated by the fact that some of the data may not be owned by the organisation itself, in other words they are either processing the data on behalf of another organisation or as part of a service they provide to their clients or they are just the custodian and probably a combination of the above in the case of a large conglomerate.
Organisations with their traditionally centralised information security controls are facing major challenges and an uphill struggle in their efforts to operate in a decentralised data driven world while the threat level to their centralised information assets is on the increase. Automation is the buzzword used in such organisations but that, on its own, will fail unless there is a common protocol where diverse automated processes are enabled to communicate securely where the chain of custody is part of that shared protocol.
While data management is not a new discipline, the rapid increase in data volumes, the decentralisation of data sources and changes to the ownership model, as mandated by regulators, to a very fine granular level are making the discipline very challenging to follow, let alone enforce.
In the previous section, data granularity was presented in the form of a data block while change of ownership of that data and its transaction history are tracked by a chain of custody. By adding industry standard secure authentication and communication protocols, to control access to the data and track its movement, we obtain what is known today as a blockchain.
A blockchain, in its simplest form, is an implementation of an automated data management tool where access to data is controlled by a unique identity assigned to each participant (data owners, processors, producers and consumers) while integrity, confidentiality and anonymity can be protected if required and transactions are immutable with a builtin audit trail to the very origin of each data block.
The processing of data is automated by the use of smart contracts. A smart contract is a predetermined process written in software/code that a participant calls upon to perform a certain action on the data that is submitted to the blockchain, provided the data owner has granted them permission to execute the smart contract, or run the software code, to process their data.
To give an example, let’s use eHealth while referring to GDPR language, a patient is the owner of their data, while a doctor and a pharmacist are the data processors. The patient has full access to their own data at all times and may choose to grant permission for a doctor to view, alter or retain it. The doctor may then issue a prescription to be served by a chosen pharmacist(s). These processes (view, alter, retain) may be preprogrammed in the form of smart contracts, when executed, the transaction is logged and can be tracked on the blockchain by all participants. Furthermore, the smart contract may submit the transaction details to one or more distributed back-end information systems for future reference if it is programmed to do so.
Given the above use case, some of the advantages of using a blockchain technology may now be obvious of which a short list is given below:
- The complexity of data management processes and data protection controls, as required by regulators, can be isolated from backend information systems.
- Identity and access management controls are built-in and can be applied externally at the blockchain level, rather than at the centrally managed backend information system, providing a universal online, and offline, single-sign-on security to all participants.
- Smart-contracts can be developed to add functionality, or when new use cases emerge, with little or no change to backend information systems, and deployed on the blockchain to be shared by multiple participants.
- Distributed applications developed by, or for, participants may be used to store data locally on end-user devices not requiring connectivity at all times, to access data stored on centralised backend information systems, to operate remotely.
- Distributed applications can communicate with multiple backend information systems simultaneously by the use of Turing-complete smart contracts.
- As some of the functionality and transaction processing is passed to end-user devices, the demand for centralised backend infrastructure hardware resources is lessened, hence lowering the overall and long term cost of owning or leasing hosting infrastructure.
- End-user devices can intercommunicate directly and/or connect to backend systems through multiple blockchain nodes, enhancing availability and lowering the risk of single points of failure.
- Backend information systems can be distributed and/or replicated, based on data segmentation, storage and location requirements, yet accessible as a peer-to-peer network through multiple blockchain nodes.
In summery, a blockchain infrastructure is a network of nodes through which distributed applications connect to the network to send and receive encrypted data that are permanently recorded on the blockchain.
Yet one might ask where is the value in adopting a new technology disrupting plans for implementing a solution that has been worked on for years?
A valid question but that depends on the the vision of the project leads. If the objective is solely to deliver a solution to a problem that was identified a few years ago, then one must press on and continue the good work to deliver on the promises made to the project sponsors. One might also study solutions for similar problems elsewhere so not to repeat some of the mistakes and understand the challenges faced by partners and competitors.
Blockchain technologies have been with us for nearly a decade, they were monetised in the form of cryptocurrencies, proven to be resilient and are being adopted by large corporations. Blockchains are unique in their mixed offering of technology and economics that empowers innovators to commercialise their solutions globally and with little or no initial capital investment.
Blockchain solves some of the most pressing challenges presented to information system architects, to mitigate risks to data confidentiality, integrity and availability, but also introduces new ones such as implementation of GDPR’s Art. 17 — Right To Be Forgotten (RTBF) where Blockchains are immutable by design.
There are already solutions being worked on to make a Blockchain RTBF compliant in the form of “personal” forks, inter-blockchain communications and other hybrid implementations. That is a topic for another day as this article was written to explain the benefits of a Blockchain solution without delving too deeply into its technological aspects and I thank you for reading it all the way to the end.