Applying Blockchain Technology for Securing the EnterpriseSecurity Practitioners weigh in on Their Organizations' readiness for Blockchain
Since the government of India earlier this year emphasized its commitment to blockchain, many Indian companies since then have started to explore this emerging ledger technology. In fact, about 30 banks have formed a consortium - bankchain - a proof of concept of blockchain application for relevance in the financial industry. Even Niti Aayog, a policy think tank for the government of India, is looking at blockchain for distribution of subsidiaries.
See Also: Why CASBs Matter to Cloud Security
The Institute of Development and Research in Banking Technology, in its report titled Application of Blockchain Technology, lists the many benefits of blockchain. "[It] helps in improving the rate of processing transactions by reducing decision making time, thus resulting in reduced cost of processing and enhanced transparency of decisions to all the participating nodes," says Dr A.S. Ramasastri, director at IDRBT. "As BCT brings transparency to the system, availability of audit trails brings in the necessary control and trust to the participating members which may help improve the services through continuous innovation."
Yet, while there is little doubt of the potential use cases of blockchain in the information security space, experts say that many security practitioners have yet to fully understand its applicability. As a result, despite it being touted as a world-changing technology, there are only a few cited use cases of blockchain in the cybersecurity space.
The problem is, despite the hype at security conferences, blockchain isn't the new cybersecurity panacea. "If we look at blockchain, it was designed to solve problems found in cryptocurrencies," says Zulfikar Ramzan, CTO at RSA. "Today people are looking to find its applications outside of cryptocurrencies. Unfortunately people get excited by buzzwords and hype. Many a times the problem with blockchain is people look at the solution [blockchain] and then look at problems to use it. That's a wrong approach."
Instead, practitioners must ask themselves if they should be using blockchain to solve a problem. "I have seen many cases where security practitioners are looking at blockchain to solve a problem without fully understanding if the problem actually needs blockchain as a technology to solve it," says Ratan Jyoti, CISO at Ujjivan Small Finance Bank. "Yes, the technology is at a nascent stage and people will experiment, but using it just to show the world how advanced they are is just not right."
Not the Correct Choice
While there is no denying the fact that blockchain has qualities such as decentralization, public access and immutability, which makes it unique, the fact is there are many applications that do not need these properties at all. "It is a classic case of a technology being used because it is being talked about so much. In fact many companies are merely using blockchain as a marketing tool without understanding its actual applicability," says one IT manager of a services company in India.
For instance, blockchain is often being talked about in securing internet of things, or IoT. However, some security experts don't believe blockchain in its current form is the right technology for IoT.
"Blockchain for me is ideally suited for settings in which you are trying to manage digital identifiers, not physical goods. So when you are talking about IoT and blockchain, you are expecting the technology to manage physical devices," says Ramzan. "What this means is that at some point you have to take this physical device and assign it a digital identifier device and have that blockchain capability manage that digital identifier," he says. "The problem in securing this physical-digital interface can be difficult in real life."
Companies specializing in blockchain solutions and implementation are receiving broad requests for implementation of blockchain. "Many a times we need to educate them on use cases of blockchain. For instance, it makes little sense to use it where there are just two parties involved," says Ashish Agarwal, blockchain head and advisor at Signzy, a blockchain solution and implementation company. "There is a view that the entire government function can be on blockchain. This is far-fetched. While blockchain can definitely be implemented in some areas, to expect all government functions to be on blockchain is impractical, as government entails broader functions which are beyond the scope of blockchain."
There are others who feel that though blockchain can be used in multiple cases, people must not forget that the main aim of any technology is to make things simple. "What I have seen is blockchain is getting used in places where there are other technologies which are much lower in cost and simpler to use," says one Bengaluru-based chief operating officer of a company working on blockchain. "I have communicated to many clients the same, but some are hell bent on using blockchain so that they can show the world they are already ahead in with the technology."
Practitioners say blockchain isn't suitable for small network sizes and requires a large and robust network to capitalise on its benefits.
"Bitcoin, which is one of the well-known implementations of blockchain, is highly resource intensive and processes only seven transactions per second, making it slow and inefficient in usage of resources," says C.N. Shashidhar, founder and CEO at SecurIT Solutions, a cybersecurity consultancy firm.
"Certain implementations of blockchain like bitcoin suffer from a "51 percent attack," which means that more than half the users can manipulate it their way by acting in concert. Hence bitcoin mining activity is carefully watched to avoid this manipulation from taking place," he says. Furthermore, blockchain is not suited for high volume, low value transactions.
"The Telecom Regulatory Association of India is currently evaluating blockchain for various use cases like customer validation, call drop issues, duplication of SIM cards etc," says Agarwal.
But as RSA's Ramzan cautions, we are still in the experimental stages with blockchain. "In due course of time new applications will come about that will be more ideally suited for blockchain. But in the meanwhile, blockchain is often not the right technology to use."