Blockchain governance - Even if Blockchain is secure (often moot), its whole ecosystem needs governance.

Content Copyright © 2018 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

Cryptocurrencies are a bit of a joke at the moment, whatever their long-term future. Fraud, cybertheft, put-downs from the regulators and dodgy use cases (money laundering, ransomware etc) are bad enough, but sometimes exchanges apparently just “lose” cryptocoins: see here.

Blockchain (the technology behind cryptocurrencies), however, is not any sort of a joke. And not just because simply renaming one’s company with “blockchain” in the name seems to markedly increase its value: here.

Friends of mine in the BCS CMSG are convinced that Blockchain has a future – see the PDF here (BCS members only) or book the workshop here – as a distributed asset register for (in essence) Agile or Mutable Configuration Management – mutable CM, that is, that can cope with the rate of change typical of modern automated business environments.

I think that Blockchain governance, which isn’t talked about much (yet), will be key to its success in this role. There is a Japanese girl band that sings about the importance of not losing one’s private key to one’s cryptocoins; I’d be happier to hear them singing about 2-factor authentication and about the importance of policy-managed, controlled access to the Blockchain. Perhaps it’s difficult to make that scan – but I believe that the Virtual Currency Girls themselves may have lost out in one of the recent cryptocoin scandals.

Potential Blockchain issues include the “51% attack” where over half the nodes are induced to agree on a corrupted transaction. Not impossible to arrange, I’d have thought, in these days of botnets and state-sponsored hacking. But there are other possible issues – how do you manage a blockchain that grows without limit; how do you enforce policies for what goes on a blockchain; is latency an issue (how long does it take for all occurrences of the blockchain to come into synch?); “deletion” of transactions in error is a problem (since you can’t delete off the blockchain, how long does it take for a transaction correcting an error to get everywhere?); guaranteed performance would be useful (cryptocoin exchanges have been known to overload); authentication of people allowed to use a blockchain might be a good idea; and, of course, there is the quantum computing issue (Blockchain needs to get into “quantum encryption” before someone works out how to factor large almost-primes easily). Many of these issues are now being recognised and addressed, by companies such as Blocksafe Technologies (see below).

I’m not really interested in public cryptocurrencies here. Most business Blockchain ecosystems will be Private or “Permissioned”: permission is required for a user to read the information on the blockchain and conduct transactions; and nodes that perform the mining are defined by the entity that manages the private blockchain. Here, the biggest issue is probably authentication and the biggest threat the malware (keyboard loggers etc) that infects many desktops and mobile devices, possibly looking out specifically for wallet-type activities.

Whatever the issues with any particular blockchain technology (and the technology will evolve and improve), Blockchain has huge potential for distributed ledger applications in business generally (far beyond just cryptocurrencies). However, in order to be useful to the business, Blockchains will usually be private to that business (“permissioned”) and will be part of a well-governed ecosystem. This ecosystem must control who has permission to put transactions on the blockchain, and must secure the endpoints (digital wallets or whatever) against attack.

One of the chief issues around a secure technology (such as Blockchain is capable of being) is that it becomes trusted – and if someone puts corrupt garbage into it, the garbage that comes out is probably trusted too. BlockSafe CEO Rich Zaziski says: “Our goal is to secure the blockchain ecosystem with a suite of distinct solutions that protect against an array of cyber vulnerabilities. We plan to secure private blockchains with the Blockchain Defender that acts as a gateway to a blockchain and authenticates transactions, scans transaction data for malicious content and mitigates DDoS attacks. We also aim to secure desktop and mobile crypto wallets with Crypto Defender which takes a proactive and preventative approach in protecting crypto wallets, versus a reactive approach, which is usually easy to thwart”. I think that some such governance technology is badly needed, and sooner rather than later.

Blockchain is a big topic and some of its concepts can be complex. There is a useful repository of Blockchain information here. This looks pretty useful to me, but always remember that Blockchain is at the top of its hype curve and even good quality information is usually emanating from someone who has wholly “bought into” the Blockchain and Cryptocurrency concepts and is therefore not exactly disinterested. When hype is around, Buyer Beware takes on a new importance!

For private mutable business applications, you should look for things like out-of-band and token-based two-factor authentication services (to help you protect access to the Blockchain); policy management services; and a rules engine (so you can automate workflows around your blockchain). Without these or similar services, we don’t think that a business will be able to defend a Blockchain ecosystem as “fit for purpose” – but many experimental Blockchain ecosystems today haven’t achieved this level of governance yet.

In summary, I guess, Blockchain has many potential applications (the Blocksafe Alliance – nothing to do with Blocksafe Technologies – seems to be a bit fixated on US gun control, for example) but customers for Blockchain should ensure that their chosen solution supports mutable business and must look beyond Blockchain itself to the whole ecosystem around it and its “good governance” – or otherwise…