No such blandishments, however, have accompanied predictions about the viability of the blockchain technology that underlies cryptocurrencies. Indeed, keen interest in blockchain’s potential has resulted in a beehive of development activity.
The Enterprise Ethereum Alliance now boasts more than 200 members and 17 working groups focused on establishing standards for projects adopting the technology. At the same time, the Linux Foundation’s Hyperledger group counts 231 organizations working on more than 400 projects.
“The theory of blockchain is sound. The cryptography is sound. And the computer science behind it is sound,” Huseby said. “Bitcoin proves that global-scale blockchain applications that are secure can be built. The security models for blockchain, however, are really different from what people are familiar with.”
Enterprise blockchain projects mostly remain in the proof-of-concept stage, run by early adopters in a variety of industries. Financial services companies, which were among the first to test out the technology, are running pilot programs that focus on interbank clearing of transactions in near real time. The healthcare and shipping industries are testing blockchain technology as a way to track medicine and other goods through the supply chain. Even providers of sustainable seafood are trying their hand at using the blockchain to establish the provenance of the produce they sell.
Yet, the security of applications relying on the blockchain can be complex. One site that tracks such failures, the Blockchain Graveyard, has documented 54 compromises of cryptocurrencies, exchanges, and wallet software.
“There is a lot to be learned from how poorly the implementations have been done,” said Marta Piekarska, director of ecosystem for the Linux Foundation. “The protocols are good and the technology is sound. But what we have been observing is that the implementation and usability have been failing.”
Companies need to understand not just the advantages of blockchain technology, but also the disadvantages and the problems that come along with it, she said.
Encryption and Key Management
Unlike the credential-based security—think usernames and passwords—with which most information-security managers are familiar, the blockchain relies on public- and private-key infrastructure and inherits the management issues of that technology.
“This kind of security model has a very difficult user interface and set of problems,” said Hyperledger’s Huseby. “It requires the end user to have to manage their encryption keys, and key material is very sensitive data, and there is a lot of mistakes that people have in dealing with that.”
Managing encryption keys is a difficult problem. That complexity means that getting the security right is difficult, according to Saurabh Shintre, a principal researcher with Symantec Research Labs.
“It is very easy to make a mistake when implementing the technology,” he said.
Public, Private Blockchains and Security Models
While each record in the blockchain is secured by encryption, the way that transactions on the blockchain are verified is determined by whether the blockchain is public or private. Public blockchains rely on consensus to prevent fraud, but require a great deal of processing power, and generally need a currency—such as Bitcoin—to reward the infrastructure owners.
For example, the advertising technology firm, Verasity, uses a public blockchain and a fiat currency called Veracoin to create a way that advertisers can determine legitimate views of the video content. A public blockchain with anonymized information on ad views gives anyone the ability to check
“For advertisers, it is great,” said David Orman, CEO of Verasity. “You can check the ledger and look for anything suspicious or anything that does not add up.”
On the other hand, private blockchains rely on permitted nodes in the network to verify transactions.
The problems will be worked out. But companies that are joining the early adopters need to focus not just on the security of the technology, but also on the security of the infrastructure and on testing their management and monitoring processes.
Because, even with the uncertainties in security, blockchain is set to grow.
“We are just at the start of the blockchain,” said Verasity’s Orman. “Just with existing technology, you are doing something already unique and different. And it is continuing to evolve, so between 18 months and 36 months from now, you will see a variety of new applications and businesses.”