Blockchain definitions vary by source, but at its essence, blockchain is a continually expanding list of digital records of information in the form of “blocks” that are linked in a “chain” by using cryptography.
To break it down further, each block has a unique cryptographic signature (hash) and includes a timestamp and detailed transaction data. This data provides an unmodifiable audit trail of evidence that the transaction existed when the block was created (hashed). When a block reaches its storage limit, the block is closed and then linked to the previously filled block. This forms the “chain” with each block containing the previous block’s data. Nodes communicate on networks and validate each new block and this verification is available in a digital distributed ledger.
Due to this cryptographic linking, blockchains are resistant to modification because the data in any block cannot be altered without altering every single block in the chain. This makes the blockchain technology very desirable due to its cryptographic complexity, which is why Bitcoin and cryptocurrency is the first thing to come to everyone’s mind when discussing the topic. Bitcoin uses blockchain technology to maintain a secure record through decentralized digitized transactions guaranteeing the integrity of the data. More recently, blockchain technology is famously (infamously) used as the backbone for NFTs (nonfungible tokens) acting as a digital receipt for purely digital one-of-a-kind assets.
Types of Blockchain:
Over the past few years, blockchain technology has evolved (and continues to evolve) into different types. Common types include:
Public – Permissionless. Anyone on the internet can access the blockchain and create new blocks of data and validate blocks of data. Distributes the transactions to all nodes, and all nodes have equal access rights. Fully decentralized.
Private – Permissioned. Allows only selected and verified users to access the environment. The Security Admin can restrict users regarding what users are permissioned to see. Nodes don’t have to be equal, as the Security Admin can restrict access rights.
Hybrid - The best of both worlds. Allows for specific permissions to be allocated to specific users but certain transactions require oversight by the public blockchain.
Business use cases:
Supply chain management – provide a secure platform for all parties and reduce errors.
Financial transaction, data recording and trading – faster processing and reduced risk of error.
Loans utilizing digital assets – use cryptocurrency as collateral for loans.
How can I secure my blockchain environment?
Just like any other digitally maintained environment and/or application, good controls need to be in place to prevent internal and external bad actors from performing malicious actions. While blockchain itself is a secure technology, proper access management, change management and risk management (including monitoring) controls are needed for managing blockchain systems. Without adequate controls, hackers could gain access to supporting systems and create business disruptions and data integrity concerns. To help prevent this review the following:
Ensure that Zero-Trust Framework and Smart Contracts and Cryptographic Keys are properly configured.
Ensure that highly privileged access is tightly restricted.
Ensure that proper user access, logging, monitoring, alerting, incident and breach response controls are in place.
Ensure that your existing policies and procedures include your use of blockchain.
Ensure that staff are trained on blockchain and blockchain security best practices.
Ensure that you’re testing for positive and negative results prior to production rollout. Regularly perform regression testing to ensure continued operating effectiveness and detect any vulnerabilities early and often.
Ensure that regularly reoccurring penetration testing is performed.
How can I ensure that my blockchain environment is secure?
1. SOC Report – Have an independent external third-party review of your environment.
Schneider Downs employs a unique approach to System and Organization Controls (SOC) reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we effectively deliver on our clients' needs and expectations for the SOC report – including our expert understanding of blockchain environments and controls. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.
About SOC 2 Reports
With SOC 2 reports, organizations decide which categories to include in the scope of the SOC examination. This flexibility means that reports are unique to each organization, while also providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.
2. Cybersecurity Penetration Testing – Have an independent external third-party perform penetration testing.
About Schneider Downs Cybersecurity Services
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
Schneider Downs Digital Forensics and Incident Response teams are available 24/7/365 at 1-800-993-8937 if you suspect that you have been hacked or you are experiencing a network incident of any kind. Call 1-800-993-8937 immediately for intervention and diagnostics. Or for best practice, plan ahead or understand your options in case of a cybersecurity breach: Digital Forensics and Incident Response
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.