CIO

Blockchain, IoT pose risk and security headaches if privileged accounts aren’t controlled

New distributed-ledger and Internet of Things (IoT) technologies gaining ground but lax security could create new problems

Blockchain distributed-ledger technology is opening up new frontiers for financial services and other companies, but security specialists are pushing for early action on both blockchain and related account-management technologies to avoid the punishing security breaches being seen due to Internet of Things (IoT) shortcomings.

Despite its inherently secure design – blockchain is the core mathematical mechanism at the heart of the Bitcoin virtual currency – businesses seeking to employ the distributed-ledger tool for other uses need to tightly control access to those ledgers, CyberArk APJ senior director of presales Jeffrey Kok told CSO Australia.

“One of the key changes that people have overlooked is the protection of who gets to write to the ledger,” Kok explained, noting that writing to the ledgers is protected by a digital certificate or private key.

“If you don’t have the right protections around those, then the wrong people can get to the transactions and cause problems. The ledger is about the people who have the key to amend the ledger – but this is currently not well protected.”
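Kok's point is that the write privilege on a permissioned ledger is simply possession of a signing key, so key custody, registration and revocation are the access control. The following is an added example, not code from CyberArk or from any ledger product, that makes that mechanism concrete: a minimal append-only ledger that accepts an entry only when it carries a valid signature from a currently registered writer, logs every accepted and rejected attempt, and fails closed as soon as a writer is revoked. It assumes a per-writer HMAC secret as a stand-in for the writer's private key (real ledgers use asymmetric signatures, but the control point is the same), and the class and function names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a per-writer HMAC secret stands in for the writer's private key.
# Whoever holds the writer key can append, so custody of that key is the
# privileged access that has to be controlled.

GENESIS_HASH = "0" * 64


def entry_hash(prev_hash: str, writer: str, payload: dict) -> str:
    """Hash of an entry, bound to the previous entry so the chain is tamper-evident."""
    material = json.dumps(
        {"prev": prev_hash, "writer": writer, "payload": payload}, sort_keys=True
    )
    return hashlib.sha256(material.encode()).hexdigest()


def sign(secret: bytes, prev_hash: str, writer: str, payload: dict) -> str:
    """What a writer's signing tool produces; binding prev_hash stops replay at a later head."""
    msg = entry_hash(prev_hash, writer, payload).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    prev_hash: str
    writer: str
    payload: dict
    signature: str
    hash: str


class PermissionedLedger:
    """Append-only ledger where only registered writer keys may add entries."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self._writers: dict[str, bytes] = {}          # writer id -> signing secret (the privilege)
        self.audit: list[tuple[str, str, str]] = []   # (outcome, writer, reason) for every attempt

    @property
    def head_hash(self) -> str:
        return self.entries[-1].hash if self.entries else GENESIS_HASH

    def authorize_writer(self, writer: str, secret: bytes) -> None:
        self._writers[writer] = secret

    def revoke_writer(self, writer: str) -> None:
        # A key that is no longer trusted must stop working immediately.
        self._writers.pop(writer, None)

    def append(self, writer: str, payload: dict, signature: str) -> bool:
        """Accept the entry only if the writer is registered and the signature is valid."""
        secret = self._writers.get(writer)
        if secret is None:
            self.audit.append(("rejected", writer, "writer not authorized"))
            return False
        expected = sign(secret, self.head_hash, writer, payload)
        if not hmac.compare_digest(expected, signature):
            self.audit.append(("rejected", writer, "bad signature"))
            return False
        prev = self.head_hash
        self.entries.append(
            Entry(len(self.entries), prev, writer, payload, signature,
                  entry_hash(prev, writer, payload))
        )
        self.audit.append(("accepted", writer, "ok"))
        return True

    def verify_chain(self) -> bool:
        """Recompute every hash link; any edited or reordered entry breaks the chain."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.hash != entry_hash(prev, e.writer, e.payload):
                return False
            prev = e.hash
        return True
```

Two design choices carry the security point: the signature covers the current head hash, so a captured signature cannot be replayed once the ledger has moved on, and every rejected attempt lands in the audit list, which is the record a privileged-account monitoring tool would consume.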

Application access needs to be equally protected, since much of the activity in any blockchain deployment will be managed without human intervention. Yet businesses are struggling to apply the necessary discipline across their environments, with one study finding that 83 percent of businesses faced challenges in fixing sloppy practices around privileged-account security (http://www.cso.com.au/article/589085/organizations-sloppy-about-securing-privileged-accounts/) and another recent survey suggesting that 52 percent of responding CISOs gave themselves a failing grade on enforcement of proper privileged account controls (http://www.cso.com.au/article/603994/businesses-failing-secure-privileged-accounts/).

Blockchain’s legitimacy as a business tool has grown quickly this year – particularly in the financial services industry (http://www.computerworlduk.com/it-business/how-technology-will-transform-banking-in-2016-blockchain-digital-banks-iot-3631853/) – with Deutsche Bank recently moving a blockchain project out of the proof-of-concept stage (http://www.cso.com.au/article/602045/deutsche-bank-moves-blockchain-project-proof-concept-stage-voices-concerns-distributed-ledger-technology/) and Chicago’s Cook County this month committing to test blockchain-based property title transfers (https://bitcoinmagazine.com/articles/chicago-s-cook-county-to-test-bitcoin-blockchain-based-public-records-1475768860).

With automated tools readily available for improving the account-management process, businesses hoping to tap into the potential of blockchain or IoT environments must first get on top of their access controls or risk endangering the integrity of the core financial processes they are seeking to revolutionise.

Gartner recently recognised the risks that the new technology creates, with research director Jonathan Care noting in a recent thought piece (http://www.gartner.com/smarterwithgartner/blockchain-combines-innovation-with-risk/) that “it is difficult to construct a detailed threat model on which to perform a risk assessment” over blockchain. Lack of standards, regulation and oversight presented additional risks that CISOs and corporate risk managers would need to address in any application of the technology to the core business.

With privileged-account management practices still wanting within most organisations, Kok highlighted the potential role of behavioural analytics to complement security practices around blockchain and IoT. By detecting when a particular user accesses blockchain-related systems in a way that departs from that user's normal pattern, he says, the access could be flagged as an anomaly and appropriate action taken before serious problems develop.

“You need to think about a new layer of defence,” Kok explains. “Predominantly, the IT security paradigm believes in blocking protection. But you need to assume that your perpetrator is inside the network and how else you can protect against this rather than the traditional ways. If some malicious criminal has gotten entry to a machine, someone should know about it.”
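The behavioural-analytics layer Kok describes amounts to a baseline of which accounts use ledger-signing keys, where and when, with any departure raised as an alert. The block below is an added example, not code from CyberArk or from any product mentioned in the article: it parses constructed access-log lines, learns per-account (user, host) pairs and usual hours from a baseline window, and flags a later window's key uses that come from an unseen account/host pair or fall outside the account's observed hours. The log format, host names and account names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption): one key-use or login event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed baseline window: the service account signs from one host in business hours,
# and one administrator occasionally uses the admin host.
BASELINE_LOG = """\
2016-10-03T09:12:44Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
2016-10-03T14:30:02Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
2016-10-04T10:05:19Z user=alice host=ledger-admin-01 action=key_use result=success
2016-10-04T16:48:51Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
2016-10-05T11:02:07Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
"""

# Constructed detection window: one normal use, one use at 03:00, and a never-seen
# account using the signing key on the signer host.
NEW_LOG = """\
2016-10-12T11:20:33Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
2016-10-12T03:14:07Z user=svc-ledger host=ledger-signer-01 action=key_use result=success
2016-10-12T03:15:41Z user=bob host=ledger-signer-01 action=key_use result=success
2016-10-12T03:16:02Z user=bob host=ledger-signer-01 action=login result=success
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed input is skipped, not trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def build_baseline(events: list) -> dict:
    """Learn which (user, host) pairs use signing keys, and at which hours each user does so."""
    baseline = {"pairs": set(), "hours": defaultdict(set)}
    for e in events:
        if e["action"] != "key_use":
            continue
        baseline["pairs"].add((e["user"], e["host"]))
        baseline["hours"][e["user"]].add(e["ts"].hour)
    return baseline


def detect(events: list, baseline: dict) -> list:
    """Flag key uses that depart from the baseline; returns (timestamp, user, host, reason) tuples."""
    alerts = []
    for e in events:
        if e["action"] != "key_use":
            continue
        reasons = []
        if (e["user"], e["host"]) not in baseline["pairs"]:
            reasons.append("first key use by this account on this host")
        usual_hours = baseline["hours"].get(e["user"])
        # An account with no history already trips the first-use rule; only
        # compare hours for accounts the baseline actually knows.
        if usual_hours is not None and e["ts"].hour not in usual_hours:
            reasons.append("outside this account's usual hours")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["host"], "; ".join(reasons)))
    return alerts


def run_demo() -> list:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, host, reason in run_demo():
        print(f"{ts} {user}@{host}: {reason}")
```

The baseline is deliberately narrow (exact host pairs and hour-of-day sets) so that the example stays readable; a production tool would smooth hours into windows, age out old observations and weight by frequency. The property that matters for the article's argument is unchanged: a key use that no established account has ever made from that host, or that a known account makes at an unusual time, is surfaced as a discrete alert rather than disappearing into the success log.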