Blockchain governance – Even if Blockchain is secure (often moot), its whole ecosystem needs governance.

Cryptocurrencies are a bit of a joke at the moment, whatever their long-term future. Fraud, cybertheft, put-downs from the regulators, dodgy use cases (money laundering, ransomware etc.) are bad enough, but sometimes exchanges apparently just “lose” cryptocoins: see here.

Blockchain (the technology behind cryptocurrencies), however, is not any sort of a joke. And not just because simply renaming one’s company with “blockchain” in the name seems to markedly increase its value: here.

Friends of mine in the BCS CMSG are convinced that Blockchain has a future – see the PDF here (BCS members only) or book the workshop here – as a distributed asset register for (in essence) Agile or Mutable Configuration Management – mutable CM, that is, that can cope with the rate of change typical of modern automated business environments.

I think that Blockchain governance, which isn’t talked about much (yet) will be key to its success in this role. There is a Japanese girl band that sings about the importance of not losing one’s private key to one’s cryptocoins; I’d be happier to hear them singing about 2-factor authentication and about the importance of policy-managed, controlled access to the Blockchain. Perhaps it’s difficult to make that scan – but I believe that the Virtual Currency Girls themselves may have lost out in one of the recent cryptocoin scandals.

Potential Blockchain issues include the “51% attack” where over half the nodes are induced to agree on a corrupted transaction. Not impossible to arrange, I’d have thought, in these days of botnets and state-sponsored hacking. But there are other possible issues – how do you manage a blockchain that grows without limit; how do you enforce policies for what goes on a blockchain; is latency an issue (how long does it take for all occurrences of the blockchain to come into sync?); “deletion” of transactions in error is a problem (since you can’t delete off the blockchain, how long does it take for a transaction correcting an error to get everywhere?); guaranteed performance would be useful (cryptocoin exchanges have been known to overload); authentication of people allowed to use a blockchain might be a good idea; and, of course, there is the quantum computing issue (Blockchain needs to get into “quantum encryption” before someone works out how to factor large almost-primes easily). Many of these issues are now being recognised and addressed, by companies such as Blocksafe Technologies (see below).

I’m not really interested in public cryptocurrencies here. Most business Blockchain ecosystems will be Private or “Permissioned”: permission is required for a user to read the information on the blockchain and conduct transactions; and nodes that perform the mining are defined by the entity that manages the private blockchain. Here, the biggest issue is probably authentication and the biggest threat the malware (keyboard loggers etc) that infects many desktops and mobile devices, possibly looking out specifically for wallet-type activities.

Whatever the issues with any particular blockchain technology (and the technology will evolve and improve), Blockchain has huge potential for distributed ledger applications in business generally (far beyond just cryptocurrencies). However, in order to be useful to the business, Blockchains will usually be private to that business (“permissioned”) and will be part of a well-governed ecosystem. This ecosystem must control who has permission to put transactions on the blockchain, and must secure the endpoints (digital wallets or whatever) against attack.

One of the chief issues around a secure technology (such as Blockchain is capable of being) is that it becomes trusted – and if someone puts corrupt garbage into it, the garbage that comes out is probably trusted too. BlockSafe CEO Rich Zaziski says: “Our goal is to secure the blockchain ecosystem with a suite of distinct solutions that protect against an array of cyber vulnerabilities. We plan to secure private blockchains with the Blockchain Defender that acts as a gateway to a blockchain and authenticates transactions, scans transaction data for malicious content and mitigates DDoS attacks. We also aim to secure desktop and mobile crypto wallets with Crypto Defender which takes a proactive and preventative approach in protecting crypto wallets, versus a reactive approach, which is usually easy to thwart”. I think that some such governance technology is badly needed, and sooner rather than later.

Blockchain is a big topic and some of its concepts can be complex. There is a useful repository of Blockchain information here. This looks pretty useful to me, but always remember that Blockchain is at the top of its hype curve and even good-quality information is usually emanating from someone who has wholly “bought into” the Blockchain and Cryptocurrency concepts and is therefore not exactly disinterested. When hype is around, Buyer Beware takes on a new importance!

For private mutable business applications, you should look for things like out-of-band and token-based two-factor authentication services (to help you protect access to the Blockchain); policy management services; and a rules engine (so you can automate workflows around your blockchain). Without these or similar services, we don’t think that a business will be able to defend a Blockchain ecosystem as “fit for purpose” – but many experimental Blockchain ecosystems today haven’t achieved this level of governance yet.
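As an added illustration of the governance layer argued for above (a gateway that decides who may write and what policy allows, and error correction that appends rather than deletes), here is a constructed, minimal permissioned ledger; it is not code from the original post or from any vendor it mentions. The participant names, shared secrets and policy limit are assumptions for the example; a real deployment would put the out-of-band or token-based second factor and a policy service where the HMAC check and the fixed limit sit here.

```python
import hashlib, hmac, json
PARTICIPANTS = {"alice": b"alice-key", "bob": b"bob-key"}  # constructed registry, hypothetical secrets
POLICY_MAX_AMOUNT = 1000  # constructed policy limit enforced by the gateway

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def sign(tx, key):
    # The endpoint (wallet) authenticates a transaction with an HMAC over its canonical form.
    return hmac.new(key, canon(tx), hashlib.sha256).hexdigest()

def gateway_check(tx, tag):
    # The gateway in front of the permissioned chain decides who may write and what policy allows.
    key = PARTICIPANTS.get(tx.get("from"))
    if key is None:
        return "reject: unknown party"
    if not hmac.compare_digest(sign(tx, key), tag):
        return "reject: bad authentication"
    if abs(tx.get("amount", 0)) > POLICY_MAX_AMOUNT:
        return "reject: exceeds policy limit"
    return "ok"

class Ledger:
    def __init__(self):
        self.chain = [{"index": 0, "prev": "0" * 64, "tx": None}]

    def append(self, tx, tag):
        verdict = gateway_check(tx, tag)
        if verdict == "ok":
            prev = hashlib.sha256(canon(self.chain[-1])).hexdigest()
            self.chain.append({"index": len(self.chain), "prev": prev, "tx": tx})
        return verdict

    def correct(self, index, key):
        # Nothing is deleted: an erroneous entry is reversed by a compensating transaction.
        bad = self.chain[index]["tx"]
        fix = {"from": bad["from"], "to": bad["to"], "amount": -bad["amount"], "corrects": index}
        return self.append(fix, sign(fix, key))

    def verify(self):
        # Detects tampering with stored blocks; it cannot flag bad data the gateway admitted.
        return all(self.chain[i]["prev"] == hashlib.sha256(canon(self.chain[i - 1])).hexdigest()
                   for i in range(1, len(self.chain)))
    def balances(self):
        totals = {}
        for tx in (b["tx"] for b in self.chain[1:]):
            totals[tx["from"]] = totals.get(tx["from"], 0) - tx["amount"]
            totals[tx["to"]] = totals.get(tx["to"], 0) + tx["amount"]
        return totals
```

Note that `verify()` only proves the stored blocks have not been altered since they were written; a transaction the gateway wrongly admitted is just as permanently trusted, which is why the admission policy matters more than the hash chain.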

In summary, I guess, Blockchain has many potential applications (the Blocksafe Alliance – nothing to do with Blocksafe Technologies – seems to be a bit fixated on US gun control, for example) but customers for Blockchain should ensure that their chosen solution supports mutable business and must look beyond Blockchain itself to the whole ecosystem around it and its “good governance” – or otherwise…

David Norfolk

My current main client is Bloor Research International, where I am Practice Leader with responsibility for Development and Governance. I am also Executive Editor (on a freelance basis) for Croner's IT Policy and Procedures (a part-work on IT policies). I am also on the committee of the BCS Configuration Management Specialist Group (BCS-CMSG). I became Associate Editor with The Register online magazine – a courtesy title as I write on a freelance basis – in 2005. Register Developer, a spin-off title, started at the end of 2005, and I was launch editor for this (with Martin Banks). I helped plan, document and photograph the CMMI Made Practical conference at the IoD, London in 2005. I have also written many research reports including one on IT Governance for Thorogood. I was freelance Co-Editor (and part owner) of Application Development Advisor (a magazine, now defunct) for several years. Before I became a journalist in 1992, I worked for Swiss Bank Corporation (SBC). At various times I was responsible for Systems Development Method for the London operation, the Technical Risk Management framework in Internal Control, and was Network Manager for Corporate group. I carried out a major risk evaluation for PC systems connecting across the Bank’s perimeter to external systems and prioritised major security issues for resolution by the Bank’s top management in London. I also formulated a Security Policy for London Branch and designed a secure NetWare network for the Personnel Dept. Before 1988 I was an Advisory Systems Engineer in Bank of America, Croydon in database administration (DBA) on COBOL-based IMS business systems. Before 1982, I worked in the Australian Public Service, first as a DBA in the Dept of Health (responsible for IMS mainframe systems) and latterly as a Senior Research Officer 2 in the Bureau of Transport Economics.
Specialties: I have the ability to extract the essence of significant technical developments and present it for general consumption, at various levels, without compromising the underlying technical truth.

CIO WaterCooler