FEATURE: BLOCKCHAIN
occur outside of the business logic itself.
Let’s start with this basic diagram and
simplified workflow:
1. The application’s business logic approves
an entry into the blockchain. Without
any additional PAM protection, the entry
would occur through Transport A and
potentially could be tampered with since
no additional validation is present.
2. The business logic of the application
instead requests a one-time password
or key from the PAM solution. This
//////////////////////////////////////////////////////////////////////////
7. Password Safe then resets the user’s
write-able account to a scrambled and
unusable password or key by any other
application to prevent rogue entries.
Only the business logic can request a
valid key or password, securely, for the
next valid transaction.
While this workflow assumes a high-level of
confidence in business logic and an application
from tampering, it prevents a threat actor from
maliciously reading and potentially writing to
a blockchain. Since blockchains are inherently
AS THE BUSINESS COMMUNITY
BEGINS EMBRACING BLOCKCHAINS
FOR BUSINESS APPLICATIONS, THEN
SECURITY MUST BECOME PARAMOUNT
CONCERN DUE TO ITS REPLICATION AND
ABILITY TO ACCESS LEDGER ENTRIES.
not a high-volume storage medium, you would
only expect a few transactions per second and
lag times are not critical to this process. This
is nothing like the millions of transactions a
second you would expect from an Oracle, IBM,
or Microsoft database.
The security of the workflow is therefore
managed in two parts – the business logic
to approve an entry and the password safe
technology to provide authentication for
a new entry. Both must be satisfied for a
write (or even a read if implemented) to
secure the contents of the ledger. As the
business community begins embracing
blockchains for business applications, then
security must become paramount concern
due to its replication and ability to access
ledger entries. Basic cybersecurity hygiene
for privileged access management and
password management can help make
implementations secure above and beyond
traditional database implementations,
since once something is committed to the
ledger, it will always be present. This twist
on security is why securing your blockchain
implementation is different than anything
we have implemented in the past. n
credential is valid for only one
transaction (insertion or read) and
can have additional access control
parameters specified:
w w Source of blockchain ledger entry
w w Time to Live
w w Linkage to external logging or
other applications
3. The privileged password
management solution (Password
Safe) then sets a one-time password or
key in the blockchain application that
has permission to write into the ledger.
This could be a privileged user with write
permissions but its password or key is
managed by the password safe itself.
Once it is used, it is reset or invalidated.
4. The key or password, once set for the
blockchain user, is then sent back to the
business logic.
5. The business logic then uses Transport
A with the one-time credentials to insert
the ledger entry.
6. Once complete, the business logic
informs the Password Safe the task
is complete and that the one-time
password should be terminated.
62
INTELLIGENTCIO
www.intelligentcio.com