KuppingerCole Report
Advisory Note
By Mike Small

Blockchain and Risk

A blockchain is a data structure, originally used by bitcoin, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. This technology is seen by many as the basis for creating distributed ledgers for a wide range of applications. This report considers the risks associated with the use of this technology and recommends an approach to managing these risks.

1 Management Summary

A blockchain is a data structure, originally used by bitcoin, that maintains a growing list of transaction records in a way that is extremely resistan ...


2 Blockchain and Distributed Ledgers

A distributed ledger is essentially a record of transactions that can be shared across a network of multiple physical locations and organizations. Al ...


2.1 Blockchain

The technology that underlies distributed ledgers is the blockchain, which was invented to support the Bitcoin digital currency. The key objectives of ...

The Bitcoin blockchain exploits three previously existing ideas to create a transaction log that is trustworthy and is very resistant to tampering.
...


2.2 Kinds of Ledgers

The blockchain technology makes it possible to create a ledger that can be distributed across many locations and organizations but there are different ...

Traditional Single Ledger – A ledger is a record of transactions. In a traditional ledger these records are held in a single book. The entities whos ...


2.3 Beyond Blockchain

Blockchain, as applied to Bitcoin, is relatively inflexible but the idea can be extended to include the ability to include programs in transactions. ...


3 Blockchain and Risk

Blockchain and the underlying technologies provide protection against certain kinds of risks. In the case of Bitcoin, the objectives were to enable a ...


3.1 What is Risk?

The word risk is in common use and means different things to different people. In its common use the word risk is related to “exposure to danger” ...


3.2 Types of Risks

There are various kinds of risk faced by organizations. To help to understand the different categories of risk, ISO Guide 73:2009 identifies three type ...


3.2.1 Hazard Risks

A useful way to consider hazard risks is by looking at threats and vulnerabilities. This process starts by identifying assets (i.e. things of value) ...

Blockchain and the underlying technologies are designed to protect against a variety of hazard risks. However, like any new technology, it may be susc ...


3.2.2 Control Risks

When running projects, implementing changes or outsourcing activities there is an inherent element of uncertainty. For example: the project may run o ...


3.2.3 Opportunity Risks

Opportunities provide the possibility of benefits but usually come with risks. For example: there may be uncertainty around the exact level of the be ...


4 Risks Mitigated by Blockchain

Blockchain and its underlying technology are designed to protect against a variety of risks.


4.1 Hazard Risks Mitigated

Hazard risks which are specifically addressed by controls in this technology include:

  • Unauthorized change - The digital signature on the record of ...

4.2 Control Risks Mitigated

Many of the controls that can be used to protect the integrity of data are so complex that it is not practical to apply them to low value, low frequency t ...


4.3 Opportunity Risks

As previously noted blockchain technology provides a new approach to old problems and creates new opportunities. There is a risk that organizations w ...


5 Blockchain Risk Analysis

Analysis of the information security risks associated with the use of a technology starts with an understanding of the assets that may be put at risk. Assessing th ...


5.1 Overview of Risks

The risks identified in this analysis are plotted on a heat map to show their estimated relative likelihood and impact. This illustrates a number of ...

  • Critical risks – with a high likelihood and a very high impact have the potential to disrupt transaction processing or damage integrity. The sys ...

5.2 Assets at Risk

Blockchain technology can be used for a wide range of applications and the information assets put at risk by its use depend upon the nature of the applica ...


5.3 Threats

Wherever there is valuable information there will be a threat to steal or misuse this information. Threat agents may be external such as cyber crimin ...


5.4 Policy and Compliance Risks

This section provides an assessment of the information security risks with a focus on those that are specific to the policy and compliance impacts fro ...


5.4.1 Compliance Failure

Many of the potential applications of blockchain technology are highly regulated by industry bodies and laws. The way in which those regulations and ...


5.4.2 Loss of Governance

Many organizations have invested heavily in processes and technologies to govern their IT systems and related processes. The use of blockchain techno ...


5.4.3 Loss of Business Reputation

Most organizations depend upon information being available, processed correctly, used appropriately and its confidentiality being preserved. Failures ...


5.4.4 Identification of Participants

A public, or un-permissioned, blockchain provides pseudonymity (often called pseudo-anonymity) for the participants performing transactions: activity is traceable to a key, not to a verified identity. This may not be acceptable for certa ...


5.5 Technical Risks

This section provides an assessment of the information security risks with a focus on those related to the technical aspects of the u ...


5.5.1 Software Platform Vulnerabilities

The integrity of a distributed ledger is determined by the software platform upon which it runs. Any vulnerabilities or errors in that platform could ...


5.5.2 Verification Latency

There is a delay between a transaction being registered and the time at which a relying party can trust it. This is due to the aggregation of transacti ...
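As an added illustration of why a relying party waits for several block confirmations before trusting a transaction (this code is written for this page and is not taken from the report), the function below computes Nakamoto's estimate, from section 11 of the Bitcoin whitepaper, of the probability that an attacker controlling a fraction q of the hashing power can still replace a block that is already z blocks deep. The second function turns that into a confirmation count for a chosen risk tolerance, which is the figure a relying party actually needs.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Nakamoto's estimate (Bitcoin whitepaper, section 11) of the probability
    that an attacker with fraction q of the hashing power eventually overtakes
    the honest chain once a transaction is z blocks deep.

    p is the honest share. While the honest network mines z blocks the attacker's
    progress is approximated as Poisson with mean z*q/p, and from a deficit of
    (z - k) blocks the chance of ever catching up is (q/p) ** (z - k).
    """
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always wins
    r = q / p
    lam = z * r
    never_catch_up = 0.0
    poisson = math.exp(-lam)            # Poisson term for k = 0
    for k in range(z + 1):
        if k:
            poisson *= lam / k          # iterative update avoids huge factorials
        never_catch_up += poisson * (1.0 - r ** (z - k))
    return 1.0 - never_catch_up


def confirmations_required(q: float, max_risk: float, limit: int = 10_000) -> int:
    """Smallest confirmation depth z whose attacker success probability is below max_risk."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError(f"risk {max_risk} not reachable within {limit} blocks")


if __name__ == "__main__":
    for q in (0.10, 0.30):
        z = confirmations_required(q, 0.001)
        print(f"attacker share {q:.0%}: wait {z} confirmations for < 0.1% risk")
```

The verification latency the report describes is therefore not fixed: it grows with the hashing power an adversary is assumed to hold and shrinks with the loss the relying party is prepared to accept, so a policy should state both assumptions rather than a bare block count.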


5.5.3 Cryptography Implementation Weaknesses

Blockchain technology depends upon three cryptographic functions: Hash or Digest functions, Nonce or random number generators and Asymmetric Encryptio ...


5.5.4 Long Term Cryptographic Strength

The retention period for the log of transactions held in a blockchain may be very long. For some kinds of regulated data retention periods of decades ...


5.5.5 Loss or Compromise of Keys

The integrity of a blockchain transaction is guaranteed by the sender signing it, and the signature can be verified by anyone through the use of private / pu ...


5.5.6 Falsification of Identity

Where it is necessary to identify the actual participants (people or entities) in transactions there needs to be a way to bind the keys used with thos ...


5.5.7 Malware and Targeted Attacks

The infrastructure which supports the blockchain technology is subject to all the usual threats and vulnerabilities, including malware and targeted ...


5.5.8 Change and Administration

The infrastructure which supports the technology needs to be administered and is subject to change; both of these areas have been the source of proble ...


5.5.9 Scalability

The proof of work involved in establishing trust in new entries using the Bitcoin blockchain approach involves guessing a value for a Nonce that yields a Di ...
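The nonce search described here, and the tamper resistance that section 2.1 attributes to the chain of digests, can be seen together in the following added example. It is illustrative code written for this page, not code from the report or from Bitcoin: the JSON header, a single SHA-256 over it and a difficulty expressed as 16 leading zero bits are simplifying assumptions, where Bitcoin hashes an 80-byte binary header with double SHA-256 against a 256-bit target. The example builds a three-block chain, alters an old transaction, and shows that verification fails at the altered block and, after the attacker redoes that block's proof of work, still fails at the next block because its stored prev_hash no longer matches.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Toy difficulty (assumption): a block digest must start with this many zero bits.
DIFFICULTY = 16


@dataclass
class Block:
    index: int
    prev_hash: str            # hex digest of the previous block: the chain link
    transactions: List[dict]
    nonce: int = 0            # the value varied during proof of work

    def header_bytes(self) -> bytes:
        # Canonical serialisation (sorted keys) so every node hashes identical bytes.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def digest(self) -> str:
        return hashlib.sha256(self.header_bytes()).hexdigest()


def meets_target(hex_digest: str, difficulty: int = DIFFICULTY) -> bool:
    # True when the leading `difficulty` bits of the 256-bit digest are zero.
    return (int(hex_digest, 16) >> (256 - difficulty)) == 0


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    # Proof of work: try nonce values until the digest meets the target.
    # Expected cost is about 2**difficulty hashes; checking the result costs one.
    block.nonce = 0
    while not meets_target(block.digest(), difficulty):
        block.nonce += 1
    return block


def append_block(chain: List[Block], transactions: List[dict],
                 difficulty: int = DIFFICULTY) -> Block:
    prev = chain[-1].digest() if chain else "0" * 64
    block = mine(Block(len(chain), prev, list(transactions)), difficulty)
    chain.append(block)
    return block


def verify_chain(chain: List[Block],
                 difficulty: int = DIFFICULTY) -> Tuple[bool, Optional[int]]:
    """Re-derive every link; return (ok, index of the first block that fails)."""
    expected_prev = "0" * 64
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False, i                 # link to the predecessor is broken
        if not meets_target(block.digest(), difficulty):
            return False, i                 # contents changed after mining
        expected_prev = block.digest()
    return True, None


def build_demo_chain(difficulty: int = DIFFICULTY) -> List[Block]:
    # Constructed sample transactions, not real data.
    chain: List[Block] = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}], difficulty)
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}], difficulty)
    append_block(chain, [{"from": "carol", "to": "dave", "amount": 1}], difficulty)
    return chain


def tamper_and_verify(difficulty: int = DIFFICULTY):
    """Edit an old transaction and report what verification sees before and
    after the attacker redoes block 1's proof of work."""
    chain = build_demo_chain(difficulty)
    chain[1].transactions[0]["amount"] = 200    # unauthorized change to history
    before = verify_chain(chain, difficulty)    # block 1 no longer meets the target
    mine(chain[1], difficulty)                  # attacker re-mines block 1 ...
    after = verify_chain(chain, difficulty)     # ... but block 2 still names the old digest
    return before, after


if __name__ == "__main__":
    print(tamper_and_verify())
```

To make the altered history verify, the attacker has to redo the proof of work for the altered block and for every block after it, which is why the cost of the nonce search and the depth of a transaction in the chain together determine how resistant the log is to tampering, and also why that same cost limits the rate at which new entries can be added.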


5.5.10 Denial of Service

The infrastructure that is used to run a blockchain can be the subject of a Denial of Service Attack and thus render it unable to process transactions ...


5.5.11 Forensic Investigation

A blockchain ledger inherently provides a way to trace the transactions based upon the public keys used. It does not inherently bind these keys to in ...


5.6 Legal Risks

This section provides an assessment of the information security risks with a focus on those that are specific to the legal aspects relating to the use ...


5.6.1 Data Privacy

Many jurisdictions place specific requirements on the handling of data that can identify living individuals together with legal sanctions for the brea ...


5.6.2 Geographic Location of Data

In a Public Distributed Ledger, the data will be replicated across all of the servers and these may be located in different geographies. Some jurisdi ...


5.6.3 Data Retention

The data relating to different forms of transactions may need to be retained for specified periods of time. These periods may be for decades or longer ...


5.6.4 Liability

The liability for the use of blockchain technology must be clear. This needs to cover liability for failures in the integrity of transactions as well ...


6 Recommendations

Blockchain distributed ledgers create both opportunities and risks for organizations. For this reason, KuppingerCole recommends that organizations sh ...


6.1 Define and Quantify the Opportunities

The use of blockchain technology and distributed ledgers creates a range of opportunities. These are described in KuppingerCole research on this subje ...


6.2 Choose Delivery Architecture

As described in this document there are a number of forms of distributed ledger. Choose the one which is most appropriate to the opportunity:

  • Priv ...

6.3 Evaluate the Risks

With the use of new technologies come new risks. Review the risks identified in this document to decide:

  • Whether or not each risk applies to the ...

6.4 Implement Assurance

If you decide to go ahead with the opportunity, make sure that you define an ongoing assurance process to monitor and manage risks. It is equally impo ...


7 Glossary

Term – Definition
Blockchain – A linear data structure that maintains a growing list of transaction records in a way that is extremely ...

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarksTM or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
