Blockchain technology was perhaps the most controversial topic at last week’s RSA Conference in San Francisco. It’s fitting, because distributed ledger technologies are also hotly debated in conversations about enterprise technology. For most organizations, the idea of blockchain is suspended somewhere between hype and disappointment, realism and naked hope. The perspective all depends on who you’re talking to.

Twitter is a fairly good barometer to gauge how these competing viewpoints played out at RSAC 2018. Some participants in the discussion asserted that blockchain is the key to achieving General Data Protection Regulation (GDPR) compliance, while others questioned the technology’s scalability. Some RSAC attendees were unfamiliar with blockchain altogether.

If we’ve learned anything from the cybersecurity threat climate, it’s that speed should never be sacrificed for security. Hype around any emerging technology puts pressure on developers to innovate. If a technology is inherently flawed or a poor fit for the use case, speed is not a good thing.

Over the past several days, some of the brightest minds in the industry put their heads together to determine where blockchain technology truly fits into the enterprise, how technological weaknesses can be exploited and whether the risks outweigh the benefits.

When Hype Obscures the Status Quo: Who Won the Production Race?

While there’s significant discussion about blockchain’s potential and the challenges related to its adoption, there’s a lot less data about who actually won the race to production. It’s never easy to get a pulse on a fast-changing market, but recent research has revealed that the majority of enterprises are not in production. As of July 2017, 6 in 10 enterprises had deployed the technology or planned to do, with most implementations slated for late 2018.

Another survey found that 3 percent of enterprises have blockchain apps in production. It also noted that:

  • 28 percent of organizations are actively testing blockchain.
  • 20 percent are in the discovery or evaluation phase.
  • 4 percent are testing or piloting the technology.
  • 2 percent are in testing or development.

Meanwhile, 67 percent of enterprises investing in blockchain had already spent over $100,000 by the end of 2016 and 91 percent planned to spend at least that much in 2017. This trend suggests that organizations see value in blockchain technology and are willing to continue to invest in research to unlock its potential benefits.

Creating a Secure Enterprise Baseline for Blockchain

So, should enterprises proceed with innovation, given the fact blockchain is still shrouded in hype, uncertainties and risk? The conversations that took place at RSAC 2018 suggest that blockchain could be part of the solution, but it really depends on what type of blockchain you’re talking about and how you approach it

In the Tuesday session titled “Trust as a Service — Beyond the Blockchain Hype,” representatives from Verizon talked about how the telecommunications giant spent a decade creating a billion-event solution to big blockchain problems such as integrity, attribution and provenance. On Thursday, two Samsung engineers shared specific techniques for writing smarter and better code in the session titled “An Overview of Blockchain-Based Smart Contract Security Vulnerabilities.”

David Huseby and Marta Piekarska of the Linux Foundation emphasized the importance of establishing baseline questions for conceptualizing security innovation in their Tuesday session, “Blockchain — The New Black. What About Enterprise Security?” They also explained the difference between private and permissioned blockchains.

Once organizations understand the benefits of using a private approach to bitcoin, they can address important topics, such as flexibility, security and industry-specific regulations, before they begin the proof-of-concept phase.

Considerations for Enterprise Blockchain

Blockchain is still a gamble, but enterprises can build upon the foundations of others. Standards, industry-specific best practices and an increasingly rich ecosystem of insights enable organizations to understand how industry leaders are addressing the foundational nuances of distributed ledger technology and using it to their advantage.

Cathie Yun, a software engineer at Chain, spoke about considerations — not necessarily weaknesses — for enterprise blockchain use during the session titled “Foundations of Bitcoin, Blockchain and Smart Contracts,” a replay of which is available via RSAC onDemand. She noted that organizations should address the following areas when gathering requirements:

  • Trust model;
  • Administration;
  • Identity; and
  • Confidentiality.

Blockchain Is Not Pixie Dust

“Blockchains are often viewed as security pixie dust,” asserted Ron Rivest, MIT professor and cryptographer. “If you add them to your application, they magically make it better.”

During “The Cryptographers’ Panel,” which opened the conference, Rivest talked over key topics with fellow cryptography experts Adi Shamir of The Weizmann Institute in Israel, researcher Paul Kocher, Moxie Marlinspike of Signal and Whitfield Diffie of Cryptomathic.

“Blockchain is an interesting tool, but it’s not a business,” agreed Kocher. “It’s just an interesting thing you can use to build a system like a log management tool.”

Blockchain, according to Rivest, offers “interesting properties, [including] decentralized, public access.” As Marlinspike highlighted, the problem with capitalizing on the value of blockchain technology is that there are relatively few apps that value it.

While their analysis of blockchain and its potential was critical overall, Marlinspike said he interprets the hype as a sign of hope. Distributed ledger technology may not be pixie dust, but it could indicate that what Marlinspike called the “multitrillion-dollar problem” of security is being taken seriously since it’s a foundation-level approach to solving issues of data, access and identity in drastically new ways.

The consensus among the speakers at RSAC was that blockchain is no magic bullet. Rather, as Piekarska put it, blockchain is more like a “very advanced screwdriver.”

Understanding the Blockchain Backlash

There’s a root cause behind this backlash against blockchain technology, and it has very little to do with the fact there are no enterprise use cases for the technology. There are many success stories about blockchain in production, and many organizations are making their way toward full production by end of 2018, from the proof-of-concept stage to testing.

For the 45,000 cybersecurity professionals on the ground at RSAC 2018, this past year was the most challenging in the history of cybersecurity. A recent Ponemon study found that 45 percent of chief information officers (CIOs) fear that they’ll lose their jobs as a result of a data breach in the year ahead, and 67 percent believe that such an incident is likely to occur.

The backlash against blockchain is thus largely a revolt against the hype — and that’s not an entirely bad thing. Security professionals aren’t buying the suggestion that there’s a magic bullet or an out-of-the-box blockchain solution that can solve all their security woes. CIOs generally take a cautious approach to emerging technologies, especially something as shrouded in hype as blockchain.

As enterprise solutions and use cases of distributed ledgers emerge across industries, this technology is still in the early stages of evolution. If this year’s conference is any indication, it’s safe to say that blockchain will be a trending topic once again at RSAC 2019.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today