The value of Confidentiality, Integrity, and Availability

According to Wikipedia, “A blockchain, originally block chain, is a growing list of records, called blocks, which are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data (generally represented as a Merkle tree).”

What is the CIA Triad?

Before we get into the details of how blockchain can improve information security, let’s talk about the CIA triad. No, not the government agency, but the one related to Confidentiality, Integrity, and Availability. These three are the key attributes when it comes to information security and determining the impact of an attack involving some data, as well as the controls required for its protection.

C  is for Confidentiality.
Confidentiality is about keeping sensitive data inaccessible to unauthorized parties and is typically achieved through methods such as encryption, hashing, masking, or access control.

I is for Integrity.
Specifically, integrity is about assurance that data has not been modified by unauthorized parties. This can be achieved by using signatures or Message Authentication Codes (MAC).

A is for Availability.
Last but not least, availability is about having the data available at all times when required, and the resulting impact from lack of such availability. A Denial of Service (DoS) attack often impacts this attribute. Having back-ups, redundancy, and a disaster recovery plan can help mitigate threats that impact availability.

Each of these CIA attributes should be considered when assessing the impact of an attack on a given piece of information.

CIA in action

For example, let’s say you own a retail store, and have your address listed on your public web site. Since this information is public, there is no confidentiality requirement or impact of exposure.

However, you do not want an unauthorized user to edit that address to direct your customers to a competitor. In this case, there would be a high level of impact to your business due to compromise of integrity of the address.

Availability is also a concern, since some of your customers who cannot find your address if your web site is down may shop at an alternate store. However, this does not apply to all customers, some of which will visit your site at a later time and continue to shop with you. Based on this, the impact due to lack of availability is moderate.

How Blockchain impacts CIA

Now let’s talk about blockchain and how it helps reduce impact to each of the C, I, and A of the triad. Blockchain is a decentralized and distributed digital ledger, which offers a high level of trust. The blockchain architecture does not have central control point.

You can think of it as a distributed database, where a full copy of the entire data set resides at each full-node across a network. Transactions are recorded in a verifiable and immutable manner and put in blocks. Data recorded in a given block cannot be altered afterwards without alteration of all subsequent blocks. Since a hash of each block is included in the next block, an attacker needs to modify all blocks and adjust all the hashes in the chain, making it nearly impossible due to high computational resource requirements.

As a result of the decentralized architecture, there are multiple copies of the blockchain that can be used for verification as well. Even if the attacker modifies all blocks of the chain in one node, consensus will be required by majority of the nodes to accept this modified version, meaning the attacker would need to control the majority. Using a decentralized and immutable ledger, there is no need for a central trust authority to verify and validate transactions.

So how does blockchain impact Information Security’s CIA-triad?

All data stored as transactions in the blocks are signed which provides a high level of Integrity protection. As mentioned, changes to the data in a block are also nearly impossible due to the use of linking via hashes, and the consensus requirement. Also, since a distributed architecture is used, a high level of Availability is provided by design since a full copy of the data resides across several nodes. Confidentiality on the other hand is typically low by default, since blockchain requires the ability of the transaction data to be visible and verifiable by design.

With public blockchains, this may be of concern, since all participating nodes can read this data. If a high level of confidentiality is required, the system needs to provide additional protection such as application level encryption, tokenization, or other means where sensitive data is not directly readable by unauthorized parties. Private blockchains where access control is enforced to limit access to specific users for specific transactions can also help address confidentiality requirements.

Further Considerations

It should be noted that the size of the network is important since if data is not well distributed, it may be vulnerable to attacks. In addition, where there are requirements for data to be deleted (such as GDPR), consideration should be given to render the data useless if required since blockchain does not provide the ability to delete transactions by design.

In summary, use of blockchain can improve information security with respect to Integrity and Availability, while also allowing for Confidentiality of sensitive data if required using custom solutions. As with any technology, there is no single solution that solves all problems and where trust, integrity, and availability are top concerns blockchain is a great choice to reduce the related impact.