The key to keeping data safe is to constantly verify its integrity. And that's properly done through hash cryptography and a private, scalable blockchain-based solution.
Comedian Bill Maher recently remarked: “Taking your work home with you used to mean that you were stealing office supplies.”
He was joking about the extent to which 21st century American office workers don’t take enough time for themselves. But he was also saying something profound about the relationship between business, physical space, security, and trust.
Security Without Integrity: A Cautionary Tale
I once worked at a big technology company where employees often built up and tore down their work computers on the fly. At the time, giving workers that much freedom with their machines was seen as part of being agile and creating a productive space for creative people. The hallways had special recycling bins for computer parts. Someone would collect the parts, and they would go back into the company’s main supply. Meanwhile, many employees were going to work with their own laptops or other peripherals. Various machines and parts were moving in and out of the building at all hours.
One day, word of a scandal broke out. An employee had been digging through the special recycling bins, pulling out spare parts, taking them home, assembling them into full computers, and then selling those computers online. The guy was fired and prosecuted, but the damage he caused went considerably beyond the value of the parts he stole.
Developing A Security Solution Using Data Integrity
The CEO had egg on his face. His friendly, progressive atmosphere had backfired. Plus, he now faced a tortuous choice. On the one hand, if he cracked down on the free flow of machinery in the building, the whole tone of the workplace would take a turn for the worse, and many of his best engineers would quit. On the other hand, the problem simply could not be permitted to happen again.
If we set aside what were, at the time, limits of expense and scale, a solution presents itself. All computer components, and their position and use within the building, could have been tagged and tracked. For example, a DIMM module sitting in a recycling bin is understood (within a component tracking database) to have been taken from a computer in an office down the hall. It's where it should be. A hard drive that is leaving the building in an employee's pocket (we know this through radio-frequency identification, or RFID) is understood to have been brought into the building through the employee entrance the week before.
This deployment may run into obstacles of scale or privacy, but the point for our purposes is that it was hard to find a solution, because the problem was being considered only in terms of a traditional security paradigm. That is, should we trust people less, or should we trust people more? Should it be easy to enter and exit through our perimeter, or should it be difficult?
The Integrity Of Data vs. The Integrity Of A Perimeter
But that’s the wrong approach. The focus should not be on the question “How can we prevent the theft of our components?” Of course, that prevention is the long-term goal, but focusing on it too much in the short term can obfuscate the real solution. The question to ask is “How can we accurately track our components’ location?”
This story takes place at the peak of the dot-com bubble, in the late 1990s. Most of us wouldn’t hear the term “cloud computing” for a long time, but the advent of cloud would bring a renewed emphasis on what’s become known as the “CIA triad” of information security: confidentiality, integrity, and availability.
Our example is concerned with changes in the location of physical objects, as opposed to the unauthorized use of those objects. In information security, this translates to the “integrity” part of the CIA triad: the assurance that there have been no unauthorized changes in the data. It goes to the very fundamental question: "Do you trust your data?"
Using Hash Cryptography To Ensure Data Integrity
Letting confidential information (or costly sophisticated components) get into the wrong hands is bad. Allowing your data to be altered can be much worse. Not even knowing it has been altered is worse still. We’ll go into some examples in the next blog post. For now, let’s focus on how to prevent it.
The basic method for validating data integrity is very simple. You make a hash of your data. Then, a bit later—let’s just say an hour later for our example—you make a hash again. Are the two hashes exactly the same? If not, then your data has been compromised.
Great, so you use hashes. That’s something your organization can probably do on its own, right? That’s right. As soon as you answer these questions:
Where do you store the hashes? And how do you make sure they aren’t compromised?
Blockchain Technology And Integrity Assurance
Unless data security and infrastructure are your core business, you’re going to need partners who know the terrain. Below is a general discussion about how one potential blockchain-based solution can work. (Note: This explanation is deliberately reductive.)
In this approach, your data gets hashed and it also gets time-stamped. The time-stamped hash then gets stored in a calendar blockchain. This blockchain is a distributed database, meaning that there are thousands of copies of it across a secure network. (Remember that these are copies of the hash, not your data.) Because there are so many copies, the blockchain can’t be compromised. All the computers that hold the blockchain are constantly checking up on each other, verifying that they all have the same data. A malicious actor would have to magically change every copy of the blockchain at once, which has never been done. Reverse-engineering the hash is also impossible, even for quantum computers. (Note: There is currently no such thing as a functioning quantum computer. We’re just thinking ahead.)
The end of the cycle is that your security partner sends the hash from the blockchain back to you, where it is compared to the newest hash of your data. The whole cycle could take less than a second.
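The cycle described above (hash, time-stamp, store in a chain, compare later), together with the earlier question of how the stored hashes are themselves protected, as an added Python sketch that is not part of the original article or of any vendor's product. `HashLedger`, its methods and the sample records are hypothetical; one in-memory list stands in for the distributed calendar blockchain, and `trusted` stands in for a head digest held by an independent copy.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous digest" for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(e: dict) -> str:
    # Digest over every field of the entry except the digest itself.
    body = {k: e[k] for k in ("index", "timestamp", "data_hash", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class HashLedger:
    """Append-only list of time-stamped hashes; each entry commits to the one before."""
    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def record(self, data: bytes, timestamp: int) -> None:
        e = {"index": len(self.entries), "timestamp": timestamp,
             "data_hash": sha256_hex(data), "prev": self.head()}
        e["digest"] = entry_digest(e)
        self.entries.append(e)

    def chain_intact(self) -> bool:
        # Every entry must point at its predecessor and match its own digest.
        prevs = [GENESIS] + [e["digest"] for e in self.entries]
        return all(e["prev"] == p and e["digest"] == entry_digest(e)
                   for e, p in zip(self.entries, prevs))

    def verify(self, data: bytes, index: int, trusted_head: str) -> bool:
        # Accept only if the ledger is self-consistent, agrees with the
        # independently held head digest, and the stored hash matches the data.
        return (self.chain_intact() and self.head() == trusted_head
                and self.entries[index]["data_hash"] == sha256_hex(data))

def demo() -> dict:
    ledger = HashLedger()
    original = b"constructed sample: invoice 1001, amount 250.00"
    altered = original.replace(b"250", b"950")
    ledger.record(original, 1_700_000_000)
    ledger.record(b"constructed sample: second record", 1_700_003_600)
    trusted = ledger.head()  # head digest as held by an independent replica
    out = {"unchanged": ledger.verify(original, 0, trusted),
           "data_altered": ledger.verify(altered, 0, trusted)}
    ledger.entries[0]["data_hash"] = sha256_hex(altered)  # stored hash rewritten
    return {**out, "hash_rewritten": ledger.verify(altered, 0, trusted)}
```

If every entry in one copy is rewritten and its digests recomputed, `chain_intact()` passes on that copy, and only the comparison against a head digest held elsewhere catches it; that is the role the many independent copies play in the description above.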
You now are in a position where you can continuously verify the integrity of your information. If needed you can prove to yourself, a user, or a third party such as a regulator or court that the information has not been tampered with. You can have absolute trust in your data. And the same approach can be applied to applications or your infrastructure.
Private Blockchains And Scalable Enterprise Solutions
It's worth considering that the solution described above can't be set up in a garage. While the concept is simple, implementation details are important. For example, in an enterprise situation, there is the question of scale: thousands or even millions of objects, which can be extremely large (up to petabytes), have to be hashed and time-stamped every second. The blockchain that your organization uses needs to be agile enough to reflect this. Public-facing blockchains like the one used by Bitcoin are actually inefficient by design. In order to ensure that the computers making up the blockchain—the miners—are operating in the best interests of all participants, the miners are required to perform complex calculations that aren't directly connected to the hashing process. With a private blockchain, that's not a problem. All the miners are controlled by your security partner, so they work together quickly and efficiently.
The world of enterprise security has evolved, and it’s no longer about passwords and perimeters. So, do you trust your data? Are you confident in the methodology used to verify your data’s integrity?