There’s a scene in the original 1978 Superman movie where the Man of Steel swoops skyward to save Lois Lane from falling to her death.
Superman tells the astonished Lois, “Don’t worry ma’am, I’ve got you.” Ever the skeptical journalist, she retorts, “You’ve got me? Who’s got you?”
For an increasing number of enterprises, cloud has swooped in as the latest superhero of IT security.
At the recent SecTOR conference in Toronto, Cloud Security Alliance (CSA) CEO Jim Reavis outlined why organizations are adopting cloud-centric cybersecurity:
- cloud enables delivery of security to all other IT systems via security-as-a-service
- cloud for security enables continuous deployment, serverless computing and a software-defined perimeter
- cloud is becoming the leading platform for AI and data science-based approaches to cybersecurity
“We really feel cloud is a better, more systemic approach to cybersecurity and it just has the reach everywhere,” Reavis told the audience.
To which Lois Lane might reply: “Cloud is making all of IT more secure? What’s making cloud more secure?”
In other words, if we’re going to rely on cloud for IT security, shouldn’t we make sure the cloud underpinning it all is super secure?
Absolutely, says Reavis, and he sees blockchain as the key.
Blockchain for cybersecurity
Reavis believes the same blockchain technology that can enhance security for, say, cryptocurrency or supply chain management—an immutable, shared, transparent ledger of authenticated ownership, identity and transactions—will also revolutionize cybersecurity.
He predicts that, just as a handful of large providers now dominate cloud services, a few public blockchains will emerge as “standardized utilities” for cloud security.
The CSA reiterates this on its website as follows: “We believe that a few well thought out blockchains that function as trusted public utilities will change how we protect information while sharing it in an unassailable and truthful manner.”
That hypothetical scenario obviously won’t become reality next week. But researchers are starting to explore blockchain for cloud security.
How it might work
In a 2017 paper, Korean researchers concluded blockchain could be used to authenticate a user’s identity (and thus grant secure access) within the cloud while keeping their identifying details anonymous. That anonymity means the user’s privacy could be protected even if their data was breached in the cloud.
The researchers did note one potential risk, however. In the same way a ‘blockchain wallet’ stores and manages cryptocurrency transactions, they suggested an ‘electronic wallet’ could use blockchain to securely control transactions in the cloud. (In cloud security terms, ‘transactions’ aren’t financial transactions but things like commands, modifications and access privileges.)
“If the electronic wallet is not properly deleted [after each blockchain cloud transaction],” the researchers warned, “the user information can be left behind…[and] could be used to guess the user [identity].”
To prevent this, they recommend a model that would not only install a new electronic wallet for each blockchain transaction in the cloud, but delete that wallet after each completed transaction. (The practicality of generating a new wallet for every transaction isn’t addressed in the paper.)
Another group of researchers, from the European Union’s Cooperation in Science and Technology (COST) program, makes a more specific case for applying blockchain to cloud security. In a 2018 report, they posit using “blockchain proof of concept algorithms for secure data and task scheduling in the cloud.”
Since I have neither the expertise nor the space to paraphrase the technical details of that here, you can find out more in their report, complete with diagrams. The COST team does tout its idea as a “totally new concept,” however.
Next steps for blockchain
Getting back to Reavis, his organization, the CSA, has formed its own working group on research and technical development specs for blockchain security applications in the cloud.
(On a side note, Reavis is also trying to create OpenCPEs, a blockchain-based system to grant, track and validate skills, credentials and certifications for IT professionals across the global IT industry.)
Today, most people equate blockchain with cryptocurrency. Tomorrow, blockchain may be used as kryptonite against hackers, repelling and weakening them when they try to breach cloud security.