Each of us uses 10 to 15 applications every day for personal or business purposes. We also use a certain number of software, websites, online services and mobile apps which require us to register. In the digital economy, authentication has already become a natural part of our lives, and registering your social account on Google or Facebook via OAuth protocol is understandable and familiar. If in private life we risk only our own data and information about customer preferences, when we enroll our business in similar systems, the stakes become much higher. If our company data is exposed, the loss from both a financial and reputational perspective could be huge.
Cybersecurity lags behind cybercrime innovation
When forced to choose between convenience and security, most users will go for the former, despite numerous warnings from cybersecurity experts that security should be neglected at their peril. Statistics show that the majority of users who are confronted with a password requirement will use either a simple combination or come up with three or four which they will recycle everywhere. More advanced users invent complicated passwords, but then may weaken these by noting them down on a sticker positioned close to their work desk, which also raises questions from a security point of view.
In the corporate environment, smart cards and biometrical access are used, with the cheapest and most common solution being public key infrastructure (PKI), which is based on digital certificates. Unfortunately, the technology itself, despite its prevalence, is not fully optimized for withstanding cyber attacks and hackers’ cracking abilities.
Some examples of cyberattacks on CA include the Comodo hack in 2011, Adobe system hack in 2012, and Kaspersky Lab hack in 2015.
What you require to offer an alternative to centralized solutions
There are three fundamental things that the corporate sector wants to see to solve the problem of secure authentication: simplicity, accessible and understandable to all employees who interact with it; the credibility of the system, which will be responsible for the safety and security of access; and the price that must be paid for this decision.
In the first case, the key issue is the human factor. We must ensure that whatever the user does, this does not make the system significantly vulnerable. Experience in cybersecurity training activities suggests that the average user is not able to withstand an experienced hacker and we must eliminate vulnerabilities at this first level.
In the second case, we are saying that we should certainly be able to trust large organizations and corporations that sell us security, thanks to their gigantic capacities and popularity. But can we really trust them? When it comes to millions of access keys stored on centralized servers, the likelihood of leakage, loss of control, or all sorts of other attacks is quite high. These centralized authorities, case by case, have proven their inability to effectively cope with advanced teams that aim to gain valuable information.
In the third case, we are talking about the fact that each company has a limited budget for cybersecurity and follows established practices, so a potential solution must be appropriate for them to start using it.
Smart and self-regulatory storage as a guarantee of security
Often, blockchain is suggested as a solution simply for PR or where there is no potential for its mass application. However, in the case of cybersecurity and the safety of corporate data, it is evident that the cost of system maintenance and improvement for traditional PKI solutions is both justified and necessary. From a technical point of view, you can see the implementation of such a solution in the REMME open source.
Blockchain consists of four significant components: cryptography, consensus, ledger, and business model. Cryptography provides privacy, integrity, and authenticity of stored data. The consensus is a protocol that stimulates a decentralized network to support blockchain functionality and protects against potential collusion or malicious actions to compromise a network. Ledger includes the smart contract logic and data specification that can be stored by the network — the blockchain architecture itself — which ultimately must be reliable and convenient storage for this type of information. Business logic is what unites all the components together and allows a decentralized network to function stably for a long time while maintaining data in an unaltered state.
The key feature of a blockchain-based solution is the addition of a distributed and independent network, which guarantees that certain information will not be altered or falsified at one of the stages of data exchange.
The primary additional value to be gained from a traditional PKI using blockchain for security reasons are:
- Operated by a decentralized authority;
- High availability;
- No or reduced DoS possibility;
- Resistant to unwanted modifications;
- More opportunities for customizations (custom attributes);
- Quasi-anonymity since identities are represented as numbers.
Conclusion
Any innovation that aims to become an alternative secure access solution for business should meet several requirements: it should be simple and accessible to users, an independent cybersecurity audit should confirm its reliability, and the price should match the business’s readiness to adopt it immediately.
For those who use passwords, you need to think about 2FA, and it is better to begin the process of a gradual transition to solutions that allow you to authenticate without them.
PKI, despite a large number of accumulated vulnerabilities for hackers, continues to be the most proven tool to improve corporate cybersecurity. The combination of this technology with a decentralized network for public keys allows us to solve many issues that are related to CAs.