SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I’m your new host, Servaas Verbiest, and today, I'm joined by Matt Parsons, Director of Network and Security Product Management at Sungard. And we're going to be talking about blockchain network resilience.
How're you doing today, Matt?
MATT PARSONS (MP): Good. Thanks, Servaas. How are you?
(SV): Good, good. It’s a pleasure to have you on the show. So before we get started, let's kind of lay the groundwork and establish what blockchain really is, right? Because a lot of people talk about it but not many people really define what blockchain is. A blockchain is a distributed database that’s shared among nodes of compute on a network.
Now as a database, blockchain stores information electronically in a digital format. And usually when you're talking about blockchain, you're really focused on cryptocurrency, but there are other industries that have used blockchain technology to collect information across wide area networks in really remote places or even catalogue details of information in science and in medical appliance development that have really innovated the industry. But the bottom line is when you're going to talk about blockchain, you're probably going to be talking about crypto.
And when we think about crypto, you know, the whole premise of it is it's a decentralised, deregulated currency, which means the platforms that are typically used to trade and acquire crypto aren't governed by a lot of the same controls and regulatory requirements that we would see in other financial institutions. And that's played out in the news recently in the form of a few outages like the Solana blackout, the Coinbase outage and even an outage that was experienced with Binance.
Now with that said, if you look at the platforms for regulated currencies and standardised trade, and the securities that they have in place and safeguards that they need to maintain, what are some of the things that might be missing Matt?
(MP): Yeah, thanks Servaas. When you think about it, when you look at the PCI industry or even HIPAA. PCI, for example, there are 12 main PCI requirements and, of those, 251 sub controls. What are they really protecting? It’s payment card information so if that were to get taken, there are a lot of checks and regulations where it's pretty easy to flag that your card number has been stolen or it's trying to get used elsewhere and a lot of times that could get credited back to you.
Even HIPAA, what are we protecting? Just medical information. I know nobody wants it to get out that they had a nose job last year, but when you look at all of those controls around card numbers and health information and what's at risk there versus these coin exchanges, really, what's at risk there? It's your wallet. You know, it's money - thousands, potentially millions of dollars that are at risk. And the fact that there are no regulations is really, really scary and risky for any user of any of those online exchanges.
When we look at some of the security controls, you know, I think we have to look at it very similarly to how you look at financial industries, the PCI and the HIPAA industries and it really is not just one or two things. There's no magic bullet that can solve it all. It really has to be a comprehensive model, a zero trust model with a defence in depth type strategy, where essentially you're deploying those security controls at every layer, from physical security - whether that's cages, locks, card readers, biometrics, cameras - to your hardware and logical components behind that, so your firewalls, IDS, IPS, file integrity monitoring, web application firewall, your antivirus endpoint detection, your EDR/MDR type stuff, user behaviour analytics. And all of that backed by a centralised logging with AI (artificial intelligence) and machine learning, backed by a person like a SOC component behind it as well.
(SV): Interestingly enough, right, we know that we see those components on banking sites or with a large transaction technology, like what VISA uses. The argument is, crypto technology is based on blockchain. And you know, when things like bitcoin networks grow larger, because there are more disparent methods of authentication, they get more secure.
What typically gets overlooked is the level of security that a Bitcoin holder has - just for example using that cryptocurrency in this case - is just based on what they do with their Bitcoin. So you know, it's recommended by security personnel that if you want to protect your cryptocurrency, you're better off keeping it in a wallet on a USB drive versus an exchange. And that's because they're not regulated like you had said before. We're really kind of basing what happens with those exchanges on the measures that they choose to employ based on the risks that they potentially want to mitigate. So if we compare, you know, a crypto exchange to a regular banking platform, do you think they have a lot of the same risks and a lot of the same black hats trying to employ ways to steal those units of currency?
(MP): Oh, absolutely. I'd say with blockchain and cryptocurrency that the risk is higher because if that digital currency is stolen, it's gone. There is no insurance or federally backed funds that are going to get that back for you. And you know, even with the controls in place, you hear stories of internal users. You'll get a group of brothers to start some cryptocurrency, blockchain type storage system, get millions of dollars on there, and then all of a sudden, nobody can access the system. Nobody can contact the owners. These guys have jumped ship and left the country. So it is very, very risky. And it's like, you know, from a banking standpoint, going to ‘Bob’s shack’ down the road and storing thousands of dollars in his shack in the backyard and hoping it’s safe.
(SV): Well, I mean, inversely, I think - and you can tell me your opinion on this - if you do the right research and you validate to the best of your ability the controls that are in place with the platforms that you're making these exchanges on, there's probably some upside, right? It's not like the entire world is doom and gloom if you want to leverage cryptocurrency, correct?
(MP): Yeah, there are going to be platforms out there that are better than others. You know, definitely do your research and find resources out there that have been in place a while. I wouldn't do anything that's new or a startup. You know, choose a company that's been around a long time, that's established. Generally lower fees and less cost to get in on those newer platforms means they're probably cutting corners somewhere, potentially with security or other areas. So yeah, I’d absolutely look at any documentation they have as well with regards to security and underlying platforms and how their system is built.
(SV): Okay. And if you were going to - and you don't need to tell us if you do - but if you were going to look for a platform to do an exchange and really jump into the crypto market. I know you highlighted some of the things we want to look at, but what kinds of questions would you ask?
(MP): I think it really depends on your requirements. Certain exchanges offer certain features in terms of what types of coin or cryptocurrency they can exchange to and from so there's just the underlying: what are your requirements? What are you trying to get out of the platform? Specific to a security standpoint, it's tough to say because a lot of companies don't like to give out their security posture, what they have in place or don't have in place, because it is inherently a security risk just to even give out that information.
I guess I'd be looking for kind of their core values, how long they've been established, any testaments or articles they've got with regards to any type of certification. So even though they're maybe not in the HIPAA or PCI type industry, if they were to say they've got controls in place that meet or exceed PCI standards, I think that would make me feel a lot better about the platform.
(SV): And I imagine over time, as the market becomes more saturated with these exchanges, we may see organisations who facilitate these kinds of transactions touting certain levels of security or resilience as a selling feature, right?
(MP): Yeah, I would absolutely use that as a value add if I were in the company running these. Having a resilient system that was scalable that could withstand massive, massive influxes of data and transactions with resiliency so if something worst case were to happen - a fireball hits the data centre - you can failover. You've got a plan to keep the business running and the ability for users to access their money.
(SV): Well yeah, and finally, as we know, the other thing to take into consideration is just because we use the word blockchain doesn't mean there are other components of technology that don't support the process that need to have resilience. So, you know, blockchain, at least in my opinion, functions much like the way a core banking system would for other financial institutions. So it's probably good for them to ensure that those ancillary components that allow users to access that graphic user interface to facilitate the transaction are resilient and secure as well, right?
(MP): Yeah, absolutely. There's going to be components at the web application database tier, as well as with all the security around it and I think you absolutely have to plan for the worst case scenario. There are always going to be zero day exploits out there. You know, the SolarWinds, Trojan horse type things where even with all the security controls in place, you're going to have ‘Bob’ click a bad link in an email and now you've got something in your system. You have to plan for that worst case scenario. If you were to absolutely get locked out or there's some type of ransomware incident, you could cleanly recover your data in an isolated kind of sandbox environment, to restore, clean everything up and get the business back up and running for your users.
(SV): Well you know what, Matt, I really appreciate you taking the time to speak to us today and really go over some of the core components from a security perspective on how these exchanges should really be evaluated and things that they need to take into consideration as they become more of a focal point of our economy moving forward as more entities start to use and exchange cryptocurrency. So I really appreciate you dropping by.
(MP): Thanks, Servaas. Thanks for having me.
(SV): Matt Parsons is the Director of Network and Security Product Management at Sungard Availability Services.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on the podcast platform of your choice to get new episodes as soon as they become available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.