Blockchain for Organisational Data Security
Table of Contents
Title
Organisational Data Protection: A Blockchain Approach
Aims
To create a conceptual design of a blockchain based data security and access management system. To ensure confidentiality, accountability, non-repudiation and integrity of data in an organisation by using blockchain technology to manage data.
Introduction
In an increasingly digital world, the importance of data cannot be overstated. Individuals and organisations alike make significant investments to assure the security of their data and information assets and protect them from the threats of breaches and leakages.
However, in recent times, there has been a rise in the number of cyberattacks targeting the data of organisations (Jung2021), with over a thousand US firms reporting data breaches involving millions of customer records (Foerderer and Schuetz, 2022), highlighting the need for robust infrastructure to ensure the security of data held by organisations. Data breaches as it relates to organisational data can occur through a number of means including malware attacks, ransomware attacks, insider attacks etc. Insider threats can manifest itself in one of two ways; the unaware insider who renders the organisation vulnerable due to ignorance through means such as loss of devices, abuse of internet access and email, falling victim to social engineering attacks inappropriate use of devices e.g., USB drives etc (Sakar, 2010). Jeong and Zo (2021) points to malicious insiders as the other source of threats from within, citing monetary gains and retaliation against perceived injustice as potential motives for their malicious actions. This type of threat can manifest in the form of collusion between two or more insiders to attack an organisations system, steal data or commit fraud (Yousop and Abawajy, 2014).
A report by the Verizon Data Breach Investigations Reports (Langlois, 2020), asserts that over 50% of incidents on organisations were a direct effect of the actions of insiders in the organisations. The term insiders is a broad one encompasses a range of people from employees, contractors and vendors, to auditors and ex-staff (Safa et. al., 2018). The common factor with these group of users is that they have legitimate access to an organisations systems and therefore require minimal effort to access target systems as there is an implied trust present in the relationship between them and the organisation.
Ou et. al., (2022) asserts that the exposure of confidential and sensitive data is directly linked with losses incurred by an organisation. Ayaburi and Treku (2020) are of the opinion that data and privacy breaches have a negative impact on consumer trust in a brand. Studies show that a lack of trust is directly linked to a reduction in users of a service (Antoci et. al., 2019).
Consequently, there is a need for organisations to ensure that the risk of data loss due to breaches is prevented in order to preserve the trust of their customers and stakeholders. The main research question therefore is -How can the blockchain technology be used to drive the security of and access to data in an organisation?
Literature Review
In recent years the problem of accountability has been tackled by researchers using new and innovative systems. One of the most noteworthy of these is the Bitcoin system that allows the secure transfer of currency using an open ledger that is openly verifiable by the public. The advent of Bitcoin was in 2008 (Nakamoto, 2008). From that time onwards, there has been research spanning a range of academic fields (Ali, 2015; Bohme et. al., 2015; Harlev et. al., 2018). This popularity could be attributed to its unique and disruptive attributes such as decentralised control - centralised control is vulnerable to a single point of failure in the case of a cyber-attack or other technical breakdowns(Puthal et al., 2016), anonymity and distributed consensus over decentralised networks, as well as a potential to reduce the risks of data breaches as it utilises threshold data encryption and the use of public key infrastructure, requiring the participation of multiple parties to perform decryption of data (Zheng et. al., 2018). blockchain also prevents server hacking and falsification or modification of permissions (Cui et al., 2018). Subsequently, other projects have demonstrated other various applications requiring trusted computing and auditability (Zyskind, Nathan, and Pentland, 2015).
Kaaniche andLaurent (2017) carried out research on A blockchain-based data usage auditing architecture with enhanced privacy and availability aimed at tackling the issues around data breaches compromising users privacy by combining identity based cryptographic mechanisms with blockchain infrastructure using smart contracts. Their work was touted to provide data access control in a transparent fashion while allowing the sharing and processing of data in a way that secures the data from processing by unauthorised actors. In addition, it provided tamper-proof evidences for auditing purposes.
Furthermore, research into a blockchain based personal health data sharing was carried out (Zheng et. al., 2018) where the challenges of data security and data sharing associated with centralised data storage were highlighted. Hence, a conceptual design for sharing data in a transparent and secure manner using blockchain technology in collaboration with cloud storage was explored by the authors. An important part of this research was that it took into consideration, GDPR compliance while enabling commercial data consumers collect high quality personal data for research and commercial purposes. This study utilised the blockchain module for data sharing transaction validation; two decentralised blockchain application platforms were noted Ethereum and Hyperledger Fabric platforms which allow developers create blockchain applications. In the study, however, the Ethereum blockchain was opted for as the development framework for the system because the Ethereum framework supports the design and issuance of ones own cryptocurrency or a digital token which can be used as a currency. The tokens or currency use standard coin API, making contracts compatible with any wallet, contract or exchange also functioning on the Ethereum blockchain.
Contrastingly, another study (Makhdoom, 2020) developed a blockchain based privacy preserving and secure data sharing framework for smart cities, employing the Hyperledger Fabric application and citing effective data security and privacy preserving capabilities as the reasons for this choice. The approach used to ensure data privacy here was to divide the blockchain network into channels, each comprising of authorised organisations that process a specific class of data, e.g., financial details, health etc. Furthermore, data within each channel is isolated using a private data collection and encryption. Access to data within a channel is then controlled by rules embedded within a smart contract and access to the blockchain is enabled by Representational State Transfer Application Programming Interface (REST API) utilising dual security in the form of an API Key and OAuth 2.0. The mechanism proposed in this study utilises blockchain to carry out authentication, authorisation, and data access control token validation, allowing only data owners or controllers to create, update and withdraw consent to access data and only authorised entities to process data. The proposed system in this study provides protection against internal and external threats, provides secure access to the blockchain network using REST API and provides a transparent network operation.
Neisse, Steri, and Nai-Fovino (2017) explored the use of auditable contracts deployed in a blockchain that are publicly available to increase transparency as regards data access and usage. Two different models were proposed; one in which the data subjects exercise their consent through access control policies for each processor accessing their data embedded in smart contracts on the blockchain, and the other in which the controller defines the access control policies and users have the option to join and leave the contract as it suits their needs. The Ethereum Virtual Machine, a blockchain-based distributed ledger platform was utilised in this study citing its use of a decentralised ledger of transactions using Ether and the decentralised execution of smart contracts as pros of making that choice. The paper also outlines the various options for blockchain adoption i.e., public, semi-public and private blockchains. Public blockchains allow anyone to read, write and participate in the mining process while semi-public/consortium blockchain are moderated by a set of organisations. Conversely, private blockchains have their permissions controlled by a single central organisation. Also considered in the study is the need for off-blockchain communication for which the Ethereum Virtual Machine proposes Swarm and Whisper respectively for blockchain decentralized data storage/distribution and messaging. However, the implementation of these technologies with respect to the solution being developed in the study was not discussed as it was not in scope.
In further research, a data privacy tool named IDPT, designed to provide secure management of the handling and sharing of organisational data has been explored (Hussain et. al., 2021). It takes into consideration three classes of entities i.e., the data subject which is the entity the information is based on, the data controller who is responsible for the collection storage and hosting of the data in addition to being responsible for the enforcing the data access/sharing policies, and finally the data processors who are granted access to the data subjects data. This access is controlled by the policies defined by the data controller. This system uses encryption as a means to achieve data privacy via the adoption of a sensitivity level assignment where the sensitivity level assigned to a data object correlates to the level of encryption applied to it i.e., the higher the sensitivity level, the higher the complexity of encryption applied to it and vice versa.
Additionally, Faber et. al. (2019) developed the BPDIMS (Blockchain based Personal Data and Identity Management System) with an aim of empowering users to get control over the usage of their data while facilitating the request and revocation of said data. The proposed system employs smart contracts as a vehicle to drive its functionality whose main purpose is the control of the flow of data by controlling the associated consents from the user (i.e., the data owner). The system is user centric, transparent i.e., the user knows the location of their data at any point in time as well as how its being used, the user has rights to revoke consent for various data operations at any point in time, and the user data is stored in encrypted form with secure storage of the keys. It makes use of three blockchain layers i.e., a smart contract blockchain, an access, blockchain and an identity blockchain. It also adopts an off-chain data repository, and a user interface.
Finally, Cruz, Kaji, and Yanai (2018) proposed a Role based Access Control system using smart contracts that run on the Ethereum blockchain. The RBAC-SC uses smart contracts and blockchain technology as versatile infrastructures to represent the trust and endorsement relationship that are essential in the RBAC and to realize a challenge-response authentication protocol that verifies a user's ownership of roles. A prototype of the smart contract was deployed and is available on GitHub. The study focuses on a trans-organisational scenario and the secure verification of a users role ownership. The following properties are necessary to achieve this: role issuing organisations should be capable of issuing roles as well as other information such as validity periods, they should be able to transparently modify information, they should be capable of revoking roles/permissions, users should be capable of endorsing other users, a users role should be able to undergo verification through a challenge and response process, all functions performed should be recorded on the smart contract blockchain and readily auditable, and finally, an entity should be capable only of specific actions. This system is touted to be less likely to be subject to double spending attacks and 51% attacks as an adversary would need to control a majority of the hashing power participating in the network to be successful.
The primary objective of this paper is to adapt the use of the RBAC-SC methodology for interorganisational use, with a small sized organisation as a scenario. The proposed solution will incorporate features from the RBAC-SC i.e., Smart contracts and a challenge-response protocol (Cruz, Kaji, and Yanai, 2018). It will also The proposed system will be driven by a private blockchain Hyperledger, for enhanced security.
Scope
The research will focus on a small sized, theoretical organisation consisting of four departments; IT, HR, and Finance
Objectives
- Define and design an organisational structure and outline the inter-departmental data sharing requirements.
- Define data access roles for each user role within a department that map to the roles described in Faber et. al. (2019)
- Create a Role Based Access Control for the organisation using Hyperledger Smart Contract and implement access security to the blockchain.
Methodology
The definition and design of the hypothetical organisation will adopt the work of Khler-Bumeier, Wester-Ebbinghaus and Moldt (2009) where an approach to model formal organisations was presented using a Petri net-based model. The model integrates structural, functional and interactional features of an organisation in addition to providing a formal model of business processes comprising of participants with different roles and contexts. The roles assigned to participants will be based on those discussed in the work of Faber et al., (2019) which include User, Service provider, Data purchaser, Data validator. However, these roles will be suitably modified to fit the use case of the hypothetical organisation. The figure below shows a sample structure:
Fig. 1 Organisational structure (Khler-Bumeier, Wester-Ebbinghaus and Moldt, 2009)
Subsequently, a smart contract will be designed on the HyperLedger blockchain as described in the work of Makhdoom et al., (2020). HyperLedger is the technology of choice due to factors such as faster TX times, increased privacy and security among others as described in Makhdoom et al., (2019). Additionally, the design will incorporate a challenge response aspect coded into the smart contract as described by Cruz, Kaji, and Yanai (2018) as well as an access mechanism enabled by REST API utilising dual security in the form of an API Key and OAuth 2.0 (Makhdoom, 2020). As a proof of concept, the model will be deployed on HyperLedger and validated based on different security and performance attributes using the blockchain benchmark tool, HyperLedger Caliper.
Project Plan
|
S/n |
Tasks |
Deliverables |
Resources Required |
Skills Required |
Start Date |
End Date |
Duration (Days) |
|
1 |
Research development of smart contracts on Hyperledger blockchain using JavaScript (node.js) |
Know-how on the development of smart contracts |
Scholarly articles, journals, and blogs on smart contract development. YouTube videos |
Research, critical thinking and coding. |
02/01/2023 |
15/01/2023 |
13 Days |
|
2 |
Research implementation of API Key and OAuth 2.0 using REST API |
Know-how on the implementation of REST API |
Scholarly articles, journals, and blogs on smart contract development. YouTube videos |
Research, critical thinking and coding. |
09/01/2023 |
19/01/2023 |
10 Days |
|
3 |
Design organisational diagram, data sharing requirements and data flow between departments |
A clear picture of how data moves between the different departments in the organisation and the types of data that are shared. |
Sample organisational structures and organograms; available online |
Research, visual design skills, data flow diagram construction. |
19/01/2023 |
23/01/2023 |
4 Days |
|
4 |
Define data access roles and user roles per department |
A role matrix |
Sample organisational role matrices; available online |
Research, critical thinking skills and data organisation skills |
22/01/2023 |
26/01/2023 |
4 Days |
|
5 |
Code smart contract using JavaScript (node.js) on Hyperledger blockchain |
A conceptual design of the proposed Role based access control smart contract for use in the organisation |
How to guides, tutorials on using JavaScript to code, YouTube videos |
Research, coding skills |
27/01/2023 |
26/02/2023 |
30 Days |
|
6 |
Carry out performance tests |
Reports |
Simulation environment |
Application testing skills |
26/02/2023 |
5/03/2023 |
7 Days |
|
7 |
Write thesis |
Research document |
Test results, related journal, articles and knowledge sources. |
Research, writing, critical analysis skills |
06/03/2023 |
30/04/2023 |
55 Days |
|
8 |
Review, amendments and submission |
Final document |
Draft document, Input from supervisors |
Editing, proofreading skills |
03/04/2023 |
30/04/2023 |
27 Days |
Table 1. Project Plan
Fig. 2 Project Gantt Chart
Risk Log
|
Type |
Event |
Likelihood (1-10) |
Impact (1-10) |
Risk Rating (1-100) |
Mitigation Strategy |
|
Technical |
Inadequate time to complete due to need to acquire new skills e.g., coding |
6 |
10 |
60 |
Adequate project planning and management practices will be put in place and adhered to. Timely start of project. |
|
Technical |
Inability to design required organisational model/inability to write code for smart contract |
4 |
10 |
40 |
Early and extensive requirement and knowledge gathering. Relevant learning sources to be consulted and utilized. |
|
Technical |
Loss of data due to system failure |
2 |
10 |
20 |
Continuous data backups will be carried out through out the project timeline |
|
People |
Unavailability of researcher e.g., due to illness |
2 |
6 |
12 |
Adequate planning and allowances for such eventualities in timeline. |
Table 2: Risks associated with the proposed project.
Key:
75Risk very high- urgent action required
50 < 75>Risk high- action as soon as possible
25 < 50>Risk may be acceptable- more analysis required
< 25>Low risk- no gains expected from extra work
Sources and Use of Knowledge
A number of journals are of interest to the researcher that consider the use of blockchain as a mechanism for the management of data access. Some of these articles are conference articles published on IEEE Explore including the work by Zyskind et. al., published in the 2015 IEEE Security and Privacy Workshops and the work by Zheng et. al., published in the 2018 IEEE 20th International Conference on e-Health Networking, Applications and Services (Healthcom). Other journals of related focus areas consulted for the development of this proposal such as the work by Cruz, Kaji, and Yanai, which served as the main inspiration for this proposal was published in volume 6 of the IEEE Access Journal.
In total, over 10 scholarly works of literature on the utilisation of blockchain in different industries ranging from Healthcare to IoT and Business were reviewed by the researched in the development of this proposal.
Upon completion of the research work, the author identifies the IEEE Access Journal as appropriate for possible publication. The reasons cited are the rapid review process, the multidisciplinary nature of the journal and popularity. However, a drawback to publishing in the journal is the quite significant processing cost and low acceptance rate of about 30%. It is noteworthy to state, however, that this low acceptance rate can act as a spur to drive the author to deliver the research as a higher quality.
Statement of Ethics
Due to the nature of the project being proposed, with no aspect of data collection; the dataset required for the execution of the project would be built entirely from scratch, there is no ground for the processing of personal information. Due care would be observed in ensuring that open sources resources are used in the execution of the project while adhering to laws governing the use of intellectual property and general caution will be exercised to ensure observance of all relevant legislation as well as ethical and professional standards. All references made to information recovered from journals and papers used within this proposal have been properly referenced.
References
Ali, S.T. (2015). Bitcoin: Perils of an Unregulated Global P2P Currency (Transcript of Discussion).Security Protocols XXIII, 9379, pp.294306.
Antoci, A., Bonelli, L., Paglieri, F., Reggiani, T. and Sabatini, F. (2019). Civility and trust in social media.Journal of Economic Behavior & Organization, 160, pp.8399.
Ayaburi, E.W. and Treku, D.N. (2020). Effect of penitence on social media trust and privacy concerns: The case of Facebook.International Journal of Information Management, 50, pp.171181.
Bhme, R., Christin, N., Edelman, B. and Moore, T. (2015). Bitcoin: Economics, Technology, and Governance.Journal of Economic Perspectives, 29(2), pp.213238.
Cruz, J.P., Kaji, Y. and Yanai, N. (2018). RBAC-SC: Role-Based Access Control Using Smart Contract.IEEE Access, 6, pp.1224012251.
Cui, L., Xie, G., Qu, Y., Gao, L. and Yang, Y. (2018). Security and Privacy in Smart Cities: Challenges and Opportunities.IEEE Access, 6, pp.4613446145.
Faber, B., Michelet, G.C., Weidmann, N., Mukkamala, R.R. and Vatrapu, R. (2019).BPDIMS:A Blockchain-based Personal Data and Identity Management System. [online] scholarspace.manoa.hawaii.edu. Available at: https://hdl.handle.net/10125/60121 [Accessed 19 Apr. 2022].
Foerderer, J. and Schuetz, S.W. (2022). Data Breach Announcements and Stock Market Reactions: A Matter of Timing?Management Science.
Harlev, M.A., Sun Yin, H., Langenheldt, K.C., Mukkamala, R. and Vatrapu, R. (2018). Breaking Bad: De-Anonymising Entity Types on the Bitcoin Blockchain Using Supervised Machine Learning.Proceedings of the 51st Hawaii International Conference on System Sciences.
Hussain, A., Lasrado, L.A., Mukkamala, R.R. and Tanveer, U. (2021). Sharing Is Caring Design and Demonstration of a Data Privacy Tool for Interorganizational Transfer of Data.Procedia Computer Science, 181, pp.394402.
Jeong, M. and Zo, H. (2021). Preventing insider threats to enhance organizational security: The role of opportunity-reducing techniques.Telematics and Informatics, 63, p.101670.
Jung, K. (2021). Extreme Data Breach Losses: An Alternative Approach to Estimating Probable Maximum Loss for Data Breach Risk.North American Actuarial Journal, 25(4), pp.124.
Kaaniche, N. and Laurent, M. (2017).A blockchain-based data usage auditing architecture with enhanced privacy and availability. [online] IEEE Xplore. Available at: https://ieeexplore.ieee.org/abstract/document/8171384 [Accessed 21 May 2021].
Khler-Bumeier, M., Wester-Ebbinghaus, M. and Moldt, D. (2009). A Formal Model for Organisational Structures behind Process-Aware Information Systems.Transactions on Petri Nets and Other Models of Concurrency II Lecture Notes in Computer Science, [online] 5460, pp.98114. Available at: https://www.researchgate.net/profile/Michael-Koehler-Bussmeier/publication/220399231_A_Formal_Model_for_Organisational_Structures_behind_Process-Aware_Information_Systems/links/563ce01008aec6f17dd7e198/A-Formal-Model-for-Organisational-Structures-behind-Process-Aware-Information-Systems.pdf [Accessed 21 Apr. 2022].
Langlois, P. (2020).2020 Data Breach Investigations Report. [online] Verizon. Available at: https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2020/07/The-2020-Verizon-Data-Breach-Investigations-Report-DBIR.pdf [Accessed 28 Apr. 2022].
Makhdoom, I., Abolhasan, M., Abbas, H. and Ni, W. (2019). Blockchains adoption in IoT: The challenges, and a way forward.Journal of Network and Computer Applications, 125, pp.251279.
Makhdoom, I., Zhou, I., Abolhasan, M., Lipman, J. and Ni, W. (2020). PrivySharing: A Blockchain-Based Framework for Privacy-Preserving and Secure Data Sharing in Smart Cities.Computers & Security, p.101653.
Nakamoto, S. (2008).Bitcoin: A Peer-to-Peer Electronic Cash System. [online] Available at: https://www.debr.io/article/21260.pdf [Accessed 25 Mar. 2022].
Neisse, R., Steri, G. and Nai-Fovino, I. (2017). A Blockchain-based Approach for Data Accountability and Provenance Tracking.Proceedings of the 12th International Conference on Availability, Reliability and Security - ARES 17, 14.
Ou, C.X., Zhang, X., Angelopoulos, S., Davison, R.M. and Janse, N. (2022). Security breaches and organization response strategy: Exploring consumers threat and coping appraisals.International Journal of Information Management, 65, p.102498.
Puthal, D., Nepal, S., Ranjan, R. and Chen, J. (2016). Threats to Networking Cloud and Edge Datacenters in the Internet of Things.IEEE Cloud Computing, 3(3), pp.6471.
Roy Sarkar, K. (2010). Assessing insider threats to information security using technical, behavioural and organisational measures.Information Security Technical Report, 15(3), pp.112133.
Safa, N.S., Maple, C., Watson, T. and Von Solms, R. (2018). Motivation and opportunity based model to reduce information security insider threats in organisations.Journal of Information Security and Applications, 40, pp.247257.
Yusop, Z.M. and Abawajy, J. (2014). Analysis of Insiders Attack Mitigation Strategies.Procedia - Social and Behavioral Sciences, [online] 129, pp.581591. Available at: https://www.sciencedirect.com/science/article/pii/S1877042814028985 [Accessed 3 May 2020].
Zheng, X., Mukkamala, R.R., Vatrapu, R. and Ordieres-Mere, J. (2018). Blockchain-based Personal Health Data Sharing System Using Cloud Storage.2018 IEEE 20th International Conference on e-Health Networking, Applications and Services (Healthcom).
Zyskind, G., Nathan, O. and Pentland, A. Sandy (2015). Decentralizing Privacy: Using Blockchain to Protect Personal Data.2015 IEEE Security and Privacy Workshops.
