To provide data protection and privacy ensuring integrity, accountability and to resolve legal and provenance specific issues, TCS’ Enterprise Security and Risk Management (ESRM) Unit has partnered with Ericsson (KSI Blockchain platform provider) and Guardtime (KSI Blockchain Technology provider) to jointly work towards developing solutions using Keyless Signature Infrastructure (KSI) Blockchain technology.
Mostly, enterprises follow the traditional approach of building a fence around the data, but this approach has following fundamental flaws:
- You can’t be 100% sure whether the fence is working (no instrumentation)
- Supervisors, courts and the public have no transparency
- Cloud computing blurs the perimeter
- Maximum number of electronic fraud is conducted by insiders
Because of the volatile nature of electronic data, any hacker knows how to delete or manipulate logs to cover his tracks and attribute his activity to an innocent party, which is why attribution of crimes on the internet is so difficult. Integrity is the gaping security hole. A loss of integrity is what leads to data breaches, introduced by malware, viruses or malicious insiders.
There is great need for you to know,
- Where is your data?
- Who is accessing your data?
- Has your data changed?
- How can you trust the service provider?
Keyless Signature (KSI) is a Hash-tree based industrial scale Blockchain technology that is part of data security. This technology provides real-time massive scale data integrity validation, time stamping and signature signer identification services. It provides proof of time and integrity of electronic data as well as attribution of origin. KSI uses formal mathematical methods to independently authenticate any type of electronic data, at scale, in real time, without the need of trusted keys, cryptographic secrets, or credentials that can be compromised. Privacy is assured. With KSI, digital assets acquire immutable properties with forensic proof for provenance, security and integrity. The signed data is preserved in KSI Blockchain which later can be verified to know signing time, signing entity and most importantly data integrity. The following image indicates the importance of data integrity.
KSI helps you to continuously verify the integrity of your electronic data to:
- Detect whether data has not been manipulated or tampered
- Alert in the event of detection
- Mitigate, either manually or automatically, in the event of an alert
There are no keys to be compromised or to revoke in KSI. This fundamentally changes the security paradigm. It is important to understand that if data integrity relies on secrets like keys or trusted personnel, when these trust anchors are exploited there becomes an unlimited liability for the data protected by those trust anchors. This occurs because there is no way to determine what has happened to the data signed by those private keys or maintained by those trusted personnel. Evidence can be eliminated; data changes can occur without oversight; and log/event files can be altered. The exploiters can provide the picture they want you to see. Keyless signatures will remedy this problem.
What makes KSI hashtree Blockchain unique?
- Scale-Free : The system can be built out to sign and verify an exabyte per second
- Real-Time : The signatures can be verified in real time
- Offline : The system does not require network connectivity for verification
- Trust Free : Does not rely on key-stores, administrators or trusted third parties
- Indefinite Expiry : The signatures do not have an operational lifetime
- Post Quantum : The system will work even after the realization of quantum computers i.e. they do not rely on traditional asymmetric key or elliptic curve cryptography
- Portable : Data can be verified even after that data has crossed organizational boundaries
- Carrier Grade : The system delivers 99.999% availability
Some use-cases of KSI hashtree Blockchain and how it can help enterprises?
- Provides data security and protection from Insider threats: It will help maintain a known good state and detect unauthorized changes to your data, assets and systems with 100% certainty and accuracy. Provides early warning system into the integrity breaches by constant re-verification of existing signatures, making it possible to discover and remedy any vulnerabilities before large-scale damages can occur and ensure business continuance. It detect privileged users who abuse credentials.
- New way to audit digital assets: It can enable mutual auditability of information systems to allow stakeholders to know the cause of a breach, mitigate the risk of breach escalation in real time and provide indemnification against subrogation and other legal claims
- Zero-day malware mitigation and critical infrastructure audit compliance: Malware detection systems depend on known vulnerabilities and can’t protect against zero-day attacks.
- Solves audit and compliance issues: A user can independently verify which actions they performed, and which ones were performed by someone else. Most importantly, an auditor (or any other 3rd party for that matter) can also determine which actions were completed by which parties. Also, helps regulators to independently verify the authenticity of your data
IoT software supply chain:
- Provides complete tamper evident chain of custody from data capture to storage Authorized to long-term archiving
- Real-time verification of executable code ensure that only valid code is executed, thus making it impossible to inject malware or otherwise tamper with authorized set of instructions
- Reduce data audit and verification complexity, cost and time
- Solves issues related to provenance and ownership of data/assets
- Helps in simplifying service-level agreements, pinpoints liability in the event of accidental or malicious compromise, and indemnifies independent data providers from legal claims.
Authored by Yogesh Kumar Sharma
TCS Enterprise Security and Risk Management