Blockchain has become one of the biggest technological surges of this century. It has been, and still is, primarily used by individuals for unregulated financial transactions. However, if blockchain is going to live on and have a lasting impact, it will need to be adopted by businesses.
In this article we’ll be discussing why blockchains need to become auditable, and how this functionality will promote a wider development of this emerging technology.
As financial transactions are the most popular and intuitive use of blockchain, a business that intends to use it for them needs to be able to audit the chain: to establish the validity and integrity of transactions and to demonstrate compliance with regulations.
Several features of blockchains make them auditable, and several things stand in the way. Businesses must meet substantial standards to satisfy banking and PCI requirements, and these must be taken into account when considering blockchain adoption.
Strictly speaking, blockchain transactions can be verified for auditing already.
Here are some features that enable this verification.
All transactions on a blockchain are visible to the nodes in the network (although the data a transaction refers to is not necessarily stored on the chain). This visibility lets auditors view and verify transactions almost immediately. Distribution means that every full node holds a copy of the same ledger, so auditors need not spend time reconciling separate databases; they can even run a full node of their own rather than rely on a copy handed to them by the auditee.
Blockchains are built on cryptography: hash functions link blocks together, and digital signatures authorise transactions. The same primitives can be used to verify files and data held off the chain. A hash cannot be reversed to recover its input, but anyone who holds the input can recompute the hash and compare it. For example, if a company records the hash of an invoice on a blockchain, an auditor can verify that the invoice in the company's records is the one that was committed to: hash the recorded file and compare the output with the hash on the chain. The invoice itself never leaves the company, yet anyone with the file and permission to read the chain can verify it. Note that this is hashing, not encryption: the hash reveals nothing about the document, but neither can the document be recovered from it.
One of the reasons that blockchain is so well suited to virtual currencies is that entries in the ledger cannot be altered retroactively without the change being detectable: each block carries the hash of its predecessor, so changing one record invalidates every later block. If auditors trust the validators who produce blocks (or hold an independently obtained copy of the latest block hash), they need not worry about transactions having been deleted or tampered with after the fact.
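The two checks described above, verifying an off-chain document against its on-chain hash and verifying that the hash links between blocks are intact, in a miniature ledger. This is an added example written for this article, not code from the original page or from any real blockchain; the block layout, the invoice bodies and the identifiers are all constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS_PREV = "0" * 64  # prev_hash of the first block (assumed convention)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    # (invoice_id, sha256 of the off-chain invoice file); the file itself never goes on chain
    records: Tuple[Tuple[str, str], ...]

    def hash(self) -> str:
        # Canonical serialisation so every node derives the same block hash.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "records": self.records},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return sha256_hex(payload)


def commit(document: bytes) -> str:
    """What is recorded on chain for a document: its hash, not its content."""
    return sha256_hex(document)


def append_block(chain: List[Block], records: Dict[str, bytes]) -> Block:
    """Add a block whose prev_hash links it to the current tip of the chain."""
    prev = chain[-1].hash() if chain else GENESIS_PREV
    block = Block(len(chain), prev, tuple((iid, commit(doc)) for iid, doc in sorted(records.items())))
    chain.append(block)
    return block


def verify_chain(chain: List[Block], trusted_tip: Optional[str] = None) -> bool:
    """Recompute every link. trusted_tip is the latest block hash fetched from an independent node."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False
        expected_prev = block.hash()
    return trusted_tip is None or expected_prev == trusted_tip


def verify_document(chain: List[Block], invoice_id: str, document: bytes) -> bool:
    """Auditor's check: hash the copy from the company's records and compare with the on-chain hash."""
    for block in chain:
        for iid, doc_hash in block.records:
            if iid == invoice_id:
                return hmac.compare_digest(doc_hash, commit(document))
    return False  # no such commitment on the chain


def tampered_copy(chain: List[Block], invoice_id: str, forged: bytes, rebuild_links: bool) -> List[Block]:
    """Insider rewrites one record. Without rebuild_links the next block's prev_hash no longer matches;
    with it every later block is recomputed, which only a tip hash held outside the attacker's reach catches."""
    out: List[Block] = []
    for block in chain:
        records = tuple((iid, commit(forged) if iid == invoice_id else h) for iid, h in block.records)
        prev = (out[-1].hash() if out else GENESIS_PREV) if rebuild_links else block.prev_hash
        out.append(Block(block.index, prev, records))
    return out


# Constructed sample invoice bodies (not real documents).
INVOICE_2023_001 = b"INV-2023-001\nAcme Ltd\nTotal: 1,250.00 EUR\n"
INVOICE_2023_002 = b"INV-2023-002\nAcme Ltd\nTotal: 980.00 EUR\n"
INVOICE_2023_003 = b"INV-2023-003\nAcme Ltd\nTotal: 3,400.00 EUR\n"


def build_demo_chain() -> List[Block]:
    chain: List[Block] = []
    append_block(chain, {"INV-2023-001": INVOICE_2023_001})
    append_block(chain, {"INV-2023-002": INVOICE_2023_002})
    append_block(chain, {"INV-2023-003": INVOICE_2023_003})
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    tip = chain[-1].hash()  # an auditor would obtain this from a node they run themselves
    print("chain ok:", verify_chain(chain, tip))
    print("invoice 002 matches records:", verify_document(chain, "INV-2023-002", INVOICE_2023_002))
    forged = INVOICE_2023_002.replace(b"980.00", b"9800.00")
    print("forged invoice matches:", verify_document(chain, "INV-2023-002", forged))
    naive = tampered_copy(chain, "INV-2023-002", forged, rebuild_links=False)
    print("naive tamper detected:", not verify_chain(naive))
    careful = tampered_copy(chain, "INV-2023-002", forged, rebuild_links=True)
    print("rebuilt chain passes self-check:", verify_chain(careful))
    print("rebuilt chain caught by trusted tip:", not verify_chain(careful, tip))
```

Two caveats a practitioner would add. First, the last case shows why "nothing can be altered" depends on who holds the copies: an insider who controls every node can rewrite and re-link the whole chain, so the auditor's defence is a tip hash obtained from a node the auditee does not control. Second, a plain hash of a small, predictable document (an invoice with a handful of fields) can be brute-forced from the chain; in practice the company hashes the document together with a random salt kept alongside the off-chain record, and hands the salt to the auditor with the file.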
These are a few features common across blockchains that make them well suited and ready to be audited. However, other factors come into play when auditing for regulatory compliance.
If this technology is going to handle payment card data it must comply with the Payment Card Industry Hardware Security Module (PCI HSM) and Data Security Standard (PCI DSS) requirements. The PCI HSM standard demands measures such as resistance to attacks that glean sensitive information from the physical characteristics of the device (power consumption, electromagnetic emissions, etc.). Each cryptographic key may be used for only one function, and random number generators must be unpredictable. Essentially these standards require that hardware which handles customer card data be sufficiently secure. PCI DSS groups its twelve requirements under six control objectives, among them building and maintaining a secure network and systems, protecting cardholder data, regularly monitoring and testing networks, and maintaining an information security policy.
These compliance obligations are extensive, and one more thing to consider for companies attempting to integrate a new technology like blockchain. Here are the factors that make it less than easy for businesses to use blockchains and remain compliant.
One of blockchain’s strengths is also a weakness. Because every transaction on the network is visible to all nodes, keeping data private has to be done via encryption, or by keeping the data off the chain entirely and recording only its hash. The PCI standards are strict about who may access cardholder data and how it is protected, and some data (the full magnetic stripe, the card verification code and the PIN) may not be stored after authorisation at all, encrypted or not, which sits badly with a ledger from which nothing can be deleted. So for blockchain to be used in compliance with these standards there is a lot of work to be done on regulating network visibility and access.
Decentralization is fundamental to blockchain, both architecturally and ideologically, but it is a weakness when it comes to auditing. Verifying and checking for compliance is easiest when all the information being evaluated is centralized in one place, and that is not how blockchains work. However, on most blockchains each full node holds a complete copy of the ledger identical to every other node’s. For large public blockchains there are block explorer websites where transfers, contracts, nodes, miners, decentralized applications and anything else on the chain can be viewed. If auditors trusted such a site it could be a useful tool in the auditing process, although relying on it reintroduces a trusted third party; running a full node and querying it directly avoids that. Decentralized hardware (any node with the right hardware may mine on the network) could also be an issue, but if a business used a proof-of-authority blockchain, in which blocks are produced by a fixed set of approved validators rather than by miners, and kept those validator nodes in one place, the hardware that needs checking would all be in one location for easy audit access.
The security of a system or process depends heavily on confidence in the identity of the people logging into the system and conducting the transactions. Consequently the authentication of users is also an area that needs to be auditable and non-repudiable: a transaction signed with a key must be attributable to a specific, verified person, not merely to whoever happened to hold the key.
Blockchains share characteristics and functionality, but they come in all shapes and sizes and there is no standardization of how a blockchain is constructed: how blocks are validated, what hardware is needed for the different roles in the network, and other things that matter greatly for auditing and checking for regulatory compliance. To allow such checks there will need to be standards that can be tested across companies, so that auditors do not have to learn all the nuances of a new, unique chain each time they audit a different company.
As with architecture, the underlying hardware needed for the different roles in a distributed network varies. The PCI HSM requirements are extensive, and for businesses using blockchain to be compliant there will need to be some industry-wide standardization. Without it we will run into the same problem as with the lack of architectural standardization: auditors will have to adapt to and assess hardware on a per-company basis.
While blockchain holds a lot of potential for businesses, particularly in finance, we are still in the experimentation phase of this technology. Banking and PCI requirements are extensive and necessary to keep customer and company data safe, and if blockchain is going to become widely adopted it needs to enable and facilitate auditing against those requirements, not hinder it.
This series tries to shed light on important security-related aspects of blockchains and discuss some of the loopholes currently emerging. The first article looks at expected developments in blockchain technology over the next 10 years. In this second article we argue why blockchains will need to be auditable for successful business adoption. The third article discusses how the eIDAS regulation on digital signatures can help make blockchains auditable.