This chapter provides an overview from DAMA-DMBOK2 on data security (excerpted from pages 217-226), and then covers the additional data security responsibilities needed for blockchain to work well within our organizations.

Overview from DAMA-DMBOK2

Data security includes the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets. The specifics of data security (which data needs to be protected, for example) differ between industries and countries. Nevertheless, the goal of data security practices is the same: to protect information assets in alignment with privacy and confidentiality regulations, contractual agreements, and business requirements.

Risk reduction and business growth are the primary drivers of data security activities. Ensuring that an organization’s data is secure reduces risk and adds competitive advantage. Security itself is a valuable asset.

Data security risks are associated with regulatory compliance, fiduciary responsibility for the enterprise and stockholders, reputation, and a legal and moral responsibility to protect the private and sensitive information of employees, business partners, and customers. Organizations can be fined for failure to comply with regulations and contractual obligations. A data breach can cost a company the loss of their reputation and their customers’ confidence.

As with other aspects of data management, it is best to address data security as an enterprise initiative. Without a coordinated effort, business units will find different solutions to security needs, increasing overall cost while potentially reducing security due to inconsistent protection. Ineffective security architecture or processes can be costly—both through breaches and lost productivity. An operational security strategy that is properly funded, systems-oriented, and consistent across the enterprise will reduce these risks.

A vulnerability is a weaknesses or defect in a system that allows it to be successfully attacked and compromised—essentially a hole in an organization’s defenses.

Examples of vulnerabilities include network computers with out-of-date security patches, web pages not protected with robust passwords, users not trained to ignore email attachments from unknown senders, or corporate software unprotected against technical commands that will give the attacker control of the system.

A threat is a potential offensive action that could be taken against an organization. Threats can be internal or external. They are not always malicious. An uninformed insider can take offensive actions against the organization without even knowing it. Threats may relate to specific vulnerabilities, which then can be prioritized for remediation.

Examples of threats include virus-infected email attachments being sent to the organization, processes that overwhelm network servers and result in an inability to perform business transactions (also called denial-of-service attacks), and exploitation of known vulnerabilities.

Depending on the size of the enterprise, the overall Information Security function may be the primary responsibility of a dedicated Information Security group, usually within the Information Technology (IT) area. Larger enterprises often have a Chief Information Security Officer (CISO) who reports to either the CIO or the CEO. In organizations without dedicated Information Security personnel, responsibility for data security will fall on data managers. In all cases, data managers need to be involved in data security efforts.

In large enterprises, the information security personnel may let specific data governance and user authorization functions be guided by the business managers. Examples include granting user authorizations and data regulatory compliance. Dedicated information security personnel are often most concerned with the technical aspects of information protection, such as combating malicious software and system attacks. However, there is ample room for collaboration during development or an installation project.

Additional responsibilities due to blockchain

Data breaches and thefts often make the front page of newspapers and headlines on all media outlets. This sensationalism, combined with increased regulations on protecting data, such as the General Data Protection Regulation (GDPR), make security functions the most visible functions in IT.

Blockchain mitigates security risks in some areas, such as identity theft. It could also expose additional security risks in other areas, such as fraudulent transactions (frequently called “double spends” in blockchain).

Collaborating across organizations

The first guiding principle of security is collaboration. There are many roles involved within an organization, and these roles must work together to protect the entire organization from security breaches. In blockchain applications, the collaboration most likely will extend outside organizational boundaries and involve IT security administrators, data stewards, audit teams, and legal departments from multiple organizations who will need to work together.

Preventing fraudulent transactions

As mentioned earlier, it is possible for an individual or organization to control enough of the recordkeepers to impact consensus of a transaction. For example, if buying a Tesla requires 60% of the recordkeepers to confirm a transaction, and the purchaser controls at least 60% of the recordkeepers, the purchaser can initiate the transaction without paying, have the recordkeepers confirm the transaction was successful, and have the car shipped without payment.

The information security function will need to ensure the system is not compromised. Additional controls will need to be put in place to reduce or eliminate these types of threats.

Protecting private keys

Additionally, the information security function must do what can be done to protect personal and organization private keys.

We often hear about it in the news when mass quantities of credit card numbers or social security numbers are stolen. Imagine someone’s private key being stolen. A private key may have access to money, deeds, intellectual properties, accomplishments, and much more. If someone obtains someone else’s private key, it would be the most extreme form of identity theft. It would also be anonymous; for certain types of theft, there is very little chance of catching a perpetrator.

In addition to protecting private keys via software, information security professionals may conduct training sessions to educate employees on security concerns with blockchain.