Written by: Stephen K. Ryan, CCSFP
Blockchain is making waves in almost every industry, and it’s becoming more important for organizations to consider how the use of blockchain can introduce new risks into System and Organization Controls (SOC) audits. Obtaining a SOC report is a crucial way for organizations to assure customers and stakeholders they have appropriate controls in place, and that those controls are operating effectively to address security, availability, processing integrity, confidentiality, and privacy principles.
The American Institute of Certified Public Accountants (AICPA) recently released an article discussing what service auditors should consider when issuing a SOC report. The article focuses on controls regarding integrity and non-repudiation and how they apply to the three different types of a blockchain:
- Permissionless Public Blockchain – Anyone with internet access can join the blockchain to read, write, and send transactions
- Permissioned Private Blockchain – Only permissioned users can join the blockchain to read, write, and send transactions
- Hybrid Blockchain – Access to information recorded in the blockchain and other functionality may be restricted to specified participants, while access to other information is available to all
There are specific types of controls expected for blockchain technologies, and organizations must consider these requirements when designing a control environment or preparing for a SOC audit.
Blockchain Security Risks
There are many new and challenging risks blockchain presents to organizations. The following risks and mitigation controls aren’t all-inclusive, and are designed to serve as a foundation to consider when designing and implementing controls. There may be additional risks relevant to the unique circumstances related to a particular organization’s environment.
Access Management Risk and Controls
Access control mechanisms are one of the biggest risks on blockchain. No matter the type of blockchain being used, a lack of adequate access controls increases the risk of unauthorized transactions or disclosures of confidential business or personal information. Additionally, unauthorized or unauthenticated participants may have inappropriate read or write access to transactions recorded in the blockchain.
Access to the blockchain is granted through the use of cryptographic keys, which act similarly to user credentials in traditional systems. An organization should develop controls to address strong cryptographic key provisioning and de-provisioning, similar to how organizations grant access to various systems already in use. Hardware security modules (HSMs) are widely used in information technology (IT) environments to handle cryptographic key management. Designing SOC controls for these specialized hardware components is vital for any blockchain related application. Once keys are administered to users, the organization should have controls in place to perform ongoing oversight on their use. The organization should enable audit logging to record and identify suspicious or unusual access and behavior regarding the keys.
All alerts and logs should be periodically reviewed and investigated to detect and respond to unauthorized or suspicious activity quickly. An organization should also perform periodic reviews on who can manage HSMs, and the keys themselves, to ensure access is still appropriate and is based on the principle of least privilege.
In addition to user access rights administration and ongoing monitoring, the company must create controls regarding the design and development of the cryptographic key. Controls should be focused on a strong key lifecycle in alignment with industry best practices. The lifecycle should focus on:
- Design and development
- How the cryptographic key architecture was tested and the test results
- Whether the cryptographic keys have been split into multiple parts (shards), where a subset of those parts is used to recover the original cryptographic key; the names and titles of the individuals to which the shards have been distributed
- If multi-signature cryptographic keys are used and the titles of the parties who must agree before a transaction can occur
- Key generation
- The date the cryptographic key architecture was implemented and the keys generated
- Where and how the keys are stored and whether access to the keys is restricted to only authorized individuals and systems that need access to perform their job duties and functions
- The inventory of cryptographic keys maintained by the service organization, including the names and titles of individuals with access to the keys and controls over the inventory’s completeness and accuracy
- Retirement of the keys
- The removal of the key’s ability to access the blockchain and the secure disposal of the keys
Consensus Mechanisms and Protocols
The integrity of the blockchain can become compromised because of the consensus mechanisms that it’s built on. This can be done via a “51% attack” (an attack on a blockchain by a group of miners who control more than 50% of the network’s computing power), compromise or failure of the consensus mechanisms or protocols, or weak hashing methods.
The main way to prevent a “51% attack” is to increase the number of nodes with access to the blockchain. Having fewer nodes gives each individual node more power. This will also mean that fewer nodes will have to agree to conduct a successful transaction.
Besides the addition of more nodes, an organization should conduct a periodic review of transaction activity to make sure all transactions are appropriate and in alignment with organizational policies. If a transaction is incorrect, the organization should develop a process to investigate the transaction and invalidate it if necessary.
To mitigate the risk of a mechanism failure of obsolescence, the organization should create strong development practices for consensus mechanisms that align with industry best practices. A strong change management process should be present for any changes that need to be made to the consensus mechanisms and underlying protocols to ensure only authorized, appropriate, and tested changes are pushed to production. Finally, the organization should have strong hashing methods to reduce the risk of unauthorized changes, destruction, or disclosure of information.
Smart Contracts and Oracles
Smart contracts are lines of code stored on a blockchain that automatically execute when predetermined terms and conditions are met. Smart contracts are fed information through the use of Oracle. Risks associated with smart contracts and Oracle include:
- Coding errors
- Failure of the governing law and jurisdiction specified in the contract to recognize and enforce the rights and obligations of all parties to the transaction
- Financial losses to one or more of the parties on the transaction, or in a misstatement of the user entity’s financial statements
- Inadequate testing of smart contracts resulting in transactions being processed out of the intended sequence
To diminish risk posed by smart contracts, organizations should monitor their development and amendments. During the creation of the smart contracts, strict development procedures should be followed to ensure coding errors and inadequate testing of the contract are mitigated to prevent transactions from being processed out of the intended sequence. Once a contract is created, it should be reviewed by an independent third party to ensure it functions as intended, and the rights and obligations of all parties on the transaction are recognized and enforced by the specified governing law and jurisdiction.
Once appropriately developed, tested, reviewed, and implemented, the organization should follow a stringent change control process to prevent unauthorized changes to smart contracts, which may affect the processing of transactions. All changes to the contract should be authorized, tested, and approved prior to implementation.
General Environment Controls
There are general system controls to consider when designing a control environment for a SOC report. An organization should have strong communication channels and integrity checks to make sure all data has been captured, and that data hasn’t been switched in transit with information that’s being transmitted from the chain to other external systems. Additionally, the organization will need to implement controls to monitor the blockchain to ensure transactions have occurred. This can be done through reconciliations from the blockchain.
An organization will also need controls around the participants and privacy of their data. In regards to participants, the organization must clarify that there are no conflicting interests among the participants, members, and users of the blockchain. This can be accomplished with a strong onboarding process that includes background checks and interviews with new employees. Ongoing monitoring of employees should be conducted so new conflicts don’t arise.
For privacy, an organization must review applicable laws and regulations related to the purported immutability of records, such as the right to be forgotten. To align with laws and regulations, the organization should develop procedures to correct, amend, or redact personal information previously added to the blockchain when the consensus mechanism doesn’t allow changes to records. The best way to mitigate this risk will be for an organization to implement strong training, policies, and data loss prevention mechanisms so personally identifiable information is never added directly to the blockchain. This will align user privacy with applicable obligations and make sure the blockchain has the correct information.
Although this isn’t a complete list of blockchain technology risks an organization will face during implementation or preparation for a SOC certification, it encompasses the foundational controls the company should build off to ensure the security, integrity, confidentiality, availability, and privacy of the blockchain.
Prior to engaging a SOC audit, all blockchain organizations should undergo a SOC Readiness Review. This will allow an organization to identify any control gaps, and will give them the proper time needed to remediate these gaps before engaging a SOC audit. Having a good relationship with an audit firm that understands SOC requirements and how your blockchain works is strongly encouraged.