The APQC Blog

Blockchain Security: Insights from XChain2

Blockchain for business: It is no longer just a concept; organizations are actively creating solutions. There is currently a great deal of experimentation and investment in this emerging technology. Even hosting and cloud vendors (e.g., Amazon Web Services) are now moving to offer blockchain.

However, while there is increasing interest, many enterprise leaders are still tentative. During the first day of XChain2: Blockchain for Supply Chain and Logistics Forum, leading blockchain thinkers and early adopters discussed some of the major hurdles to implementation.

Not surprisingly, one of the biggest areas of concern about blockchain is privacy. Several of the speakers from organizations including ChainLink Research, Accenture, Deloitte, Hyperchain Labs, and Context Labs discussed concerns about the risk of using a public blockchain (aka a “permissionless” blockchain that is fully decentralized) due to the sensitivity about sharing trade secrets and data with other unknown parties. Without getting into all the technical details, “permissioned” or private blockchains have been developed to minimize this friction between parties via a trusted network.

The two main reasons for using a private (or permissioned) blockchain, as articulated by Chris Gabriel of Hyperchain Labs, are to:

  1. Reduce costs to improve margins, and
  2. Achieve better regulatory compliance/safety.

As organizations seek to take advantage of the benefits of permissioned blockchains, governance—especially “identity proofing”—becomes critical. A central authority (e.g., one of the key players in the blockchain or a trusted third party) must authenticate and approve participants as a means of controlling access.

Not all players need access to the entire blockchain, so role-based access and role-based storage can address that concern. Other vital considerations include the need to comply with data privacy regulations such as GDPR. Therefore, the XChain2 presenters caution organizations to avoid putting any personally identifiable information (PII) or personal health information (PHI) on the blockchain; it should include only operationally required data.
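The three governance controls described above (a central authority that admits participants, role-based read/write access per record type, and a data-minimization check that keeps PII/PHI off the ledger) can be sketched in a few dozen lines. The following is an added illustration written for this post, not code from APQC, the XChain2 presenters or any of the named vendors; the roles, record types, denylisted field names and sample payloads are constructed assumptions, and the hash-chained list stands in for a real permissioned ledger.

```python
"""Toy permissioned ledger illustrating identity proofing, role-based access
and an on-chain PII/PHI denylist. Added example; constructed policy and data."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed policy: which record types each role may read or write.
POLICY = {
    "shipper": {"read": {"shipment"}, "write": {"shipment"}},
    "carrier": {"read": {"shipment", "customs"}, "write": {"customs"}},
    "auditor": {"read": {"shipment", "customs"}, "write": set()},
}

# Hypothetical denylist of field names that must never reach the chain.
PII_FIELDS = {"driver_name", "ssn", "date_of_birth", "patient_id", "diagnosis"}


class AccessDenied(Exception):
    """Participant is not admitted, or its role lacks the requested action."""


class PolicyViolation(Exception):
    """Payload contains data the governance policy forbids on chain."""


@dataclass
class Block:
    index: int
    record_type: str
    payload: dict
    author: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class PermissionedLedger:
    authority: str                                   # identity proofing authority
    members: dict = field(default_factory=dict)      # participant -> role
    chain: list = field(default_factory=list)

    def admit(self, approver: str, participant: str, role: str) -> None:
        # Only the central authority may approve (identity-proof) a participant.
        if approver != self.authority:
            raise AccessDenied(f"{approver} may not admit participants")
        if role not in POLICY:
            raise ValueError(f"unknown role {role}")
        self.members[participant] = role

    def _authorize(self, participant: str, action: str, record_type: str) -> None:
        role = self.members.get(participant)
        if role is None:
            raise AccessDenied(f"{participant} is not an admitted participant")
        if record_type not in POLICY[role][action]:
            raise AccessDenied(f"{role} may not {action} {record_type} records")

    def append(self, participant: str, record_type: str, payload: dict) -> Block:
        self._authorize(participant, "write", record_type)
        leaked = PII_FIELDS & set(payload)           # data-minimization check
        if leaked:
            raise PolicyViolation(f"PII/PHI fields rejected: {sorted(leaked)}")
        prev = self.chain[-1].hash if self.chain else "0" * 64
        block = Block(len(self.chain), record_type, payload, participant, prev)
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def read(self, participant: str, record_type: str) -> list:
        # Role-based storage view: a reader only sees record types its role allows.
        self._authorize(participant, "read", record_type)
        return [b.payload for b in self.chain if b.record_type == record_type]

    def verify(self) -> bool:
        # Every block must hash correctly and point at its predecessor.
        for i, b in enumerate(self.chain):
            expected_prev = self.chain[i - 1].hash if i else "0" * 64
            if b.prev_hash != expected_prev or b.hash != b.compute_hash():
                return False
        return True


def demo() -> dict:
    """Walk through admission, allowed/denied writes and a PII rejection."""
    ledger = PermissionedLedger(authority="consortium-admin")
    ledger.admit("consortium-admin", "acme-shipping", "shipper")
    ledger.admit("consortium-admin", "ocean-lines", "carrier")
    ledger.admit("consortium-admin", "ext-auditor", "auditor")
    ledger.append("acme-shipping", "shipment", {"po": "PO-1001", "cartons": 40})
    ledger.append("ocean-lines", "customs", {"po": "PO-1001", "hs_code": "8471.30"})
    outcome = {"blocks": len(ledger.chain), "chain_ok": ledger.verify()}
    try:   # a shipper has no write right on customs records
        ledger.append("acme-shipping", "customs", {"po": "PO-1001"})
    except AccessDenied:
        outcome["shipper_customs_write"] = "denied"
    try:   # a payload carrying a person's name is refused before it is hashed
        ledger.append("acme-shipping", "shipment", {"po": "PO-1002", "driver_name": "J. Doe"})
    except PolicyViolation:
        outcome["pii_write"] = "rejected"
    outcome["auditor_customs_rows"] = len(ledger.read("ext-auditor", "customs"))
    return outcome


if __name__ == "__main__":
    print(demo())
```

The denylist is deliberately the simplest possible data-minimization control; in practice a schema allowlist per record type (only the fields the process needs may be written) is the stronger form of the presenters' "operationally required data only" advice, because it fails closed when a new sensitive field appears.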

As discussions continue about scaling up this new technology on the second day of the XChain2 event, the advice from Brendan Abbott of Deloitte resonates: “Think big, really big. Start small, very small.”