Startups move quickly and continuously evolve to maximize their capability to innovate for their customers and to create value for their investors. To do this, startups rapidly build products, release new features often, and deliver these to customers to accelerate growth. This business model requires a plethora of third-party systems and tools for communication, planning, document exchange, and accounting. Throughout these systems and applications, information security should be the primary concern, yet it is often deprioritized because of the constant pressure from customers and investors to do more, faster.
This might be a good short-term strategy, but the long-term success of startups depends on their customers’ trust. That means startups must protect customer data as it moves through their systems and tools, and might need to be transparent about how, when, and by whom customer data gets updated. And although some startups use secure third-party data storage, others prefer the cost savings of building their own in-house storage systems, thereby increasing their personal responsibility.
What does it mean for data to be secure? The three tenets of information security are confidentiality, availability, and integrity. Confidentiality means that data remains private and can be accessed only by authorized users. Data encryption and strong access control policies ensure confidentiality. Availability means that data is accessible whenever and wherever it is needed, meaning that data storage systems must be resistant to failure and attacks to provide maximum uptime. Availability is provided by data replication to multiple, separate locations and by network-based solutions for data recovery and for the prevention of distributed denial of service (DDoS) attacks. Finally, integrity means that data is stored as written and cannot be surreptitiously manipulated by hackers or employees. Replication and access controls can be combined to make manipulation more difficult, but the only provably correct method for the protection of data integrity is derived from the widely distributed consensus of blockchains. As pointed out by James Clapper, the former Director of National Intelligence, “cyber operations that will change or manipulate data” will undermine confidence in stored data. In effect, what Clapper is saying is that nearly all the world’s data is subject to integrity loss, and the resulting loss of confidence, since no data is perfectly secure from manipulation.
Using the distributed consensus mechanisms of public blockchain, providers can ensure that customer data, such as cryptocurrency transfers, cannot be retroactively modified once they are recorded on the blockchain. This immutability of blockchain data creates opportunities for companies to guarantee data integrity and build trust with their customers. Provable data integrity can be used to build valued features like file notarization, trustless document signatures, and protection from and detection of illicit data manipulation.
Collaboration on shared files is a key benefit of cloud storage and backup. As more companies incorporate collaborative workflows into their daily business processes, storage systems need to support multiple users interacting with shared data and common user access controls. Users must be able to make data-driven decisions not only by sharing data with one another, but also by being able to trust the integrity of the data.
In blockchains, trust is based on certificates that allow users to verify:
- Who created a file and when
- Who modified a file and when
- That no hostile actors, hackers, or employees manipulated the data in the meantime
By making it possible for users to create certificates for (or “notarize”) individual files, providers give users confidence in the integrity of their stored data. Companies can also extend this simple notary service to cover additional data, such as file change logs.
It’s the immutability of the data recorded on blockchains that enables storage systems to include file-notarization features. Here’s how immutability works. When a user signs a file on a blockchain, a certificate is created which covers the content of the file and its metadata, such as the signer’s identity and a timestamp. Then, when a user shares a file (and its certificate), the recipient can verify the integrity of both the data and metadata and be completely sure that the file has not been manipulated while it was in storage. Additionally, once a certificate is created, subsequent changes to the file, signatures, and approvals can be recorded on the blockchain. And by creating a provably correct change log through immutability, companies are supporting their customers’ increasingly complex business processes and differentiating their storage products from their competitors’.
Trustless document signatures
As more companies engage in nationwide and worldwide business, the need to exchange PDFs with partners and customers to obtain signatures increases. Unfortunately, PDF signatures are vulnerable to several attacks, such as universal signature forgery, signature exclusion, and incremental update abuse. These attacks allow document contents to be modified after the document was digitally signed, without invalidating the cryptographic signature. When companies rely on the electronic signing of legal documents, they must be able to prevent the manipulation of those PDFs and provide proof of the e-signature’s integrity.
This integrity issue can be resolved using the immutability of public blockchains to ensure that PDFs are not manipulated after they are signed. By notarizing a PDF on a blockchain, a company can demonstrate to their partners and customers that the PDF has not been manipulated after it was signed. In cases where a party might have reason to dispute when a document was signed in relation to other events, the capability to prove information and signature integrity is particularly important. For example, when two companies hold separate documents providing them with competing rights to a digital or real-world property, the signing date of each of these contracts becomes very important. These signatures are called “trustless” because they minimize the trust required by the involved parties to believe that the PDF and signatures therein have not been manipulated.
Protecting from data manipulation
Every day, more businesses are collecting and storing data and using that data to make important business decisions, often using artificial intelligence to make those decisions faster and with greater accuracy. However, those same AI systems can be misled by bad actors manipulating the source data, causing the AI to make bad decisions. So, even though data backup and replication technologies make it easy to recover lost data, how can users know when restoration is the correct course of action? How do users know that the backed-up data hasn’t been tampered with and that the restored data is still accurate and uncorrupted? By using blockchain-enabled notarization in combination with data storage, businesses can better trust their data and, by extension, the AI-assisted decisions based on that data, knowing that their data stored in the cloud cannot be surreptitiously manipulated.
The immutability provided by public blockchains promotes users’ trust in the integrity of stored data. Any data update can be automatically notarized on a public blockchain, producing immutable certificates, and AI systems can consult these certificates, detecting unauthorized changes to the working copy of data or, better yet, providing hard evidence that the data has not been changed. In the case of data restoration, AI systems can restore a signed stored replica, ensuring that the restored data matches the last-known working version. And because the data itself is not stored on the blockchain, all of this happens without the data ever leaving its original location in cloud storage, preserving the confidentiality and access controls of the data and storage system while protecting the data integrity.
Detection of data manipulation
In addition to preventing data manipulation, businesses may also want to detect data manipulation and deletion as part of their security review processes. The detection of surreptitiously manipulated or deleted data is an important factor in determining whether a security system has been compromised by either an external or an internal attacker. Just knowing that your data storage has been attacked and when it was attacked could be the critical piece of evidence needed to stop an attack early and to limit the damage to company data and, most importantly, customer trust.
Companies can use the immutability provided by public blockchains to detect the manipulation of data. When a company signs all of its relevant files on the blockchain, it creates a one-to-one correspondence between the files and their signatures. If a file is manipulated, the blockchain signature will not match. If a file is deleted without authorization, no corresponding signature records the deletion. Manipulation can be detected by periodically checking the correspondence between files and signatures. By consulting the timestamp of a mismatched signature, companies can establish the earliest possible date for the manipulation. Finally, when files are removed from the system, deletion events must correspond to signatures that record the deletion, and can contain elements to record who deleted the file. In this way, a company may not only detect unauthorized file manipulation, but can also prevent bad actors from deleting files without leaving a trace.
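The periodic check described above, using certificates that cover file content plus signer and timestamp as described earlier, shown as an added example that is not BLOCKY's API. An in-memory hash-chained list stands in for the public blockchain, the signer is recorded as metadata only (no cryptographic signature is made), and all function names, file names and records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the hash chain

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def notarize(ledger, path, content, signer, timestamp, event="write"):
    """Append a certificate covering the file content and its metadata."""
    cert = {"path": path, "event": event, "signer": signer, "timestamp": timestamp,
            "content_sha256": hashlib.sha256(content).hexdigest() if event == "write" else None,
            "prev": ledger[-1]["entry_hash"] if ledger else GENESIS}
    cert["entry_hash"] = _digest(cert)  # links this entry to every earlier one
    ledger.append(cert)

def ledger_intact(ledger):
    """Recompute the chain; editing any recorded certificate breaks it."""
    prev = GENESIS
    for cert in ledger:
        body = {k: v for k, v in cert.items() if k != "entry_hash"}
        if cert["prev"] != prev or _digest(body) != cert["entry_hash"]:
            return False
        prev = cert["entry_hash"]
    return True

def audit(ledger, storage):
    """Compare storage (path -> bytes) with the latest certificate per path."""
    latest = {cert["path"]: cert for cert in ledger}  # later entries win
    findings = {}
    for path, cert in latest.items():
        if cert["event"] == "delete":
            if path in storage:
                findings[path] = "present after recorded deletion"
        elif path not in storage:
            findings[path] = "deleted without a deletion record"
        elif hashlib.sha256(storage[path]).hexdigest() != cert["content_sha256"]:
            findings[path] = "modified after " + cert["timestamp"]
    return findings

def demo():
    """Constructed sample data: one tampered file, one silent deletion."""
    ledger = []
    notarize(ledger, "contract.pdf", b"terms v1", "alice", "2024-01-05T10:00:00Z")
    notarize(ledger, "accounts.csv", b"id,total\n", "bob", "2024-01-06T09:00:00Z")
    notarize(ledger, "draft.txt", b"draft", "bob", "2024-01-06T09:30:00Z")
    notarize(ledger, "draft.txt", b"", "bob", "2024-01-07T12:00:00Z", event="delete")
    storage = {"contract.pdf": b"terms v1, amended"}
    return ledger, audit(ledger, storage)
```

The timestamp in a "modified after" finding is the last notarized state, which bounds the earliest time the change could have happened; `draft.txt` raises no finding because its removal has a matching deletion record.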
How can BLOCKY help?
At BLOCKY, our mission is to help people trust data. To help achieve this trust, we have developed a client API that signs files on a blockchain and then verifies those signatures. By using our API, startups can sign and verify their data and build trust with their customers by ensuring the integrity of customer data.
If you want to learn more about building blockchain-based features into your products and services with BLOCKY, visit us at https://www.blocky.rocks/.