Abstract

As permissioned blockchain becomes a common foundation for blockchain-based applications in today's organizations, the related stakeholders need a means to assess the security risks of those applications. This study therefore proposes a security risk management framework for permissioned blockchain applications. The framework is divided into the different implementation stacks of such an application and provides guidelines for controlling the security risks at each of them. To the best of our knowledge, this study is the first to provide a means of evaluating the security risks of permissioned blockchain applications from a holistic point of view. If users can trust the applications that adopt this framework, this study can hopefully contribute to the adoption of permissioned blockchain technologies.

Why choose a private blockchain to define application security requirements?

Compared with public chains, permissioned blockchains have a limited number of participating nodes, so it is easier to reach consensus among them. The transaction throughput of applications built on a permissioned blockchain is therefore generally higher than that of common public chains, and many blockchain applications are built on permissioned blockchains for this reason. However, the question most often raised about permissioned blockchains is: what is the difference between this and an application built on a centralized database? Compared with a centralized-database application, the biggest difference is that the private chain establishes a mutual verification mechanism among the participating organizations, which reduces the feasibility of any single organization tampering with the data. But by how much has the level of security actually improved? This is the problem people often face when building blockchain applications today.
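The "mutual verification" point above, as an added example that is not part of the original document or of the proposed framework: a toy ledger in which every block must be endorsed by a majority of the participating organizations, so a single organization that rewrites a block and re-endorses it with only its own key fails validation, whereas a centralized database would simply accept the rewrite. The organization names, the majority policy and the HMAC keys (standing in for per-organization signing keys) are all constructed for this illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed example: three organizations, each holding its own secret.
# HMAC keys stand in for per-organization signing keys (assumption).
ORG_KEYS = {"OrgA": b"key-a", "OrgB": b"key-b", "OrgC": b"key-c"}
THRESHOLD = 2  # endorsement policy: a majority of the three organizations
GENESIS_PREV = "0" * 64

def block_digest(payload: dict, prev_hash: str) -> str:
    """Hash of the block contents plus the link to the previous block."""
    body = json.dumps({"payload": payload, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def endorse(org: str, digest: str) -> str:
    """One organization's endorsement (MAC) over a block digest."""
    return hmac.new(ORG_KEYS[org], digest.encode(), "sha256").hexdigest()

def make_block(payload: dict, prev_hash: str, endorsers: list) -> dict:
    digest = block_digest(payload, prev_hash)
    return {"payload": payload, "prev": prev_hash,
            "endorsements": {org: endorse(org, digest) for org in endorsers}}

def valid_endorsers(block: dict) -> set:
    """Organizations whose endorsement matches the block as it stands now."""
    digest = block_digest(block["payload"], block["prev"])
    return {org for org, sig in block["endorsements"].items()
            if org in ORG_KEYS and hmac.compare_digest(sig, endorse(org, digest))}

def chain_is_valid(chain: list) -> bool:
    """Every block must link to its predecessor and satisfy the policy."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or len(valid_endorsers(block)) < THRESHOLD:
            return False
        prev = block_digest(block["payload"], block["prev"])
    return True

def build_chain() -> list:
    b1 = make_block({"asset": "X", "owner": "alice"}, GENESIS_PREV, ["OrgA", "OrgB", "OrgC"])
    b2 = make_block({"asset": "X", "owner": "bob"},
                    block_digest(b1["payload"], b1["prev"]), ["OrgA", "OrgB"])
    return [b1, b2]

def single_org_tamper(chain: list, org: str) -> list:
    """One organization rewrites block 2 and re-endorses it with only its key;
    the other organizations' endorsements are left stale and no longer verify."""
    tampered = copy.deepcopy(chain)
    tampered[1]["payload"]["owner"] = "mallory"
    digest = block_digest(tampered[1]["payload"], tampered[1]["prev"])
    tampered[1]["endorsements"][org] = endorse(org, digest)
    return tampered
```

Running `chain_is_valid` over `build_chain()` accepts the ledger, while the same check over `single_org_tamper(build_chain(), "OrgA")` rejects it because only OrgA's endorsement still verifies.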

Information Security Guidelines for Reference

The main subject of this document is "private blockchain application security requirements": it describes the "six major types of security requirements" that participants should consider when creating private blockchain applications. For each type of security requirement, this document provides proposed control measures, which are expected to satisfy the relevant security requirements of private blockchain applications. To provide further suggestions for implementing the various control measures, this document also refers to the following information security guidelines:

  1. Payment Card Industry (PCI), Data Security Standard - Requirements and Security Assessment Procedures, v3.2.1, 2018
  2. Center for Information Security, CIS Controls, v7.1, 2019
  3. ISO/IEC, Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC 27001:2013, 2013
  4. ISO/IEC, Information technology - Security techniques - Code of practice for information security controls, ISO/IEC 27002:2013, 2013
