
Blockchain – Behind the Hype – What is Really Motivating It? Session 240, February 14, 2019, 11:30 AM - 12:30 PM. Mitchell Parker, Executive Director Infosec & Compliance, Indiana University Health



Blockchain – Behind the Hype – What is Really Motivating It?

Session 240, February 14, 2019, 11:30 AM -12:30 PM

Mitchell Parker, Executive Director Infosec & Compliance, Indiana University Health



Conflict of Interest

Mitchell Parker, MBA, CISSP

Has no real or apparent conflicts of interest to report.



• Discuss Learning Objectives

• The Hype

• The Reality

• What Problems are we Trying to Solve/Not Solve?

• Why do we Fail?

• What can we do About it?

• Cybersecurity Changes/Defense Against the Dark Arts

• Management Processes

• Putting it all Together

• Summary/Conclusion




Learning Objectives

• Describe the fundamental technologies behind private Blockchains and how they apply in a collaborative environment

• Recognize how customization of Electronic Medical Record and enterprise resource planning systems have led to an inability to share data with peers and easily reconcile data

• Analyze current business processes and systems for opportunities to apply collaborative technologies

• Develop governance techniques to implement private Blockchain technologies effectively using current organizational structures to monitor and maintain the relevant business processes

• Employ collaborative and distributed technologies such as Blockchain to demonstrate organizational improvement



Purpose of Presentation

• To explain the problems that Blockchain and Distributed Ledger Technologies presume to solve, and how organizations can better prepare themselves not only for collaboration, but to enable new technologies such as Blockchain/DLT



The Hype

• This is a technology that has been touted to fix any number of issues, and provides a number of improvements over existing technologies.

• However, there have been a lot of promises that have not been met

• The promise of this technology has drawn people from all over the spectrum to look toward it to facilitate solving critical business problems

• The Business wants to be involved and participate in this innovation and this brings forth many new ideas.



The Reality

• Organizations need to make major changes to be able to accommodate new technologies

– Blockchain is just the latest of many new tech innovations

• They have not been good at adopting new technologies and providing effective management or governance

– Cloud

– Electronic Medical Records

– Connected Medical Devices

– Telemedicine

– Smartphones



The Reality

• Organizations will need to make fundamental changes to their security programs to accommodate this technology

– Shadow IT is now IT

– The role of the CISO transforms from being an IT role to that of a business enabler

• They will need to provide guardrails for people to help empower them – no longer do the work for them

• Collaboration and innovation are the new way, not the Data Center or the IT Gurus

• We have an opportunity to help guide innovation, but need to provide a solid foundation to do so



What Problems Are We Trying To Solve? Why are we Here?

• Frustration with the current state in EMR, ERP, and legacy systems

– Especially recordkeeping and audit logs

– IT vs. Shadow IT vs. Innovation

– Silos do not build the organizational cooperation we need

• It shouldn’t take Millennials to point this out but it does

• Consensus

– Fundamental tenet of Blockchain is consensus and cooperation

• Auditability

• Collaboration Across Non-Trusting Entities

• Interoperability/Data Interchange



What are the major reasons that cause customer frustration?

• We have built these complex environments which have been customized over the years

– Especially with Electronic Medical Records and Enterprise Resource Planning Systems

– We have focused on fitting software to processes, instead of using the software the way it was meant to be used

• We have data locked up and isolated that reduces its usefulness

• We have processes built around customization that are not efficient and have caused inadvertent silos

• We have also increased fragility of systems and inherent risk by continuing to run complex systems we cannot upgrade because they will break the business if we do



What Problems are we Trying to Solve?

• Distributed Verification and Validation Across Multiple Systems of Record

– Especially Clearinghouses!

• Distributed Accounting/Ledger Recording

• Distributed and Ephemeral Auditing

• A need to standardize

• Supply Chain

• Identity Management

• Credential Verification

• Patient Empowerment/Incentivization



What doesn’t it solve?

• Cybersecurity

• Existing systems

• Poor fits of the technology to the proposed solutions

• Governance

• Leadership and Management




Why do Initiatives to Fix These Problems Fail?

• Everything is a Nail – using technology to fix issues that require deeper analysis

• Not Following Up

• Legacy Systems

• Legacy Business Processes, Policies, and Procedures

• Undocumented Data



Why Do We Fail?

• Cybersecurity Issues

• Low Risk Appetite

• Budget

• Culture of No – not a Culture of Innovation

• Our Business Partners



What Can We Do About It?

• We need to prepare the organization to evolve its risk tolerance

– Not increase it, mature it to accommodate innovation and change

– Internalize Risk Management

– Risk management processes and assessments, not technologies

– Risk Management Plans to address identified risks

• Address business needs with an eye toward technology being used to augment processes and improve the organization

– Identified stakeholders that are held accountable

– Continual Following Up



Cybersecurity Changes

• Security is no longer about the perimeter

• It’s about Zero Trust and protecting each individual system

• Organizations need to evolve to meet the needs of the Cloud

• It also involves deepening knowledge and defenses of several key technologies



Defense Against the Dark Arts

• In addition to traditional security technologies, we need to add some new ones to our toolsets

• Blockchain (not the underlying tech) systems are especially vulnerable to network hijacks, identity fraud, vulnerabilities, and insider threats

• Anti-virus on a machine behind a firewall is no longer sufficient

• New techniques and tools for toolsets to deploy these systems and manage the risks



What Security Technologies do we need to be proficient in?

• Border Gateway Protocol (BGP) Routing

– BGP Hijacking is a now-common attack used to reroute traffic to rogue servers

– BGP uses Autonomous System Numbers (ASNs) to broadcast networks that a given site can route

– Hijacking involves ASNs routing networks that they should not, and routing traffic to rogue networks

– Used against

– Also used by Russia and China to attack sites

– Since many sites do not monitor BGP, this is highly effective

– BGP Secure (BGPSec) has barely been used because it would shut out large portions of the Internet
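
One way to monitor BGP for the origin changes described on this slide, as an added example that is not part of the original presentation. The prefixes (documentation ranges), ASNs (reserved ranges) and announcements are constructed sample data, and the function names are hypothetical; a real deployment would read announcements from a route collector or BGP monitoring feed.

```python
import ipaddress

# Constructed baseline: prefixes the organization originates and the ASNs
# that are authorized to originate them.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},
}

# Constructed sample of observed announcements: (prefix, AS path).
# The last ASN in the path is the origin of the route.
OBSERVED = [
    ("203.0.113.0/24", [64510, 64505, 64500]),   # expected origin
    ("203.0.113.0/24", [64510, 64666]),          # same prefix, foreign origin
    ("203.0.113.128/25", [64511, 64666]),        # more specific, foreign origin
    ("198.51.100.0/25", [64510, 64501]),         # more specific, known origin
    ("192.0.2.0/24", [64510, 64502]),            # not one of our prefixes
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return a verdict for one announcement against the baseline."""
    if not as_path:
        return "invalid-path"
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    # Compare against the most specific baseline entry first.
    baseline = sorted(
        ((ipaddress.ip_network(p), asns) for p, asns in expected.items()),
        key=lambda item: item[0].prefixlen,
        reverse=True,
    )
    for exp_net, asns in baseline:
        if net.version != exp_net.version or not net.subnet_of(exp_net):
            continue
        if net == exp_net:
            return "ok" if origin in asns else "origin-mismatch"
        # A longer prefix wins route selection, so a more specific
        # announcement matters even when the original route is still present.
        return "unexpected-more-specific" if origin in asns else "sub-prefix-hijack"
    return "unmonitored"


def find_alerts(observed, expected=EXPECTED_ORIGINS):
    """Return (prefix, origin ASN, verdict) for every announcement to review."""
    alerts = []
    for prefix, as_path in observed:
        verdict = classify(prefix, as_path, expected)
        if verdict not in ("ok", "unmonitored"):
            alerts.append((prefix, as_path[-1] if as_path else None, verdict))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(OBSERVED):
        print(alert)
```
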



Security Technologies

• Domain Name Services (DNS) and DNS Secure (DNSSec)

• The “phonebook” of the Internet

• Used to associate Domain Names with IP addresses

• Also used to associate Domains and IP addresses with services offered or resources

– Email Security (SPF, DMARC, MX Records)

– Directory Services (Active Directory)

– Authentication Services (Kerberos, LDAP/S)

– Can even be used for exfiltration of data

• Also can be hijacked to impersonate sites and reroute traffic

• DNS Hijacking has been used to successfully do so

• DNS Secure has seen little adoption – needs to change!
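
A detection sketch for the DNS exfiltration point on this slide, as an added example that is not part of the original presentation: it flags clients that send many long, high-entropy subdomain labels to one parent domain. The log format, thresholds and function names are assumptions, the log lines are constructed, and the parent-domain split naively takes the last two labels (production code should use the Public Suffix List).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2019-02-14T11:30:01Z 10.0.0.15 www.example.org A
2019-02-14T11:30:02Z 10.0.0.15 mail.example.org MX
2019-02-14T11:30:03Z 10.0.0.15 portal.example.org A
2019-02-14T11:30:04Z 10.0.0.15 a1b2c3d4e5f6g7h8h8g7f6e5d4c3b2a1.cdn.example.com A
2019-02-14T11:30:05Z 10.0.0.23 a1b2c3d4e5f6g7h8h8g7f6e5d4c3b2a1.example.net TXT
2019-02-14T11:30:06Z 10.0.0.23 h8g7f6e5d4c3b2a1a1b2c3d4e5f6g7h8.example.net TXT
2019-02-14T11:30:07Z 10.0.0.23 a1a1b2b2c3c3d4d4e5e5f6f6g7g7h8h8.example.net TXT
malformed line
"""


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than hostnames."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_qname(qname):
    """Return (parent domain, subdomain part) using the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def suspicious_domains(log_text, min_unique=3, min_len=24, min_entropy=3.5):
    """Flag (client, parent domain) pairs with many encoded-looking labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, qname, _ = parts
        parent, sub = split_qname(qname)
        if sub:
            seen[(client, parent)].add(sub)

    findings = []
    for (client, parent), subs in sorted(seen.items()):
        encoded = [
            s for s in subs
            if len(s) >= min_len
            and shannon_entropy(s.replace(".", "")) >= min_entropy
        ]
        # One long label is common (CDNs, tracking hosts); a stream of
        # distinct ones from a single client to one domain is the signal.
        if len(encoded) >= min_unique:
            findings.append({
                "client": client,
                "domain": parent,
                "unique_encoded_labels": len(encoded),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_domains(SAMPLE_LOG):
        print(finding)
```
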



Security Technologies

• Public Key Infrastructure (PKI)

• The process by which digital identities based on strong cryptography and an identity proofing process are issued by organizations

• DEA’s ePrescribe for Controlled Substances Rules (21 CFR Parts 1300, 1304, 1306, and 1311) require an enrollment process based on the NIST Special Publication 800-63 Series

– SP 800-63-3 – Digital Identity Guidelines

– SP 800-63A – Enrollment and Identity Proofing

– SP 800-63B – Authentication and Lifecycle Management

– SP 800-63C – Federation and Assertions

• Organizations need to focus on having a robust enrollment and federation process to be able to issue and validate digital identities for Blockchain



Identity and Access Management (IAM/IDM)

• The processes by which a person, machine, or entity has entitlements to resources granted or removed based on defined requirements and/or job roles

• Requires BGP to get a network path to the resources

• Requires DNS to provide a lookup to them

• Requires PKI and associated Federation technologies to assure the processes used to establish identity and associate it with a provable digital identity

– Also requires DNS to look up and provide a path to the root certificates needed to verify and validate digital identities

• Requires well-defined roles, requirements, and entitlement definitions – especially for dynamic cloud machines!

• Provides the “who did what” for logging, auditing, Blockchain, and other distributed technologies



Monitoring and Logging

• Due to the reliance on the core technologies of BGP, DNS, PKI, and IDM/IAM, organizations need to monitor each of them for anomalies

• They also need to monitor all of the systems on their network

• Having a Security Information and Event Management (SIEM) system is a requirement for being able to monitor all of these core technologies



Monitoring and Logging

• With the volume of data that modern cloud-based systems can generate, organizations need to look toward cloud-based SIEM systems to be able to store and process the amounts of data required to find anomalies

• Newer threat hunting systems use AI or Machine Learning to sift through the vast amounts of data to find anomalies and potential issues

– Required to scale Blockchain/DLT systems to handle high volumes

– Older technologies will miss data and patterns needed to detect them



Vulnerability Management

• Many of the successful hacks on cryptocurrency exchanges used existing vulnerabilities

• Equifax, amongst others, was breached because of unpatched servers

• It took 2 weeks from Microsoft Patch Release for WannaCry to appear and it is still pestering the Internet

• Berkeley Internet Name Domain (BIND), the #1 DNS server in the market, has numerous vulnerabilities that come out monthly

– So do Linux and Windows

• Networking products, amongst others, also require constant care and feeding

• Organizations need to continually manage infrastructure

• No more Set and Forget – asking to be owned!



Data Governance

• Under the HIPAA Security Rule, organizations are required to know where data resides and the data flows

• Organizations immortalizing data by using immutable (for the time being) cryptography need to have a provable path to show that this is valid data

• They also need to be able to demonstrate forward and backward flows of data between Blockchain based systems and existing transactional ones

• They need to have assigned resources who actively develop and manage a program based on identified risks and needs

– Do not try and automate this with tools. They will not understand the context of the data and will fail



Management Processes

• Management processes also need to evolve

• Organizations cannot expect to bring technologies in and expect to have them automatically bring organizational change

• They need to manage the technology effectively to demonstrate organizational benefits



Management Areas To Cover

• Payment Card Industry – Data Security Standards (PCI-DSS) Compliance

– PCI is more than just technical work

– There is a lot of work in segmenting off transactional processing from the rest of the network

– There is also emphasis on compliance monitoring, continual review, and additional security on transactional systems

– Organizations will want to treat systems used in Blockchain processing with the same degree of security



• Review policies and procedures to make sure these additional requirements are covered:

– Cybersecurity

– Continual Monitoring and Review

– Additional Network Security

– Identity Proofing and Enrollment


– Identity and Access Management


– Data Governance




Contract Language - Consortia

• Contract language needs to cover the additional Cybersecurity requirements

• It also needs to cover strict Service Level Agreements to address emerging cybersecurity issues

– Get engineers on the phone that can resolve issues in 30 minutes

• Vulnerability Management is now paramount

– Issues need to be addressed in 7 days

• Right to Audit – organizations in a consortium need to be able to audit each other’s systems used for processing data for vulnerabilities and issues



Contract Language - Consortia

• Dispute Resolution – There need to be governance processes and requirements for this

• Amendments of Records – This is a permanent record, but there needs to be a way to append amendments and changes, and a way to find them that is done at the contract level

• Processing Power – Make sure no one single entity controls a majority of the processing power or compute resources
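
The amendment requirement on this slide, sketched as an added example that is not part of the original presentation: a hash-chained, append-only ledger in which a correction is a new entry that references the original record, so the original stays intact and the amendments can be found. Class, field and party names are hypothetical and the records are constructed; a real DLT platform adds consensus and signatures on top of this.

```python
import hashlib
import json

GENESIS = "0" * 64


def digest(body):
    """SHA-256 over a canonical JSON encoding of an entry body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only ledger: entries are chained by hash and never edited."""

    def __init__(self):
        self.entries = []

    def append(self, author, payload, amends=None):
        """Add a record, or an amendment when `amends` names an original."""
        if amends is not None:
            if not 0 <= amends < len(self.entries):
                raise ValueError("amendment references an unknown record")
            if self.entries[amends]["amends"] is not None:
                raise ValueError("amend the original record, not an amendment")
        body = {
            "index": len(self.entries),
            "author": author,
            "payload": json.loads(json.dumps(payload)),  # private copy
            "amends": amends,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append(dict(body, hash=digest(body)))
        return body["index"]

    def verify(self):
        """Return None if the chain is intact, else the first bad index."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["index"] != i or entry["prev"] != prev
                    or digest(body) != entry["hash"]):
                return i
            prev = entry["hash"]
        return None

    def history(self, index):
        """The original record followed by its amendments, oldest first."""
        return [self.entries[index]] + [
            e for e in self.entries if e["amends"] == index
        ]

    def current(self, index):
        """Effective view: original payload with amendments applied in order."""
        view = {}
        for entry in self.history(index):
            view.update(entry["payload"])
        return view


def build_demo():
    """Constructed records: one claim, an unrelated record, one amendment."""
    ledger = Ledger()
    claim = ledger.append("hospital-a", {"claim": "C-1001", "amount": 120})
    ledger.append("payer-b", {"claim": "C-1002", "amount": 75})
    ledger.append("hospital-a",
                  {"amount": 150, "reason": "coding correction"}, amends=claim)
    return ledger, claim


if __name__ == "__main__":
    demo, claim_id = build_demo()
    print(demo.current(claim_id), demo.verify())
```
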



Organizational Governance and Intake

• Organizations need a standard intake process that addresses the following gatepoints:

– Clinical or Line of Business Review

– Architecture Review

– Security Review

– Data Governance Review

• Especially for potential international storage of data!

– Tracking of security documentation

– Tracking of outstanding items to resolve



Standard Work Processes

• Understand what the standard work processes are

• Document them and understand what people do

• If organizations don’t understand themselves, their processes, and their standard work, they will not be able to see if innovative technologies are a fit in the right place



M3 - Measurements

• Measurable Metrics and Monitoring

• Quantify performance and be able to determine where there are opportunities for improvement

• Have goals to achieve and measurable ways to meet them

• Tie them into overall organizational performance and risk measures

• If teams can’t measure them or tie to org goals, don’t do them



Vendor Monitoring/Management

• “No IT Involvement” is no longer a fit

• Incoming vendors need to go through the same intake process as everyone else

• They need strong contracts and Business Associate Agreements that enforce service level agreements

• They need to have plans for each incoming application or service to make sure that there is someone accountable, and that there are team members from security monitoring it

• The Security Operations Center needs to monitor even if they do!



Change Management

• Orgs need to have an effective change management process

• Emphasize Failure Mode and Effects Analysis to address what can potentially go wrong

• Focus on having well-thought-out testing and communication plans

• Be able to roll back with as little impact as possible

• Most important, be able to address the impact of the changes across the organization and be able to communicate them



• Don’t restrict innovation to one organization in the corporate structure

– Example – Wal-Mart vs. K-Mart/ and the latter not addressing Supply Chain issues in Michigan while running their Internet operations in SF

• Openly engage and solicit from others to get their views

• The promise of having technologies like Blockchain has been through inclusive participation and equality

– Restricting innovation or trying to micromanage it is contrary to that

• Use the results from Risk Assessments and the drive to do more with less as a means to encourage innovative ways to improve




Putting it all Together!

• We’re going to take Risk, Cybersecurity, and Management and use them to determine what projects to assess

• Cut past the hype and get solutions that meet business and customer needs



Pick the Right Process

• Pick a process to improve (not multiple ones) that has a combination of high risk and opportunity for improvement

– One at a time avoids scope creep

• Make sure it’s a real business need, not a nice to have

• Use the Risk Assessment results and understanding of standard work processes to make the determination

– Don’t pick a low risk process

– Don’t pick something that isn’t understood well

– Don’t pick something that can’t be measured or that success can’t be defined for!



Get Excellent Support

• Leverage the internal innovators that want to solve problems

• Solicit for the people that want to creatively solve issues

• Build a solid business case including:

– Risks addressed

– Processes Improved

– Organizational Benefit

– How technology will be managed and secured

• Most important, emphasize cross-organizational cooperation and the implementation of the principles of consensus and cooperation as part of the solution

• IT is not going to be the primary solution provider, but part of a team



Pick the Right Team Members

• Set goals of increasing engagement and improvement

• Make sure the team members are all similarly committed

• Teams need people who truly want to solve problems and improve organizations

– Consensys, as a company, has done excellent work in promoting collaboration and finding team members who are driven to solve problems

• It is truly important to be inclusive and to look for people who want to do the work and address issues, rather than people who want to look good

• Tech is hard work. Just because there are cool tools doesn’t make it easy. Avoid the people looking for another tool.



Be Prepared to Fail

• Success is not guaranteed

• Project components will fail

• There will be cost overruns

• There will be security issues

• Use Change Management and FMEA to plan for failure

• Use Vulnerability Management as a process for prototyping responses to issues

• Always practice open communication, even when failure happens



• Share findings and learnings across the organization

• Don’t innovate in a silo

• Be that person that explains these items

• Don’t be afraid to speak at conferences or publish

– This actually helps build credibility

– It also reduces hype and hyperbole




In Summary

• This technology, like many others, has incredible potential benefit

• However, it’s been significantly hyped

• We need to defuse that hype by taking a practical risk-based approach

• We need to manage the new cybersecurity threats

• Management needs to be innovative

• We need to pick the right problems to solve with the right people

• We need to be continual and be prepared to fail and recover repeatedly



• Questions?

Thank you!



• Please complete your online session evaluation!

• Contact Info:

• Mitchell Parker

• Executive Director, Information Security and


• Indiana University Health


• Twitter: @mitchparkerciso

