CSA Official Press Release
Published 06/28/2021
New Cloud Security Alliance Research Evaluates Hyperledger Fabric 2.0 Security, Provides Guidance Mapped to NIST Cybersecurity Framework
Report and checklist provide data compromise mitigation strategies for financial services industry
SEATTLE – June 28, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the Hyperledger Fabric 2.0 Architecture Security Report and accompanying Security Controls Checklist, the latest research from the CSA Blockchain/Distributed Ledger working group. The report and checklist, which align with NIST Cybersecurity Framework’s Controls, seek to help security and risk management leaders and regulators in the financial industry mitigate the negative consequences surrounding a data breach, which could result in the loss of trade, ownership, and trust between business stakeholders.
“Hyperledger Fabric 2.0 has rapidly seen more than 50-percent adoption among the top financial services companies, making it a key component of the industry’s infrastructure. This seminal report is crucial in understanding the risks inherent in Hyperledger architecture, and providing both new and experienced users a straightforward way to address those risks while balancing security and business needs,” said Bill Izzo, Chair of the Blockchain/DLT Working Group.
The researchers, led by Urmila Nagvekar, one of the paper’s co-authors, performed a detailed security review of Hyperledger Fabric 2.0’s architecture in a permissioned environment to identify architectural weaknesses as applied to the financial services industry and recommend security countermeasures to mitigate them. The researchers first identified Fabric 2.0’s architectural risks to cybersecurity attributes (privacy, confidentiality, integrity, availability) when implemented as a permissioned blockchain enterprise network for a trade finance use case in a cloud-based environment, and delivered a fully implementable “Security Controls Checklist” aligned with NIST Cybersecurity Framework’s Controls 2 to proactively prevent, detect, and respond to the identified risks thus mitigating the business impacts downstream to the trade finance business workflow.
Hyperledger Fabric 2.0 was specifically evaluated against Microsoft’s “STRIDE” Threat Modeling Methodology (Shostack, 2014) and Gartner’s Blockchain Security Model (Gartner, 2018), for vulnerabilities that have been the root cause of prior business execution compromises in non-Fabric blockchain environments. Specifically, the Fabric 2.0 architecture was evaluated for compromise to the confidentiality and privacy of both the trade finance business logic, as well as the transaction and its payload and for weaknesses in its operational semantics. The analysis was undertaken to confirm that trade finance business logic embedded within smart contracts can’t be manipulated by adversaries during execution to gain financial advantage.
The group determined that Hyperledger Fabric 2.0’s security architecture was natively secure by both design and default when it came to trade finance business logic and payload confidentiality and privacy. Moreover, it was also robust in preventing adversaries from manipulating trade finance’s business logic during execution.
The group went on to perform threat modeling finding numerous potential threats with a HIGH risk, likelihood and impact rating, across the cybersecurity functional areas, including end device and server security, identity and access management, consensus security, application security, peer security, and data privacy and cryptography. The report details threat mitigation strategy recommendations addressing these areas.
"Hyperledger Fabric is powering significant innovation in enterprise blockchain and has seen keen uptake across a number of market segments, including financial services," said Brian Behlendorf, Executive Director, Hyperledger and Managing Director for Blockchain, Healthcare and Identity at the Linux Foundation. "We commend the CSA for undertaking this work to help users understand the security of the Hyperledger Fabric architecture, test it against industry-standard security models, and provide insights into what users need to consider in their own implementations. It is this kind of work that will further trust in distributed systems, and therefore faster adoption."
The Blockchain/Distributed Ledger working group works to produce useful content to educate different industries on blockchain and its proper use, as well as define blockchain security and compliance requirements based upon different industries and use cases. Individuals interested in becoming involved in Blockchain/Distributed Ledger future research and initiatives are invited to join the working group.
The paper is available at no charge. Learn more about these documents and their use in this pre-recorded webinar or download the full Hyperledger Fabric 2.0 Architecture Security Report.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.