How decentralized storage can help prevent data breaches [Q&A]
According to a recent IBM report the average cost of a data breach is now $4.35 million. If enterprises don't take steps to protect personal data effectively they risk losing not just money but also the trust of their customers.
We spoke to Saswata Basu, founder and CEO of 0Chain, to discuss how decentralized storage can help to address the problem.
BN: Has it become easier for bad actors to get control of sensitive data?
SB: Any centralized system can be hacked especially if the admin is the hacker. A centralized system is a single server endpoint for your files on DropBox, One Drive, Google Drive, or for an enterprise this could be the S3 storage in AWS, Azure, and Google Cloud. Even if the file is encrypted the admin of the server would have those keys and be able to decrypt the data.
Another way a file can be breached is due to a misconfigured S3 bucket by the user, but the question is then why should the system not be fool proof and allow the user to be vulnerable?
Decentralization of systems provides automatic protection in the sense that file authenticity can be verified through consensus of their contents and file hashes. So a malicious actor can breach the server and alter the file content on one server but not others and so they cannot get consensus control.
Also in systems such as 0Chain, Sia, and Storj the fragmentation of data offers first level protection where if one system is hacked, the attacker can only access partial data. Yet another layer of protection is encryption that the user can add since they own and control the data stored on the system.
But sharing of encrypted data is a problem especially for legal, financial, healthcare, and government enterprises. This is solved by 0Chain using a decentralized proxy re-encryption protocol that allows users to share encrypted sensitive data to third parties.
BN: How can decentralized storage help to prevent breaches?
SB: A breach can either result in data manipulated or accessed. In the first case, decentralization itself provides a layer of authenticity that can be verified through other systems on the network and clients simply need to achieve consensus and discard data from bad actors.
In the second case, fragmentation offered by 0Chain, Sia, and Storj provides one layer of security. The way it works is that a file is split into several servers and needs a portion of them to recover the file. If one server is compromised, the attacker can only possess partial information and so there is no data breach. And if the data is encrypted, especially with an easily shareable technology such as 0Chain, then even if the data is breached it can only be accessed by the shared party and owner of the file.
BN: What's the role of blockchain in this process?
SB: The blockchain layer provides incentivization, payment and verification of storage. Each protocol is different.
Token Economics is a big part of the protocol to incentivize people to provide capacity and storage. Filecoin offers more incentive on the capacity side, than on the storage side so the stored to capacity ratio is lop-sided compared to Sia and Storj. Arweave is the opposite and has no incentive other than for stored data. 0Chain emphasizes enterprise-grade performance and scaling, where the provider is incentivized for free reads, faster network and server, stored data and capacity size.
Unlike other protocols, the verification layer has an enterprise quality of service component which forces providers to respond to a challenge within a short period of time. The storage payment for 0Chain providers takes place through passed challenges, and penalizes them for failed ones whether they are due to bad network, datacenter, or server environments, or if the provider discontinues providing service after some time. The emphasis is to achieve enterprise grade quality and serious providers, similar to Uber and AirBnB providers, except the reward and punishment mechanisms are coded in the contract.
BN: How can you ensure the user retains ownership but is still able to process and share information effectively?
SB: Users inherently own all data and they sign them when uploaded to the servers. Sharing public information is simple and all protocols provide a hash content and a path to retrieve it. However, for encrypted data, using a proxy re-encryption protocol offers easy data sharing to third parties.
In the encrypted scenario, the owner of the data encrypts the data with their encryption key and then issues a proxy key to the decentralized storage providers using the public encryption key of the third party receiving the information. The storage provider re-encrypts the information using this key and sends it to the third party; note that each provider has a separate fragment of the data. The data recipient then decrypts these fragments and combines them to form the file.
BN: Does this help with meeting compliance requirements?
SB: Most enterprises do not provide a privacy report on your file and generally this is an expensive and time consuming process and typically involves lawyers.
0Chain offers a full audit tracking of files, and the ability to generate a privacy report for all activities done on a user's file, something required under GDPR policy. The data activities include upload, update, deletion, copy, move, rename, and download of a file. The activities are executed by the user with their signed markers and the storage providers submit them to the blockchain to record data changes in order to receive payment and rewards for their work.
The way the storage protocol works is that each user allocation has a Merkle root which changes when a file is created and/or changed on the user's allocation. The new Merkle root is then recorded on the blockchain with the marker, and the events database keeps a record of all these markers transacted on the blockchain. The markers provide a history and provenance of the file. Other than breach compliance of knowing who accessed the data as part of download markers, the user can use the audit to prove provenance and authenticity of the data.
Image credit: fotogestoeber / Shutterstock