Security Q&A: Javier Paz, DatumArc
The advent of bitcoin and its blockchain has opened the doors wide for organizations to adopt and implement various decentralized technologies. However, can current enterprise security methodologies mesh with the new architectures? 

IntelAlley had a chance to speak with Javier Paz, founder and CEO of industry-research firm DatumArc, regarding how blockchain is changing how the enterprise thinks of security.

What impact has decentralized architecture, such as blockchain, had on the typical enterprise security model?

Decentralized architecture advances are getting a still modest level of adoption at the enterprise level, but academic interest is growing more robust by the day (MIT, Cornell). The enterprise focus on perimeter defense security as the only or primary way of doing things will evolve to adopt what decentralized architecture has to offer. Blockchain is but one of the decentralized options out there and is not appropriate for all applications.  

How immediate has this change been?

The change described is taking place gradually. The industry still operates with the notion that building a smarter perimeter is the answer. These firms spend large portions of their considerable technology budgets to safeguard centralized data and identities, not quite grasping the reality that a central depository of anything creates an economic incentive for bad actors to exploit vulnerabilities. At some point, the C-suite tires of subsidizing ever more complex and costly perimeter defense strategies and transitions gradually to more efficient, less costly alternatives, like decentralized architecture.

Should enterprises look to adopt a decentralized security model? 

Enterprises need to strive to understand how a decentralized architecture could work for them. After that basic crash course on things like Diffuse Trust architecture, Zero-Trust architecture, self-sovereign identities, etc., building a prototype that mimics the secure storage of sensitive information makes sense. Typically, it is only at this latter point of experimentation that key technology leaders experience an ‘Aha!’ moment and gain the confidence to pursue broader implementations of the technology.

What would such a model look like?

There are multiple configurations for keeping data confidential and private in a decentralized world. At DatumArc, we favor a view where our firm acts as the blinded and auditable custodian of sensitive third-party data. We believe that the more agile Fortune 1000 companies will come to adopt confidentiality-as-a-service or privacy-as-a-service operators in line with how they shifted part of their operations and data storage to the cloud, around a few large specialists. The move to the cloud perpetuated the faulty centralized/perimeter defense system, however. 

In the decentralized architecture environment we envision, data is anonymized before we take steps to safeguard its confidentiality at rest and in transit. This stripping of identity in a decentralized credentialed environment separates the writer from what is written. The steps to architect for confidentiality in this decentralized manner are what is missing today to free up technology budgets away from perimeter defense and towards more productive uses. In the future, a few confidentiality specialists allow non-experts to focus on customer experience and what they do best.

Why would, or would not, implementing such a security model be a heavy lift for CISOs?

With the adoption of a decentralized security model comes a reduction in the retooling of personnel who today are dedicated to perimeter defense support. This transition can be a heavy lift, but a hybrid model that gradually shifts personnel and systems from one architecture to the other is both possible and the recommended approach.