Blockchain-as-a-Service (BaaS) :: providers & trust Jat Singh and Dave Michels www.jatsingh.com

Key takeaway BaaS is [increasingly] ‘a thing’ Considering security, privacy and trust? DON’T FORGET THE PROVIDER[S]! DLTs aim at improving trust---- decentralises so trust is in the netowrk. Doesn’t this preclude?

Trust [governance] considerations Overview Nature of BaaS Trust [governance] considerations Intuition about baas [ DEPENDS ]

BaaS & Cloud BaaS: the supporting infrastructure Similar to a ‘cloud’ offering Economies of scale Elasticity Expertise Security + standards Main providers [cloud, contracts] IBM (Hyperledger) Microsoft (Coco Framework [eth] ) BaaS – offers what previous talk described as a service [not ethereum etc]

Why? “Blockchain revolution” DLT applications for business >> BaaS targets this Focus: Established businesses & business networks [ experimentation ]

Modes of uptake (service models) Applications Full-stack solution oriented App with (‘some’ ledger ‘somewhere’) “Software-as-a-Service” (SaaS) Platform-oriented Select, customise, configure components “Platform-as-a-Service” (PaaS) Modular, tight platform integration Business – SaaS or PaaS. Apps dominant

Example from MS – ledger components down the bottom, integration/managemnet services higher Aspects might be confirgured (or integrated). Apps from the topdown Microsoft

Private & permissioned Private: dedicated chain Permissioned: restricted participants Current BaaS focus Established networks, data sensitivity ‘Safe’ experimentation Facilitates tenancy Why not a traditional application/database? # counterparties; autonomy, power & competition; assurance levels; disintermediation Ease of deployment? Recognition: audit is important! Initial applications focus on private/permission chains. Following the business model

Opportunities regardless BaaS-cloud business Opportunities regardless BaaS for open chains? Comes with maturity… B2B >> B2C (or C2C) [“Sharing economy”] If BaaS provider == cloud provider – opportunities all the same!!

TRUST Blockchain => disintermediation Remove trust/reliance on third parties BaaS…!? DLTs aim at improving trust---- decentralises so trust is in the netowrk. Doesn’t this preclude?

transparency & control [[ who did/can do what? ]] GOVERNANCE transparency & control [[ who did/can do what? ]] DLTs aim at improving trust---- decentralises so trust is in the netowrk. Doesn’t this preclude?

Tenancy: participant trust Cloud tenancy Provider  tenant contract Tenants configure & control services; pays… Blockchain – multi-party scenarios Ledger mediates multiple parties Tenancy in a BaaS context? Who controls what? Who pays? Major players? Depends: Organisational structure: consortia vs. federation [governance arrangements] Systems architecture Tenancy is interesting --- regards trust re other participants

Research opportunities? Configations – can set policies over how the network operates, how multi-party workflow tools operate, etc Research opportunities?

Provider trust BaaS => Re-centralisation? Trust those managing the infrastructure “Trusted” re cloud an ongoing issue: Highly-regulated sectors; auditability Providers => better security(!?) Depends: Risk profile Centralised v federated architecture How much does a provider control? How much can participants see? Trust in who manages the infrastructure

Architectures BaaS Provider Organisation Y Organisation X Architecture aspects are important – e.g. these nodes different to Organisation Y Organisation X

Architectures BaaS Provider Organisation Y Organisation X Here whre the organisation doesn’t host the nodes. Then up to what is exposed to them via the provider… Organisation Y Organisation X

Architectures BaaS Provider Organisation Y Organisation X Here whre the organisation doesn’t host the nodes. Then up to what is exposed to them via the provider… Organisation Y Organisation X

Architectures Myriad of possibilities  trust (more than just nodes) BaaS Provider Here whre the organisation doesn’t host the nodes. Then up to what is exposed to them via the provider… Organisation Y Organisation X Myriad of possibilities  trust (more than just nodes)

Architecture, configuration, role of entities, role of provider(s), contracts AFFECT THE THREAT MODEL DLTs aim at improving trust---- decentralises so trust is in the netowrk. Doesn’t this preclude?

Emerging: silicon-based trust Trusted execution environments (enclaves) Hardware foundations for building trust Security: encryption, code isolation, attestation Much promise for DLT Hyperledger Sawtooth Lake & Coco Framework Keys, smart contracts And also cloud in general… “remove provider from the loop” Trusted cloud: Preclude need for BaaS? Threats/risks? Trust the tech? Supply chain? On going work on trusted computing architectures – raise levels of trust in comp in genreal, including cloud

Trusting the outside Interactions with BaaS (1) Parties (2) Data Access controls: identity, permissions Right tenant; right chain (2) Data Oracles: event validity Agreed; consensus; hardware-backed Service providers as validation entities? Depends on application x Trust regarding interactions with the cloud

Concluding remarks BaaS still emerging Similar benefits to cloud Role in emerging systems: we shall see! Direct S&P implications:: threat models Specifics of the application and participants Traditional business-cases? Consumer chains? Nature of systems & DLT architecture Role of the provider, tenants Who governs what? Overlaps with “trusted cloud” (accountability)

me (Compliant & Accountable Systems) www. jatsingh me (Compliant & Accountable Systems) www.jatsingh.com proj (Microsoft Cloud Computing Research Centre) www.mccrc.org