ELEV8 Interview Series With Aaron Klein, BlocWatch Co-Founder & CEO

    Dec 18, 2019 10:27:00 AM / by BlocWatch

    BlocWatch recently spoke at ELEV8CON in Las Vegas December 8-11. The ELEV8 team sat down with Aaron Klein, Co-Founder & CEO of BlocWatch, to discuss monitoring and auditing private and public blockchains, auditing blockchains with sensitive information, and more. Read the full interview below.

    • Thanks for taking the time to sit down with us today, Aaron.  Can you please tell us a little bit about BlocWatch, the solutions you provide and share with us how you founded the company?
    • Sure, BlocWatch provides a monitoring solution that enables enterprise adopters to leverage and optimize their blockchain implementations. Our team has been building new technology monitoring solutions for over 20 years. We applied the lessons that we learned in these adjacent technologies to deliver best-in-class visibility with automated and customizable alerts on operational, configuration, and security metrics.
    • What’s the difference between monitoring, and auditing, a blockchain?
    • At a high level, monitoring is the operational piece of running a successful implementation while auditing is the compliance piece to ensure proper operational and security protocols are followed. To put that in concrete terms, operational teams want to be able to monitor activity and configurations in real-time so that they can identify and mitigate issues as they arise. Conversely, an audit is designed as an after-action inspection to identify potential weaknesses or research the root causes of past issues. Auditability is a key responsibility of compliance fulfillment.
    • How different are the processes when auditing a public blockchain vs. a private blockchain?
    • When thinking of an operational audit, the core ideas are actually very similar. The main concept being that data and activity need to be collected, normalized, and presentable. Similarly, for a user, they would still want to monitor their own access, how it is configured, and understand relevant activity. Of course, some issues that are relevant for private chains are moot for a public chain – and vice versa. For example, broader network permissioning which is critical to a Fabric chain administrator is not relevant to a public Ethereum chain. However, with that caveat, conceptually the idea of collecting, analyzing, and displaying critical information is the same.
    • Similarly, who are some of the typical parties most interested in the monitoring and auditing of a blockchain?
    • When thinking of an enterprise chain, as with any technology, monitoring and auditing is essential to all participants. For example, if you are looking at a supply chain from enterprise A with suppliers B, C, and D on it, all have a vested interest in ensuring that transactions are properly processed. Enterprise A is likely running 10s if not 100s of millions of dollars of transactions on the chain. They are – thus – intensely interested in both performance and security. Failure in either area would have enormous business impact. Similarly, the suppliers may be dealing with smaller transaction amounts, but these are still relevant business concerns. They need to know that the activity is properly tracked, payments are properly processed, and that the chain, with its transfer of information, is properly functioning. In essence, using a blockchain is no different than any other technology: users rely on the technology for their business operations and need to remain vigilant about operational and security concerns.
    • Can you talk about an example of where blockchain monitoring and/or auditing did, in fact, avoid an issue, or would have avoided an issue, on a blockchain?
    • Sure, just last week we on-boarded a large client who has a Fabric implementation. The implementation facilitates supply chain operations and consists of a few thousand nodes. This is a mission-critical system for the client’s business. Well, shortly after on-boarding, BlocWatch began sending them operational alerts regarding failed node activity. At first, they questioned our alerts. However, our support team convinced them to look closer at their chain configuration and, when they did, they realized that the alerts were correct as there was a failure within the configuration. Our alert was able to identify this issue, point them directly to it, and enable remediation within hours. Now, I suspect that they would have eventually discovered this on their own. However, that discovery would have been weeks or months later and would have cost them many 10s if not 100s of thousands of dollars to identify and remediate.
    • Is it possible to monitor a private blockchain which may contain sensitive data or personal information?
    • We are monitoring the chain operations and who is connected. BlocWatch provides controls on our agent so that customers can restrict what data actually gets sent to us, so they can prevent sensitive data from ever leaving their network. We are looking at the configuration of participants, the permissions granted, the activity from participants, and the operations of the chain. We can track the evolution of smart contracts and their state. All of this ensures that the correct people are accessing the chain – and that bad actors aren’t. It also ensures that the chain is functioning as intended. It does not, however, guarantee that people are not placing faulty data or information within the chain. In short, users should not be dissuaded from monitoring because of the data on their chain. In fact, the opposite is true:  the more critical or sensitive your data, the more reason to employ monitoring to ensure proper operation and security.
    • On which types of data does BlocWatch report in its monitoring tools; what data are BlocWatch users most interested in viewing?
    • We are tracking a multitude of activity data. This includes everything around node health and configuration, to smart contract status, to core transactional statistics, to overall chain activity. Today, we see users most interested in two core pieces:  first, they are interested in configuration security. They want to understand who is connected and what permissions have been granted. This helps them ensure that their chain endpoints are secure. Second, we see users tracking operational statistics. This allows a user to view, in real-time, that their chains are performing as expected. It also allows them to rapidly remediate any issues as they arise – and before they significantly degrade performance or impact business functions.
    • How did you first learn about blockchain technology, and can you reflect on that experience?
    • I hate to admit it, but my first experience was through crypto-currency. That was my initial entry point but, thankfully, not where I stopped. As I dug into what made it work, I began to see the applicability to solve genuine business problems. I think the first use case that really “made sense” to me was verifying the legitimacy of event tickets. In NYC, outside of MSG, I had once bought fake Knicks tickets so this use case really hit home. This was the crucial moment where it became clear that blockchain would evolve beyond a niche technology associated with crypto-currency into a mainstream technology embraced across mainline industries.
    • What’s next on the road map for BlocWatch as we move into 2020 and beyond?
    • The reality is that blockchain technology is immature and evolving. As such, although we offer a sophisticated tool set today, we also expect to continue to evolve and expand our platform as the technology matures. We hope to become more sophisticated around smart contract monitoring, we want to add machine learning to improve our suspicious activity alerting, we want to continue to support new platforms, we want to respond to user needs, we want …Well, you get the picture, there is no shortage of things that are on our road map.
