NIST Releases Blockchain for Access Control Systems for Comment

December 22, 2021 - In a recent draft research document released for public comment, NIST outlines how blockchain technology can be applied to access control: managing the allowed activities of legitimate users and mediating every attempt by a user to access a resource in the system.

The document makes a case for how infrastructural properties of a robust and distributed blockchain network can address limitations of traditional access control systems. The public comment period runs from December 20, 2021 through February 7, 2022.

NIST highlights five key properties as follows:

  1. A tamper-evident and tamper-resistant design protects access control data and access control logs from alteration and reduces the probability of fraud.

  2. Decentralized control of authorization processing and of the storage of access control data/logs has no single point of failure, providing greater fault tolerance and availability.

  3. The traceability of blocks allows access control data/logs and system states to be seen and tracked.

  4. The execution of arbitrary programs in smart contracts allows for controls on distributed access control data and authorization processes.

  5. Consensus mechanisms and protocols govern how the participating access control entities/organizations jointly determine policy rules through blocks or smart contracts.

Furthermore, one can make the case that a blockchain access control network can potentially yield the following benefits:

  1. If implemented as a permissioned private blockchain access network managed by a consortium of members, scalability becomes less of a concern, as the network can adopt a BFT consensus mechanism to validate transactions rapidly, at rates comparable to transactions in VisaNet.

  2. Reduced OpEx and CapEx costs, since the operating hardware and software are supported by decision nodes distributed across the members of the consortium. All members are incentivized to play their roles in authorizing, validating and revoking users to secure the network.

  3. Use of smart contracts can provide granular RBAC to end-users, including custom access control requirements such as day, time, geolocation, or frequency of access. Smart contracts also provide the capability to rapidly change the mode of access, restricting access to a subset of users and/or suspending access for users based on predefined conditions. While there may be challenges with managing faulty contracts, smart contract auditing and proper use of proxy contracts to manage contract deployment, versioning and state can reduce the concerns around smart contract security.

  4. One significant advantage of smart contracts is that they allow access control to leverage a multisignature (M-of-N) wallet to authorize and revoke user access to highly sensitive resources. This may be exerted at the point where policy rules are issued to publishing nodes.

  5. Monitoring of access can also be leveraged through the consortium at the blockchain access control level, allowing more focused monitoring to take place by end-users. This can significantly improve monitoring posture while reducing the amount of resources dedicated to monitoring.

Zero Friction is looking forward to leveraging our expertise in blockchain technology and smart contracts to provide NIST with our feedback on this research document.