In the nine months since TradeLens was made generally available to the market, we’ve spoken publicly and with clients, and written about our commitment to security.
One such example is the blog post "Setting Trade Free with Permissions", which touches on the use of a permissioned blockchain to help protect and verify data distributed across the TradeLens platform.
Today, we touch on recent endeavors to stress test the platform in our efforts to deliver enterprise-grade security and resiliency.
In March, we engaged the cybersecurity experts at Coalfire Labs to perform penetration testing. They set loose a team of professional third-party white-hat hackers on TradeLens in an effort to expose vulnerabilities through an intensive validation of the platform’s APIs, application, and network hosted by IBM Cloud.
Penetration testing is a critical process for any hosted cloud application, but especially so for a platform like TradeLens that is now transacting millions of data points every week. The tests are designed to proactively identify and exploit flaws or vulnerabilities that could lead to critical service interruption or the compromise of the systems and data. By providing details on successful attack scenarios and recommendations on how to address these, Coalfire Labs has helped the TradeLens team to protect the platform and ecosystem members from future threats.
After three weeks, the results proved our architecture and implementation practices were indeed serving the needs of those who use the platform every day. It was no small feat, and the results pleased all who have been working so hard to build TradeLens and highlighted the strengths of a couple of key design points.
A shared ledger (Hyperledger Fabric blockchain)
We use Hyperledger Fabric, an append-only, distributed system of record-keeping, shared across the ecosystem of industry participants who have permissioned access to document filings, relevant supply chain events, authority approval status, and full audit history; each change results in a new, immutable block.
Use of smart contracts
With smart contracts, cross-organizational business processes can be programmed into the platform and distributed and executed across the network, preventing any member from changing the business logic.
Robust data sharing model
Each TradeLens member, contributor, and user is given appropriate permissions and visibility; transactions are secure, authenticated and verifiable. Cryptography enables permissioned access so only the parties participating in a specific shipment can submit, edit or approve related data.
All transactions are endorsed by the relevant participants. Sensitive information, including documents, is visible only to the authorized parties to a given shipment. Highly secure access-control permissions guarantee that organizations only have visibility over information that is pertinent to their own business. These standard permissions are available to review in the TradeLens Data Sharing Specification.
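The per-shipment access check and endorsement requirement described above, as an added illustration that is not TradeLens or Hyperledger Fabric code: a Go model of one chaincode-style transaction, where the `Shipment` and `Ledger` types, the MSP IDs and the all-participants endorsement policy are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Shipment as held in world state: the organisations (MSP IDs) party to it and the documents filed. Constructed model.
type Shipment struct {
	ID           string
	Participants map[string]bool
	Documents    []string
}

// Ledger is a minimal in-memory stand-in for Fabric world state plus its audit history.
type Ledger struct {
	state   map[string]*Shipment
	history []string // append-only record of accepted writes; never rewritten
}

var ErrNotParticipant = errors.New("caller is not a participant of this shipment")

// endorsed applies an all-participants endorsement policy to the proposal's signatures.
func endorsed(required, endorsements map[string]bool) bool {
	for org := range required {
		if !endorsements[org] {
			return false
		}
	}
	return true
}

// SubmitDocument models one transaction: the invoking organisation must be party to the
// shipment and every participant must have endorsed before the write is appended.
func (l *Ledger) SubmitDocument(callerMSP, shipmentID, doc string, endorsements map[string]bool) error {
	s, ok := l.state[shipmentID]
	if !ok {
		return fmt.Errorf("unknown shipment %q", shipmentID)
	}
	if !s.Participants[callerMSP] {
		return ErrNotParticipant
	}
	if !endorsed(s.Participants, endorsements) {
		return errors.New("endorsement policy not satisfied")
	}
	s.Documents = append(s.Documents, doc)
	l.history = append(l.history, fmt.Sprintf("%s: %s filed %s", shipmentID, callerMSP, doc))
	return nil
}
```

A non-participant is rejected before any endorsement is examined, and a proposal lacking a required endorsement never reaches world state or the audit trail.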
Next steps: ISO security compliance
Coalfire’s simulated attacks provide a strong indication that TradeLens is a secure and versatile platform for data exchange. TradeLens is currently undergoing an audit certifying compliance with the ISO 27001 family of IT security standards, targeted for completion this summer. We’ll post an update here when that work is further along.