The participants of a blockchain ecosystem need to decide what the operating standards will be and what various users will be able to see and do. The design begins with the strategic business model, which includes making decisions about whether the blockchain will be permissionless, and thus available to everyone, or be permissioned (having various levels of permissions). Permissions determine participants’ roles and how they will engage with the blockchain, which can vary from entering information or transactions to only viewing information processed on the blockchain.
The choice of model isn’t automatic; organisations will decide based on design and use-case considerations. They will also need to consider the type of network to establish. For example, a permissionless blockchain on a private (closed) network might be used to run an internal, company-wide cryptocurrency, while a blockchain on a public (open) network may serve as shared infrastructure supporting either a permissioned or a permissionless model between organisations.
Plan to add cybersecurity, compliance, and legal and audit specialists to blockchain development teams. Involving risk professionals from the start will enable you to build a framework that regulators and all your stakeholders will trust.
Blockchain needs to fit into enterprise privacy strategies. GDPR, for example, requires that personally identifiable information be erasable. This has to be reconciled with the fact that data immutability is an important characteristic of blockchain.
Traditional organisational processes, such as sales, manufacturing and shipping, are often suboptimal and siloed. Focusing efforts to streamline processes and data flows lays the groundwork for blockchain efforts.
How respondents are implementing their blockchain use cases
Permissionless blockchains, such as the bitcoin blockchain, are made up of a network of public servers (or nodes). Anyone can connect, initiate transactions and view transactions. This model would not be a good fit for many enterprise applications, because that level of access allows anyone with an Internet connection to view information on the chain and write to it.
In a permissioned blockchain, various permissions are required to access different aspects of the blockchain. This type of design is more typical for enterprise applications, across industries, with consortia and even within private companies. The governing body for the blockchain serves as the gatekeeper, determining who will (and won’t) see or interact with information on the chain. A company developing a blockchain to manage its supply chain might use this model if it wants to heavily restrict how much information is available on the blockchain, who can see the information and where the blockchain is housed.
Permissioned blockchains typically require two layers of software: one to authenticate and verify users, and one to manage the movement of data into and out of the blockchain. These closed-off blockchains can be well equipped to manage privacy, access to sensitive data and related risks.
Permissioned blockchains can work in conjunction with permissionless ones — provided they are designed to be interoperable. A company might choose this model if it wanted to allow for retail traceability in its supply chain. It would create a permissioned blockchain for supply chain transparency, which its suppliers would use to enter data about raw materials. The company would also create a permissionless blockchain that would offer its customers transparency into the products that they’re buying. Only the relevant data from the permissioned blockchain would be passed to the permissionless one.
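As an added illustration of the two-layer design and of the hybrid supply-chain model above (constructed example, not code from the original article): a role check gates every action on the permissioned ledger, and a publish step passes only selected fields, plus a hash of the private entry, to a permissionless ledger. The role names, record fields and the toy hash-chained ledger are assumptions.

```python
import hashlib, json

# Roles and rights as the page describes them: suppliers enter data, the governing
# body decides who may read it and what reaches the public chain. Constructed
# example: the role names and record fields are assumptions, not from the page.
PERMISSIONS = {"supplier": {"append"}, "auditor": {"read"},
               "governor": {"append", "read", "publish"}}
PUBLIC_FIELDS = ("product_id", "origin_country", "certified_organic")
GENESIS = "0" * 64

def digest(prev_hash, record):
    """Link a record to its predecessor: SHA-256 over prev hash + canonical JSON."""
    return hashlib.sha256((prev_hash + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained ledger; permissions=None makes it permissionless."""
    def __init__(self, permissions=None):
        self.blocks, self.permissions = [], permissions
    def _check(self, role, action):
        # Layer 1 of the two-layer model: gate every action on the caller's role.
        if self.permissions is not None and action not in self.permissions.get(role, set()):
            raise PermissionError(f"role {role!r} may not {action}")

    def append(self, record, role=None):
        self._check(role, "append")
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "record": dict(record), "hash": digest(prev, record)})
        return self.blocks[-1]["hash"]
    def read(self, role=None):
        self._check(role, "read")
        return [b["record"] for b in self.blocks]
    def verify(self):
        """Recompute every link; an edited record or broken link yields False."""
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or digest(prev, b["record"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def publish(self, role, public_ledger, fields=PUBLIC_FIELDS):
        """Layer 2: pass only the relevant fields to the permissionless chain, plus the
        private block hash so a customer can check the public entry was not altered."""
        self._check(role, "publish")
        for b in self.blocks:
            public = {k: b["record"][k] for k in fields if k in b["record"]}
            public["private_block_hash"] = b["hash"]
            public_ledger.append(public)
        return len(public_ledger.blocks)
```

A supplier can append but not read, only the governing role can publish, and the commercial field never reaches the public ledger, while editing a private record afterwards breaks the chain and `verify()` reports it.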
Our survey results on how businesses are managing blockchains reveal that companies are adopting both approaches. While 40% are using permissioned blockchains, 34% are working with permissionless chains, and 26% are taking a hybrid approach (meaning the project they are working on uses a mix of permissioned and permissionless blockchains).
Regardless of the approach, you will need a robust governance model, which should be supported by a risk and controls framework for blockchain. Such a framework should address rigorous data governance, provide a tested control environment and involve experienced external partners to review and audit the blockchain and emphasise compliance.