All right. Well, hopefully everybody had a good lunch and has a little energy going right after lunch. I have the first session here. My name is Scott Perry, and I'm very glad to have all of you attend this session. One of the reasons I decided to give this presentation is that I presented the same topic at the Hyperledger Global Forum in Arizona two and a half years ago, and not too many people attended, maybe one or two. Now I have at least some friends in the audience to double that, but this is a larger audience, and it is a larger topic. It is a lot more meaningful topic now, and hopefully you'll get something out of this that you can take back to the organizations that are building blockchains, and talk a little bit about a topic that's going to be absolutely key for them. So let me just introduce myself. My name is Scott Perry. I am an IT auditor by trade, a crypto auditor by trade. I'm a certified WebTrust auditor, and I audit the traditional use of cryptography in the marketplace with certificate authorities. I audit public certificate authorities that protect the web. I audit digital signature certificate authorities that issue higher-level security credentials to U.S. government contractors and agencies for high-level communication. Seven years ago, I started a journey, just like a lot of you did, into other uses of cryptography with the advent of Bitcoin. How can we take advantage of that, especially in the use of digital identity? How can we solve the user ID and password problem on the internet? Because I know that the digital credentials issued with traditional PKI didn't scale very well, and they were run by governing authorities that were fairly rigid. So I wanted to get more involved on the governance side of that, so it's fair and can be more globally introduced.
My journey eventually led to the Trust Over IP Foundation, where I'm now a steering committee member as part of my new organization, Schellman, which is a global compliance certification and audit firm. If you want to know more about the Trust Over IP Foundation, I'll be talking a little bit about it, but we have a place upstairs on the third floor, and we'd be more than happy to talk about some of the things we're doing. We're also having a mini summit later this week as part of the Open Source Summit that's going on here in Dublin. I've also been involved in this topic for quite a bit, and I've written some things. I've contributed to the book at the bottom of the slide, whose main author and contributor is Drummond Reed, my co-chair of the Trust Over IP governance stack working group. He is speaking at this conference, so you can also touch base with him. He's also very knowledgeable about the topic I'm going to talk about today. But here's the deal. Why is this topic relevant? You've done all your proofs of concept, and I've basically been a very lonely person in this space. I've been waiting and watching all the proofs of concept and the evangelism taking place on the technology, and I've been waiting for the teeth. The teeth come in when governments care, when world-class applications come, when they see that the tech is valuable to their jurisdictions and marketplaces and they have to take notice. That's a good thing, and it's happening this year. So I've been actively involved in moving forward with accreditation schemes in a number of countries: the US, Canada, the UK, a small monarchy in the middle of Asia, and others that have been talking to me about governing authorities and governance and how you manage the tech here. And so the question is how you manage governance, because what's unique about blockchain is that with its decentralized properties you need to cooperate under a governance framework.
It is critical. You don't have a central authority dictating certain things. You need to come together, and you need to have a process by which those governance standards make sense and address risk. Then you can actually build in accountability for those participating in blockchain networks for risk mitigation. So I'm a risk guy, and we're going to talk a lot about risk in this presentation. As we look at why this is important, there's lots of talk about whether it's Web 3 or Web 5 or whatever it is; our internet is evolving, and the risk profile of how we're using the internet is changing. We're moving from just getting information, which is low-risk, read-only type stuff, to collaborating with a global population, and now to actual digital assets of value being exchanged. Risk profiles are increasing. We need to manage the risk associated with the issuance of these credentials, the transfer of these credentials and the verification of these credentials. Plus, as we move to more verifiable digital identity, we want to have accountability for the transactions that are happening in the marketplace, and those players involved in the verification of digital identity have to address the digital identity risks associated with it. So at the Trust Over IP Foundation, we have presentations on what we call the stack. The stack is an architectural model that is broken into two halves: a technology side, where you have multiple players in a variety of different layers. One is a public utility layer for data that includes blockchain, if that's the option in the particular area; this is where a blockchain can reside. Then you have the wallet layer with peer-to-peer communication. Then you have the famous triangle, the issuer, holder and verifier, within the exchange of digital credentials.
And then you have the oversight over ecosystems and how all the governance and all of the participants in this network can play. What's nice about this is that the Trust Over IP Foundation has recognized that we have to match all of these layers with governance at each layer, because the governance of a public utility is going to be different from the governance of the issuers and the verifiers. Different rules and different structures in order to mitigate risk at different levels, because the risk happens in different places, and you need to match your governance structure to manage and mitigate that risk. Now, at the public utility layer, obviously you see that blockchain has a role here. It's not the only role; we can deal with decentralized file systems. What we're trying to do in this particular environment is get links out to public keys, and now that we have a new W3C standard on decentralized identifiers, we're going to get there quicker. We needed that endorsement; that's a major move to endorse this technology. Now we have structures associated with that, but we don't have governance. We don't have standards associated with the governance of blockchains or other decentralized file systems, and that's what we're going to talk about today. We need to govern all of the roles at this level. We have governing authorities for blockchains. We have stewards and nodes. We have the operation of the ledger. All of these things need to have structure to address risk, and we're going to talk about those risks. So let's talk about governance, and let's talk about a governance process, because I assume not all of you are governance experts, and you're just trying to get knowledge of what this topic of governance is about. This is the model that is, I'd say, the most generally accepted model for governance, and it starts with risk. What's risk?
Risks are what could happen to your blockchain network, or what can happen in IT processing in general. They break down into the likelihood of it happening and the impact of it happening, and both need to be considered. It's a doomsday scenario: forget about any governance requirements or any controls that you have in place, or any of the cryptographic controls that even exist in blockchain. You need to consider what could happen in general. The reason I've been such an advocate about attending and being involved here is that blockchain, the structure itself, mitigates risk, which is a great thing. But it doesn't do everything. That's a challenge that I hear: that we could just put in automated controls. But automated controls are run by humans. Humans define them. They have to establish the requirements that address the risks so that all participants can address the risk fairly and know clearly what their role is in the ecosystem of a decentralized network. If the risk is high enough, they may want to build in a trust assurance network where they have third-party auditors like my firm going out and verifying that organizations are meeting these requirements. That happens in many different infrastructures: the credit card industry, the healthcare industry, government services. You'll see all of the standards and compliance things that your organizations have to deal with, and that's based on the fact that they want assurance that organizations, the participants in an ecosystem, are meeting the requirements. Now, if they're not, if there are exceptions to the things that organizations are supposed to be meeting and they come up with nonconformances to the requirements, those need to be reviewed to see: okay, is there outstanding risk? What does that mean? Do we drop a node because they're not participating in the way we expect them to? This is a collaborative governance process.
This isn't dictatorial, as we're dealing with decentralized governance, but it doesn't change: it needs to follow this process in order to move. So my presentation is going to go into some of these areas, and we're going to start with risk. My professional society, ISACA, has looked at blockchain and identified five categories of risk. I'm not going to go into the details of this; my presentation is available and you can review it. But it starts with governance. How are you managing all the oversight guidelines of how it works, the choice of consensus algorithms, the acceptance of nodes to the network in a permissioned ledger? How are you managing that? What requirements are you putting on these nodes so that they participate? If there are access rules to add records to the ledger, what are those rules, are those rules transparent, and do they effectively manage the risk of the data that's exposed within the blockchain? So governance is key. The infrastructure supporting the activity within the network has risks: how the consensus mechanism operates, the management structure, or interoperability with other blockchains, as we've talked a little bit about at the conference today. Is it following standards, and are they operating it that way? Do all of the nodes have appropriate software vulnerability management in place? Can we trust it? That's what relying parties and jurisdictions want. They are looking for an organization that is managing their risk and managing the things associated with it. How about the data itself? How do off-chain and on-chain data interact? Is the data treated as a source of truth for a business purpose? Is there proper evidence in transactions? Some things can be on-chain and some things can be off-chain, but the overall view of both pieces needs to be considered. Key management: we're dealing with keys in a blockchain environment. How are you managing keys?
As well, since we have the novel opportunity to use automated controls in a smart contract within blockchains, how are these smart contracts operating? We're going to go into that in a little more depth. In blockchain governance, I'm just going to point out a couple of pieces. Another one that's not on the list is that a consensus algorithm is insufficient to detect protocol and smart contract changes. These are technical-level governance risks that deal with the operation of a blockchain, and these are key. Some of these could be catastrophic to an organization. If you have a hard fork, that could be catastrophic. Maybe the likelihood of it happening is small, but its impact will be great, and both pieces need to be considered. As we look at the infrastructure, I focus a little bit more on the permissioned side, because permission in itself is a control, and you want controls associated with giving permission. What are those controls? Are we just going to give permission to any entity that wants to operate, or do they have to meet certain governance standards? So the risk is that we're willy-nilly giving access to an organization that doesn't play by the rules. And we want to make sure, from an infrastructure standpoint, that the system is available, that it's secure, that it maintains privacy, that PII is not included on the chain but kept off the chain, and that other types of infrastructure risks are addressed by this set of controls. Now, from a data standpoint, we look at what's actually on the chain, what's available, and whether it's privacy-preserving. And since blockchain can put in a source of truth, a permanent, unchangeable link, is that data good? Because the key thing in this particular slide is that I can sign a lie and put it on the blockchain.
Just because it's on the blockchain doesn't mean that it actually is the source of truth. Maybe it has imperfect evidence supporting the data, and that could be a very key risk in this area. We want to make sure that if we're putting records on an immutable source of truth, that it is the source of truth. In key management, obviously, as we're dealing with cryptography, the protection of the private key is absolutely critical. If we're extending private keys to people who are not familiar with the careful consideration and management of those keys, that's a high risk. So who are we giving control of key management to, and are they knowledgeable in doing that? We want to make sure that they're appropriately managing the risk they have within this infrastructure and technology. Finally, within smart contracts, the key risk is the lack of business, regulatory and legal enforcement. Governments don't understand smart contracts. They don't know if they're enforceable. So it's very key to have transparency about what the smart contracts are: how does it operate, how is it being controlled? Because the key thing is having smart contracts written without governmental approval and endorsement of those contracts and agreements. As well, say we find errors: we don't want to put smart contracts out without making sure that they're error-free. What are the controls associated with putting out smart contracts to make sure that they're at least as error-free as they can be? And if changes are needed, where you have a new contract to be moved forward, do you have the appropriate change control to manage that change as well? So if we look on the governance side, what is available in the marketplace to give guidance? ISO has put together a technical specification.
This is not a standard; I want to be clear about that. Sometimes they have advisory reports, sometimes they have specifications. ISO has technology governance as part of its standards and technical specifications. ISO looked at blockchain and set aside some governance considerations around its management. If you want to pay, I think, 280-some-odd US dollars, you can go and access it; it is a valuable piece of information. But if you don't want to pay for it, there are other governance standards and models. My associate who works with me within the Trust Over IP Foundation is leading the IEEE blockchain governance standard. Her name is Savita Farooqui, and they're just about ready to publish a governance document on blockchain. IEEE is a valued source of information and a body to be listened to. Their focus, as much as we always look at machine-readable governance and all that, deals with the core tenets I've been sharing with you: it's still a people-managed process initially. People, process, policy and practices; these are the standard set. When you're addressing risk, they're driven by that. But what's neat about it, she calls it the four Ps plus I, is that there are incentives in a blockchain network, and you need to consider how the incentives are built in. The other novel thing IEEE has done is talk about how governance gets applied to the different components of a blockchain, whether it's addressing the ecosystem, the lifecycle, the system, the process, standards, lifecycle management, as well as the individual tech. They focus some area around what they call targets of governance, and as the governance standard they're building evolves, they'll be focusing on those. And in the Trust Over IP Foundation, we've taken on this idea of governance targets to look at the major aspects that need to have specifications associated with them.
We want to add individual rules to mitigate risk in these various areas, and there are a lot of them. You look at this and, obviously, if you're developing blockchain systems, you're touching all these things and you need guidance, and that's what that standard is driving at. Now, in the Trust Over IP Foundation, we've come up with a meta-model, a governance standard, which really started as a table of contents of things to be considered when you have interoperable trust. When you have an ecosystem that others outside of your ecosystem depend on, you need to identify the key controls and aspects of what your governance framework is driving at. So for a governance framework, this is the table of contents, and these are the subsequent pieces of information that need to be considered when you're developing the governance rules. Who's the authority? Who's administering it? What purpose do you have for this? What is the overall scope, the boundaries of control? What are the objectives of the blockchain network? What are the guiding principles driving its operation? And then what are the general set of requirements and the detailed set of requirements, set out in different sections, that have different aspects that need to be considered for reliance? Part of this is a risk assessment. A risk assessment process is something we've advocated in the Trust Over IP Foundation, and we have templates and guides to help you develop a risk assessment using some of the risks I've mentioned previously, as well as a trust assurance or certification guide, if you want to demonstrate that you have a process in place to hold the players participating in this governance framework accountable.
There's also a guidance document to explain the varying means of trust assurance. You could self-attest, you could have third-party auditors, you could have an ISO certification built in. There are different degrees based on the risk you're trying to mitigate. So basically, at the end of the day, from a governance standpoint, you have a constitution, and the constitution needs to be available and transparent so that those looking to rely upon it understand its rules. Transparency is key, and that's what I don't see in the marketplace today. I see a lot of very innovative blockchains, but I don't know what their underlying governance is trying to move forward. How are they mitigating risk? Why should I trust it? It needs to be transparent first. And then the set of governance documents needs to be available in a package to create a constitutional set of rules that organizations can follow, as well as a certification process. Now, this is starting to happen. One of the first things that happened when the UK issued a digital trust framework is they said we need an accreditation standards body associated with it, and we need to institute certification bodies and auditors around the individual companies that want to add to our identity infrastructure. So my firm is one of the first audit firms that will be auditing, in the UK, the identity proofers, the certificate issuers of identity, as well as those that manage the orchestration layer underneath it.
All right, so once you have your governance framework established, and the administrative authority and the governing authority view that there is enough risk in the marketplace that you want to institute a third-party risk mitigation strategy, then it needs to organize with accreditors that will accredit auditors, who will audit governed parties, the participants in the blockchain network, against the governance framework and attest that they are meeting its requirements. The items that are not met will be included in a compliance report so that the residual risk from nonconformances can be considered. That's part of the governance process, in a feedback loop that brings back whether the organization is trustworthy as a whole and is mitigating risk appropriately. So with the trust assurance framework, there are variances around that. What is its scope? What are the roles that would be audited, the players, the nodes of the blockchain network? You may be self-auditing the governing authorities; a jurisdiction wants to make sure that they have governance processes that are appropriately mitigating risk. Are there levels of assurance that we can provide in tiers? Maybe we're issuing credentials that have a variety of different meanings in the marketplace. For example, for a digital identity credential that's used extensively, like a driver's license, the level of assurance we need about that person's identity is more than for a credential issued for a membership at a gym.
So we really need to understand what the risks are associated with the issuance of data records on a blockchain, associated with an ecosystem around digital trust, and whether the players are measured against the level of assurance that would meet their needs. When that's done, we have a governance framework and we have trust criteria that governed parties need to ascribe to. In the marketplace, your companies are dealing with a lot of compliance frameworks and have to assert that they're meeting certain criteria. That's what that is. If you look at PCI, they have a set of criteria, and you'll have a third-party auditor audit against that criteria. Then there's the process of managing the audit process: getting data from auditors, evaluating the results, feeding the process back to see if there are improvements required of organizations that are not conforming to certain criteria. The US government is very tough on that. There is a new accreditation scheme called CMMC, and it deals with controlled information from the US government. There are auditors that are going into government contractors and will evaluate how they are managing that controlled information. If certain controls are not being met, there are going to be processes for fixing that in a quick amount of time, or you would not get access to government contracts. That's one instance of a very tightly managed trust assurance framework. In the marketplace, what has guided the development of IT controls for the last 30 years is an organization called COSO, the Committee of Sponsoring Organizations. A long time ago they developed internal controls for financial reporting, which was the embodiment of the United States Sarbanes-Oxley controls.
Now they took a look at blockchain. They said, well, blockchain is coming up; how does what we have in place within generalized IT management controls apply to blockchain? These are the common sets of activities that are needed for any IT organization. They dissected those and applied that information to blockchain. So if you Google "COSO blockchain internal control", I think this is a valuable piece of guidance on at least some aspects of things that you can consider in making sure, at least from a readiness standpoint, that your blockchain meets these core IT-related control sets. What I see in the marketplace is that there isn't a blockchain standard that you can just get a trust mark on, but there are other associated compliance schemes active in the marketplace that many blockchain organizations are subscribing to. Another one is the NIST cybersecurity framework. I remember crypto.com saying "we got NIST for cybersecurity", but these are generally accepted schemes in the marketplace that many blockchain organizations are subscribing to, especially SOC. SOC doesn't necessarily have specific controls on blockchain, but you can take blockchain controls and apply them to the trust services criteria that are demanded in order to get that trust mark. CSA STAR is a Cloud Security Alliance standard. HITRUST is in the health industry, a combination of a number of different standards that hospitals are now demanding of hospital service providers. And certainly you're all familiar with ISO 27001. All of these can be implemented to demonstrate that your organization is committed to meeting certain trust criteria to address risk. Now, when I did a survey of what I as an auditor could use in the marketplace to help in audits, I came up with a lot of crypto stuff.
In the cryptocurrency marketplace there has been a demand for tools, interrogation tools for data that's either on-chain or off-chain, and so that's where a lot of the tooling is. The conversations we're having this week don't necessarily fall into this, but these tools could be used for that. I'd like to see a better set of tools related to the blockchain environments that you're building, because this is very focused on the DeFi crypto side. I'm not happy there. Now, on the smart contract audit: I'm developing a smart contract audit service within my firm, Schellman. Right now in the marketplace, if you want a smart contract audit, you get a very detailed interrogation of the execution of the smart contract, and these three are tools that smart contract audit organizations use. I don't know all of it, but I am working with my vulnerability assessment organizations, because they get down into the code, and with smart contracts you're going to have to get down into the code. But what I feel is needed in the smart contract audit space is not only getting into the technical side, but are we addressing the risk, and are we also doing the change management appropriately around smart contract issuance and any change that's needed in the marketplace? This will evolve as more smart contracts move out, and if there are other risks associated, that will be required by governing authorities. So my final slide is this, just a couple of action steps for the people in the room and your organizations. If risk assessment is a new term in your environment, learn about it, take the slides here, contact me, do a risk assessment. Risk assessment drives the accountability and the viability of the services that you're bringing to market.
So do that; make sure that risk is appropriately identified and built into governance frameworks and any trust assurance frameworks that you have. If you have governing objectives, make sure they're meeting your current operations. Sometimes the people running your network are different from the people operating it. You need to have some synergy between your operations and your governance, to make sure that they're both consistent with the objectives of each other. Also make sure that all of the participants are accountable for the actions that you expect them to take. What are the measures you're putting in place to get assurance that players are accountable for the absolute "must" statements, the requirements you need within your blockchain network? Make sure that those policies and procedures are appropriately addressing the risks that you identify. And finally, assess your network practices against your current and existing audit schemes. Do you need a tighter audit scheme? Do you need third-party assurance? Because that's going to give you credibility with the jurisdiction you want to participate in. Basically, it's a demonstration that we have our house in order and we are self-managing any issues: government, this addresses your concern about the risks we're taking here; we're managing it for you, and this is how we're doing it. That is a key demonstration to reduce their concerns. Now, if you're executing smart contracts, do a full-scale smart contract audit, not just the technical side, but look at what you are trying to accomplish with the smart contract. How are you making sure that it's legally enforceable, or at least enforceable from the standpoint in which you're trying to get it executed?
And make sure that you have feedback loops to ensure quality goes back in and you're learning from the activity that's going on around your governance process. So I have just about a couple of minutes for a couple of questions. Anybody have a question for me? Yes, sir. Thank you.

Audience member: How can you tie in to the existing accreditation infrastructure that's already in place? There's already a lot in place in terms of accreditation infrastructure. I think it's good to just tie into that infrastructure.

Scott Perry: Absolutely. Don't recreate the wheel. Part of the guidance that I put together in this trust assurance framework does a survey of existing regulations and controls, and it is best to tap into them as much as possible. Most organizations are just going to take that, because then you don't have to recreate an ISO 27001. That automatically includes a set of controls that may meet your needs.

Audience member: And how do those existing parties react to such suggestions? Are they open to it?

Scott Perry: Positively. They react the same way as I'm saying, because they know that those processes are tried and true, as opposed to a trust assurance scheme that gets built up that they don't know is even viable. An organization with a certification body and an accreditation body and certified auditors already built in for ISO is something where they can trust the trust assurance process, which is what governments are accepting of these days. As a matter of fact, the UK government that I'm talking with wants more of that. Yes, sir.

Audience member: So I've got a question for you. In one of the slides... Yeah, we need that because of the virtual people. Sure, sure. In one of the slides, you had mentioned the regulatory risk and the compliance risk that drive the technology, which is the requirement per se. So I'm taking a step back and another way of looking at the same problem, which is over-enforcing the criteria by any of the regulators in the industry where you are approaching blockchain as a potential solution. When I say over-aggressive or over-demanding, that's one of the things that typically would happen with financial firms, banks or anything of that sort. Now, blockchain is a technology which is evolving; it started with certain criteria, certain versions, and now it has come to a level with that over-demand. If the technology is not able to sustain that demand, in that case, what is your perspective on looking at the problem and the risk?

Scott Perry: Well, that's a risk. It has to be scalable, right? It has to be implementable. That's a concern that regulators have: I'm trusting technology for millions of transactions; is it going to be available when I need it? Certainly there are controls and requirements that need to be put into governance frameworks to prove that out and to demonstrate that you satisfy the needs of global commerce.

Audience member: Yeah. But what I'm saying is that blockchain is a different perspective on looking at the problem and solution. It's not a conventional system, where other ways would probably address every problem with bespoke approaches and all that. Blockchain has a certain construct. So I see a gap, because if you put over-demands on it, that doesn't mean you would end up putting something into blockchain just to satisfy that demand and then potentially destroy the technology itself. That was the way I was looking at it.

Scott Perry: Well, the other key thing is that we're dealing with an environment where the people overseeing the technology are uncomfortable with the technology. It's important to have transparency and education. We need to educate now. We've done the proofs of concept. We have a technology that we think can scale and can transform how we act digitally. Now we need to prove that in a transparent way to jurisdictions so that they are comfortable, and that's part of what this process is. So thank you very much for your time today, and I hope you enjoy the rest of your conference.