AWS: Amazon “We do Everything” Service

AWS (Amazon Web Services) is arguably the most comprehensive cloud and computing services vendor in the market. Amazon offers a portfolio of over 125 services spanning segments including cloud, IoT, analytics, and more.

The most recent addition to their laundry list of services: Blockchain as a service.

Amazon Responding to Enterprise Blockchain Demand

Amazon continues to be known as a customer-centric company, prioritizing their business to meet growing consumer demands. With the business value-add of blockchain technology expected to exceed $3.1 trillion by 2030 (Gartner), it’s easy to see why so many large tech firms are looking into providing blockchain solutions. Amazon recently announced a managed blockchain service in late November during its re:Invent 2018 conference. By doing so, they joined other cloud vendor services providing blockchain nodes as a service for exploration of the technology. Amazon’s entrance is positive news for the blockchain ecosystem.

Previously, Amazon provided blockchain options to its customers by forging partnerships with firms such as R3 to provide templates and ConsenSys-tied Kaleido to offer a full stack blockchain SaaS, in addition to offering its own AWS basic blockchain templates earlier this year. With the announcement of its Amazon Managed Blockchain service, AWS is now taking its blockchain strategy one step further, joining firms such as SAP, ConsenSys, Microsoft, and IBM who have been exploring blockchain solutions over the last number of years.

IBM has developed its solution on top of the Linux Foundation’s Hyperledger Fabric and has been heavily investing in permissioned blockchains. In October, SAP released HANA, a cloud service that is deployed with SAP’s Leonardo blockchain. Another rival, Microsoft, recently released the Azure Blockchain Development Kit which provides click-through deployment templates for simple blockchain nodes and integrates Azure cloud services to help enterprises implement blockchain proof of concepts. In Australia, Microsoft partnered with Webjet to resolve 90 percent of travel bookings disputes using the Ethereum blockchain. The shared platform was able to reduce lost reservations and double bookings while eliminating costly and time-consuming transaction disputes for multiple parties.

Daniel Johnson, CTO and head of innovation at Guardian Life, noted that testing the AWS product is part of the company’s ongoing experimentation with blockchain systems, which it has been conducting since 2015 and which has included the development of private blockchain prototypes using Ethereum, Hyperledger, and some of the options available on Microsoft Azure.

New Amazon Blockchain Services

The Quantum Ledger Database (QLDB) is a ledger that monitors transactions and application data to maintain the entire history of those transactions. The QLDB is serverless, meaning customers will not have to manage network throughput, similar to the existing AWS service DynamoDB, Amazon’s NoSQL database service. Finally, Amazon’s QLDB does not require shared consensus, implying there is no consensus algorithm or validation process required between parties. Essentially, the QLDB is an entirely centralized database where users will rely solely on Amazon to verify and maintain a ledger of transactions. This new service appears to be aimed at audit log scenarios rather than full-fledged multi-party blockchain networks.

The second service, Amazon Managed Blockchain, is in preview and currently provides Hyperledger templates and node management for parties interested in setting up a blockchain. In exchange for this service, Amazon will charge a fee for all participants of the permissioned blockchain network. AWS has announced its intention to add Ethereum capabilities, although it has not yet committed to exact dates on when this might be available. The service will likely offer node and data storage services similar to what is provided with AWS’s Hyperledger-based service.

While it’s a great sign for the blockchain ecosystem that Amazon is getting louder and going bigger on the market opportunity for blockchain, it’s important to note that managing nodes for blockchains and providing templates for the private chain layer are only a small portion of the total solution. Distributed networks are complex and require a holistic approach in order to create enterprise-ready blockchains.

“Blockchain solutions have tremendous potential to transform business, but creating the blockchain network is typically only about 5–10% of a complete solution.”

–Steve Cerveny, Kaleido Founder and CEO

Enterprises Require Full Stack Services and Tools

Today, setting up a website is easy with website builders like WordPress or Wix, but it wasn’t always so simple. Services and features that made the internet simple to use had to be developed before the internet companies of today could exist. In comparison, blockchain technology is still in its infancy, but these sorts of tools and services are emerging.

There are many services and tools required to interact with the blockchain layer, including IPFS (InterPlanetary File System), hardware wallets, identity registry, key management services, smart contracts, and oracles for off-chain data retrieval (not the database vendor). These tools enable enterprises to utilize blockchain technology efficiently.

While Amazon doesn’t offer many of these services, they have partnered with Kaleido, a ConsenSys company, to provide a full-stack enterprise blockchain platform that supports the full blockchain lifecycle from exploration and proof of concepts to production-ready business solutions. The Kaleido Marketplace offers all of the below-mentioned services and is a one-stop shop for building complete enterprise blockchain solutions.

IPFS File Storage

Securely storing and sharing large files across multiple nodes is vital for any blockchain network. Because blockchain ledgers are not designed to store and process large files, organizations need some type of shared infrastructure to upload files and quickly retrieve them. Say, for instance, you have a lengthy contract outlining the mechanics of a syndicated loan. It might be nice to store a reference to this contract on the blockchain, rather than the entire file. IPFS is a censorship-resistant peer-to-peer file sharing technique that allows anyone to seamlessly upload a file and then retrieve it by referencing a hash, and the file can’t be deleted by any single individual. IPFS nodes thus become a powerful supplementary service to the actual chain layer, with smart contracts and transactions only needing to reference the hash of an uploaded file. This keeps transactions lightweight and performant.

Identity Registry

Users of enterprise blockchain networks will require verified on-chain identities that bind them to their respective organization while maintaining a corresponding private address, so that consortia members know that their business counterparts in the network truly are who they claim to be. To accommodate this, Kaleido takes advantage of the widely used PKI (public key infrastructure) scheme and allows individual organizations to upload their own digital X.509 certificate chains. The rest of the network can then download a fellow organization’s certificate and ensure that it has been signed by a trusted and reputable root authority.

This transparent identity verification is incredibly powerful, but it’s only part of the solution. The end goal is to map these identities to specific Ethereum addresses so that when transactions come into the network, they can be unequivocally bound to a parent organization in the consortium. The Identity Registry at its core is a smart contract that keeps track of organizations, digital certificates, Ethereum addresses, and end-users. Now when a transaction takes place publicly in the network, everyone will know that 0xce4602c27Adf0faD56EB0D5711BefF148D2d71ae is actually alice@email.com who is registered against Bank A.

But what’s to stop another organization from identity theft by downloading another’s certificate and uploading it into the ID Registry as their own? The ID Registry has cryptographic checks built in to ensure that only the possessor of a certificate’s private key has the ability to claim that identity. As a result, consortia members can trust that only the organizational administrators can access the registry and inject identity assertions.
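A minimal model of the two checks described in this section, as an added Go example that is not Kaleido's ID Registry code: a certificate-to-address binding is accepted only if the certificate chains to a trusted root and the claim is signed with the certificate's private key. The function names, the claim format and the sample certificates are assumptions constructed for illustration; the first address is the one quoted above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed sample certificate; a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.KeyUsage = true, t.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // sample setup only
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// claim is the digest a claimant signs: it binds the exact certificate to one Ethereum address.
func claim(cert *x509.Certificate, ethAddr string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, cert.Raw...), ethAddr...))
	return sum[:]
}

// register accepts a binding only if the chain is trusted and the claim verifies under the certificate's key.
func register(roots *x509.CertPool, cert *x509.Certificate, ethAddr string, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, claim(cert, ethAddr), sig) {
		return fmt.Errorf("no proof of possession for %q", cert.Subject.CommonName)
	}
	return nil
}

// scenario: is each claim on Bank A's certificate accepted? Owner, thief's own key, thief replaying owner's signature.
func scenario() [3]bool {
	root, rootKey := issue("Constructed Root CA", 1, nil, nil)
	bank, bankKey := issue("Bank A", 2, root, rootKey)
	_, thiefKey := issue("Bank B", 3, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	alice := "0xce4602c27Adf0faD56EB0D5711BefF148D2d71ae"   // address quoted on the page
	mallory := "0x000000000000000000000000000000000000dEaD" // constructed
	good, _ := ecdsa.SignASN1(rand.Reader, bankKey, claim(bank, alice))
	forged, _ := ecdsa.SignASN1(rand.Reader, thiefKey, claim(bank, mallory))
	return [3]bool{register(roots, bank, alice, good) == nil,
		register(roots, bank, mallory, forged) == nil, register(roots, bank, mallory, good) == nil}
}

func main() { fmt.Println(scenario()) } // prints [true false false]
```

Because the address is part of the signed digest, a copied certificate plus a captured signature is still not enough to bind a different address; a production registry would also include a registry identifier or nonce in the claim.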

Identity Masking HD (hierarchically deterministic) Wallets

It may seem strange to broach the subject of anonymity immediately after discussing enterprise identity services, but submitting transactions may need to be anonymous to protect the privacy of enterprise information. There are a variety of circumstances where the true actors in a transaction need to be hidden. Say, for instance, a consortium has full line of sight into frequent transactions taking place between Bank A and Energy Company B. The rest of the financial institutions in the network would have competitive market data and could sweeten their financing bids on future proposals. Kaleido tackles this issue with the Identity Masking HD Wallet. HD Wallets are simply a deterministic key tree offering access to an unlimited supply of private signing keys. Using the HD Wallet, transactions can be sent to the network with a random untraceable identity on an as-needed basis.
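To make "deterministic key tree" concrete, this added Go example (not Kaleido's code) derives per-transaction signing keys from a single seed using BIP32-style hardened derivation over secp256k1. The page does not say which derivation scheme the service uses, so BIP32, the path layout and the function names are assumptions; the seed is the public BIP32 test-vector seed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Order n of secp256k1, the curve Ethereum signing keys live on.
var n, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// step runs HMAC-SHA512 and splits the output into a 256-bit integer and a chain code.
func step(key, data []byte) (*big.Int, []byte) {
	mac := hmac.New(sha512.New, key)
	mac.Write(data)
	sum := mac.Sum(nil)
	return new(big.Int).SetBytes(sum[:32]), sum[32:]
}

// derive walks a hardened path (m/path[0]'/path[1]'/...) from a hex seed and
// returns the private key at that node as 64 hex characters.
// An empty path returns the master key.
func derive(seedHex string, path ...uint32) (string, error) {
	seed, err := hex.DecodeString(seedHex)
	if err != nil {
		return "", err
	}
	k, chain := step([]byte("Bitcoin seed"), seed) // BIP32 master key generation
	if k.Sign() == 0 || k.Cmp(n) >= 0 {
		return "", fmt.Errorf("seed yields an invalid master key")
	}
	for _, i := range path {
		data := make([]byte, 37) // 0x00 || 32-byte parent key || 4-byte index
		k.FillBytes(data[1:33])
		binary.BigEndian.PutUint32(data[33:], i|0x80000000) // high bit marks a hardened child
		il, c := step(chain, data)
		child := new(big.Int).Add(il, k)
		child.Mod(child, n)
		if il.Cmp(n) >= 0 || child.Sign() == 0 {
			return "", fmt.Errorf("index %d yields an invalid key", i)
		}
		k, chain = child, c
	}
	return hex.EncodeToString(k.FillBytes(make([]byte, 32))), nil
}

func main() {
	seed := "000102030405060708090a0b0c0d0e0f" // public test-vector seed, never use for real keys
	for i := uint32(0); i < 3; i++ {
		key, _ := derive(seed, 0, i) // m/0'/i': one fresh signing key per transaction
		fmt.Printf("m/0'/%d' -> %s\n", i, key)
	}
}
```

The same seed always regenerates the same keys, so only the seed needs backing up, while an observer who sees two sibling keys' addresses cannot link them without the parent key and chain code.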

Ether Pool

At the heart of the Ethereum blockchain is an intrinsic token, specifically an ERC20 token, referred to as ether. Ether is used to pay for transactions on the public network and serves as an incentive mechanism for nodes that successfully “mine” blocks. In private permissioned Ethereum implementations, ether is not required to process transactions. However, the presence of a token could add extra versatility and flexibility for certain use cases. As an example, ether could be mapped to fiat and fungible assets, or it could be used to impose costs on certain smart contract functions. Every environment in Kaleido comes provisioned with a pool of one billion Ether for the fellow members of the consortia to disseminate as they see fit.

Eth-Connect Bridge

There are many nuances and complexities involved with the submission of Ethereum transactions. Typically, a heavy client library is leveraged, and applications are coded against Ethereum-compatible APIs. This approach requires deep blockchain expertise and is prone to a wide variety of unforeseen errors. The Eth-Connect bridge is a messaging layer that takes the headache out of transaction submissions. Transactions can be submitted as basic JSON payloads and existing legacy applications can be easily integrated with Kaleido without needing to inject these heavy libraries into already hardened processes. The bridge also handles periodic surges and bursts of transactions by injecting them to the network at an optimal rate.

Integration of Client Services

Blockchain networks require services that provide smart contracts, oracle networks, and applications that make blockchains fast, easy, and secure. OpenLaw is one such application for the creation and execution of legal agreements. It enables parties to automate the creation and management of legal agreements, manage signatures, and transfer blockchain-based assets in a legally enforceable way. Kaleido hosts this service and automatically configures it when deploying a blockchain network. Another client service, Chainlink, is an open-source, decentralized oracle which can be used to provide external data to Ethereum smart contracts. Connecting external data allows a contract to have knowledge of real-world external events, APIs, and other blockchains.

Siloed Information

Companies bring their existing relationships to create blockchain networks and with that bring their personal cloud vendor preferences. AWS provides excellent services, such as cloud management and analytics, but it all exists in a silo. Many companies may be unwilling to rely solely on Amazon for cloud management, instead desiring a more practical multi-cloud strategy. Most legacy firms, such as SAP and Oracle, also have siloed services, which create a level of centralization undesired by many enterprises. Shared services will be necessary for consortia in which some firms want to use AWS, for example, while others want to use Microsoft Azure.

Rapidly Evolving Ecosystem

Another notable challenge with BaaS is that the ecosystem and business needs are rapidly evolving for blockchain customers, which makes it difficult for large technology providers to innovate at the rate of the entire enterprise blockchain ecosystem. Customers may rely on close collaboration to adopt this emerging technology, along with a vendor’s ability to iterate quickly and adapt to changing needs. Blockchain requires new skills in distributed peer-to-peer networks, deep cryptography, and new containerization technologies, along with new programming languages and frameworks, all of which are difficult for customers to develop on their own teams.

Governance

“What really makes blockchain so much harder for companies is the reality that the management of the network is shared by the participants. We call that ‘Shared IT’ and many organizations don’t see it coming until they are way down the path with their project. The challenges can be getting everyone, including competitors to agree on important details such as who will be in charge, how the system will be built, how data formats will work and what happens if someone wants to leave.” –Steve Cerveny, Kaleido Founder and CEO

Arguably the most challenging aspect of constructing blockchain networks is developing governance models and consensus strategies. Obviously, governance is more challenging in public, permissionless blockchains; however, determining governance can still be difficult in permissioned blockchains. Various consortia and companies have widely differing opinions on who validates transactions on a permissioned blockchain network and how. Adding or removing members from a consortium or network has the potential to create a list of issues unless completed according to defined governance rules. Kaleido: Blockchain Business Cloud has built-in governance tools and workflows to tackle the new ‘Shared IT’ paradigm and help consortia members agree on what they want to do and how. This also helps regulators assure that the systems can operate as planned, and helps to minimize systemic risks.

Amazon + Kaleido = Enterprise Solutions

Kaleido’s Blockchain Business Cloud is a full-stack SaaS for creating, operating and scaling enterprise blockchain solutions. Kaleido offers a click-button deployment process that enables an entity to set up a consortium, select the consensus algorithm, anchor to the Ethereum mainnet if desired, and determine the preferred level of permissioning for invited members. Kaleido eliminates up to 80% of the custom code required to set up a blockchain solution, compared to other vendor solutions that typically only focus on the chain layer.

Kaleido is available today, runs over 1500 blockchain networks spanning 4000+ nodes generating 150M+ blocks, and is already used by 30% of the world’s largest banks and leading companies across various industries. In collaboration with Amazon, Kaleido’s blockchain services are currently free to try through the AWS marketplace or the Kaleido website and provide the ability to link any AWS account for seamless use of AWS services.

“Kaleido is working with us across a number of other areas, their focus is bringing their own service to AWS customers,” said Rahul Pathak, AWS General Manager of Big Data, Data Lakes, and Blockchain. Asked if there will be competition between Amazon’s own service for building ethereum-based enterprise blockchains and Kaleido’s, Pathak said he “didn’t believe that was the case. It’s still very early, and there will be plenty of opportunities for customers to work with any of us or both of us,” stated Pathak.

Build with Seamless Integration to AWS Services

The Kaleido platform is available across AWS regions in North America, Europe, and the Asia Pacific. Besides managing your blockchain environment, it leverages Private Networking via PrivateLink, Federated Login via Cognito, Data Backup with S3, Log Streaming with CloudWatch and Key Protection with KMS.

Private Networking to Your Node with AWS PrivateLink

Kaleido node API endpoints can be reached from within your own AWS account via PrivateLink. This allows you to connect your infrastructure by running all traffic on the AWS backbone with TLS 1.2 encryption, without ever sending transactions over the public Internet. AWS PrivateLink is also compatible with AWS Direct Connect if you have it configured on your account, allowing you to create a private connection all the way into Kaleido from applications and infrastructure running in your own private / on-premise datacenter network.

Additional Key Protection with AWS KMS (Key Management Service)

Key material is generated inside the container, stored on the dedicated file store allocated to your node, and encrypted at rest. You can now configure an extra layer of security on top of your keys, using a master key locked inside your own AWS Key Management Service (KMS). This allows you to never persist plain-text key materials such as node signing keys, account keys, and private transaction store communication keys.

Backup Node Data to a Secure AWS S3 (Simple Storage Service) Bucket

Kaleido drastically simplifies running a blockchain network by offering a fully managed service for running and administering your nodes in private blockchains. Backing up the node data gives you a complete copy of all the node’s transactions and other data in an S3 bucket of your choosing. Backups can be initiated on demand or scheduled via the Kaleido REST API. A backup includes:

• The ledger data maintained by that node

• The key materials (encrypted of course if you use a KMS)

• The secure data enclave for private transactions

• The genesis and other configuration needed to run the node

Stream Your Logs to AWS CloudWatch

Diagnosing problems in decentralized applications can be tricky. The new integration with AWS CloudWatch allows you to diagnose problems quickly, through your application stack, right down onto the chain. Kaleido seamlessly integrates with AWS CloudWatch to securely stream logs to a Log Group that you specify in your AWS account. By leveraging AWS CloudWatch, you have the ability to forward logs on to an Amazon Elasticsearch Service (Amazon ES) cluster so that you can build powerful Kibana dashboards correlating events in your blockchain logs with your application logs.

Enterprise Login and Identity Federation via AWS Cognito

Kaleido is built for enterprises, so it provides the ability to delegate Kaleido login to your own AWS Cognito user pool. This puts access management, onboarding, and off-boarding of users for your Kaleido organization fully in your own control. Within AWS Cognito you can then configure Identity Federation to your own identity provider via SAML or OpenID Connect, as well as a rich set of built-in integrations such as Google Sign-in. So if you have an enterprise login infrastructure for SaaS solutions, you can plug this into Kaleido and exploit your own enterprise controls such as:

• Multi-factor authentication (2FA / MFA)

• Integration into your own LDAP user registry

• Custom password management controls

The Future of Blockchain as a Service

“The development of Kaleido could well become one of the more important blockchain stories of 2018 and beyond. It is quite possible that the enterprise use of Kaleido will one day be considered the equivalent of a seal of approval for a network’s blockchain technology.” - J. Frank Sigerson, Born2Invest

Amazon’s new service provides more ways for existing AWS clients to experiment with blockchain technology. It’s a step in the right direction and a large signal to the market that blockchain technology is more than just noise.

However, it’s important to remember that enterprise-grade solutions will require more than templates and node management services — enterprises will need to utilize full-stack enterprise services if they want to adopt blockchain technology faster than their competitors.

If you or your company are looking for an easy, fast and frictionless path to take your blockchain projects from PoC to production, Kaleido’s full-stack blockchain SaaS platform is a turnkey solution that goes well beyond just the chain itself with an array of tools and capabilities including decentralized services, cloud-native integrations, and partner provided blockchain software all offered plug and play.