Blockchain ERP Integration and ISO Standard
- ERP integration
- Control frameworks
- Use cases
7 April 2021
© 2021 KPMG Advisory N.V., a Dutch member firm of the KPMG network of independent member firms affiliated with KPMG International Limited (“KPMG International”), an English entity. All rights reserved. 2
Agenda
Introduction
ISO standard
Case studies
Q&A
How it all started back in 2008
Building blocks of a blockchain: a peer-to-peer network, cryptography, a consensus mechanism and a decentralized ledger.
• Distributed: All network participants have a full copy of the ledger for full transparency
• Programmable: A blockchain is programmable (“Smart Contracts”)
• Anonymous: The identity of participants is either pseudonymous or anonymous
• Secure: All records are individually encrypted
• Time-stamped: Transaction timestamp is recorded in a block
• Immutable: Any validated records are irreversible and cannot be changed
• Unanimous: All network participants agree to the validity of each of the records
Is it (solely) an architecture?
The concept of a Distributed Ledger (DLT) was synthesized in 1990. Blockchain was introduced as a distributed ledger platform for the Bitcoin application as the ultimate incarnation of a decentralized ledger by anonymous consensus.
The spectrum of available distributed ledger technology aims to solve the problems of data redundancy and costly reconciliation processes with unique organizational models and consensus procedures.
Evolution of integration technologies: Application Integration (TCP/IP, RMI) → Web (http & https) → Web Services (XML & SOA) → Digital Network (RESTful APIs) → Industry Protocol → Blockchain
Digital Ledger Technologies (DLTs)
DLTS ARE A WAY OF ORDERING AND VERIFYING TRANSACTIONS IN A DISTRIBUTED LEDGER
1. Initiate transaction
— Multiple parties transact; a party wants to do a transaction
— All transactions are recorded, including the transaction’s date, time, parties and amount
2. Post & record transaction
— The transaction is added in order into a network’s ‘block’ and presented in the network
— Entries can be added but not deleted
— Each node in the network owns a full copy of the ledger
3. Broadcast to the network
— The ‘block’ is broadcasted to every party and their nodes
— A network of computer nodes verifies and validates by running software which continuously replicates the ledger
— Data is pervasive and persistent and creates a reliable transaction record
4. Validate via consensus and confirm
— The network verifies, validates and approves; the confirmation is broadcasted to the other nodes
— Consensus (an agreed mathematical mechanism) is recorded and provides the basis for the trust mechanism
— Consensus mechanism applied
5. Immutable, encrypted block
— The confirmed block is added in a linear and chronological order to the chain
— That provides a transparent record of transactions: an audit trail and a traceable digital fingerprint
6. Transaction completed
— Nodes have access to a shared single source of truth
— A completed block gives way to the next block in the blockchain
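The six steps above can be followed in code. The block below is an added example and not code from the KPMG deck: a minimal hash-chained ledger replicated across a few nodes, where a proposed block is broadcast, validated by every node, accepted only by unanimous vote, and afterwards checked for tampering via its stored fingerprint. The Block and Node classes, the "amount must be positive" validation rule and the unanimous-vote consensus are assumptions chosen for illustration.

```python
# Added example, not code from the KPMG deck: a minimal hash-chained ledger that
# walks through the six steps above. The Block/Node classes, the "amount > 0"
# validation rule and the unanimous-vote consensus are assumptions for illustration.
import copy
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import List, Optional


def fingerprint(payload: dict) -> str:
    """The block's 'digital fingerprint': SHA-256 over canonical JSON (step 5)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float        # step 1: date and time of the transactions
    transactions: list      # each entry names the parties and the amount
    prev_hash: str          # link to the predecessor: linear, chronological order
    hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("hash")    # the fingerprint covers everything except itself
        return fingerprint(body)


class Node:
    """A network participant that owns a full copy of the ledger (step 2)."""

    def __init__(self, name: str) -> None:
        self.name = name
        genesis = Block(0, 0.0, [], "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]

    def validate_block(self, block: Block) -> bool:
        """Step 4: the block must link to our tip, carry an intact fingerprint
        and contain only well-formed transactions (assumed rule: amount > 0)."""
        tip = self.chain[-1]
        return (
            block.index == tip.index + 1
            and block.prev_hash == tip.hash
            and block.hash == block.compute_hash()
            and all(t.get("amount", 0) > 0 for t in block.transactions)
        )

    def append(self, block: Block) -> None:
        # Each node stores its own copy: the ledger is replicated, not shared by reference.
        self.chain.append(copy.deepcopy(block))

    def chain_is_intact(self) -> bool:
        """Audit-trail check: every block still matches its own fingerprint and its predecessor."""
        for prev, cur in zip(self.chain, self.chain[1:]):
            if cur.prev_hash != prev.hash or cur.hash != cur.compute_hash():
                return False
        return True


def submit_transactions(nodes: List[Node], transactions: list,
                        timestamp: Optional[float] = None) -> bool:
    """Steps 1-6 end to end: build the block, broadcast it to every node, require
    unanimous approval ('all network participants agree'), then let every node append it."""
    tip = nodes[0].chain[-1]
    block = Block(tip.index + 1,
                  time.time() if timestamp is None else timestamp,
                  transactions, tip.hash)
    block.hash = block.compute_hash()                      # step 5: fingerprint sealed
    votes = [n.validate_block(block) for n in nodes]      # step 3: broadcast, step 4: validate
    if not all(votes):                                     # consensus: unanimity (assumed rule)
        return False
    for n in nodes:                                        # step 6: shared single source of truth
        n.append(block)
    return True


def tamper_and_check(node: Node, block_index: int, new_amount: float) -> bool:
    """Alter a recorded amount on one node's copy and report whether its chain still
    verifies. It does not: the stored fingerprint no longer matches the altered content."""
    node.chain[block_index].transactions[0]["amount"] = new_amount
    return node.chain_is_intact()


if __name__ == "__main__":
    network = [Node(n) for n in ("factory", "supplier", "auditor")]
    # Constructed sample transaction
    print(submit_transactions(network, [{"from": "factory", "to": "supplier", "amount": 10}]))
    print(tamper_and_check(network[0], 1, 999), network[1].chain_is_intact())
```

Two points worth noticing: a rejected block is never appended anywhere, because every node votes before any node writes; and tampering with one node's copy breaks only that copy, which is exactly what the other nodes' intact chains and matching fingerprints reveal during reconciliation.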
How does it work?
(Diagram in the original slide: blocks numbered 1 to 4 linked in a chain)
Permissioned vs. permissionless
DLT Landscape
What are the main benefits?
KPMG Blockchain survey
Sample Cloud-based Blockchain Stack (MS Azure)
Potential Blockchain risks
Risk imperatives:
• Misconfigured restrictions and insecure deserialization for authorized user permissions
• Security vulnerabilities in DLT infrastructure and smart contracts
• Unauthorized control to network operations to restrict transactions
• Accidental loss or theft of private keys
Illustrative control areas for protecting from cyber attacks
• Threat modeling to analyze threats and mitigation in a detailed, granular fashion
• Secure coding and design principles for writing business logic and smart contracts on top of any private blockchain
Why need a Blockchain Control Framework?
• Complete coverage of all key risks / areas
• Structured set of ‘good practices’
• Embedding in PDCA cycle
• Standardized trust levels & achieving Interoperability
• Providing auditing & certification criteria
Comparison of DLT platforms (the platform names were lost in extraction; columns are identified by their governance body):
The Bitfury Group
• Community: Regular updates
• Industry focus: FinTech, GovTech, LegalTech
• Ledger type: Private and permissioned
• Smart contract functionality: Yes
• Best projects: Land registry and land cadastre systems for Georgia and Ukraine
The Linux Foundation
• Community: Regular updates
• Industry focus: Cross-industry
• Ledger type: Private and public
• Smart contract functionality: Yes
• Best projects: Banking app for Postal Savings Bank of China, DLT.sg Singapore blockchain apps; used in projects for Adobe, Arm, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River
Coinprism
• Community: Not very active
• Industry focus: Cross-industry
• Ledger type: Private
• Smart contract functionality: Yes
Cryptonomex
• Community: Not very active
• Industry focus: Cross-industry
• Ledger type: Private and public
• Smart contract functionality: Yes
• Best projects: Steemit, BitShares, Peerplay
R3 consortium
• Community: Regular updates
• Industry focus: Financial services
• Ledger type: Permissioned
• Smart contract functionality: Yes
• Best projects: Banking systems for Bangkok Bank, BBVA, BNP Paribas, HSBC, ING
Coin Science
• Community: Regular updates
• Industry focus: Financial services
• Ledger type: Private
• Smart contract functionality: Yes
• Best projects: Wolfram Research
Framework bodies covered next: ISACA, NOREA, ISO
Blockchain Control Frameworks
ISACA
• Version/date(s): 2021 (Q3/4)
• DLT components addressed: See next page
• Focus areas (with criteria/requirements): See next page
NOREA
• Version/date(s): 1. 2020; 2. 2019
• DLT components addressed: See next section
• Focus areas (with criteria/requirements): See next section
COSO
• Version/date(s): 2019
• DLT components addressed: Governance; Nodes; Infrastructure; Protocols; Data; Private keys; Key management; Smart contracts
• Focus areas (with criteria/requirements): Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring Activities
ISO
• Version/date(s): 2022 – 2023
• DLT components addressed: Smart contracts
• Focus areas (with criteria/requirements): Governance & Compliance; IAM & key management; Secure coding; Network/Consensus; Metrics; Data integrity; Vendor management; Transactions; Ops & systems
Maltese government
• Version/date(s): 2018
• DLT components addressed: Virtual Financial Assets; DLT Platforms; Smart contracts
• Focus areas (with criteria/requirements): Functionality & Compliance with Regulatory Requirements; Pre-implementation; Governance; System Ops; Development; Organization & Management; Security; Communication; Transactions; Risk Management & ToD; Consensus; ITGC / SOC areas; Privacy; Maintenance
Cloud Security Alliance
• Version/date(s): 2021 – 2022 (i.o.)
• DLT components addressed and focus areas: More security-oriented domains than DLT domains
Other frameworks
• Version/date(s): Various
• DLT components addressed: Various, incl. cryptocurrencies
• Focus areas (with criteria/requirements): Various
KPMG Blockchain/DLT Maturity Model
Domains assessed (radar chart in the original slide):
• Consensus & Network
• Compliance
• Smart contracts
• Data management & privacy
• Centralization & Collusion
• Interoperability & integration
KPMG Blockchain/DLT building blocks & focus areas
1. Consensus mechanism & network management
2. Cryptography & tokenization
3. Chain permissions management
4. Use case relevance & applicability
5. Data management, privacy & segregation
6. Chain defense
— Network fragmentation (node centralization)
— Network threat monitoring
— Source code analysis
— Network vulnerabilities as defined in Technical Paper
7. Input & integration
— Integration / interface with end user systems (API configuration)
— Data input
— Predefined transaction types on public blockchain
8. Scalability & performance
— Scalability
— System failure or downtime
— Adding extra nodes
9. Business continuity & disaster recovery
— Business continuity plans
— Key recovery implementations
— Scenarios
10. Governance, risk & compliance
— Definition of roles and responsibilities
— Hard fork governance
— Network governance
— Identification of concentration risk
The world of standardization
• CEN-CLC/JTC 19: Blockchain and Distributed Ledger Technologies
• ISO/TC 307: Blockchain and distributed ledger technologies
Published Standards
Influencing the contents of standards
Influencing the contents of standards
• Participate in ISO working groups through a local standardization committee via
your national standardization body
• Dutch organizations can participate via NEN.
• Influence standards under development.
• Write parts of new standards
• Comment
• Vote
Focus Areas in DLT Systems Audit in other Global Forums
At a high level, the following areas remain the focal points for DLT Audit in global forums other than ISO.
ITU-T DLT Audit Focus Areas
• Providing assurance on the DLT technologies
• Audit of related off chain components
• Auditing transactions on DLT
Control expectations:
• Roles are designed and enforced as required by regulation;
• An appropriate governance has been put in place, which defines how the DLT solution must operate, how to identify, monitor and react to risks and how to manage changes and corrections in a decentralized environment;
• Development, tests and deployments take into consideration the specific risk of the DLT technologies, in particular: iii) Design, approval, testing, and management of smart contracts; iv) Security of the network.
Introduction to AHG02 – Guidelines for auditing DLT-based platforms (1/2)
This document provides frameworks and guidance on domains and areas which should be considered while performing audit procedures for DLT systems.
These guidelines are developed with the objective of aiding auditors involved in the audit of DLT systems (both public and private) as described in the series of ISO/TC 307 standards.
This guidance is applicable to an array of organizations and is not bound by type or size.
This document will cover the following types of audits (based on ISO 19011:2018):
• Internal Audit
• External Audit
• Third party Audits (Audit of vendors, third and fourth parties)
Establishing focus areas for securing DLT platforms
Keeping in mind the risks associated with blockchain platforms and the evolving attack vectors of this emerging technology, we’ll be reviewing in-place controls and DLTs across the following domains:
• Pre-implementation – Suitability of DLT platform for the selected use case, architecture review
• Implementation & Development – Security by design, vulnerable source code, weak endpoints
• Key ownership and management – Secure storage, maintenance, review and governance of cryptographic private keys used for authentication and validation by nodes.
• Interoperability & Integration – Consistent communication between multiple blockchain platforms and integration with organizations’ enterprise and legacy systems.
• Consensus Mechanism – Blocks in the chain are validated by nodes to maintain a single version of the truth, to keep adversaries from derailing the system and forking the chain.
• Heterogeneous regulatory compliance – Compliance with laws and regulations across various country and state legislations that will govern information and transactions processed.
• Access & permissions management – Permissions configured for defined roles for access, validation and authorization of blockchain transactions by internal and external participants.
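The "access & permissions management" domain, and the risk of misconfigured restrictions for authorized user permissions mentioned earlier, lend themselves to a concrete review. The block below is an added example, not code from the KPMG deck or from any of the frameworks it lists: a small role/permission matrix with a runtime check and an audit routine that reports findings against a weak configuration and confirms a hardened one is clean. The role names, the action vocabulary, the participant records and the two audit rules (validation and network operation stay internal; no single role both submits and validates) are assumptions chosen for illustration.

```python
# Added example, not code from the deck or from any named framework: a small
# permission-matrix checker for the "access & permissions management" domain.
# The role names, the action vocabulary, the participant records and the two
# audit rules (no external validators/operators, no submit+validate in one role)
# are assumptions chosen for illustration.
from typing import Dict, List, Set

ACTIONS = {"read", "submit", "validate", "authorize", "configure_network"}

# Weak configuration (constructed): an external partner's node can validate, an
# admin role can both submit and validate, and one participant has a role that
# is no longer defined.
WEAK_CONFIG = {
    "roles": {
        "auditor": {"read"},
        "submitter": {"read", "submit"},
        "validator": {"read", "validate", "authorize"},
        "admin": {"read", "submit", "validate", "configure_network"},
    },
    "participants": {
        "factory-erp": {"role": "submitter", "external": False},
        "supplier-node": {"role": "validator", "external": True},
        "ops-team": {"role": "admin", "external": False},
        "auditor-1": {"role": "auditor", "external": False},
        "legacy-bot": {"role": "operator", "external": False},   # undefined role
    },
}

# Hardened configuration (constructed): validation and network operation stay
# internal, and no single role can both submit a transaction and validate it.
HARDENED_CONFIG = {
    "roles": {
        "auditor": {"read"},
        "submitter": {"read", "submit"},
        "validator": {"read", "validate", "authorize"},
        "network_admin": {"read", "configure_network"},
    },
    "participants": {
        "factory-erp": {"role": "submitter", "external": False},
        "supplier-erp": {"role": "submitter", "external": True},
        "validator-a": {"role": "validator", "external": False},
        "ops-team": {"role": "network_admin", "external": False},
        "auditor-1": {"role": "auditor", "external": False},
    },
}

INTERNAL_ONLY = {"validate", "authorize", "configure_network"}
CONFLICTING = {"submit", "validate"}


def is_permitted(config: dict, participant: str, action: str) -> bool:
    """Runtime check: deny unknown actions, unknown participants and undefined roles."""
    if action not in ACTIONS:
        return False
    entry = config["participants"].get(participant)
    if entry is None:
        return False
    return action in config["roles"].get(entry["role"], set())


def audit_permissions(config: dict) -> List[str]:
    """Configuration review: one finding per misconfiguration found."""
    findings: List[str] = []
    roles: Dict[str, Set[str]] = config["roles"]
    for name, perms in roles.items():
        unknown = perms - ACTIONS
        if unknown:
            findings.append(f"role {name}: unknown actions {sorted(unknown)}")
        if CONFLICTING <= perms:
            findings.append(f"role {name}: grants both submit and validate (no segregation of duties)")
    for pid, entry in config["participants"].items():
        perms = roles.get(entry["role"])
        if perms is None:
            findings.append(f"participant {pid}: undefined role {entry['role']}")
            continue
        if entry["external"] and perms & INTERNAL_ONLY:
            findings.append(f"participant {pid}: external party holds {sorted(perms & INTERNAL_ONLY)}")
    return findings


if __name__ == "__main__":
    for finding in audit_permissions(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_permissions(HARDENED_CONFIG))
```

The runtime check fails closed on anything it does not recognise, so a participant whose role was removed loses access rather than keeping stale rights; the audit routine is the control an auditor would run over the exported permission configuration before relying on it.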
Introduction to AHG02 – Guidelines for auditing DLT-based
platforms (2/2)
• Infrastructure & application management – Secure software development practices and testing of blockchain applications, platform,
infrastructure and communication interfaces.
• Network & node governance – Monitoring of network for information compliance and node reputation checks to handle and resolve
disputes.
• Smart contracts – The enterprise supports secure coding practices for blockchain source code (e.g., smart contracts or chaincode) to
mitigate information security risk proactively. Smart contracts automate the business logic execution over the DLT.
• Network-Vulnerability Management – The enterprise effectively manages blockchain network vulnerabilities through monitoring,
remediation actions and communication to relevant stakeholders.
• Endpoint Security – End user devices using the blockchain solution are properly managed by the enterprise (i.e., the end users’ devices
are tracked, hardened and addressed if compromised).
• Vendor Due Diligence – Due diligence for vendors/suppliers/contractors administrative and operational processes to ensure ongoing
alignment between the enterprise’s strategic objectives and DLT solutions.
• Business Continuity and Disaster Recovery – A private or permissioned DLT has both centralized and decentralized components, so there
needs to be a concrete understanding of what will happen should these components be affected by any potential factors.
Companies need to integrate with ERP systems
The Factory (SAP S/4HANA) and the Supplier (SAP S/4HANA) exchange a transaction over the blockchain in the following steps:
1. Initiate transaction (create
2. Post & record transaction
3. Broadcast to relevant participants
4. Validate via consensus and confirm
5. Consensus mechanism applied
6. Transaction is recorded as a new, unalterable block
7. Transaction “inherits” part of the key from the
8. Supplier S/4HANA Sales Order API Service is triggered to create a sales order in the Supplier’s ERP system.
An event is created for each new purchase order which is recorded in a block.
ERP Blockchain Process Integration (1/2)
An ERP Blockchain Process Integrator sits between the ERP side (the ERP and other ERP solutions) and the blockchain side (Hyperledger Fabric, Ethereum, Multichain, Corda).
About the project
• This demo shows how SAP S/4HANA can be integrated with blockchain technology. The aim is to investigate the technical setup of a blockchain in an ERP
scenario.
• Blockchain is used as a data interface layer between ERP systems. The program on the blockchain manages sales orders in the Supplier’s system triggered by
the creation of purchase orders in the Factory’s system.
• This demo does not focus on creating a business case for applying blockchain to integrate P2P and O2C processes, but it shows how to integrate a blockchain
platform with transactional data in SAP.
Purchasing company (Factory), on premise, P2P process: Purchase Order → Goods received → Match Invoice → Payment approved
Selling company (Supplier), on premise, O2C process: Sales Order → Shipment → Sales Invoice → Payment made
Both systems connect to the shared blockchain database through the PO API and the SI API.
ERP Blockchain Integration Demo
• The end user experience is a real-time connection with an external partner’s system. The blockchain runs on the background and does not change the user
experience compared to other real-time integration types.
• Before a sales order is created in the Supplier’s system, both entities run the same business logic to update the blockchain with new purchase order data.
• More complex business logic can be programmed in the chaincode program to apply relevant validations for shared transactional data, e.g. contractual
agreements, rebate calculations, compliance checks.
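What "both entities run the same business logic" means in practice is easiest to see in code. The block below is an added example, not the code of the KPMG demo: a simulated Factory-to-Supplier integration in which every purchase-order event is validated by the same deterministic chaincode on both sides, recorded only when both parties arrive at the same result, and only then turned into a sales order in the Supplier's system. The event schema, the contract terms (price, quantity limit, rebate), the Ledger and SupplierERP stubs and the "all endorsements must match" rule are assumptions chosen for illustration.

```python
# Added example, not the code of the KPMG demo: a simulated Factory-to-Supplier
# integration in which every purchase-order event is validated by the same
# deterministic chaincode on both sides before it is recorded and a sales order
# is created. The event schema, the contract terms, the Ledger and SupplierERP
# stubs and the "all endorsements must match" rule are assumptions.
import hashlib
import json
from typing import Dict

# Constructed contractual agreement held by both parties (the deck names
# contractual agreements, rebate calculations and compliance checks as
# candidate validations).
CONTRACT = {"material": "M-100", "unit_price": 12.50, "max_qty": 1000, "rebate_pct_over_500": 2.0}


def chaincode_validate(po_event: dict, contract: dict) -> dict:
    """Business logic every endorsing party runs against its own copy of the contract.
    It is deterministic on purpose: the same input must give every party the same
    record, otherwise the parties cannot agree on what to write to the ledger."""
    if po_event["material"] != contract["material"]:
        raise ValueError("material not covered by contract")
    if not 0 < po_event["qty"] <= contract["max_qty"]:
        raise ValueError("quantity outside contract limits")
    if abs(po_event["unit_price"] - contract["unit_price"]) > 1e-9:
        raise ValueError("unit price deviates from contract")
    gross = round(po_event["qty"] * po_event["unit_price"], 2)
    rebate = round(gross * contract["rebate_pct_over_500"] / 100, 2) if po_event["qty"] > 500 else 0.0
    return {"po_number": po_event["po_number"], "material": po_event["material"],
            "qty": po_event["qty"], "net_value": round(gross - rebate, 2)}


def digest(record: dict) -> str:
    """Canonical SHA-256 of a record, used to compare the parties' endorsement results."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Append-only store standing in for the shared blockchain database."""

    def __init__(self) -> None:
        self.blocks = []

    def record(self, rec: dict) -> None:
        self.blocks.append({"seq": len(self.blocks), "digest": digest(rec), "record": rec})


class SupplierERP:
    """Stub for the Supplier's Sales Order API service."""

    def __init__(self) -> None:
        self.sales_orders = []

    def create_sales_order(self, rec: dict) -> dict:
        so = {"so_number": f"SO-{len(self.sales_orders) + 1:04d}", **rec}
        self.sales_orders.append(so)
        return so


def process_purchase_order(po_event: dict, endorsers: Dict[str, dict],
                           ledger: Ledger, supplier: SupplierERP) -> dict:
    """Endorsement flow: each party validates with its own contract copy; the record is
    written and the sales order created only when every party produced the same digest."""
    digests: Dict[str, str] = {}
    for party, contract in endorsers.items():
        try:
            digests[party] = digest(chaincode_validate(po_event, contract))
        except ValueError as err:
            return {"status": "rejected", "by": party, "reason": str(err)}
    if len(set(digests.values())) != 1:
        return {"status": "rejected", "reason": "endorsement mismatch: parties hold different contract terms"}
    record = chaincode_validate(po_event, next(iter(endorsers.values())))
    ledger.record(record)
    so = supplier.create_sales_order(record)
    return {"status": "committed", "digest": next(iter(digests.values())), "sales_order": so["so_number"]}


if __name__ == "__main__":
    ledger, supplier = Ledger(), SupplierERP()
    # Constructed purchase-order event from the Factory's system
    po = {"po_number": "PO-4711", "material": "M-100", "qty": 600, "unit_price": 12.50}
    print(process_purchase_order(po, {"Factory": CONTRACT, "Supplier": CONTRACT}, ledger, supplier))
```

The mismatch branch is the point of running the logic on both sides: if the Supplier's copy of the contract carries a different rebate percentage, both parties validate successfully but produce different records, and nothing is written until the terms are reconciled. A bare real-time API call would have created the sales order with whichever side's numbers arrived first.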
“Just real-time integration?” “What’s new?”
Case Study #1: Projects beyond experimentation
• 2017 – Proof of Concept
• 2020 – A company of Deutsche Post DHL Group – Link
Case Study #2: Decentralized Digital Passport platform covering Industrial Equipment
Objectives:
1. Examining the risks and threats that are unique to blockchain implementation, and then design and implement key blockchain security controls, alongside business controls and conventional controls
2. Build a blockchain security reference framework that can be applied across blockchain projects and solutions for various industry use cases and deployments that span on-prem and Software as a Service (SaaS) environments.
Risks and requirements:
1. Unique security risks introduced by blockchain technology
2. Regulatory and compliance requirements impacting blockchain activities
3. Minimize the risk exposure due to the services used by third parties
4. Client needed to ensure that the information security controls are designed adequately and implemented effectively for this solution.
Activities performed:
1. Performed information risk assessment for this private permissioned blockchain solution, in an agile method, including detailed technology risk assessment, interface assessment, cloud assessment, code scanning, VAPT, etc.
2. Supported the team in designing the key blockchain controls and provided assurance on control implementation
3. Re-aligned the existing process and guidelines to include blockchain security aspects and build a reference architecture and security handrails for business use.
Case Study #3: e-Voting/Virtual AGM solution
Distributed Ledger Technology based e-voting solution Implementation Strategy
Highlights of e-Voting solution
Applicability to Organisations
• Track Internal Corporate Governance in organizations during
Annual General Meetings (AGM) or any important board
meetings
Features of Solution
• Solution is built on Hyperledger Fabric
• Nodes for issuers, intermediaries, shareholders, regulators
and asset managers
• It provides interoperability with existing blockchain platforms
• Dynamic onboarding of nodes with built in Identity and
Access Management
• Secure authentication and voting mechanism to track votes
cast by shareholders
• Reporting and reconciliation of votes submitted by
shareholders
Functionalities
Benefits to Stakeholders
Any questions?
Contact us for a demo or questions
Koen Revet
T: +316 2292 8127
E: revet.koen@kpmg.nl
Useful links: ERP & Blockchain article: https://www.compact.nl/articles/start-small-think-big