Setting the standard in digital asset security
Digital assets are in a new phase of engagement. President Biden’s executive order on cryptocurrency ushered in a new era for the technology, with a clear signal that digital assets are here to stay and will play a key role in the development of a new financial infrastructure.
The United States is not alone in this approach either. Other leading financial and economic centers are accelerating their own regulatory frameworks on this issue. In Europe, EU lawmakers dropped a heavy-handed proof-of-work asset amendment from the Markets in Crypto Assets (MiCA) bill, indicating a desire to create a fair system that balances authentic financial innovation and risk management.
The importance of such forward-looking regulation cannot be underestimated. Many of the world’s largest financial institutions are in advanced stages of developing their digital asset use cases. This regulation provides them with a clear path to launch regulated products and services in major global markets.
Much of the discussion to date about engagement with digital assets has revolved around a fundamental dichotomy: Should enterprises adopt digital asset infrastructure? Is there a business case for us in digital assets? As we enter this new phase, these questions have been answered emphatically in the affirmative. Businesses are now asking: How should we build our digital asset use case? What are the main considerations we need to address?
The case for digital asset security
Security should be at the top of the list for every business, regardless of its use case. Crypto theft hit an all-time high in 2021, with $14 billion worth of cryptocurrency stolen, a 79% increase from the previous year. This figure is expected to increase significantly as adoption accelerates. Despite these risks, many companies have not implemented clear security standards for use cases, with a proliferation of products and services across the industry claiming to offer the “gold standard”.
While the rapid nature of innovation in the digital asset industry can make it difficult to keep up with the latest developments in digital asset security, now is the time for the industry to come together and define the taxonomy of common security standards.
Setting the standards
Security is fundamental to every digital asset use case. At its core, it revolves around securing the private keys needed to access and manage assets in digital wallets. For institutions, wallet security comprises two main solutions: hardware security modules (HSM) and multi-party computation (MPC).
An HSM is a purpose-built, tamper-proof physical computing device to secure keys and process cryptographic transactions. HSMs are certified to international standards, with Federal Information Processing Standards (FIPS) 140 being the most commonly recognized certification. The highest level of FIPS 140 security certification attainable is Security Level 4, providing the most stringent physical security and robustness against environmental attacks.
In contrast, MPC operates on a distributed trust model, dividing keys between multiple entities and using zero-knowledge computing to allow entities to share their data without having to reveal it. MPC and HSM can be connected to a network (hot storage) or used in an offline configuration (cold storage), which is more secure but less flexible.
Although there has been considerable debate over the best security solution for institutions, the reality is that the best choice often depends on specific institutional needs. The answer is that there is no “one size fits all” solution – as traction increases and use cases expand, there are clear arguments for using both MPC and HSM. Indeed, the goal of a custodian is to combine the HSM and MPC aspects to effectively strike a balance between agility and security. Additionally, combining elements of both solutions (hot MPC, cold HSM, etc.) can enable signing mechanisms to be switched based on requirements and necessary use cases, so enterprises can ensure that they maximize both security and agility.
Elimination of single points of compromise
Despite the well-understood criticality of private key management, too often we see single points of compromise in so-called “secure solutions”. Although each solution has a policy engine that enforces distributed trust for transactions, this ability to distribute trust stops at the transaction level. There is usually a role with admin rights that offers “god powers” over all aspects of the solution, allowing an admin to override all platform policies. Evaluating a solution by asking “does it have a policy engine?” is not a checkbox exercise. It’s critical that all processes – from transaction approvals to setting up users, permissions and whitelisting, and even changing the policies themselves – go through an enforced distributed approval process to ensure there is no single point of compromise.
In order to secure highly confidential keys, appropriate security controls must be in place to protect against internal and external threats. Keep your own key (KYOK) technology should be adopted as an industry standard that allows enterprise customers to ensure that they retain exclusive access to their encryption keys. The use of trustless computing technology means that only authorized users at client companies have access to encryption keys, ensuring that no special access privileges are granted to third-party technology vendors.
This technology ensures that only customers have access to the keys. Combined with a strong end-to-end authorization policy framework that requires signature approval from multiple internal users for any use case, it ensures that no data is ever revealed to any computer or individual in the network and that there are no points of compromise.
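The distributed approval requirement described in this section can be made concrete with a small model. This is an added example, not METACO's code or any vendor's API: the class, the request kinds and the user names are constructed for illustration, and each signer name stands in for an already verified signature.

```python
class PolicyEngine:
    """Constructed model: every change, including to the policy itself, needs a quorum."""

    def __init__(self, approvers, quorum):
        self.approvers = set(approvers)
        self.whitelist = set()
        self.quorum = self._check_quorum(quorum)

    def _check_quorum(self, q):
        # A quorum of 1 would recreate the single point of compromise.
        if not 2 <= q <= len(self.approvers):
            raise ValueError("quorum must be between 2 and the number of approvers")
        return q

    def execute(self, kind, payload, signers):
        # Assumption: each name in `signers` stands for an already verified signature.
        # Set intersection drops unknown users and counts repeat approvals once.
        valid = set(signers) & self.approvers
        if len(valid) < self.quorum:
            raise PermissionError(f"{kind}: {len(valid)} of {self.quorum} approvals")
        if kind == "transfer":
            if payload["to"] not in self.whitelist:
                raise PermissionError("destination is not whitelisted")
        elif kind == "whitelist_add":
            self.whitelist.add(payload["address"])
        elif kind == "add_approver":
            self.approvers.add(payload["user"])
        elif kind == "set_quorum":
            self.quorum = self._check_quorum(payload["quorum"])
        else:
            raise ValueError(f"unknown request kind {kind!r}")
        return sorted(valid)

def attempt(engine, kind, payload, signers):
    try:
        return engine.execute(kind, payload, signers)
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"

if __name__ == "__main__":
    engine = PolicyEngine({"alice", "bob", "carol"}, quorum=2)  # constructed users
    print(attempt(engine, "set_quorum", {"quorum": 1}, ["alice"]))
    print(attempt(engine, "add_approver", {"user": "mallory"}, ["alice", "alice"]))
    print(attempt(engine, "whitelist_add", {"address": "addr-A"}, ["alice", "bob"]))
    print(attempt(engine, "transfer", {"to": "addr-A", "amount": 5}, ["bob", "carol"]))
    print(attempt(engine, "transfer", {"to": "addr-B", "amount": 5}, ["bob", "carol"]))
```

The same quorum gate guards transfers, whitelisting, user enrollment and the quorum setting, so no code path lets a single role override the policy.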
Rigorous risk management
Nobody likes to think of the worst-case scenario, but although rare, disasters do occur and should be included in risk management procedures. It is estimated that $3.9 billion worth of Bitcoin alone has been lost by investors due to mismanaged keys. Companies must have comprehensive recovery solutions for critical private key recovery backups in the event of an accident or disaster.
Generating multiple FIPS 140-2 Level 3 smart cards containing encrypted recovery seed key fragments should be considered fundamental to this approach. Physically storing these smart cards in secure, distributed environments can ensure that there is no single point of failure in the recovery storage process.
Insurance also plays an important role. Having industry-leading security protocols in place ensures that assets are easily insurable, taking the strain off your protection.
Move forward with confidence
The digital asset industry is an industry of extremely rapid innovation and iteration. For businesses using digital assets, there have been challenges in future-proofing use cases for years to come. The available choices have been security and agility as a binary compromise due to the lack of an alternative. With the advent of mature infrastructures, there is a clear taxonomy of security infrastructures that enterprises should put in place, regardless of their use case. But more importantly, they can now rest assured that they can look beyond today’s MVP use cases and be confident that they will be able to scale and meet the needs of their business and their customers with agility and flexibility, whatever the future holds. The source of future competitive advantage, as all assets will eventually move on-chain, will be no compromises – maximum security and maximum agility.
Moving the industry towards a common, uncompromising security standard, underscored by a flexible and agile infrastructure, should be a priority for vendors. By doing so, we can ensure that as engagement with digital assets accelerates, businesses have the right infrastructure in place to operate with speed, clarity and confidence in the space.
Seamus Donoghue is Vice President of Strategic Alliances at METACO.