Set the standard for digital asset security


Digital assets are in a new phase of engagement. President Biden’s executive order on cryptocurrency ushered in a new era for technology, with a clear signal that digital assets are here to stay and will play a key role in the development of a new financial infrastructure.

Nor is the US alone in this approach. Other leading financial and economic hubs are accelerating their own regulatory frameworks on this issue. In Europe, EU lawmakers have overturned a burdensome amendment on proof-of-work-based assets from the Markets in Crypto Assets (MiCA) bill, indicating a desire to create a fair system that combines true financial innovation with balanced risk management.

The importance of such forward-looking regulations cannot be overstated. Many of the world’s largest financial institutions are in an advanced stage of developing their digital asset use cases. This regulation provides a clear path for them to introduce regulated products and services in key global markets.

Much of the discussion to date about involvement in digital assets depends on a core dichotomy: Should firms adopt digital asset infrastructure? Is there a business case for us in digital assets? As we enter this new phase, these questions have been emphatically answered in the affirmative. Firms are now asking: How should we build our digital asset use case? What are the key considerations we need to address?

The case for digital asset security

Security should be at the top of the list for every firm, regardless of its use case. Crypto theft peaked in 2021, with $14 billion worth of stolen cryptocurrency – a 79% increase over the previous year. The figure is expected to rise significantly as adoption accelerates. Despite such risks, many firms do not have clear security standards in place for their use cases, while a spread of products and services across the industry each claim to offer the “gold standard”.

While the rapid nature of innovation in the digital asset sector can make it challenging to keep up with the latest developments in digital asset security, now is the right time for the industry to come together and set the taxonomy for common security standards.

Set the standards

Security is fundamental to every use of digital assets. At its core, it revolves around securing the private keys needed to access and manage the assets in digital wallets. For institutions, wallet security consists of two main solutions: hardware security modules (HSMs) and multi-party computation (MPC).

An HSM is a purpose-built, tamper-resistant physical computing device for securing keys and processing crypto transactions. HSMs are certified according to international standards, with the Federal Information Processing Standards (FIPS) 140 being the most widely recognized certification. The highest level of FIPS 140 security certification that can be achieved is security level 4, which offers the strictest physical security and robustness against environmental attacks.

In contrast, MPC operates on the basis of a distributed model of trust, which divides keys across multiple entities and uses zero-knowledge computing to allow entities to share their data without being required to disclose it. Both MPC and HSM can be connected to a network (hot storage) or used in an offline setup (cold storage), which is safer but less flexible.

Although there has been much debate about the best security solution for institutions, the reality is that the best choice often depends on specific institutional needs. The answer is that there is no “one size fits all” solution – as traction grows and use cases expand, there are clear arguments for using both MPCs and HSMs. Indeed, the goal of a custodian involves combining aspects of HSM and MPC to effectively strike a balance between agility and security. In addition, the combination of elements of both solutions (hot MPC, cold HSM, etc.) can enable the switching of signing mechanisms according to the necessary requirements and use cases, so that firms can ensure that they maximize both security and agility.

Eliminating single points of compromise

Despite the well-understood criticality of private key management, we too often see single points of compromise in so-called “secure solutions.” Although each solution has a policy engine that enforces distributed approvals for transactions, this ability to spread trust stops at the transaction level. There is usually a role with administrative rights that provides “godlike powers” over all aspects of the solution, enabling an administrator to override all policies in the platform. Evaluating a solution by asking “does it have a policy engine?” is not a box-ticking exercise. It is critical that all processes – from transaction approvals to onboarding users, permissions and whitelists, and even changing the policies themselves – are subject to an enforced distributed approval process to ensure there is no single point of compromise.
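As an added illustration (not code from the author or from any vendor's product), the sketch below models a policy engine with no administrator role: whitelist changes and changes to the quorum itself go through the same multi-person approval path as transfers. The class, the request kinds and the quorum floor of two are assumptions made for the example.

```python
from dataclasses import dataclass, field

MIN_QUORUM = 2  # assumed floor: no single person can ever act alone
@dataclass
class Request:
    kind: str
    payload: dict
    proposer: str
    approvals: set = field(default_factory=set)

class PolicyEngine:
    """Hypothetical engine: no admin role, every change needs a quorum."""
    def __init__(self, approvers, quorum):
        self.approvers, self.quorum, self.whitelist = set(approvers), quorum, set()

    def _require_member(self, user):
        if user not in self.approvers:
            raise PermissionError(f"{user} is not an approver")

    def propose(self, user, kind, **payload):
        self._require_member(user)
        return Request(kind, payload, user)

    def approve(self, req, user):
        self._require_member(user)
        if user == req.proposer:
            raise PermissionError("proposer cannot approve their own request")
        req.approvals.add(user)

    def execute(self, req):
        # Only approvals from users who are still approvers now are counted.
        if len(req.approvals & self.approvers) < self.quorum:
            raise PermissionError(f"{req.kind}: quorum of {self.quorum} not met")
        handlers = {"whitelist_add": self._whitelist_add,
                    "set_quorum": self._set_quorum, "transfer": self._transfer}
        return handlers[req.kind](**req.payload)

    def _whitelist_add(self, address):
        self.whitelist.add(address)

    def _set_quorum(self, quorum):  # policy changes pass through execute() too
        if not MIN_QUORUM <= quorum <= len(self.approvers):
            raise ValueError("quorum out of range")
        self.quorum = quorum

    def _transfer(self, to, amount):
        if to not in self.whitelist:
            raise PermissionError("destination not whitelisted")
        return f"release {amount} to {to}"  # a real system would now request a signature
```

When evaluating a product, the equivalent question is whether any code path reaches the handlers without passing the quorum check in `execute()`.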

To secure highly confidential keys, the appropriate security controls must be in place to protect against both internal and external threats. Keep Your Own Key (KYOK) technology needs to be embraced as an industry standard that allows client firms to ensure that only they have access to their crypto keys. The use of trustless computing technology means that only authorized users of client companies have access to encryption keys, which ensures that no special access rights are provided to third-party technology providers.

This technology ensures that only customers have access to their keys. Combined with a rigorous end-to-end authorization policy framework that requires sign-offs from multiple internal users for any use case, it ensures that no data is ever disclosed to any computer or individual in the network and guarantees that there is no single point of compromise.

Strict risk management

No one likes to think of the worst-case scenario, but while rare, disasters do occur and should be included in risk management procedures. An estimated $3.9 billion of Bitcoin alone was lost by investors due to mismanaged keys. Companies need to have comprehensive recovery solutions for critical private key backups in case of accident or disaster.

The generation of multiple FIPS 140-2 Level 3 smart cards containing the encrypted key recovery seed should be considered as the basis for this approach. The physical storage of these smart cards in safe and distributed environments can ensure that there is no single point of failure in the recovery storage process.

Insurance also plays an important role. Having gold-standard security protocols in place ensures that assets are easily insurable, taking the weight off your mind when it comes to protection.

Move forward with confidence

The digital asset sector is a hugely fast-moving, innovative and iterative industry. For firms engaged in digital assets, there have been challenges in future-proofing use cases for years to come. The choices available treated security and agility as a binary consideration, due to the lack of any alternative. With the advent of mature infrastructure, there is a clear taxonomy of security infrastructure that firms need to set up regardless of their use case. But more importantly, they can now be assured that they can look past today’s MVP use cases and look forward in confidence that they will be able to scale and respond to their business and customer needs with agility and flexibility, whatever the future poses. The source of future competitive advantage, as all assets eventually move on-chain, will be no compromise – maximum security and maximum agility.

The move of the industry to a common, no-compromise security standard, underpinned by flexible and agile infrastructure, should be paramount for suppliers. By doing so, we can ensure that as engagement with digital assets accelerates, firms have the right infrastructure in place to operate in the space with speed, clarity and confidence.

Seamus Donoghue is VP of Strategic Alliances at METACO.
