IBM Is Coming To The Crypto Custody Space (#GotBitcoin)
The move suggests IBM is wading deeper into the digital asset space, after developing the Hyperledger Fabric private blockchain for enterprises and more recently getting involved with cryptocurrency through its work with the Stellar Foundation.
While crypto custody was once the preserve of wallet providers and crypto exchanges, the promise of institutional investment entering the digital assets space has prompted a race to come up with safe, industrial-grade solutions that are also familiar in terms of usage to these large players.
Not Cold Storage
The custody service that Shuttle and IBM are offering differs greatly from the cold storage solutions used by most crypto custodians, where the private keys are held in a device not connected to a network.
While these air-gapped arrangements have traditionally been thought of as the best way to reduce attack vectors, “from a technology standpoint, it sounds a little oxymoronic,” Chun said in his presentation.
Enterprises, he noted, want to be able to connect to their customers and to have data and assets held in a readily available, yet secure setting. (Getting assets out of cold storage can be something of a headache.)
Instead, Chun said IBM Cloud has created some interesting features that enabled Shuttle to build a system that is “just as secure, if not more secure” than a simplistic cold storage wallet solution.
As such, the solution is built on a hardware security module (HSM), a kind of lockbox that safeguards and manages digital keys in a tamper-proof environment.
He Later Elaborated To CoinDesk:
“There are always trade-offs between security and efficiency, but we do not utilize a traditional cold storage system. Instead, we keep keys at rest encrypted in multiple layers as data blobs so that an organization can store these backups using their pre-existing disaster recovery and backup processes and media.”
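The “keys at rest encrypted in multiple layers as data blobs” design Chun describes is a form of envelope encryption: the private key is encrypted under a random data-encryption key (DEK), and the DEK is in turn encrypted under a key-encryption key (KEK) that stays inside the HSM, so the resulting blob can sit on ordinary backup media without exposing anything. The Go program below is an added illustration of that layering, not Shuttle’s or IBM’s code; the blob format, the field names and the use of AES-256-GCM for both layers are assumptions made for the example, and the KEK is generated in software here only because there is no HSM to call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// keyBlob is the hypothetical at-rest format used by this example. Both layers
// are authenticated (AES-GCM), so a flipped byte anywhere fails to open rather
// than yielding a silently corrupted key.
type keyBlob struct {
	Version    int    `json:"version"`
	WrappedDEK []byte `json:"wrapped_dek"` // DEK encrypted under the KEK
	DEKNonce   []byte `json:"dek_nonce"`
	Ciphertext []byte `json:"ciphertext"` // private key encrypted under the DEK
	KeyNonce   []byte `json:"key_nonce"`
}

const blobVersion = 1

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. The aad binds
// the format version to each layer so a layer cannot be swapped between blobs.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// SealPrivateKey wraps priv in two layers: a random DEK encrypts the private
// key, and the KEK (assumed to live inside the HSM) encrypts the DEK. The
// result is an opaque JSON blob suitable for existing backup processes.
func SealPrivateKey(priv, kek []byte) ([]byte, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(fmt.Sprintf("keyblob-v%d", blobVersion))
	keyNonce, ct, err := seal(dek, priv, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return json.Marshal(keyBlob{Version: blobVersion, WrappedDEK: wrapped,
		DEKNonce: dekNonce, Ciphertext: ct, KeyNonce: keyNonce})
}

// OpenPrivateKey reverses SealPrivateKey. A wrong KEK or any tampering with
// the stored blob surfaces as an error, never as garbage key bytes.
func OpenPrivateKey(blob, kek []byte) ([]byte, error) {
	var b keyBlob
	if err := json.Unmarshal(blob, &b); err != nil {
		return nil, err
	}
	if b.Version != blobVersion {
		return nil, fmt.Errorf("unsupported blob version %d", b.Version)
	}
	aad := []byte(fmt.Sprintf("keyblob-v%d", b.Version))
	dek, err := open(kek, b.DEKNonce, b.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("outer layer (KEK) failed: %w", err)
	}
	return open(dek, b.KeyNonce, b.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed here; in practice it never leaves the HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	priv := []byte("constructed sample private key bytes") // constructed, not a real key
	blob, err := SealPrivateKey(priv, kek)
	if err != nil {
		panic(err)
	}
	got, err := OpenPrivateKey(blob, kek)
	fmt.Printf("roundtrip ok: %v, err: %v\n", string(got) == string(priv), err)
	blob[len(blob)-3] ^= 0x01 // simulate a corrupted byte on backup media
	_, err = OpenPrivateKey(blob, kek)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the two layers is operational: the blob can be copied onto the same tapes or object storage the organization already uses for disaster recovery, while the only secret that has to be guarded specially is the KEK inside the HSM, and rotating the KEK means re-wrapping a 32-byte DEK rather than re-encrypting every stored key.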
During his presentation, Chun said this combination of availability and security means the IBM Cloud solution is better equipped for a digital asset-laden future.
“Once we have this critical layer that’s highly available and secure, then all businesses can start custodying digital assets – not just cryptocurrencies; we mentioned real estate, we mentioned identity,” he said.
As far as what flavor of HSM Shuttle uses, Chun told CoinDesk the solution was HSM-agnostic.
“We focus on the entire solution, not just the HSM. If the HSM offering from Gemalto is better than what we are using, I would be happy to talk to them and incorporate them into our plans. IBM has an HSM we are using but we can easily switch it based on customer needs and demands,” he said.
Cold Storage vs. HSMs
Stepping back, opinions differ over HSMs versus traditional cold storage and the putative trade-offs between security and efficiency, in relation to managing crypto assets.
With cold storage solutions, a human has to be involved to access the assets, which can take anywhere from an hour or two to as long as 48 hours. HSMs, by contrast, rely on a purely electronic process and are therefore much faster.
IBM would not be alone in providing HSM solutions for digital assets. Last week, Switzerland’s Crypto Storage AG announced its customized HSM solution would be rolled out to online bank Swissquote.
Other high-profile HSM initiatives include the Komainu partnership between hardware wallet provider Ledger, Gemalto and Japanese bank Nomura, slated for launch in early Q2. Demetrios Skalkotos, global head of Ledger Vault, pointed out that Komainu uniquely has been granted access to integrate its software directly into the Gemalto HSM blueprint.
“Only banks and governments have that to my knowledge,” he said.
Trustology, backed by ethereum design studio Consensys, is also making strides with an HSM crypto custody solution. Alex Batlin, the CEO of Trustology, said people like the sound of cold storage because it’s offline, but it’s really just replacing a network with a human, who can still be influenced to behave in nefarious ways.
“All cold storage does is give you a false sense of security and also very high latency for instruction execution,” Batlin said.
However, Mike Belshe, CEO of crypto custody pioneer BitGo, has argued that the latency and human involvement are a small price to pay for the security afforded by cold storage. He told CoinDesk last year:
“If you put the keys online, or if you put the keys so close to being online that you can move money within 15 minutes, that means you don’t have very tight control on it. The customers we talk to appreciate this point of view.”
IBM’s Public Cloud Is Secure Enough For Crypto Custodians
IBM’s public cloud is secure enough to attract crypto custodians.
Announced Tuesday, Singapore-based custody provider Onchain Custodian has released the latest version of its hardware-based vault, hosted entirely on Big Blue’s banking-grade public cloud.
Previously, IBM has offered cloud services to digital asset custodians on a hybrid basis, where certain servers guarding private encryption keys are held on-premise by the custodian, with other services run from data centers that are rented out and in remote locations. But this is the first time a custodian has felt comfortable outsourcing the entire key management and storage process to IBM’s public cloud.
“Onchain has been using a pure public cloud model from day one,” said Rohit Badlaney, executive director of IBM Z Cloud. “They seem to have got a lot of interest from clients, whether it’s hedge funds or institutional investors. It will be interesting to see how this market moves.”
IBM itself has no access to private keys created and stored on its HyperProtect cloud. The system is built using hardware security modules (HSMs), a kind of lockbox that safeguards and manages digital keys in a tamper-proof environment.
Alexandre Kech, chief executive and co-founder of Onchain Custodian, said guarding keys in your own custom-built vaults might intuitively appear to be the safest method, but this isn’t necessarily the case.
“If it’s on-premise that means you know where it is, if you happen to be badly intentioned,” said Kech. “Of course if you are a bank you can secure that pretty well, but if you are a startup, it’s creating more risks. Even if your data center is secure, it’s generally difficult to geographically disperse it.”
Sequoia-backed Onchain currently has about 30 customers, with the main focus on Asia for now. These include the Neo and Ontology foundations and, on the exchange side, Wowoo, BiKi and KuCoin.
Onchain went live with a cold-storage-only v1 of its custody solution back in April 2019. Cold storage typically means crypto assets are stored on digital media that has never been, and never will be, connected to the internet. Like burying your private keys in the back garden, it can take hours or even days to access your assets, so it is not ideal for active trading.
Kech described the new version Onchain released this week as “warm” storage. This means the HSM can connect to the internet to sign transactions on the blockchain in semi-automated fashion, but it remains distinct from a hot wallet system since the HSM isn’t permanently connected to the internet, he said.
Onchain has managed to snag insurance from Lloyd’s of London for its HSM-based “warm” offering, a further positive sign from the London insurance market, following the recent announcement that Lloyd’s has officially begun backing hot-wallet insurance policies.
Kech said Onchain used Lockton as its broker and found two Lloyd’s underwriters supporting the policy.
“I can’t say the size of cover but it’s a crime policy, meaning it’s covering third-party theft and employee misconduct,” said Kech. “It covers both cold and warm. It would not cover hot, permanently online, but HSMs in our solution are not considered as permanently online.”