Do you develop your own digital asset custody or trading platform security infrastructure in-house, or are you thinking of doing so? Here’s the ins and outs of going at it yourself for the long term.
As your digital asset services business grows, so does the risk of loss. Scaling your businesses means scaling your blockchain key security. With the “gold standard” being cold (offline) storage for blockchain keys, however, keeping both security and trading speed at top standard becomes a challenge.
Click here to read how Four Ways Exchanges’ Cold Storage Systems Kill Their Transaction Velocity.
While we’ve addressed the vital differences between the core technologies of hardware-based storage, multi-signature systems, and secure multi-party computation (SMPC) elsewhere, today we’ll go back to discussing basic approaches to implementing security, and the pros and cons of developing your security platform in-house (i.e. do-it-yourself or “DIY” approach) vs. deploying an external solution from a security vendor.
What’s in a DIY approach?
Organizations using an in-house DIY approach, in practice, usually employ a combination of “cold wallets” to keep assets safe offline, hardware (HSMs / tokens) to protect digital asset keys and/or multi-sig for quorum approval of transactions.
Most organizations with this security setup rely heavily (or exclusively) on internal resources (for setup, execution, and maintenance) to implement this security solution. This requires a great deal of time, money, and security expertise – the level of which can vary wildly from exchange to exchange.
Nonetheless, there are digital asset service providers that seek the control, flexibility and agility afforded by in-house built security implementations. Let’s dive into the aspects you should take into account when considering a DIY security approach.
- Operational efficiency and automation – as you expand your offering, it becomes harder to maintain your security systems, to simplify and automate workflows, and to apply security policies consistently. This introduces several potential challenges:
- Administrators and users must deal with different systems and processes which is a massive burden that only gets harder to keep at bay.
- Employee burnout – due to challenges of implementing security measures across a growing service offering, many service providers with DIY security systems require manual and cumbersome processes for daily operations. As a result, employees can burn out easily due to process inefficiencies and lack of freedom of time and movement. For example, when manual actions and physical access (e.g. to an offline server or HSM) are required to execute transactions, they can cause frustration among employees responsible for day-to-day trading and exchange operations.
- Consider the resources required for day-to-day security related operations as well as infrastructure maintenance. How can you use your resources most efficiently and poise yourself for future growth?
- Service expansion – Adding new ledgers or tokens to DIY systems requires starting from scratch with custom development – particularly if those new tokens are dependent on a new cryptographic curve. In addition, when multi-sig systems are used for the “hot wallet,” the system needs ledger-specific development (to implement) and support (to maintain).
- Does your business have the resources needed to introduce and maintain expansion?
- Security validation / controlling risk – Ledger-dependent security policies make it difficult to apply consistent security thresholds across the entire organization. If a security policy changes, for example, the R&D team must go through each asset’s signing system and make those changes, one at a time. The growing challenge in ensuring the security implementation encompasses several threats – not only external attacks, but also insider threats as well as operational mistakes.
- It’s worth noting as well that – at least, for exchanges – rogue insider attacks are a notorious problem. 23% of recorded exchange breaches between 2014 and 2019 were attributed to employees embezzling funds from within.
Bottom line: DIY security systems require a significant time, money, and resources investment as well as in-depth expertise to maintain a highly secure environment—and the challenges only grow as services expand in scope and volume. Crypto-asset service providers evaluating a DIY approach should consider whether this is the optimal choice for their organizations’ operations and risk management strategy for the long term.
From a top-down view, the benefits of DIY systems are short-term – and don’t outweigh the cons. Stay tuned for our next article examining the benefits and detriments of working with a SaaS vendor for digital asset service security.