In this Help Net Security interview, Jean-Philippe Aumasson, CSO at Taurus, emphasizes the often-overlooked complexities of key generation, storage, and distribution, underlining the necessity for a high level of security maturity in handling digital assets.
Looking ahead, Aumasson predicts that the future of digital asset protection will be influenced by overall maturity, internal skill development, technological advancements, and evolving regulations. Financial institutions are expected to strategically invest in robust systems to meet these challenges.
What are the most significant challenges businesses face when securing their digital assets, especially in the context of evolving cyber threats?
The number one challenge is key management. Digital assets critically rely on cryptographic keys—if you lose your key then you lose access to your coins forever, and if someone steals your key then they’ll most likely steal your coins. That’s why your key management must be flawless, which is easier said than done. From key generation, key storage, and key distribution to key recovery and key rotation, every aspect of key management seems simple, but even the simplest thing is hard to get right.
That’s why I often wince when I hear the phrase “not your keys, not your coin”. Those who emphatically warn against third-party custodians tend to overlook the key management challenges and the risk of carrying the responsibility yourself. We all know people or organizations who lost access to their cryptocurrency because of poor or inexistent back-ups.
Let’s elaborate on key generation. An individual acquiring $10K worth of bitcoins could use a hardware wallet’s pseudorandom generator and call it a day. But suppose you’re a financial services firm. In that case, that’s a new ballgame: we’re talking millions or billions, compliance and audit trail requirements, insider risk, supply-chain sabotage risk, disaster recovery, and so on.
To secure your coins is to prepare for the worst. For example, should you trust third-party systems to generate your keys? Can you meet auditors’ demands without full logs of the key generation? Can you prove to your clients that backups will work when needed? What if the people in charge of key management today leave the company tomorrow? There are many challenges requiring high security maturity that new Web3 companies sometimes overlook.
How can organizations balance the need for robust digital asset protection with the drive for business innovation and agility?
It’s all about reducing friction and designing seamless processes for your everyday operations. It starts with clearly defining these processes from the get-go. For instance, consider how you go from a digital asset transfer request to its approval, execution, and settlement. You need a clear view of who is accountable for what and who is responsible for each step of this process.
I’d also like to stress that you shouldn’t use blockchain when you don’t need it. Blockchains, at least their “layer 1”, often introduce processing delays and costs. Plus, the transaction flow and associated data are public and out there forever. The front-running and de-anonymization risks shouldn’t be neglected. Therefore, you’re sometimes better off working off-chain. For instance, do you have to automate dividend distribution via a complex smart contract, or can you do part of it off-chain?
To best integrate digital assets in your business, it’s crucial to integrate your digital asset management solution with your IT systems. If you’re a bank, this entails connecting it to your banking network and leveraging the custody solution’s API to automate tasks such as financial reporting. You also want to abstract as much as possible of the nitty-gritty technical details, such as hierarchical wallet key derivation parameters or the smart contract internals. From a business standpoint, your staff should only see an account ID and its balance.
How critical is implementing IAM best practices in safeguarding digital assets, and what are some common pitfalls companies should avoid?
Identity management and digital assets haven’t really played well together in the past. This is partly because of one of the core principles of blockchain: the absence of traditional identity due to its pseudonymity and anonymity properties. I advise against handling identity on-chain, let alone entrusting blockchains with processing or storing sensitive information.
That said, if you have an enterprise-level digital asset management solution, you do need role-based governance and thus role-based access control. This usually involves identity and access management (IAM) solutions to authenticate and identify parties and manage their entitlements. For example, you may connect to your digital asset solution with the same single sign-on (SSO) portal used for your other enterprise services. And you might implement extra layers of security, such as application-specific credentials or hardware tokens, for sensitive operations like approving transactions or whitelisting addresses.
From a security perspective, centralized IAMs have pros and cons. There’s the obvious single point of failure objection, but I like to see the benefits: a single system to configure and manage, the aggregation and correlation of activity logs from multiple systems, and the threat detection mechanisms.
What key elements should be included in a cybersecurity policy to ensure digital asset protection in a business split-up?
You first need to get the fundamentals right. These aren’t specific to digital assets, as we’re talking about basic IT security policies and procedures, from access control and vulnerability management to endpoint security and change management. The maturity level needed depends on your objectives, the size of your organization, and its regulatory obligations.
Regarding the specifics of digital assets, we can go back to key management. Policies should, for example, cover backup and disaster recovery aspects. I’ve seen organizations impose a “crypto period” of one or two years after which they must rotate their keys to fresh ones. I’ve also seen policies mandating a quarterly review of backups’ integrity and a yearly test of the backups. In such a test, you obtain the backup shares according to your security procedures and verify that you can restore the keys used in your production systems. This process may involve third-party auditors, whose report would attest that the test was successful and that backup values haven’t been otherwise exposed.
Lastly, you may need policies that define which digital asset type is acceptable or not. A policy can define the acceptance criteria, including technical security aspects. For example, you might have to do security due diligence of new blockchain platforms and protocols and organize third-party security audits of any smart contracts you’re going to use. I once reviewed the cryptographic protocols of a blockchain platform a client wanted to use, and I advised them against it after finding several security vulnerabilities in the code.
Can you share insights or lessons learned from notable digital asset breaches and how these have shaped current best practices in asset protection?
There’s no shortage of examples to choose from, so let’s look at two types of security disasters:
First, exchange hacks: Exchanges must store a lot of digital coins and need an automated system to withdraw cryptocurrency from their hot wallets to external accounts. Many exchanges have learned the hard way that the following choices usually don’t end well: putting too much money in a hot wallet, leaving the CEO and only them to manage crypto wallets, relying exclusively on pure software (as opposed to hardware-based secure environments), and bragging about how unhackable your systems are.
Second, smart contract hacks—or what you inevitably get when you combine technical complexity, lack of accountability, and huge financial rewards with little to no risk for the attackers. Take, for example, hacks of bridges, such as the 2022 Wormhole hack. Bridges are complex protocols connecting two blockchains, which have the power to create coins out of thin air and are maintained by organizations with little regulatory oversight. Also, the “decentralized finance” (DeFi) applications have their own share of horror stories when it comes to smart contract hacks. Dealing with such systems is always a risk-reward gamble, and it’s sometimes wiser not to gamble, especially if your clients’ money is at stake.
Looking ahead, what emerging technologies or strategies do you believe will play a vital role in the future of digital asset protection?
There are a lot of technology innovations gaining traction, like zero-knowledge proof systems and cross-chain protocols. But I don’t envision a single technology playing an important role in protecting enterprise digital assets. It mostly boils down to overall maturity, shaped by internal and external factors. Internally, this means more skilled personnel and learning from trial and error. Externally, it entails technology maturation, better aligned audit frameworks and standards, and regulations providing the necessary oversight.
Concretely, we observe financial institutions approaching digital assets from a strategic angle and investing in robust systems. The shift is driven by a vision of financial systems integrating tokenized securities and real-world assets, stablecoins and potential CBDCs.
Such views may or may not include cryptocurrencies and may involve private/permissioned distributed ledgers (as opposed to public blockchains). For example, in Switzerland we have laws that recognize tokenized securities and we have frameworks where losing your private key doesn’t lead to the loss of assets.