Vincent Kobel, VP Product and Research, talks about digital asset security and METACO’s approach to SILO development.
Over the last few months, we have seen even the most reputable exchanges being hacked. Why are cryptos still vulnerable to theft?
It is most likely a combination of factors.
On the one hand, companies like exchanges — whose core business is to offer financial services — focus primarily on offering an intuitive and agile client experience. This segment has become extremely competitive over time. Understandably, many exchanges have decided to concentrate on usability and outsource storage, which means they themselves rely on 3rd party custodians to keep the cryptos secure. Unfortunately, those 3rd parties proved to not have all the points of failure tackled.
On the other hand, exchanges are extremely appealing to hackers because of the enormous amounts of assets they manage. The higher the reward, the more sophisticated the attack. As a result, their cryptos do not only need to be protected from all possible external threats, but also from insider ones, since on many occasions, the weak link is in-house.
Still, achieving optimal levels of security — especially in the context of digital assets — is not obvious. Technology can tackle many threats, but social engineering is a menace more complicated to tackle. If a custody or brokerage firm aims at guaranteeing reliability, then deploying a sophisticated, holistic and broad security paradigm will be indispensable.
SILO is a digital asset management solution for institutional custodians. How do you ensure it is secure?
We aim at bridging traditional banks and exchanges and the crypto world. These institutions have built their reputations over decades; they cannot afford to lose their assets to a hacker or wrongful internal management. That is simply not an option. At METACO we know it, and that’s why we target security and resilience above all. There are no shortcuts. We work strategically and operationally to mitigate all possible risks. That is why we do not only focus on implementing all current technology best practices, but also work closely with regulators to anticipate industry standards, regulatory and compliance frameworks, and our internal processes satisfy ISO 27001.
How does that materialize from a product development standpoint?
Our principle is to ensure that everything we do contributes or reinforces the product security and resilience. Already since its concept, we knew SILO had to meet 4 premises: the features had to be 100% in line with the customer needs, the HSM had to be purpose-built for crypto use, the programming language had to facilitate distributed applications, and the development had to be done, by all means, in-house.
As a software technology firm, achieving those 4 ‘simple’ objectives is not something you can, and even less should, do on your own. You need experts in each field. Ideally the best. That’s why we looked into partnerships straight away.
For example, to understand the user requirements, we onboarded market infrastructure leaders Avaloq, Temenos and Swisscom. This was critical to define features, user journeys, but also integration and onboarding requirements.
For the HSM, we sought providers specialized in flexible HSM firmware which would allow for custom code to run enabling blockchain-aware verifications, and also, who we could work closely with to co-develop the product. To date, SILO is the only product whose HSM is blockchain aware and understands if a transaction is valid or not, even when all signatories have signed. This is because all the critical information, from loss limitation policies to signature parameters, is implemented directly in the secured environment and enforced by it.
For the code, we relied on the Scala programming language and on the Akka framework, which support resilience and distributed applications and which are quite well known by a wide pool of developers in the region. Scala was developed by the Ecole Polytechnique Fédérale de Lausanne. That proximity was a big advantage back at concept time because we were able to work with their experts to apply the framework at its best.
To handle the development, our objective was to build a highly competent and versatile team. Priority has always been quality over quantity and that is why our developers stand out for deep knowledge of distributed applications, security and cryptography. The team is almost entirely based in Lausanne, although we may make exceptions when the skill is so exceptional that we would rather work remotely than without. That is the case, for example, of our co-founder and Bitcoin expert Nicolas Dorier, who is based in Japan.
Having everyone onsite is crucial to make every component of the solution secure and resilient. It allows us to communicate transparently and with agility, and implement industry best practices such as an agile framework, iterative methodology, peer code reviews, external code audits or peer shadowing. Furthermore, we have someone on the team constantly tracking news and resources, in search of new security or resilience risks. As a result, we have a smooth process to identify, tackle and audit every critical component for security, we release features and fixes almost on a weekly basis and have built up a versatile and resilient team where everyone can take over tasks and provide thought-provoking contributions, which ultimately makes the product more robust and better.
Which challenges have you encountered in the development of SILO?
Several. Developing a product like SILO means designing a product almost from scratch.
To start, there is the technical challenge of working on cryptographic protocols and standards. Assets like Bitcoin are well designed and a strong community exists. Other exotic coins are less straightforward. Since we aim at maximum security – and that requires developing a custom firmware for the HSM for every single coin – we, ourselves, must fully and entirely understand the ins and outs of each currency’s protocol. That involves much R&D on its own. Luckily, we are not racing to onboard coins in SILO. We prefer to do it progressively and robustly, instead of blindly.
On the other hand, there is compliance and regulation. The framework on those two is not yet fully clear and hence, defining the standards and features our clients will need to ensure compliance in aspects like AML or KYC is not straightforward. In this sense, we are lucky to work closely with the regulators and financial institutions: it allows us to hear and discuss the needs and concerns first hand, anticipate requirements and even contribute to the definition of frameworks.
Finally, there’s the notion of security and resilience. Imagine you have an extremely available system but you rely on one single database; as soon as the database fails, your whole system will go down. Targeting security and resilience means identifying every single dependency and potential concerns, and tackling them. It is an exhaustive and meticulous process.
How do you tackle the security and resilience threats, once the product is transferred to the client?
To start with, we designed SILO to be easy to manage, versatile and suitable to our customer’s workflows. That is why the solution includes a user interface, a complete set of APIs and connectors which allow the client to blend it at will in existing systems, create a product stack out of it or use it standalone.
Technical security is indeed under our control and we try to enforce it through the product and the way it is managed. For instance, the most critical configurations (those impacting the system’s core security) have to be done at very specific occasions, physically on the HSM and in the data centers, while more broad configurations and parametrizations can be done remotely.
However, even if we make great efforts to make components easy to manage, set up strict protocols and procedures, and put in place documentation and trainings, we still cannot verify how the clients use the system, and if they do it in a secure and compliant manner. What we know is that if deployed and managed as we suggest, SILO delivers the promised levels of security and resilience.
How do you see the future of digital asset management? How will that impact solutions like SILO?
From a product concept point of view, I expect several developments.
On the one hand, I expect an outburst of digital assets as soon as regulatory frameworks are defined. That means that solutions like SILO will not only serve for wealth management purposes, but also for digital identity management, for example.
On the other hand, we could expect broader and deeper collaboration across the ecosystem actors, including regulators. As a result, digital asset management platforms will be even more complete, integrated and equipped to fully support the client’s legal and compliance requirements.
As the market capitalizes, we shall also expect an increase in the number and sophistication of physical and cyber threats. On our end, since we took an anticipating approach and are confident in our components and algorithms, our recipe will be to stay informed and ready to quickly deploy upgrades to counter new threats when needed.
Finally, I believe social engineering will become a core priority in the era of digital assets. People can be educated but they are difficult to manage and predict. Finding new and effective ways to limit the threat vector within organizations related to the human factor, will certainly be.