IBM’s Public Cloud Is Secure Enough for Crypto Custodians

IBM
3 March 2020

IBM’s public cloud is secure enough to attract crypto custodians.

Announced Tuesday, Singapore-based custody provider Onchain Custodian has released the latest version of its hardware-based vault, hosted entirely on Big Blue’s banking-grade public cloud.

Previously, IBM has offered cloud services to digital asset custodians on a hybrid basis, where the servers guarding private encryption keys are held on-premise by the custodian while other services run from rented data centers in remote locations. But this is the first time a custodian has felt comfortable outsourcing the entire key management and storage process to IBM’s public cloud.

“Onchain has been using a pure public cloud model from day one,” said Rohit Badlaney, executive director of IBM Z Cloud. “They seem to have got a lot of interest from clients, whether it’s hedge funds or institutional investors. It will be interesting to see how this market moves.”

IBM itself has no access to private keys created and stored on its HyperProtect cloud. The system is built using hardware security modules (HSMs), a kind of lockbox that safeguards and manages digital keys in a tamper-resistant environment.

Alexandre Kech, chief executive and co-founder of Onchain Custodian, said guarding keys in your own custom-built vaults might intuitively appear to be the safest method, but this isn’t necessarily the case.

“If it’s on-premise, that means you know where it is, if you happen to be badly intentioned,” said Kech. “Of course, if you are a bank you can secure that pretty well, but if you are a startup, it’s creating more risks. Even if your data center is secure, it’s generally difficult to geographically disperse it.”

Sequoia-backed Onchain currently has about 30 customers, with its main focus on Asia for now. These include the Neo and Ontology foundations and, on the exchange side, Wowoo, BiKi and KuCoin.

Onchain went live with a cold-storage-only v1 of its custody solution back in April 2019. Cold storage typically means crypto assets are stored on digital media that has never been, and never will be, connected to the internet. Like burying your private keys in the back garden, it can take hours or even days to access your assets, so it is not ideal for active trading.

Kech described the new version Onchain released this week as “warm” storage. This means the HSM can connect to the internet to sign transactions on the blockchain in a semi-automated fashion, but it remains distinct from a hot wallet system because the HSM isn’t permanently connected to the internet, he said.

Onchain has managed to snag insurance from Lloyd’s of London for its HSM-based “warm” offering, a further positive sign from the London insurance market, following the recent announcement that Lloyd’s has officially begun backing hot-wallet insurance policies.

Kech said Onchain used Lockton as its broker and found two Lloyd’s underwriters supporting the policy.

“I can’t say the size of cover but it’s a crime policy, meaning it’s covering third-party theft and employee misconduct,” said Kech. “It covers both cold and warm. It would not cover hot, permanently online, but HSMs in our solution are not considered as permanently online.”