Web3 refers to the next Internet generation, one that leverages public blockchains and DLT technologies. It is based on decentralization, self-sovereign identity and actions. Web3’s intention is to give the end user control over their own data, bringing back control of transactions and interactions to their rightful owner.
One use-case of Web3 that is gaining a lot of traction is decentralized finance, also known as DeFi. DeFi involves conducting financial transactions on the blockchain without assistance from a central authority. Through DeFi protocols Web3 pushes the limit of decentralization, bringing tokenomics (which is a study of economics of a crypto token) to the forefront of financial services innovation.
Security is a key aspect of Web3 and refers to the infrastructure built to ensure transaction integrity, non-repudiation, rightful authorisation and execution. Beyond encryption in infrastructure, when Hardware Security Modules (HSMs) are involved, it is crucial that transactions are executed in a trusted environment.
Even with the best encryption technology, a weak endpoint would wreak havoc to the entire solution: think of a secure entitlement system, where would this software stack reside?
Where would you place the code that has access to a HSM?
Hence the critical need for secure computing
So where do financial organizations stand on this issue? What are their key issues when it comes to crypto-assets?
Zodia Custody, a subsidiary of Standard Chartered, is a holistic, all-in-one crypto asset service provider for institutions. Far beyond being bank-grade, Zodia Custody is part of a leading banking group. Zodia Custody uses highly secure segregated wallets, air-gapping technology, with instant settlement capabilities.
With the aim to bridge the gap between traditional finance and crypto assets, Zodia Custody’ s goal is to raise the standards of the crypto industry. One of the ways in which they are doing this, is through a focus on security.
Indeed, when setting up this type of service offering, companies like Zodia must ensure that their core business is conducted in a secure environment.
The execution of cryptographic primitives, which involves a combination of cryptography, i.e. key pair generation, address generation and signing, as well as the guarantee of business logic, must absolutely take place in a secure and reliable environment.
To ensure the success of this operation, Zodia Custody must be assured of an access to a HSM while maintaining an unconstrained and trusted operating system.
Today, data security can be achieved through a variety of means such as TEEs, HSMs, and hardened operating systems (OS).
Let’s take the example of Trusted Execution Environment (TEE) which is a hardware component that allows data to be processed according to defined rules without anyone, even the system administrator, being able to see the data set.
Since the component can be remotely attested, it can be used on a decentralized network. TEE also takes into account the crucial right to delete its data.
Another aspect is the hardened OS part, like ARCA Trusted OS which is a secure container orchestration platform composed of a hardened Linux-based operating system (OS) combined with a Kubernetes orchestrator. This hardened OS is a micro distribution designed specifically to run containerised applications and having a minimal attack surface that is much smaller than a general-purpose Linux OS.
In fact, the Kubernetes layer comes with default secure settings and a set of curated components allowing an easy cluster bootstrapping, easy management, a secure data exchange between pods and nodes. It also allows secure execution of your code in a hardware-based trusted execution environment with different runtimes such as gVisor and Kata-containers.
Applications running on ARCA Trusted OS have an option to use CYSEC’s Cryptographic service via a convenient gRPC API. This API provides access to cryptographic primitives provided either by a purely software-based backend or by a FIPS-certified Hardware Security Modules (HSM). Furthermore, the Cryptographic service takes full advantage of clustering property of Kubernetes deployments allowing synchronization of cryptographic material across all nodes of Kubernetes cluster leading to strong resilience answering most stringent application’s demands, as Zodia Custody seeks in its security requirements.