December 5, 2023 By Anbazhagan Mani and Simon Vogel

Today, IBM is announcing IBM Hyper Protect Offline Signing Orchestrator (OSO)—a new technology to help deploy cold storage solutions for digital assets, and the latest addition to its confidential computing portfolio.

OSO is designed to address limitations of current cold storage offerings for digital assets, including the need for people to perform manual procedures for the execution of a cold storage transaction. It helps protect high-value transactions by offering additional security layers including disconnected network operations, time-based security and electronic transaction approval by multiple stakeholders.

Hyper Protect OSO provides a policy engine that brokers communication between two different applications that have been designed not to communicate directly with each other for security purposes, providing an efficient and securable solution to facilitate digital asset transactions.

Designed to address the needs of customers

IBM has worked with Metaco, an IBM Business Partner and digital asset custody provider, and tier 1 banks, to help ensure OSO addresses client requirements. Metaco Harmonize offers a highly robust and secure orchestration system for digital asset applications and will leverage this solution. OSO acts as the intermediary between two Metaco components running in separate Hyper Protect Virtual Server instances: the Harmonize Core that is externally available to receive signing requests and the Harmonize Cold Vault that is isolated.

“As a provider of institutional grade custody infrastructure that is trusted by some of the largest global custodians and banks, it is our responsibility to deliver cutting-edge digital asset security to our clients,” said Adrien Treccani, Founder and Chief Executive Officer at Metaco. “IBM’s confidential computing division has been a reliable partner throughout the years, and we are pleased to complement Metaco’s catalog of institutional cold storage solutions with the unique air-gapped cold storage that OSO enables, especially as cold storage requirements are increasingly being stipulated by regulators in markets such as Singapore, Hong Kong and Japan,” added Treccani.

Metaco Harmonize leveraging OSO can enable an even more seamless transaction environment with zero exposure to the digital assets in cold storage, offering an attractive alternative to the current commercially available physically air-gapped cold storage technologies. This ultimately gives Metaco’s clients the critical optionality to deploy an institutional cold storage solution fit for their unique operating and risk management models.

The digital assets market continues to grow

As the financial ecosystem matures, eventually all assets are subject to tokenization. We expect the tokenization of global illiquid assets to grow as a business opportunity in the coming years. With the continued progression of the industry, there is a need for a more mature solution for cold storage that will support this market growth.

Certain concepts and approaches have evolved in terms of securely managing digital assets. A hot, or online, storage system is connected to the internet. A “warm” storage system offers a higher level of security than hot wallets since it stores private keys offline, but it is less convenient since it requires manual intervention to connect to the internet when needed. Also, it is important to note that for a short period of time, assets are not truly offline. This requires a connection to be enabled or disabled automatically or manually. In this regard, some “warm” storage approaches use uni-directional communication, proposing that this meets cold storage standards. However, not all markets or clients would agree that this is the case since there is still a direct communication or network connection with one of the components that is not truly offline. In a cold storage system, assets are always, at any point in time, completely offline, or even physically air-gapped.

When it comes to offline or physically air-gapped cold storage, there are limitations, including privileged administrator access, operational costs and errors and the inability to truly scale. All these limitations are due to one underlying factor—human interaction.

The most common attack vector of traditional cold storage within an organization is the insider attack. Malicious users can take advantage of their access by tampering with devices and even installing malware on them. As a result, the hacker could redirect the transaction to a different bank account, causing the loss of millions of dollars. Once the transaction is published to the blockchain, it cannot be reversed. Bottom line—you don’t need to have access to the assets themselves to steal them. IT System Administrators could also exploit their privileged access to manipulate policy or business logic, ultimately changing or creating new “rules” to allow them to steal assets. These types of attacks are very difficult to detect and can be very hazardous to the organization. Another concern for clients is the “forced attack” where an unauthorized person uses violent physical threats to demand that a transaction be executed. This could be a life-threatening situation that no company should risk.

Operational costs and operational errors are also inhibitors to current cold storage solutions. A minimum of 2 datacenter administrators are needed to facilitate the signing process of a digital asset transaction, resulting in recurring costs for the client. Typically, the datacenter administrator must physically walk devices, such as a laptop or USB, across the data center to the offline hardware for signing and back again; others might even use a “pen and paper” approach. Additionally, this interaction from the datacenter administrator can lead to risks of operational errors due to tasks not being performed correctly, or an overall careless approach to the task. These can be costly mistakes that can potentially result in huge losses to organizations.

Finally, as the digital asset industry continues to grow, so will the number of transactions, resulting in the increase of these manual operations and the risks associated. This type of manual process is not scalable as clients continue to grow and need to keep up with making these assets available.

Increasing regulations on the industry

As digital assets continue to become mainstream, and more digital asset custody providers emerge, there is a parallel increase in country-specific security regulations for this market. Providers need to ensure they safeguard their clients’ digital assets by putting the right solution in place to manage the thousands if not millions of wallets, as well as maintain control over the devices required to execute the transactions—all of which poses a risk to the business.

A key regulation that has emerged is the requirement of cold storage for security purposes. Recent government regulations in Hong Kong and Japan outline that digital asset custody providers are expected to keep a certain percentage of customers’ digital assets in cold storage. Based on these countries’ various regulation reports, we believe that, for security reasons, there should be a certain amount of assets disconnected from the internet.

What is IBM Hyper Protect Offline Signing Orchestrator?

Addressing these limitations in protection, operations and scalability, Hyper Protect OSO addresses the need for people to perform manual procedures for the execution of a cold storage transaction. This mitigates the cost of the administration and reduces the inherent risk of human interactions and errors, embracing the zero-trust approach to all of IBM’s confidential computing solutions. The confidential computing environment provides technical assurance (versus operational assurance, or a “promise”) that no one, not even datacenter or application administrators, has access to it.

While humans are removed from the operational process, clients can assign auditors from separate lines of the business to review and approve or reject the transactions, adding a human control function. Further, clients can set two timers: one for how often a transaction should be signed or verified, and a second timer for when transactions should be published to the blockchain. To give an example, a client may decide to allow cold storage signing and verification to be conducted every 5–10 minutes, every hour or once a day, while the actual publication to the blockchain may be executed 1–2 days later. The second timer, in particular, can optionally be made and set unchangeable by clients. Hence, in the event of a forced attack, the attacker may force the initialization of a transaction but would have to wait the allotted amount of time (maybe 1–2 days if the second timer is defined like this) for the transaction to be published on the blockchain, giving stakeholders the ability to cancel the transaction or even allowing time for law enforcement to intervene.
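
A simplified model of the auditor approval and two-timer policy described above, added here as an illustration; it is not IBM's or Metaco's code. The class names, auditor names, quorum of two and timer values (hourly signing, one-day publish delay) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)       # frozen: models the optional "unchangeable" timer setting
class Policy:
    required_approvals: int   # auditors who must approve before signing
    signing_interval: int     # timer 1: seconds between cold signing runs
    publish_delay: int        # timer 2: seconds between signing and publication

class Orchestrator:
    def __init__(self, policy, auditors):
        self.policy, self.auditors, self.txs = policy, frozenset(auditors), {}

    def submit(self, tx_id):  # states: pending -> signed -> published | rejected | cancelled
        self.txs[tx_id] = {"approvals": set(), "state": "pending", "signed_at": None}

    def review(self, tx_id, auditor, approve):
        if auditor not in self.auditors:
            raise PermissionError(f"{auditor} is not an assigned auditor")
        tx = self.txs[tx_id]
        if tx["state"] == "pending" and approve:
            tx["approvals"].add(auditor)
        elif tx["state"] == "pending":
            tx["state"] = "rejected"

    def cancel(self, tx_id):
        if self.txs[tx_id]["state"] in ("pending", "signed"):  # too late once published
            self.txs[tx_id]["state"] = "cancelled"

    def tick(self, now):
        """One scheduler pass at time `now` (seconds); returns ids published in it."""
        published, p = [], self.policy
        for tx_id, tx in self.txs.items():
            quorum = len(tx["approvals"]) >= p.required_approvals
            if tx["state"] == "pending" and quorum and now % p.signing_interval == 0:
                tx["state"], tx["signed_at"] = "signed", now
            elif tx["state"] == "signed" and now - tx["signed_at"] >= p.publish_delay:
                tx["state"] = "published"
                published.append(tx_id)
        return published

def forced_attack_scenario():  # constructed run: two transactions, one cancelled in time
    oso = Orchestrator(Policy(2, 3600, 86400), {"audit-a", "audit-b", "audit-c"})
    for tx_id in ("coerced", "routine"):
        oso.submit(tx_id)
        for auditor in ("audit-a", "audit-b"):
            oso.review(tx_id, auditor, True)
    oso.tick(3600)            # quorum met, so both are signed at the first signing run
    oso.cancel("coerced")     # stakeholders react while the publish delay is running
    return oso.tick(3600 + 86400), {k: t["state"] for k, t in oso.txs.items()}
```

In the scenario, the coerced transaction is signed but never published because it is cancelled inside the delay window, while the routine one is published once the delay has elapsed.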

All required tasks can be consolidated on one system, running in a confidential computing environment on isolated enclaves, or logical partitions (LPARs) on IBM Z or IBM LinuxONE. Each LPAR has its own operating system, memory, and hypervisor, and LPARs have been evaluated under the Common Criteria at Evaluation Assurance Level (EAL) 5+. The solution prevents an application running on one LPAR from accessing application data running on a different LPAR on the same system. Additionally, we consider this isolation better than physically air-gapped isolation because there is no network connection, which eliminates the network attack vector. OSO leverages encrypted in-memory communication that is unidirectional and is based on IBM HiperSockets.

OSO turns the entire digital asset transaction signing process from a manual operation to a completely automated and policy-driven one, without eliminating the human control—just the operational involvement is eliminated. This will allow clients to scale as needed as they onboard more and more customers.

OSO is deployed in one of IBM’s confidential computing solutions, IBM Hyper Protect Virtual Servers, which provides end-to-end protection—from deployment of the data to data in-use—because it is technically assured that nothing can be manipulated. OSO securely passes communications between the hot (online) and cold (offline) system while ensuring it is never connected to both at the same time. This is ideal for digital asset custodians building solutions designed to ensure data is secure and tamper proof, while also providing access to faster and more frequent transactions.

Get Started with IBM Hyper Protect Offline Signing Orchestrator

To get started with Hyper Protect Offline Signing Orchestrator, a client will need to leverage IBM LinuxONE III or IBM z15 or later hardware capabilities which can be hosted in their own datacenter or by a managed service provider. There are multiple sizes and price points available to accommodate start-ups to enterprise clients. IBM Hyper Protect Virtual Servers is also required and will need to be configured before deployment of OSO. Choose a custody solution such as Metaco Harmonize to store your digital assets, and start using Hyper Protect Offline Signing Orchestrator. Hyper Protect Offline Signing Orchestrator will be generally available on 8 December 2023.

For more information go to the Digital Asset Infrastructure page or reach out to your local sales representative.
