From time to time, we invite industry thought leaders to share their opinions and insights on current technology trends to the IT Infrastructure blog. The opinions in these blogs are their own, and do not necessarily reflect the views of IBM.

There are very few scenarios where security is more important than in the world of digital assets. If the key protecting a digital asset is compromised, then it’s game over.

At the same time, trading digital assets will only enter the mainstream when it’s possible to do it quickly and easily. For financial institutions accustomed to making transactions within a fraction of a second, waiting hours or even days for different keyholders to sign off on a digital asset trade is unthinkable.

At Unbound Tech, we saw an opportunity. By combining our unique multiparty computation (MPC) software with the IBM Hyper Protect Digital Assets Platform built on IBM LinuxONE, we’re bringing unprecedented liquidity and security to digital asset management.

Sizing up the challenge

Unbound is a pioneer in the use of MPC to secure cryptographic keys from every angle, splitting each key into multiple shares that are never united. By distributing trust, we ensure that a breach of any single machine never compromises the integrity of a key.
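To make "shares that are never united" concrete, here is an added example (not Unbound's protocol or code from this post) of a textbook additive-share Schnorr signature: each party signs with its own share, and only public values and partial signatures are combined. The group parameters, class and function names are constructed for illustration, the group is far too small for real use, and the sketch assumes every party follows the protocol, which production MPC does not assume.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example (far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(R, msg):
    """Fiat-Shamir challenge e = H(R || msg) mod q."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Party:
    """One machine holding a single additive share x_i of the signing key."""
    def __init__(self):
        self.x = secrets.randbelow(Q)          # key share, never leaves this object
        self.pub = pow(G, self.x, P)           # public share g^x_i

    def commit(self):
        self.k = secrets.randbelow(Q - 1) + 1  # fresh nonce share per signature
        return pow(G, self.k, P)

    def respond(self, e):
        s = (self.k + e * self.x) % Q          # partial signature
        del self.k                             # a nonce share must never be reused
        return s

def joint_public_key(parties):
    """y = product of g^x_i = g^(x_1 + ... + x_n), built from public shares only."""
    y = 1
    for p in parties:
        y = y * p.pub % P
    return y

def joint_sign(parties, msg):
    """Combine public commitments and partial signatures; x is never formed."""
    R = 1
    for r in [p.commit() for p in parties]:
        R = R * r % P
    e = challenge(R, msg)
    s = sum(p.respond(e) for p in parties) % Q
    return R, s

def verify(y, msg, sig):
    """Standard Schnorr check: g^s == R * y^e (mod p)."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, msg), P) % P
```

A verifier sees an ordinary Schnorr signature under the joint public key, while reading one party's memory yields only that party's share.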

In the cryptographic world, there’s no such thing as “too secure.” However, we recognized that existing enterprise-class digital asset management solutions are forcing customers to choose between security and agility. What use is the most secure platform in the world if it’s unusable in real life?

We set out to build a new offering that pushes the boundaries of security without limiting liquidity of digital assets.

Creating the Unbound Crypto Asset Security Platform (CASP)

Developed with help from IBM, the Unbound Crypto Asset Security Platform (CASP) solution introduces lucrative benefits for digital assets service providers, including:

  • The elimination of any single point of failure across the full digital asset lifecycle. IBM LinuxONE infrastructure offers unique resiliency features such as triple-redundant environmental sensors and Redundant Array of Independent Memory (RAIM) to keep applications running even in the unlikely event of a component failure. IBM LinuxONE can withstand a severe earthquake, with the mean time between failures (MTBF) measured in decades(!).
  • Strict policy enforcement and cryptographic signing support across nearly unlimited asset types (no need to program multi-sig or smart contracts).
  • Insider-resistant, hardened infrastructure for Unbound CASP’s critical software elements. CASP services, key management, vaults, databases, chain connectors, and server-side bots all run within IBM Hyper Protect Virtual Servers, which are securely booted, protected memory enclaves. These enclaves help assure that administrators and operators do not have even technical access to the applications managing digital assets, such as policy enforcement mechanisms. For example, if an administrator initiates a memory dump, the dump is encrypted and does not include administrative access to the private key.
  • Unbound CASP’s code build, signing, and deployment services run within IBM LinuxONE specialized Secure Image Build enclaves. These enclaves help rigidly enforce software review and attestation procedures, to frustrate potential malware, ransomware, and backdoor attackers. These defenses help assure that MPC is properly deployed without human interference. They also help accelerate testing and deployment of legitimate, authorized code updates if there’s ever an application security vulnerability requiring a quick fix. Secure Image Build solves two critical dilemmas: 1) proving the deployed software image is the right one and has not been modified or replaced by a privileged insider, and 2) proving the signed image is what it was supposed to be through the use of the secured source code manifest.
  • Exploitation of IBM Crypto Express Hardware Security Modules (HSMs) for the CASP cold backup key and CASP disaster recovery. IBM Crypto Express is one of the only commercially available FIPS 140-2 Level 4 certified HSMs, meaning it meets or exceeds the most rigorous standards for tamper protection and response. It enables exceptional business continuity, which is mandatory for enterprise-grade financial institutions.
  • Only clients or their trustees control their assets—not Unbound Tech, nor IBM. Clients are issued special IBM smart card HSMs. During a trusted key ceremony, these smart cards collectively generate AES 256-bit key parts that are securely transferred to the platform’s HSM and assembled into a master wrapping key inside an isolated HSM domain. Only the client retains control of their master wrapping key. HSM domains are highly isolated and protected by 360-degree envelope tamper detection and response.
  • Solutions can be deployed to the IBM Cloud, on premises, or in a hybrid deployment, giving institutions and service providers full freedom to decide how and where they’d like to manage their digital asset platforms.

Better together

In partnering with IBM, Unbound achieved a real meeting of minds. IBM demonstrated that they understood our marketplace and our vision.

We participated in a two-day strategy session that helped us home in on what prospective customers are looking for, and how to deliver it to them. The result was a platform that combines our unique software with the IBM Hyper Protect Digital Assets Platform to bring something unmatched to the market, at a surprisingly competitive price point.

By building security into every transaction on the platform, we’re unlocking new liquidity around digital assets. Users don’t have to worry about risk or meeting even the most stringent regulations, as that’s taken care of for them.

Finally, the digital asset market can start reaching its full potential. Alongside IBM, Unbound is offering a platform that means no compromises for customers.

To learn more about how Unbound and IBM are working together to transform digital asset custody, watch the webcast at ibm.biz/Unbound.

To learn more about IBM LinuxONE technology, visit ibm.com/it-infrastructure/linuxone.
