Multi-layered security in crypto custody
With cryptocurrency companies garnering frequent attention for scandals and fraud, it's more critical than ever for digital asset custody providers to be transparent and comprehensive in their security measures. Sound and reliable control environments necessitate multiple layers to protect assets. Bakkt doesn’t merely give lip service to security, but rather we have implemented enhanced processes and protections, from the physical world to the digital world. Read on for an overview of some of the protections that make up our safeguarding strategy.
Physical security
While crypto operates within the virtual space, its protection demands a comprehensive suite of physical assets. Possessing private keys to wallets means having direct control over the associated funds on chain, so it’s crucial to prevent inappropriate access to the private keys by bad actors.
It is imperative that private keys are physically protected from loss, misuse, and corruption. Hardware wallets are physical devices that can be used to store private keys; air-gapped media and computers can also be used for this purpose. Organizations that store keys that provide access to significant funds should also consider additional physical security measures, such as vaults, safes, surveillance systems, and guards. Bakkt utilizes multiple layers of physical security and protections and maintains multiple secured copies of private keys to ensure it can continue to operate even through an adverse event.
Digital security
At the heart of crypto security is digital fortification. Naturally, encryption is of utmost importance here. End-to-end encryption ensures the integrity of transmitted data; encryption of data at rest is also important. Utilizing TLS (Transport Layer Security) for end-to-end encryption ensures that even if someone were to intercept a transaction, they wouldn’t be able to decipher the information contained therein. Utilizing strong encryption for data at rest ensures that a malicious actor cannot gain access directly to transaction data stored within the platform.
The type of wallet technology used is also crucial in determining just how secure a crypto service is. Multi-party computation (MPC), one wallet technology Bakkt deploys, is a technique that breaks down a private key into smaller pieces of data, encrypts each element, and separates them so that there is no single point of failure. Wallets that use MPC technology are often seen as more secure than alternatives.
Still, the digital landscape isn’t just about technology but the processes governing it. Consensus models like the ones seen in Bakkt’s custody solution, where multiple members of an organization must approve a transfer before it goes through, help combat the ability of a single bad actor to commit malicious acts or cipher funds illicitly. Similarly, withdrawal limits and time locks serve to minimize the window of opportunity for such misdeeds.
Network security
A secure network isn’t static, but evolves through continual maturity and testing. Regular penetration testing can help validate that security measures and controls are functioning properly. Regular audits, such as System and Organization Controls (SOC) create transparency and foster a higher level of trust among the user base. Bakkt executes annual SOC 1 and SOC 2 audits, and maintains current reports for its crypto platforms. A trusted provider should invest in third party audits to provide clients with assurance that appropriate and effective controls are in place to protect digital assets; Bakkt executes these audits to provide its clients this assurance.
Operational security
As much as technological controls help bolster a safe custodial environment, they can only go so far. At the end of the day, the human beings involved must also adhere to a strict set of policies and processes to ensure that assets are managed appropriately. Bakkt takes employee awareness very seriously, and as such implements regular trainings, in-depth vetting of potential hires, and a host of other preventative measures. Regular personnel training on important subjects such as anti-money laundering (AML), Know Your Customer (KYC), and other best security practices help keep everyone vigilant and informed. Background checks for all employees, especially those that have access to digital assets and systems can identify personnel risks and help to avoid hiring people with problematic backgrounds. Access controls and multi-factor authentication (MFA) add a barrier to unauthorized access. Our Risk Management, Custody Operations, Information Security, and Compliance teams all play indispensable roles in keeping daily operations running smoothly.
Separation of custody and exchange functions
Zooming out to look at the larger business architecture, one concern looms over the rest. In the world of traditional finance, it’s standard practice to separate custody and exchange functions into distinct entities. This division helps protect assets from theft or interception, and allows for a higher level of trust and transparency. Separating these functions means there is no single point of failure and— perhaps most importantly—no comingling of assets. Cautionary tales of what can go wrong when this distinction isn't upheld are unfortunately abundant.
The crypto world, with its nascent yet still evolving regulatory environment, has not yet caught up with traditional finance in this regard. There is no legal requirement that custody and exchange be separated—yet responsible-minded custodians such as Bakkt choose to be proactive and do so anyway.
Business Continuity
As the saying goes, even the best laid plans can go awry. It’s important for custodians like Bakkt to have thorough Business Continuity Plans (BCPs) in place. The BCP acts as a roadmap and a source of truth, guiding (and in some cases predetermining) each action taken in the event of an emergency. Business Continuity Plans include risk assessment, Business Impact Analysis (BIA), and recovery goals. Recovery goals should outline the maximum tolerable downtime (how long can something be down before it materially impacts operations), recovery time objective (the max time allocated to recover to normal operations), and recovery point objective (the point to which operations is recovered, minimizing data loss). Robust planning make all the difference when it comes to mitigating the impacts of an unfortunate situation, which is why Bakkt maintains business continuity plans and regularly updates and tests its plan.
Compliance
The last piece of the digital security puzzle is regulatory compliance. With its Intercontinental Exchange (ICE) foundations and roots in traditional finance, compliance has always been core to Bakkt’s organizational values. Our Compliance department is structured in such a way as to address key aspects of safety and regulatory adherence. We have dedicated resources to focus on areas such as AML and Sanctions Compliance, Data Privacy Governance Compliance, Regulatory and Licensing Compliance, and Broker Dealer Compliance.
The importance of adhering to regulations and guidance cannot be overstated. A crypto custodian that “plays by the rules” is generally more credible and trustworthy than one who disregards protocol—and credibility is significant in this industry.
Additionally, the requirements are there for a reason. Regulations such as the Bank Secrecy Act (BSA) protect against financial crime and money laundering. Compliance can prevent illicit funds from entering the country’s financial system. Data protection and privacy regulations help ensure that clients’ sensitive information isn’t breached. And so on. Crypto regulation is still evolving; responsible custodians will stay abreast of new developments and make any necessary adjustments to remain compliant.
Conclusion
The safeguarding of crypto assets requires a harmonious mix of physical infrastructure, logical controls, diligent personnel, and above all a steadfast dedication to security. Holistic security involves holding people to the highest standards of work and defining and holding to effective processes and controls. Conscientious providers are blazing the path of regulated, responsible crypto—setting the gold standard, and laying groundwork for healthy growth and development.