IBM, originally one of the biggest supporters of permissioned blockchains, is now carefully positioning its hardware security and cloud computing capabilities around the safekeeping of cryptocurrencies and digital assets.
With much less of the fanfare that accompanied its enterprise blockchain experimentation, IBM’s cryptographic key management infrastructure is becoming a complementary technology to a growing list of crypto custody firms such as Hex Trust, Protego Trust, Propine, Unbound, Onchain Custodian and most recently, Swiss custody firm Metaco.
This matters because IBM works with lots of banks and large financial institutions, almost all of which have woken up to the concept of crypto assets and are currently in search of suitable and safe ways to handle them.
IBM was publicly connected to crypto custody in 2020 via Promontory Financial, a consulting firm wholly owned by Big Blue, which was deeply involved in Wyoming’s special purpose depository institution (SPDI) charter. Promontory was also involved in the national charter granted to custody firm Anchorage Digital.
But it was back in 2016, right around the time the 110-year-old computing giant was diving into enterprise blockchain, that IBM’s head of digital asset infrastructure, Peter DeMeo, started looking closely at the technology. Indeed, IBM’s extensive foray into enterprise blockchain was a learning experience for DeMeo, who says he wants to be careful not to replicate the same level of expectation that came with it.
“IBM could certainly offer a custody stack and do ‘IBM, the custodian’,” said DeMeo in an interview with CoinDesk. “But to do that right really requires organizational commitment. And I saw what happened with blockchain. Whilst there are successes with the permissioned blockchains, they’re not huge moneymakers.”
Rather than competing with existing crypto custody firms, partnerships are a more natural next step for IBM, DeMeo added. “We’re basically going to be layer zero for blockchain tech for others to build on top, and we provide a set of tools in order to do that.”
IBM currently supplies many of the world’s banks with hardware security modules (HSMs) – physical devices that protect cryptographic keys and perform cryptographic operations such as encryption and signing inside a tamper-resistant boundary, and that are designed to become inoperable when tampered with.
But “hardware is dead” is a narrative that’s gained a lot of momentum recently, especially among the cryptocurrency and Web 3 development community, said Adrien Treccani, founder and CEO of Metaco, in an interview. Now it’s all about the cool and extremely practical things you can do with software, he said, like splitting up keys into fragments and securing them without the use of hardware.
Problems occur, however, when it comes to the governance policies and authorization processes around the access to cryptographic keys, which often ends up being done on a normal server, according to Treccani.
“The weak point of your system becomes this piece of the authorization process before you get access to the keys, and that’s one of the challenges that companies like ourselves are facing on a daily basis,” said Treccani.
Large institutional players entering crypto want bank-grade computing, he added, where a special-purpose operating system on adapted security hardware handles and attests to the integrity of everything: deployment of code, execution, maintenance, auditing, etc.
“IBM invested in this so-called confidential computing very early on, and has done it both for their on-premise LinuxOne mainframes, which pretty much every bank in the world uses, and also for their cloud capabilities,” Treccani said.
From the point of view of an institution-focused crypto custody provider, working with a storied company like IBM has been “super helpful,” said Calvin Shen, Head of Business Development at Hong Kong-based Hex Trust, the first crypto custody firm to start working with IBM back in 2019.
“Hex Trust was relatively new to some of these big banks, who perhaps just saw us as a startup,” Shen said in an interview. “But when they were doing due diligence, we would say, ‘Hey guys, we’re building on our IBM Linux one platform,’ and that makes those institutions feel comfortable.”
These days, banks and financial institutions are also attracted by clever security techniques such as multi-party computation, whereby a private key is split into shares held in different locations so that no single party ever holds the whole key. That said, those same institutions must be able to show they have full control over their assets at all times.
This is really a workflow issue, and one that most crypto custody firms haven’t thought through, said IBM’s DeMeo. There is a need to manage policy around what administrators can do, thus preventing the possibility of internal collusion – changing the rules around digital signature thresholds, for example. Another component is “secure build,” which means ensuring that backdoors cannot be introduced when new software is added to the environment.
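To make the key-splitting and threshold idea in the two paragraphs above concrete, here is an added illustration using Shamir secret sharing; it is not code from IBM, Metaco or Hex Trust. A constructed 256-bit key is split into five shares, any three of which recover it, while two reveal nothing useful, and a small policy gate refuses to act when fewer shares than the configured quorum are presented. Production MPC custody goes one step further and signs with the shares jointly so the key is never reassembled; this example reassembles it only to demonstrate the threshold. The only real constant is the secp256k1 field prime used as the modulus; every function name and sample value is constructed for the example.

```python
"""Threshold secret sharing (Shamir) as a stand-in for the key-splitting described above.

Added illustration, not IBM/Metaco/Hex Trust code. Any `threshold` of the `n_shares`
shares reconstruct the secret; fewer give no information about it.
"""
import secrets

# Field modulus: the secp256k1 base-field prime, so any 256-bit key fits as a secret.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F


def _eval_poly(coeffs, x):
    """Evaluate the polynomial c0 + c1*x + ... at x using Horner's rule, mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_secret(secret, threshold, n_shares, rng=secrets.randbelow):
    """Split `secret` into n_shares points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret. `rng` is injectable for tests."""
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the shared polynomial at x = 0 from (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P        # product of (0 - xj)
                den = den * (xi - xj) % P    # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def quorum_reconstruct(shares, threshold):
    """Policy gate: refuse to attempt reconstruction below the configured quorum,
    so a lone administrator cannot act without the agreed number of approvers."""
    if len(shares) < threshold:
        raise PermissionError(f"{len(shares)} share(s) presented, policy requires {threshold}")
    return reconstruct(shares[:threshold])


def demo(threshold=3, n_shares=5):
    """Split a constructed key and report which subsets of shares recover it."""
    key = secrets.randbits(256) % P  # constructed sample key, not a real custody key
    shares = split_secret(key, threshold, n_shares)
    # Any `threshold` shares (here shares 2..4) recover the key exactly.
    with_quorum = quorum_reconstruct(shares[1:1 + threshold], threshold) == key
    # `threshold - 1` shares interpolate to an unrelated field element.
    below_quorum = reconstruct(shares[:threshold - 1]) == key
    return {"key_recovered_with_quorum": with_quorum,
            "key_recovered_below_quorum": below_quorum}


if __name__ == "__main__":
    print(demo())
```

The `rng` parameter exists only so the scheme can be exercised deterministically; in real use the coefficients must come from a cryptographic source such as `secrets`, since predictable coefficients collapse the threshold.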
“We have a technical environment where you can deploy your stack, where you write it and we take care of the rest,” said DeMeo. “We also have a way to put stuff into that environment where it’s fully attested. Last but not least, when it comes to key management, we are talking about having keys encrypted 100% of the time and never exposed to the internet – a preeminent, world-class cold storage.”
“If you’re a bank and you bet your dollar on any of these guys, well, you have a seed migration issue because you have to do something else,” DeMeo said. “We create the ability to do off-chain migration of seed, to retain the seed and not create a new one.”
Not a binary choice
The debate over whether hardware security modules, multi-signature or multi-party computation (MPC) offers the most appropriate security technology is pushing the boundaries when it comes to state-of-the-art crypto custody.
“HSM versus MPC doesn’t have to be a binary choice,” said Hex Trust’s Shen. “The next big thing is MPC on HSM. That’s coming, and people are certainly cognizant of this hybrid.”
Treccani echoed this, pointing out that some of Metaco’s clients want to use MPC for their hot wallets and HSM for cold storage, often in combination, and it’s been driving exploration in this overlapping area.
“The qualities of MPC are elegantly complemented with the qualities of hardware if you’re able to embed one in the other,” said Treccani. “I don’t want to say too much about it because this technology doesn’t officially exist today, but I think the next step is MPC within HSM.”
Penetrating the exchange market
IBM’s main market for its digital asset suite remains the banks that already use its LinuxOne mainframes and who can deploy a digital assets stack that connects to their core banking system without the need for any additional infrastructure.
Thus far, cryptocurrency exchanges have yet to be convinced of the benefits of using IBM technology, despite the reputational damage and substantial losses that could result from collusive attacks and inside jobs that happen periodically in crypto.
While he’s now having considerable success courting banks and larger fintech firms looking to explore digital assets, it’s puzzling to DeMeo that IBM has not been able to generate any traction with the more established crypto exchanges.
After all, the cost of an IBM mainframe is a drop in the bucket to a firm like Binance, said DeMeo, and when you “peel back the onion,” most crypto exchanges have little in the way of controls to stop a rogue chief technology officer disappearing with all the funds.
“Personally, I don’t understand it,” DeMeo said. “Invest in this technology and the likelihood of you experiencing this type of attack is greatly reduced.”
UPDATE (Feb. 28, 15:28 UTC): Modifies list of IBM custody clients.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.