Digital Asset Trusted Third Parties: Why are they needed, and who can you trust?
by Mark Titmarsh
With many institutions now relying on custodial technology providers, trusted third parties are an ever-growing presence in the digital asset industry.
Custodial technology providers allow institutions to self-custody digital assets by providing wallet technologies, among other services. When institutions are using these technologies, they are generally on their own when it comes to managing and securing the private keys.
To help institutions protect their digital assets, trusted third parties offer services to back up copies of private keys, which can be recovered in the event of a disaster if the institution's key management or business operation fails. While trusted third parties should never be in control of the entire threshold of backups, they offer an important layer of additional security to protect the institution’s assets.
The way trusted third parties back up the private keys depends on the wallet technology used by the institution, but some common examples include:
- Backing up and securing MPC key shards on physical FIPS 140-2 devices – a type of cryptographic hardware – and placing the physical hardware in vaults.
- Securing shards within secure enclaves/hardware security modules (HSMs) across multiple data centres, away from the institution’s premises.
- Securely storing seed phrases, recorded on crypto steels, within a vault.
While trusted third parties help institutions to back up and recover private keys, and distribute the risk of a loss, they do introduce some risks of their own. These should be carefully considered when deciding which third party to trust.
- Trusted third parties may not undertake their key ceremonies in secure, access-controlled locations, which can affect the integrity of backups. For example, if a key ceremony is undertaken in a busy office, anyone walking by could copy, record, and share private key information. Find out where key ceremonies take place, and the access controls the provider has implemented.
- Once private keys have been backed up on physical hardware, it is not always clear how the hardware is transported to storage sites off-premises. It could be lost or stolen on public transport or in a taxi between the ceremony site and the storage location. Some providers offer discreet secure transport, while others put hardware in a bag and walk it between locations, which poses a risk of theft, loss or damage while in transit – it’s vital that you understand how your backups are getting to their secure storage location.
- The secure storage itself is often subcontracted by a trusted third party to small safe deposit box centres, which may not be open at all hours. This affects availability times in the event of a disaster recovery and could cause business interruptions while trying to retrieve the hardware. Knowing the arrangements your trusted third party has either with their own secure locations, which is always the more secure option, or otherwise those they use, is another key thing to find out.
- In the event of a service failure, it is important to know what liability limits your trusted third party offers. Do they match up to the potential loss your business could face in the event of a loss of backups?
When dealing with digital assets, some individuals and institutions are put off by the risk of a loss. But, these risks are inherent with lots of different types of technology, and when carefully managed and properly researched, a trusted third party can be the missing puzzle piece to limiting the likelihood and extent of a loss. It’s important to ask questions about the end-to-end security of any third party before trusting them, as while nobody wants to face the prospect of initiating disaster recovery, the peace of mind of a backup in a secure and accessible location is a worthwhile investment.
Mark Titmarsh is an experienced business leader, risk manager and product innovator within the digital asset, Web3 and insurance industries. Following a decade of underwriting experience at the UK's largest insurer, Mark is now the Head of Digital Assets at a global security company, working with financial institutions and custodians to safeguard their assets, key management processes and security operations.
Mark has led the development of products and infrastructure to protect digital assets, including an insured cold storage solution for crypto assets and NFTs, and an institutional disaster recovery security service to ensure the safe generation, storage and recovery of private keys.
Mark has regularly delivered insight on digital asset security and risk on panels, webinars, and podcasts and has been featured in industry publications such as the Block and Finews.