IBM unveils new air-gapped cold storage solution for digital assets
IBM announced the launch of IBM Hyper Protect Offline Signing Orchestrator (OSO), an air-gapped cold storage solution for digital assets, on Dec. 5.
Working with digital asset manager Metaco — an IBM partner and Ripple subsidiary — and tier-1 banks, IBM developed the end-to-end asset encryption service to address common vulnerabilities found in typical cold storage solutions.
According to the announcement:
Cold storage
IBM designed OSO to address these vulnerabilities by removing the manual functions of initiating and conducting transactions. Much like a time-release safe that cannot be opened upon request, OSO can be configured to only send transactions from cold storage to the blockchain, and vice-versa, at specific times or only through the authorization of a multibody governance scheme.
This, according to the blog post and accompanying research, prevents the most common forms of insider attack, including physical access, administrative manipulation and coercion attacks. If a bad actor were to somehow access the system, physically or remotely, they could only initiate a transaction during approved times and would have to wait until the transaction was approved for execution in order to receive/steal assets.
Further ensuring OSO’s resilience to attack, digital assets can be placed in “air-gapped” storage containers. Storage is considered air-gapped when it is not connected to the internet or any device capable of connecting to the internet. This ensures remote attacks can’t access assets while they’re at rest.
https://www.youtube.com/embed/o28kWyxoiV8
Securing blockchain transactions
Administrators managing cold storage solutions in a typical air-gapped paradigm usually have to hand-carry physical storage devices such as laptops or USB drives to offline hardware in order to sign transactions. This manual process introduces human error, a non-malicious form of attack that can be just as costly as an intentional exploit.
OSO implements a policy engine that can broker communication between two different applications without simultaneously connecting to both. As it operates through a virtual, partitioned server, via IBM’s Confidential Computing service, it also has no direct external network connectivity. This prevents human error from manual processes as well as remote access (hacking) — even during transactions.
Related: Bitcoin custodian Nostr Assets pauses deposits after reaching ‘maximum capacity’
Source: Read Full Article