Virtual Asset Trading: Getting the Technology Piece Right

Image credit: iStockphoto/francescoch

Mention virtual asset trading (VAT), and people focus on the assets — cryptocurrencies and tokens. They also debate the regulatory framework and compare the merits of each regime. 

Most overlook the third equally important aspect of virtual asset trading: technology. And it is also where current and aspiring exchanges must pay extra attention. That’s because the technology path can determine your ability to remain compliant, scalable, and resilient to spiking demands.

Making the technology case

Hong Kong is one of the few Asia Pacific countries taking the lead on VAT. Early this year, the government shared more details of the new proposal to establish a new licensing regime for virtual asset service providers (VASPs). 

It requires potential and existing VASPs to carry out customer due diligence (CDD) and comply with record-keeping expectations similar to those of financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs). You can find more details in this Hong Kong Bills Committee report.

But hidden within these details and definitions of what are considered virtual assets (e.g., non-fungible tokens (NFTs) are considered mainly limited-purpose digital tokens and are excluded from the Bill) is an assumption that the technology architecture is robust and can withstand current and future scrutiny.

For Arvind Swami, director for financial services industry at Red Hat Asia Pacific, the reasons are apparent. “Let's start with what is a virtual asset: it's a digital representation of an item. And this is important because we're already getting into the realm of technology.” 

This makes VAT different from other types of exchanges. While technology enables all kinds of trading, the asset is often fiat-based or tied to a physical asset or commodity. “In VAT, the virtual asset itself is quite tightly coupled with technology,” Swami says. 

VASPs also need robust technology from the outset for two other reasons: making the exchange accessible for trading and securing transactions and virtual assets. “When you bring these things together, it automatically brings you to the area of technology. Because all of these things are facilitated through technology,” says Swami.

APIs also play an intimate role in VAT. That’s because they need to interconnect with different parties in an ecosystem, such as payment processors and individual interfaces in the trade. “So APIs become that much more important,” says Swami.

Equally important is scalability. And this is one reason why many VASPs often take a cloud-first route, as it offers them “elasticity.” “It gives you that scalability to handle those kinds of trading volumes,” says Swami.

Lastly, running a blockchain-based exchange is not the same as spinning up fast servers in a data center backed by massive storage. Blockchains are distributed digital ledgers. The keyword here is “distributed.”

Swami points out that blockchains are essentially peer-to-peer networks sitting on the internet. The ledger becomes replicated into vast amounts of identical databases, each hosted and maintained by an interested party.  

When transactions occur, records of the value and assets exchanged are permanently entered into all ledgers and appended to the growing “chain.” This makes VAT transactions immutable and almost immediate. There is no need for third-party intermediaries to verify or transfer ownership like a stock exchange. “But VAT also becomes all the more technology-driven because there's nothing physical about it,” says Swami. 

Immutability vs. security

Often blockchains are marketed as inherently secure. Yes, the virtual asset is protected by a private key with strong security. Yet, we still hear news about crypto theft and hacked exchanges. 

“People should not confuse immutability with security. In an exchange, the ability to log in and trade are all linked to security. And this goes back to how the architecture was set up,” says Swami. 

Many virtual asset trading exchange hacks target poor security around private keys and insecure sharing of keys. APIs are another infiltration point; if they are not adequately checked or vetted (especially when APIs are often updated independently, and you need site reliability engineers to test them), hackers can access your private keys.

“You can have the best safe in the world, but if the keys to the safe are available to everyone, how safe is that safe?” Swami explained. 

To harden a virtual asset trading exchange’s infrastructure, you must follow the proper standards and site reliability engineering. Instead of trying to build from scratch, Swami suggests potential VASPs consider hardened products. 

For example, one candidate is Red Hat Advanced Cluster Security for Kubernetes, powered by StackRox (the container-security company Red Hat acquired in 2021). 

It offers a self-managed security solution for your Kubernetes infrastructure. It also integrates with existing DevOps tooling and workflows to deliver better security and compliance — tackling the worry of supply chain attacks. 

The policy engine includes hundreds of built-in controls to enforce DevOps and security-focused best practices. These are based on industry standards such as Center for Internet Security (CIS) Benchmarks and National Institute of Standards and Technology (NIST) guidelines, and cover configuration management of both containers and Kubernetes as well as runtime security.

Such a deployment aims to lower operational costs, reduce operational risks, and (if you have substantial development resources) improve developer productivity. 

It also gives a more holistic approach to security, not piecemeal. This is vital as regulators will only increase their scrutiny of the security architecture as new threats emerge. It also allows a VASP to make strategic decisions on closing its security holes and better manage a multiprotocol environment. 

“When you're looking at across the spectrum, you have to look at security across the whole spectrum where you're hosted across the whole architecture that you're setting up for the application that you're going to run,” reiterates Swami. 

The open source innovation advantage

While it’s clear that VAT will be a technology play from the start, should VASPs take a proprietary route or an open source one?

“I will rephrase your question: why should they look at open source? One of the biggest reasons [compared with proprietary] is the community,” Swami answers. 

He argues that the days when large teams of over 1,000 people worked on proprietary software “are gone.” In contrast, the open source community has grown by leaps and bounds.

“It allows you to get a high degree of ideas coming in and driving innovation. But at the same point of time, if there's a security issue, there's a much larger pool of people contributing in terms of how fixes are deployed in and made available,” Swami describes. 

Open source has also matured a lot. As open source software and its distributors increasingly support mission-critical enterprise projects, they have shored up their skills. And, in the spirit of open source, those learnings, outcomes and code get channeled back into the community for further innovation and scrutiny.

Swami points to the development of blockchain and Kubernetes, which are open source. “And why are [major vendor] companies making their IT projects into open source? That’s simply because they see that once in the community, the ability [for these projects] to expand and become much bigger is way faster.” 

This means that open source is now driving innovation. And this is already occurring in the highly-regulated financial services space, where companies are looking to virtualize trading. It should also be a starting point for VASPs.

But before jumping on the bandwagon, Swami had some advice. “Try and stick to enterprise-grade because you get something which is tested and hardened, and you get proper support.”

The community and support will matter as regulators and VASPs learn from each other as VAT becomes more pervasive and accessible.

Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].
