CDO University | Thought Leaders

Six Steps to Secure Cryptographic Keys

In Hong Kong, financial technology (Fintech) is transforming traditional financial services. The growing popularity of bitcoin and the technology behind cryptocurrencies, as well as blockchain, has led to increased demand and usage of these digital assets. While Hong Kong is part of China, it has not followed in its footsteps of effectively banning cryptocurrency trading. It provides a unique opportunity for Hong Kong, which is now becoming a hotbed for technology and new cryptocurrency projects and innovation.

Hong Kong authorities, The Financial Services and Treasury Bureau (FSTB) and The Investor Education Centre (IEC) are raising awareness through the launch of an educational campaign which outlines the features, information and potential risks of Initial Coin Offerings (ICO) and cryptocurrencies for the public.

However, the era of cryptocurrencies has brought new threats from attackers. The rapid development of the cryptocurrency market is also accompanied by new ways of cyber attacks as well as the number of methods to access data illegally, exploit computer power and extort money.

In parallel, the surge in interest in cryptocurrency is posing a real threat as well. As this form of currency gains more popularity and credibility, organizations in every industry will need to implement security controls to mitigate risk against crypto-credentials from becoming exposed.

Digital Wallets – The Basics

There are two types of digital wallets: hot wallets and cold wallets. Hot wallets are used by individual users and organizations to store smaller amounts of currency, providing the need for more fluidity required for quick transfers and exchanges. Many cryptocurrency services manage and store the wallet's private key and provide users with easy access. Usually, this type of managed service is password protected.

As for cold wallets, it is used by organizations and security-savvy individuals and typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely and often stores it on an offline computer. However, if the network becomes compromised, then the keys will follow suit shortly.

Don’t Get Digitally Robbed

Human users do not exclusively use cryptocurrency private keys. Many automated processes perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a foundational first step, quickly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.

Cryptocurrency private keys should be treated as another type of privileged credential that needs to be managed and protected. In essence, it should be handled similarly to how we store a password with a few slight modifications and specific requirements.

Whether humans or automated processes access the private keys, it is critical to authenticate the access control and assure a malicious insider or external attacker has not forged it.

Here are six key considerations to help secure and protect cryptographic keys:

Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, enforce multi-factor authentication to all users who have access to the vault.
Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
Enable secure application access – Restrict access to stored keys to authorized applications and verify that the applications are legitimate and untampered.
Audit and review access key activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
Enforce workflow approvals – Enforce workflow approvals for any activities considered to be highly sensitive, and the same goes for accessing the keys.
Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g., the system hosting the wallet).

This is a contributed article from Jeffrey Kok, Vice President of Solution Engineer, the Asia Pacific and Japan, CyberArk. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.