Digital Asset Security as-a-Service (SaaS), and the Pros/Cons of Outsourcing Security
Crypto-asset Security as-a-Service offerings can be tempting for enterprises who want to deliver digital asset services without building the infrastructure. But is it right for your organization?
Let’s play out a scenario: you’re a mid-size organization (or larger) dealing with cryptocurrency and blockchain keys — and you must keep them secure.
Your organization has decided not to develop its digital asset security infrastructure internally (perhaps after reading our last blog post on internally built or “DIY” security systems). The next natural option? Security-as-a-Service (SaaS) vendors to handle the security aspect for you.
Will SaaS be up to the task? In this article, we’ll explore the pros and cons, benefits and tradeoffs of choosing SaaS for protecting digital assets.
What’s SaaS in the secure digital asset space?
Whereas a DIY digital asset security system usually involves deploying and managing an amalgam of hardware-based security to protect digital asset keys, “cold” storage and multi-sig technology, SaaS provides businesses with an easy-to-manage, outsourced alternative for their security needs.
With SaaS offerings for digital assets, the vendor often handles the following:
- Protecting the organization’s keys
- Securing all transactions
- Publishing transactions to the blockchains of the ledgers they support (more on that below)
From a practical standpoint, here are the pros and cons of such a system:
- Service performance and resilience
  - SaaS vendors typically invest in building robust and high-performance infrastructure, and on a day-to-day operations level, help organizations by offloading administration and maintenance overhead.
  - However, the risks involved with outsourcing critical systems apply to security as well. Organizations are vulnerable to losses and reputation damage caused by service outages; the SaaS client is only as operational as the service itself, and has limited control during periods of maintenance, outages, etc.
  - In addition, organizations are limited to the backup and resilience capabilities provided by the SaaS vendor.
- Service flexibility — SaaS clients are limited to the operations, core features, ledger support, and service options provided by the vendor. If a client wishes to expand to new service types, or add support for new or custom blockchain ledgers/assets to their existing services, for example, they are limited by the flexibility (and setup time) of the SaaS vendor.
- Security validation/controlling risk — SaaS vendors typically invest in security, benefitting organizations who don’t have the same level of expertise and resources in-house. Still, SaaS clients must rely on their vendors’ security implementation and thus have limited ability to control or address security risk. Breaches leave clients vulnerable.
SaaS may be a viable option for organizations with a certain size or growth capability. But for companies who consider digital assets a strategic part of their offering, the service flexibility and risk control aspects are critical to consider, as over time they can have a huge business impact. Here are the critical questions we recommend exchanges, custodial services, trading platforms, and other cryptocurrency service providers ask while evaluating their options:
- What happens if you have a new requirement that the SaaS vendor does not support?
- Will outsourcing your operations inhibit your organization’s ability to grow and expand?
- What are your reasons for deciding to outsource security services? If your SaaS vendor’s services go down so your customers can’t transact, will your SLA with the service provider cover your losses?
Answers to these questions are not one-size-fits-all. Still muddling over the possibilities? Stay tuned for our upcoming conclusion to this series about how a self-managed security platform developed by a security vendor can fill some of those gaps.