IBM Unveils Hyper Protect Offline Signing Orchestrator (OSO): A Secure Air-Gapped Cold Storage Solution for Digital Assets
IBM made a significant announcement on December 5 with the launch of IBM Hyper Protect Offline Signing Orchestrator (OSO), a cutting-edge air-gapped cold storage solution designed for digital assets. In collaboration with digital asset manager Metaco, an IBM partner and Ripple subsidiary, and in partnership with tier-1 banks, IBM developed this end-to-end asset encryption service to effectively address common vulnerabilities prevalent in conventional cold storage solutions.
Highlighting the limitations associated with offline or physically air-gapped cold storage in the official announcement, IBM emphasized challenges such as privileged administrator access, operational costs, errors, and the inability to scale—issues all attributed to human interaction.
IBM’s OSO is strategically crafted to tackle these vulnerabilities by automating the manual functions involved in initiating and conducting transactions. Analogous to a time-release safe that remains sealed until specific conditions are met, OSO can be configured to execute transactions solely between cold storage and the blockchain at designated times or through the authorization of a multibody governance scheme.
This approach, as outlined in the accompanying blog post and research, serves as a robust deterrent against common insider attack vectors, including physical access, administrative manipulation, and coercion attacks. In the event of unauthorized system access, whether physical or remote, a malicious actor would only be able to initiate a transaction during approved times, requiring subsequent approval before execution to prevent unauthorized access or asset theft.
To further fortify OSO’s resistance to potential attacks, digital assets can be securely stored in “air-gapped” containers. Storage is considered air-gapped when it remains disconnected from the internet or any internet-capable device, ensuring that assets are impervious to remote attacks while at rest. IBM’s OSO emerges as a comprehensive and resilient solution, effectively addressing the limitations of traditional cold storage and providing enhanced security for digital assets in an ever-evolving landscape.
IBM announced the launch of IBM Hyper Protect Offline Signing Orchestrator (OSO), an air-gapped cold storage solution for digital assets, on Dec. 5.
Working with digital asset manager Metaco — an IBM partner and Ripple subsidiary — and tier-1 banks, IBM developed the end-to-end asset encryption service to address common vulnerabilities found in typical cold storage solutions.
According to the announcement:
“When it comes to offline or physically air-gapped cold storage, there are limitations, including privileged administrator access, operational costs and errors and the inability to truly scale. All these limitations are due to one underlying factor—human interaction.”
Cold storage
IBM designed OSO to address these vulnerabilities by removing the manual functions of initiating and conducting transactions. Much like a time-release safe that cannot be opened upon request, OSO can be configured to only send transactions from cold storage to the blockchain, and vice-versa, at specific times or only through the authorization of a multibody governance scheme.
This, according to the blog post and accompanying research, prevents the most common forms of insider attack, including physical access, administrative manipulation and coercion attacks. If a bad actor were to somehow access the system, physically or remotely, they could only initiate a transaction during approved times and would have to wait until the transaction was approved for execution in order to receive/steal assets.
Further ensuring OSO’s resilience to attack, digital assets can be placed in “air-gapped” storage containers. Storage is considered air-gapped when it is not connected to the internet or any device capable of connecting to the internet. This ensures remote attacks can’t access assets while they’re at rest.
Securing blockchain transactions
“Enhancing Security in Cold Storage Management: The Role of IBM Hyper Protect Offline Signing Orchestrator (OSO)”
In conventional air-gapped scenarios, administrators overseeing cold storage solutions often find themselves manually transporting physical storage devices, such as laptops or USB drives, to offline hardware for transaction signing. Unfortunately, this manual process introduces human error, which, while non-malicious, can be just as detrimental as intentional exploits.
OSO introduces a sophisticated policy engine designed to facilitate communication between two distinct applications without the need to connect to both simultaneously. Operating through a virtual, partitioned server via IBM’s Confidential Computing service, OSO ensures there is no direct external network connectivity. This dual functionality not only prevents human errors in manual processes but also safeguards against remote access, such as hacking, even during active transactions. Explore how OSO is revolutionizing cold storage management and fortifying security measures in the process.
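As an added illustration of the “time-release safe” rule described above (a transaction can only be initiated during approved times and must then be approved by a multibody governance scheme), the Python below models such a policy gate: a signing request is released only inside a configured window and once a quorum of distinct, authorised approvers has signed off. This is constructed example code, not IBM’s or Metaco’s, and says nothing about OSO’s actual policy language; the window, approver names and timestamps are invented.

```python
"""Illustrative policy gate modelled on the "time-release safe" idea: a signing
request is released only inside an approved window AND once a quorum of distinct,
authorised approvers has signed off. Constructed example, not IBM's or Metaco's code."""
from dataclasses import dataclass
from datetime import datetime, time, timezone

@dataclass(frozen=True)
class Window:
    weekday: int  # 0 = Monday ... 6 = Sunday, evaluated in UTC
    start: time
    end: time     # exclusive

    def contains(self, ts: datetime) -> bool:
        ts = ts.astimezone(timezone.utc)  # normalise offsets before comparing
        return ts.weekday() == self.weekday and self.start <= ts.time() < self.end

@dataclass
class SigningPolicy:
    windows: list[Window]
    approvers: frozenset[str]  # identities allowed to approve a release
    quorum: int                # distinct approvals required

    def evaluate(self, now: datetime, approvals: list[str]) -> tuple[bool, list[str]]:
        """Return (release, reasons); release is True only when every rule passes."""
        reasons: list[str] = []
        if not any(w.contains(now) for w in self.windows):
            reasons.append("outside approved signing window")
        unknown = sorted(set(approvals) - self.approvers)
        if unknown:
            reasons.append(f"rejected approvals from unknown identities: {unknown}")
        valid = set(approvals) & self.approvers  # a set, so one approver cannot vote twice
        if len(valid) < self.quorum:
            reasons.append(f"quorum not met: {len(valid)}/{self.quorum} distinct approvers")
        return (not reasons, reasons)

# Constructed sample policy: Tuesdays and Thursdays 09:00-11:00 UTC, 2-of-3 approvers.
POLICY = SigningPolicy(
    windows=[Window(1, time(9), time(11)), Window(3, time(9), time(11))],
    approvers=frozenset({"ops-a", "ops-b", "risk-c"}),
    quorum=2,
)

def decide(iso_timestamp: str, approvals: list[str], policy: SigningPolicy = POLICY) -> tuple[bool, list[str]]:
    """Evaluate the policy at an ISO-8601 timestamp that carries a UTC offset."""
    return policy.evaluate(datetime.fromisoformat(iso_timestamp), approvals)

if __name__ == "__main__":
    print(decide("2023-12-05T10:00:00+00:00", ["ops-a", "risk-c"]))   # (True, [])
    print(decide("2023-12-05T10:00:00+00:00", ["ops-a", "ops-a"]))    # duplicate vote, quorum not met
```

Every rejection carries its reason so the decision can be logged and audited, and the window check is done in UTC so an approver submitting from another time zone cannot widen the window by accident.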