Anchorage Digital Bank Explains Why They Use Chromebooks as Their Primary Hardware, OS

Aaron Lint, Security Lead at Anchorage Digital, and Prasanna Gautam, Technical Lead, Protocols, along with other members of the firm’s professional team, have shared key updates.

Anchorage Digital notes in a blog post that as a fast-scaling company, their technical staff is core to their institutional digital asset platform.

They’re sharing some key updates made by their engineering team “to help institutions participate in the digital asset ecosystem.”

Launched in San Francisco in 2017, Anchorage Digital is “a regulated crypto platform that provides institutions with integrated financial services and infrastructure solutions.”

Two security industry veterans founded the company “with the goal to secure digital assets, and security is foundational in everything we do.”

Their differentiated custody solution reportedly “protects billions of dollars in digital assets — all without compromising accessibility.”

So when it came to selecting workstations — the computer and hardware setup for their team — security was their “top priority.”

Their decision to use Chromebooks as their main hardware and OS at Anchorage Digital was “an uncommon choice.”

It was “driven by this central desire to enable the highest level of security.”

When it came to selecting their hardware and operating systems, they knew they “would need a combination of security, developer productivity, and scalable choices as we grew.”

Early on, they decided “to use Chromebook Pixelbooks with strong hardware Two Factor Authentication (2FA) as their computers of choice for most employee activities.” These most easily allow them “to safely sandbox sensitive company data and maintain an extremely high standard for security.”

Beyond the standard concern of preventing the security breaches that happen every year, they take additional precautions as a company “operating in the crypto industry, which is especially tempting for hackers.”

Zero-day attacks “targeting crypto exchange employees are just one of the many examples of elevated risk in our industry.”

Google’s ChromeOS allows them “to stay nimble and run the latest secure code while developing cutting edge technology and security for their customers, along with additional security measures we’ve taken when it comes to employee workstations.”

For growing companies like Anchorage, scaling highly secure, auditable access while balancing the cost and friction of those controls “presents a variety of challenges.”

These challenges can become acute “if the choice is made to deploy and maintain perimeter Virtual Private Network (VPN) servers, which create a single point of failure, compromise, and bottleneck which can become brittle as companies expand.”

Their selections are as follows:

  • Chromebooks using up-to-date, Verified Boot ChromeOS
  • Hardware for non-carrier-based two-factor authentication
  • Isolation of non-Chromebook hardware from corporate network
  • Policies enforced through Chrome Enterprise which prevent arbitrary installation of untrusted applications and extensions

Using Chromebooks allows them “to cleanly restrict access to company-managed and approved devices only.”

They rely on Chromebook-native principles, “adhering to the BeyondCorp philosophy, ensuring that every internal application is hardened with strong cryptography and access controls directly.”

As explained in a blog post, this is “an intentional choice of embedded security instead of introducing perimeter services (like VPNs) which, once breached, allow an attacker to more freely pivot on an internal corporate network.”

They claim to have taken steps “to further deepen their resiliency against credentials-based attacks by using 2FA on our hardware.”

Since the launch, there’s reportedly been “no need to introduce services that have to be managed outside the Chrome Enterprise ecosystem.” They use the Identity Aware Proxy “to enforce meaningful hardware-level policies as a part of every authentication and authorization decision.”

For more details on this update, check here.


