There are plenty of defining years in the history books, and as 2020 draws to a close, it’s almost certain that the global pandemic will ensure that this year is featured prominently. With events cancelled, launches delayed, and country-wide lockdowns, the way we work has changed forever. Still, for financial technology and surrounding industries, this was also a year of challenge and opportunity.
This December, The Fintech Times is asking industry leaders for their ‘View from the Top’ to gain an insight into the decisions behind the last 12 months.
Today, we speak to Yehuda Lindell, the co-founder and CEO of Unbound Tech, a company that creates cryptographic key management and protection solutions designed for an increasingly interconnected world. Lindell is also a professor of computer science at Bar-Ilan University in Israel and a cryptographer with years of industry experience.
Here he discusses his expertise in secure multi-party computation and Unbound Tech’s work with global organisations.
What was the vision behind starting Unbound Tech?
I am a cryptographer by trade and training and have been practising cryptography for more than 20 years now. I started doing pure theory, bordering on applied math and, over time, my research shifted to making multi-party computation (MPC) technology – my research speciality – a technology that is efficient enough to be used in practice. The idea of commercialising MPC technology was therefore a natural next step on the road from theory to practice.
Almost a decade ago, I co-founded Unbound Tech along with Guy Peer and fellow cryptographer Nigel Smart. The underlying idea behind Unbound’s solution was that the MPC research we were doing in academia could solve the acute problem of protecting cryptographic keys and secrets. Our theory was that if we split the keys and secrets (of all types) and use MPC to ensure that they are never combined, even while in use, we could deliver a new methodology in key protection. This simple and yet powerful idea became the springboard to our solutions which are now in use by some of the world’s largest banks and enterprises. At the time, MPC was primarily only known by academics and a big part of founding Unbound was the understanding that we could greatly improve how businesses and people’s information are secured in today’s dynamic and virtualised computing environments.
Today, Unbound Tech aims for enterprises worldwide to easily secure and manage all their clients’ information, identities and assets, and as MPC has begun to really take off in the security field, we are well on our way.
What is MPC and what value does it bring to the fintech sector?
In technical terms, secure MPC is a subfield of cryptography allowing multiple parties to jointly compute any function while keeping their respective inputs private. Unbound has pioneered the use of secure MPC to enable a distributed model of trust based on creating, using and managing secrets as multiple shares distributed across multiple entities, with a strong yet elastic and agile pure-software platform.
In other words, MPC never keeps keys in one place and offers strong cryptographic key protection capabilities in pure software. This means that any key management system can now be secured to the highest degree and split among multiple parties without the scalability problems, high cost of ownership, and inflexibility that many legacy hardware-based models present.
When it comes to real-world applications, MPC has so many potential use cases that we helped found an entire organisation around it: The MPC Alliance.
Fintech is one of the key markets that greatly benefits from our highly advanced approach and many use cases. For example, one of the main benefits we see often is being able to tokenise any asset; securing mobile banking data to meet the strictest of requirements, without sacrificing the user experience for employees and clients; and policy enforcements across multiple and complex financial IT environments – whether that’s for fiat assets or for blockchain-based assets. Another advantage to fintech is the ability of MPC to support maker/checker workflows, with cryptographic enforcement.
What special challenges would you say the financial sector faces today in terms of cryptographic key security?
Financial services are under great pressure to keep delivering the same premium levels of security and trust as before – but they’re dealing with a world that’s increasingly mobile, where information is less and less under their direct control, and where different asset types leave different security vulnerabilities than before.
This is coupled with the fact that compliance requirements for financial services – no matter where that service is based – are typically based on 20+-year-old IT infrastructures, like hardware security modules (HSMs), and may not take into account the mass interfacing of everything via internet and cloud services.
In practice, this means that financial services often have their clients’ data spread over multiple data silos or other key management infrastructures and are struggling to make those systems interoperable enough to provide full transparency to auditors and fast services to clients. Not to mention the recent renewed emphasis on compliance on both sides of the financial asset equation – increased scrutiny over assets kept on Cloud environments (e.g. CLOUD Act, GDPR, etc.) and over the compliance and regulation enforcements in the digital asset sector (security tokens/SEC, the IRS now requiring cryptocurrency reporting on page one of the 1040 form, etc.).
As a result, we once again have the classic ‘security-usability trade-off’: either clients’ assets are held to traditional standards of hardware-based security, but it takes the client a long time to access those assets, and they are burdened by hardware tokens or other processes along the way – or, the clients’ assets are secured using newer software-based systems, but they’re more vulnerable to attacks from identity thieves, rogue insiders at organisations, or just plain human error. And the bottom line is, both sides of the trade-off cost organisations considerable time and money. MPC-based solutions bridge that gap by providing a high level of security without compromising on usability, agility and flexibility.
MPC-based solutions are also compatible with hardware. It is possible to utilise hardware where needed (e.g., for regulatory reasons) and MPC elsewhere, in a single platform that provides a unified solution for an enterprise’s cryptographic needs.
Where do you think the financial industry is going in terms of meeting those challenges?
Looking at the macro level, we’ve already seen that governance and compliance are more important than ever – especially now when everything is moving from on-premise centres to devices. Tamper-proof auditing has never been more critical in terms of meeting government requests for data and in terms of providing custodial services for mobile, data-driven, device-driven enterprise banking clients.
In terms of the usability issue, we’ve found that even the world’s biggest banks are experiencing pushback from a generation of young professionals looking to access their assets securely, from anywhere, without region-specific accessing required as in SMS-based authentication. They’re also demanding the kind of transparency often seen at challenger all-digital banks.
MPC can help with that, and at Unbound we’ve been helping those tier-1 banks make the jump to systems which can both uphold the institutions’ reputation for security and meet the needs of a world that’s outgrown what that reputation was built on in the first place. That means switching from hardware tokens to built-in authentication systems, and from HSMs to virtual HSM systems with one centralised form of management.