Jump to Content
Startups

Helping secure global collaboration at the first federally regulated crypto bank

March 17, 2023
https://storage.googleapis.com/gweb-cloudblog-publish/images/google_cloud_x_anchorage_digital.max-2500x2500.jpg
Aaron Lint

Security Lead, Anchorage Digital

Prasanna Gautam

Technical Lead, Protocols, Anchorage Digital

Editor’s note: Today we hear from Anchorage Digital, a Web3 company with offerings designed for institutions to participate in crypto directly and for those looking to integrate crypto into their own products and services. 


Launched in San Francisco in 2017, Anchorage Digital is a regulated crypto platform that makes crypto accessible to institutions such as family offices, hedge funds, venture capital firms, fintechs, banks, corporations, and more. Our goal is to provide a safe, regulated way for institutions to participate in crypto. 

We started with custody, the storage model that’s the basis for all our other services, including: trading, financing, staking, governance, and building crypto-access for institutions. Protecting billions of dollars in digital assets without compromise to access is core to everything we do. Because of that, when it came to daily operations, we wanted a similarly aligned secure and accessible approach.

Selecting Google Cloud and Google Workspace

We began in traditional startup fashion at a living room table, but our team grew quickly, first to a San Francisco office and then other offices. Amidst the early stages of the pandemic, we increasingly went remote. Today, with a remote-friendly team of more than 300 employees, we’ve seen the same solution that worked for us as a startup in a single office work across the globe. 

The combination of Google Cloud and Google Workspace empowers us to collaborate securely and asynchronously on a global scale. Our decision to use Google Cloud centered around practicality and aligned security values. Google Cloud’s open-source tools and pricing appealed to us. By using Google's BeyondCorp framework, we bypassed the expense and complexity of a traditional centralized corporate network infrastructure. This helped us prevent a whole class of security risks and costs that come with the territory, while making it possible to scale the company efficiently.

BeyondCorp, which provides a Zero Trust security framework that shifts access controls from the perimeter to individual users and devices, meaningfully lowers the cost to maintain straightforward daily management and auditing over access to the secure environment. For example, we can prevent the introduction of untrusted extensions and applications on our endpoints through simple organizational policies. We can vet all extension requests and allow them only after we have inspected their security posture. The extensive logging and monitoring position that Google Workspace provides simplified compliance, providing the governance and oversight necessary for a regulated financial institution. 

Our digital asset platform is built on infrastructure-as-code, harnessing Google Kubernetes Engine. With GKE we can focus on growing the platform with minimal overhead spent on maintaining the underlying infrastructure. Combined with powerful support for Terraform, we can embrace the latest infrastructure patches and features, often with only a single line of code change. BigQuery and Looker also allow us to visualize our data and derive meaningful insights about our platform and its security. Google Cloud’s continuous improvement in security and consistency enables us to primarily focus on building our platform. 

Using Chromebooks for additional security

Our decision to use Chromebooks as our standard employee workstation was, at the time, an unconventional choice. We knew our hardware and operating systems would require a balance of security, developer productivity, and scalability as we rapidly grew. Using Chromebooks with BeyondCorp Enterprise allows us to cleanly restrict internal application and workspace access to company-owned, policy-managed, approved devices only. 

We took steps to further deepen our resiliency against credentials-based attacks by deploying hardware-based multi-factor authentication, which we require for all our Google Workspace accounts. Plus, device and data management tools like remote wiping and Zero-Touch enrollment make onboarding and offboarding employees reliable and straightforward.

Additionally, the guiding security principles underlying ChromeOS reduce the common attack surfaces that security teams all too often struggle to deploy at scale: hardening of the OS with defense in depth, default native sandboxing capabilities, and strong hardware-based device integrity features. This baseline security level allows our security engineers to focus on building secure code and deploying new features instead of spending countless hours with incident response and recovery.

Within Chromebooks and the ChromeOS operating system, using Google Workspace allows us to perform common daily functions that would otherwise require expensive annual software renewals. We also benefit from the immediate, continually updated versions of the tools we use from Meet to shared drives, docs, presentations, and sheets. Lastly, we benefit from new ChromeOS updates that keep our hardware hardened from security risks, since employees are prompted to restart their devices upon each new rollout.

Google Cloud, Google Workspace, and Chromebooks help us achieve our business goals as we operate under strong security principles. Even as we faced the challenges of a remote-based team during the business-continuity conditions of a pandemic, we grew our company in terms of both clients and employees. Our employees have shown flexibility in adjusting to this novel system, and we’ve been pleased with the progress and continual improvements in security posture of the ecosystem. We look forward to continued partnership and day-to-day use of these technologies.

Posted in