Introduction
Effective security requires a holistic approach, combining different layers to address multiple attack vectors. When applying this approach to Web3 and securing private keys, it involves two main building blocks:
- Protecting the keys themselves: Generating and storing them securely.
- Defining and enforcing policies: Ensuring that the keys are used only by authorized users and for their intended purposes.
MPC addresses the first by creating keys in a distributed manner. Together with secure enclaves for storing each key share, this approach minimizes the risk of unauthorized access.
A policy engine addresses the second by defining and enforcing a set of rules. Only when these rules are met will the key share participate in signing.
However, one of the main challenges Web3 companies face with policy engines—particularly asset managers and enterprises— is that the policies are often configured and enforced by their wallet providers. This introduces concerns around data privacy, compliance, and operational risks. For some, this sensitive logic constitutes their core business logic. For others, a provider-side error resulting in a non-compliant transaction could trigger severe regulatory repercussions.
Sodot Self-Managed Policy Engine
The Sodot Self-Managed Policy Engine is designed to address these challenges, enabling organizations to set and enforce policies effectively, fully on-premise, with complete control and data privacy. The system is architected to enforce policies independently for each secret share, enhancing both security and policy robustness.
How It Works
A Rule Server, configured by the customer, connects securely to each MPC signer server (referred to as a Vertex), which holds a key share. This connection uses authenticated communication protocols to ensure security. When a transaction is initiated, the Vertex sends its details to the Rule Server for evaluation. Based on the evaluation, the Rule Server either approves or rejects the transaction. Approved transactions proceed to signing, while rejected ones are blocked, ensuring security and compliance with your policies.
Policies can include transaction limits (e.g., "Only sign transactions that send up to $10,000"), recipient restrictions such as blacklists, location- and time-based rules, multi-factor authentication, and more. Additionally, external services such as transaction security or AML/KYC checks can be integrated and applied as policies.
For more technical details, check out our docs.
Core Advantages
The Self-Managed Policy Engine aligns with our product philosophy: ensuring our customers have complete control over their infrastructure and data. Here are the key benefits:
1. Fully Self-Hosted and Self-Controlled
Customers retain full control by setting and enforcing policies entirely on their own infrastructure. This keeps the approval logic private and ensures true ownership of the transaction approval process and organizational data.
2. Full Customization
The Policy Engine offers extensive customization, allowing customers to create rules tailored to their specific use cases. with the flexibility to adjust and refine as requirements evolve.
3. Manual Verification
In scenarios where automated checks are insufficient, transactions can be paused for manual review, ensuring an additional layer of oversight before approval.
Final Remarks
The Sodot Self-Managed Policy Engine equips Web3 companies to secure their infrastructure with confidence. By providing complete control and preserving data privacy, this solution addresses the critical challenges of transaction approval processes, ensuring compliance and safeguarding sensitive business logic.
This innovation highlights Sodot’s commitment to delivering robust, secure, and customizable infrastructure solutions. By prioritizing customer ownership and adaptability, we enable organizations to elevate their security practices while meeting evolving regulatory and operational demands.
For additional information, feel free to reach out.
