Ahmet Tuncay Interview - Cybernews

Ahmet Tuncay, Sepior: "every industry operating in the chain of digital storage should be upping their game with security"

With the rising number of cyberattacks, individuals and enterprises are already relying on cryptographic encryption solutions to prevent threat actors from obtaining private files or sensitive company data. 

However, the sudden expansion of cryptocurrencies, non-fungible tokens (NFTs), and other decentralized financial (DeFi) services created a need for even more advanced security solutions in these new markets.

We reached out to Ahmet Tuncay, CEO of Sepior, who explains how innovations in the field of threshold cryptography can help achieve the highest-grade data protection.

Tell us about your story. How did the idea of Sepior originate? 

Sepior originated as a spinout from the decades of research done at Aarhus University in 2013 and was officially registered as a private limited company in 2014. 

The Co-Founders of Sepior created the first-ever real-world multi-party computation (MPC) based system, a price matching solution, for the Danish co-op DANISCO in 2008. During that time, they were actively working with MPC for both data privacy and data security applications in academic and commercial settings. 

MPC algorithms are particularly well suited to applications that require some form of confidentiality among multiple participants who wish to transact, such as determining a clearing price, because they are designed to keep bidders’ and sellers' information secret while guaranteeing correctness without a trusted third party. So, this so-called spinout allowed Sepior to focus exclusively on security applications, with specialization in cryptographic key protection and management. 

In 2015, Sepior was granted EU funds to develop an MPC-based cryptographic threshold Key Management System as a Service (KMaaS) for encrypting business data in the cloud without any dependency on the cloud service provider. This represented quite a challenge as the varying security posture of different cloud service providers introduced architectural, scale, and throughput implications for key management. That ultimately led us to a SaaS approach leveraging MPC, where encryption keys are generated, used, and stored in a distributed fashion in any public or private cloud setting. The company went on to deliver the world’s first pure-software, multi-cloud Bring Your Own Key (BYOK) solution in 2018.

Sepior’s technology and offerings are well suited to conventional enterprises and cloud-centric key management applications. However, the growth of financial markets around cryptocurrencies, digital assets, non-fungible tokens (NFTs), and an exploding array of decentralized financial (DeFi) projects has created a demand for MPC-based key management and protection services in entirely new markets.

The underlying blockchain technologies used to deliver these services depend on distributed computing and trust models which are the same building blocks of MPC systems. MPC-based management of private and public keys is a natural fit for managing wallets and signing transactions in distributed ledger technologies, often replacing schemes relying on multi-signatures and Hardware Security Modules. So, Sepior’s long history and expertise in MPC and early optimization for these new digital asset markets has positioned us well for the tsunami that will be consuming nearly every digitized market.

Can you tell us about what you do? What are the challenges Sepior helps overcome?

Sepior develops and licenses the core libraries, APIs, and SDKs that perform cryptographic operations and key management using MPC. In some cases, that also includes white-label MPC platforms, which large enterprises, service providers, and platform providers can use or integrate within their systems to improve the security, performance, and scale of their operations or services. Our Advanced MPC-based digital wallets are universally acknowledged as the highest throughput and lowest latency solutions available with support for online and offline wallet types running on any server or mobile client.

Our licensed MPC software and integration support services allow our clients to accelerate their ability to achieve improved security, performance, and scale with less time and effort, and most importantly – with the unrivaled expertise and complete security confidence that can only be achieved by partnering with Sepior’s world-renowned cryptographers. Sepior becomes a virtual extension of the client's team without having to hire and retain the expertise in-house.

What does it mean to be a member of the MPC Alliance? Can you briefly explain what multi-party computation is?

Sepior is a member and Co-Founder of the MPC Alliance. Under the initiative of Frank Wiener, our CMO and the President of the MPC Alliance, Sepior led the process of proposing and forming the alliance in collaboration with Unbound and ZenGo in 2019. 

At that time, MPC was not widely recognized or understood by people outside of cryptography circles, so the goal of creating the alliance was to unite the voices of all companies working with MPC to help accelerate MPC awareness, acceptance, and adoption. 

Today, the alliance has 50 members, and the industry awareness and adoption of MPC have increased exponentially. We still have a lot of work to do, but the MPC Alliance is off to a good start, and markets are moving toward MPC adoption at an unprecedented rate.

As for multi-party computation (MPC), it is a game-changing security approach to protecting secrets – preventing them from being stolen, misused, or otherwise compromised. One of the primary functions of MPC is to protect the digital keys used to provide encryption services and/or digital signing services. These keys are protected by using MPC to generate them in the form of distributed key shares, where each share is stored locally on a different approver’s physical or virtual machine.

MPC allows for the key shares to be used to provide cryptographic operations, such as generating a signature or decrypting a document, without ever combining the shares or creating a complete key on any single device or machine. Eliminating the existence of a complete key dramatically reduces the potential for theft or misuse and mitigates the classic requirement for complex, specialized security appliances.

Have you noticed any new tactics used by threat actors during the pandemic?

We’ve seen markets in cryptocurrencies, non-fungible tokens (NFTs), and decentralized finance (DeFi) become very active since the pandemic set in, but that timing is probably coincidental. Naturally, with the movement of billions of dollars into these digital asset markets, the typical threat actors are busy trying to steal the property of others.

Fortunately, the rapidly expanding adoption of MPC to secure these digital assets and the entrance of traditional financial service providers with rigorous and systematic security policies and practices have largely kept theft in check, but only for those institutions that are adopting these practices and the latest technology.

It is more important than ever for clients of crypto-asset service providers to know which technologies are being used and how they’re being combined with internal security controls to make sure all assets under management are safe.

As we move into the world of Web3, which tips would you give to stay safe on this new version of the internet?

Web3 is rapidly evolving around blockchain and distributed processing. Conventional security systems and paradigms were designed and optimized for centralized control and will struggle to maintain security, performance, and scale. On the other hand, decentralized security models, such as MPC, align perfectly with the emerging Web3 applications and operational frameworks, providing security with more collaborative and distributed services, running in distributed-trust environments. 

The good news is that MPC-enabled security layers are increasingly being integrated into the platforms of many service providers. So, asking for and verifying those systems that are protected with MPC-based solutions is a good starting point. Asking for Advanced MPC by Sepior sets the stage for not only increased security but also optimal performance and massive scale.

When it comes to data security, which risks are often overlooked by companies?

Security practitioners will be challenged to think outside of the conventional box that represented security for the past few decades. In particular, Hardware Security Modules (HSMs) have been considered the gold standard for protecting the data security keys. 

The problem is that HSMs are designed and optimized for legacy applications – defined by perimeters and physically secured spaces. The new world knows no secure perimeters since our systems must work in distributed, untrusted environments. At least for now, HSMs do not easily fit here with the rest of the distributed, decentralized ecosystem. 

Instead, we need to think about security paradigms like MPC, which allow for decentralized systems, with distributed operations in untrusted environments. It will take time for industry standards and regulations to fully catch up with this new evolving world. Eventually, they will, and market winners will be those who take reasonable steps now, rather than waiting for the dust to settle.

Is there a specific industry that should put more attention towards its cybersecurity? 

The short answer is every industry operating in the chain of digital storage and services should be upping their game with security. For many industries, the cloud-centric platforms and infrastructure services that they procure from others will provide a sufficient level of cybersecurity. 

But soon, many of the industries making big moves toward blockchain-based service models will need to take a more direct and personalized approach to fully understand and vet their cybersecurity vulnerabilities up and down the stack. Eventually, this market will mature and offer standardized services much as we see with cloud service providers today. 

But the companies that want to dominate in the future Web3 market will be those which take a more active role in understanding and defining their cybersecurity solutions as part of their new ecosystem approach.

Talking about the future, which trends surrounding digital assets will emerge in 2022?

DeFi and NFTs are hot and only getting hotter. I think we are going to see more and more conventionally centralized financial service providers moving into the realm of digital assets and DeFi. The rewards of securing a seat at these new tables are simply too high, and the cost of ending up without a seat is even higher. 

And finally, what’s next for Sepior?

For the past several years, Sepior has been consistent with our model of providing core MPC libraries and SDKs. They are integrated by larger or more innovative companies that prefer to develop their own platforms and security systems rather than purchase turn-key systems from other vendors. Going forward, I expect to see Sepior offer additional layers of wallet and policy functionality to make the technology easily adoptable by a much wider segment of the market. 

We also see many areas of improvement to the overall security of wallet solutions by enforcing policy cryptographically rather than as simple business logic. Our threshold MPC algorithms are particularly well suited for such advanced wallet architectures that are not available from anyone else today. We may not need to move all the way to conventional enterprise sales of off-the-shelf systems in the short term, but more complete systems that our clients can rapidly adopt and deploy, with Sepior’s security value expertise running further up the stack, are the next step.


See the original interview post here: https://cybernews.com/security/ahmet-tuncay-sepior-every-industry-operating-in-the-chain-of-digital-storage-should-be-upping-their-game-with-security/
