API Co-signer Security Checklist and Recommended Defense and Monitoring Systems
Co-signer security checklist
- Only authorized personnel with high-level privileges and full trust from your organization may perform the Co-signer installation.
- Use a clean, hardened machine for the Callback Handler server, restricting access exclusively to authorized personnel or service accounts.
- Configure your network rules, cloud resources, and required policies according to the instructions provided in each API Co-signer installation guide.
- Use the Callback Handler to log all approval requests, and consider utilizing it to implement additional programmatic protection logic against malicious withdrawals.
- Create TAP rules that prevent API users from initiating transfers above a specific amount threshold within a certain timeframe, and require additional manual approval. These rules should apply globally to all withdrawals and withdrawals from specific external user wallets.
- Fireblocks advises against disabling Linux UEFI Secure Boot on your API Co-signer virtual machine, as this introduces security risks beyond simply leaving kernel code unvalidated. We recommend working around any issues you encounter instead. Using the TrendMicro Deep Security agent on Ubuntu 20.04 is one option that supports Secure Boot.
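The two checklist items on the Callback Handler and on amount-per-timeframe TAP rules describe the same control from two sides: a velocity limit that rejects withdrawals exceeding a threshold within a window, with every decision logged. The following is an added example of such a policy, not Fireblocks' own Callback Handler code. The request field names (tx_id, api_user, amount, destination), the "APPROVE"/"REJECT" return values and the limit values are assumptions made for illustration, not the real Callback Handler schema.

```python
"""Velocity-limit policy for a Callback Handler.

Added example, not Fireblocks' own Callback Handler code. The request field
names (tx_id, api_user, amount, destination) and the "APPROVE"/"REJECT"
return values are assumptions made for illustration, not the real schema.
"""
import logging
import time
from collections import defaultdict, deque
from decimal import Decimal

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("callback-handler")

# Policy values are assumptions chosen for the example.
WINDOW_SECONDS = 3600                 # rolling window over which approved amounts are summed
GLOBAL_LIMIT = Decimal("1000")        # total approved per window, all API users together
PER_USER_LIMIT = Decimal("250")       # total approved per window for one API user


class VelocityPolicy:
    """Rejects a request when approving it would push a rolling-window total
    over a limit; every decision is written to the log so the handler also
    serves as the audit trail the checklist asks for."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.history = defaultdict(deque)        # key -> deque of (timestamp, amount)

    def _window_total(self, key, now):
        q = self.history[key]
        while q and q[0][0] <= now - WINDOW_SECONDS:   # drop entries older than the window
            q.popleft()
        return sum((amount for _, amount in q), Decimal("0"))

    def decide(self, request):
        """Return "APPROVE" or "REJECT" for one signing request."""
        now = self.clock()
        amount = Decimal(str(request["amount"]))     # never use float for amounts
        user = request["api_user"]
        user_total = self._window_total(("user", user), now) + amount
        global_total = self._window_total(("global",), now) + amount

        reason = None
        if amount <= 0:
            reason = "non-positive amount"
        elif user_total > PER_USER_LIMIT:
            reason = f"user window total {user_total} exceeds {PER_USER_LIMIT}"
        elif global_total > GLOBAL_LIMIT:
            reason = f"global window total {global_total} exceeds {GLOBAL_LIMIT}"

        if reason is not None:
            log.warning("REJECT tx=%s user=%s amount=%s dest=%s reason=%s",
                        request["tx_id"], user, amount, request["destination"], reason)
            return "REJECT"

        # Only approved amounts count toward the window; rejected ones are not spent.
        self.history[("user", user)].append((now, amount))
        self.history[("global",)].append((now, amount))
        log.info("APPROVE tx=%s user=%s amount=%s dest=%s window_user=%s window_global=%s",
                 request["tx_id"], user, amount, request["destination"], user_total, global_total)
        return "APPROVE"


if __name__ == "__main__":
    policy = VelocityPolicy()
    for i, amt in enumerate(("200", "100")):       # the second request trips the per-user limit
        print(policy.decide({"tx_id": f"tx-{i}", "api_user": "bot-a",
                             "amount": amt, "destination": "0xconstructed"}))
```

The policy is deliberately default-deny on anything it cannot account for (a non-positive amount is rejected rather than ignored), and the window is rebuilt from approvals only, so a burst of rejected requests cannot lock out legitimate traffic. In production the history would live in durable storage shared across handler instances, and a rejection here would be paired with the TAP rule requiring manual approval above the same threshold, so the two controls fail closed together.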
Co-signer recommended defense and monitoring systems
Although a quorum can be configured to approve requests, and a single MPC key share cannot be used to compromise the system, we recommend adding multiple defense and monitoring systems on Fireblocks API Co-signer instances.
Implementing the recommended defense and monitoring systems can significantly improve the security of the Fireblocks API Co-Signer and reduce the risk of security incidents.
- Cloud Workload Protection: A solution that actively monitors the instance running on the Fireblocks AWS API Co-Signer and provides real-time protection against known and unknown threats.
- Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR): A solution that actively monitors the instance running on the Fireblocks AWS API Co-Signer and detects and responds to potential security threats in real time.
- Security Information and Event Management (SIEM): A solution that collects all login attempts to the instance running on the Fireblocks AWS API Co-Signer and provides real-time alerting and reporting on potential security incidents.
- Privileged Access Management (PAM): A solution that actively controls and monitors access to privileged accounts, such as root access to the instance running on the Fireblocks AWS API Co-Signer. A PAM solution can also provide real-time monitoring and alerting on privileged account activity, and enforce security policies, such as password management and least privilege access.
- Multi-Factor Authentication (MFA): An MFA solution can enforce secure authentication and access control to the instance running on the Fireblocks AWS API Co-Signer. An MFA solution can also help prevent unauthorized access and reduce the risk of account compromise.
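The SIEM item above asks for every login attempt to the Co-Signer instance to be collected and alerted on. The following is an added example of the kind of rule a SIEM would run over the instance's forwarded SSH authentication log; it is not Fireblocks code. The log lines, the allowed jump-host address and the thresholds are constructed for the example.

```python
"""Login-attempt alerting for a Co-Signer instance.

Added example, not Fireblocks code: the kind of rule a SIEM would run over the
instance's SSH authentication log once login attempts are forwarded to it.
The log lines, the allowed jump-host address and the thresholds are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 cosigner sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 09:00:03 cosigner sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar 10 09:00:05 cosigner sshd[2203]: Failed password for root from 203.0.113.7 port 51524 ssh2
Mar 10 09:00:06 cosigner sshd[2204]: Failed password for root from 203.0.113.7 port 51525 ssh2
Mar 10 09:00:08 cosigner sshd[2205]: Failed password for root from 203.0.113.7 port 51526 ssh2
Mar 10 09:01:10 cosigner sshd[2210]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 09:05:00 cosigner sshd[2212]: Accepted password for root from 203.0.113.7 port 51530 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

ALLOWED_SOURCES = {"198.51.100.4"}   # assumed PAM jump host / bastion address
FAILED_THRESHOLD = 5                 # failures from one source within WINDOW_SECONDS
WINDOW_SECONDS = 60
LOG_YEAR = 2024                      # syslog timestamps carry no year; assumed for parsing


def parse_line(line):
    """Return a dict for an sshd authentication line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return event


def detect(log_text):
    """Run the rules over a log and return (rule, source, user, timestamp) alerts."""
    alerts = []
    failures = defaultdict(list)     # source address -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stamp = ev["ts"].isoformat()
        if ev["result"] == "Failed":
            recent = failures[ev["src"]]
            recent.append(ev["ts"])
            recent[:] = [t for t in recent if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) == FAILED_THRESHOLD:        # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", ev["src"], ev["user"], stamp))
            continue
        # Successful login: on a hardened Co-Signer host these should be rare and predictable.
        if ev["src"] not in ALLOWED_SOURCES:
            alerts.append(("UNEXPECTED_SOURCE", ev["src"], ev["user"], stamp))
        if ev["user"] == "root":
            alerts.append(("ROOT_LOGIN", ev["src"], ev["user"], stamp))
        if ev["method"] == "password":                 # keys expected; password auth breaks policy
            alerts.append(("PASSWORD_AUTH", ev["src"], ev["user"], stamp))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(*alert)
```

Failed attempts only raise an alert once a source crosses the threshold inside the window, which keeps noise down, while every successful login is checked against what a PAM-fronted, key-only host should look like: an unexpected source, a direct root login or password authentication each indicate that a control the page recommends is missing or bypassed, and all three are worth paging on for a signing host.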
AWS Nitro Recommendations
- EC2 - EBS Volume Encryption
Enabling encryption for all EBS volumes is strongly recommended to ensure data security and compliance with best practices. While Fireblocks uses AWS Nitro to safeguard sensitive workloads, customers are advised to configure EBS encryption based on their organization’s compliance requirements and data protection policies. Encryption can be managed seamlessly through AWS Key Management Service (KMS).
- CloudTrail - Enabling Service for all Regions
Fireblocks utilizes an organizational structure incorporating AWS Control Tower, a dedicated log-archive account, and automated processes to ensure comprehensive multi-region coverage for CloudTrail. While this approach is recommended, customers retain the flexibility to operate in single or multi-region modes based on their operational and regulatory requirements. Enabling CloudTrail for all applicable regions is crucial, however, to maintain visibility into account activities and meet audit requirements.
- S3 - Enabling MFA Delete
MFA Delete for S3 buckets is a security best practice for protecting against accidental or unauthorized data deletion. However, Fireblocks does not enforce specific bucket policies, which must align with each customer’s internal security frameworks. Customers are encouraged to evaluate and implement MFA Delete where it supports their risk management strategy.
- S3 - Enabling Versioning
S3 versioning provides added protection for data backup and replication. However, Fireblocks' Co-Signer architecture does not require backup or replication of data stored in S3. Customers should assess the need for versioning based on their internal data resilience and disaster recovery policies.
- S3 - Enabling Access Logging
Enabling S3 access logging requires a dedicated logging bucket. Fireblocks recognizes that customers often have centralized logging infrastructures, forwarding logs to SIEM platforms for analysis and archiving. In such cases, enabling S3 access logging may result in redundancy. Customers must ensure their existing logging solutions sufficiently cover S3 access patterns for security monitoring and compliance.
- VPC - Enabling Subnet Flow Logs
While VPC Flow Logs are a valuable tool for monitoring network traffic, they can incur significant costs. Customers should evaluate the necessity of enabling VPC subnet flow logs based on their security posture, budgetary considerations, and compliance obligations. Fireblocks recommends enabling this feature where granular network activity monitoring is required.
GCP Confidential Space Recommendations
- Enabling Cloud Audit Logging
Cloud Audit Logging is critical for tracking administrative and data-access operations at the project level. As Fireblocks’ Co-Signer is deployed within customer-managed environments, customers are responsible for enabling and managing Cloud Audit Logging to meet their governance and monitoring needs.
- Cloud IAM - Service Account with Admin Privileges
GCP creates a default administrative service account during the initial setup. To reduce the attack surface and adhere to the principle of least privilege, customers should delete this service account after installation unless explicitly required for operational purposes.
- Cloud Storage - Enabling Buckets with Versioning
Versioning is primarily designed for backup and replication use cases. Fireblocks’ Co-Signer solution does not require this feature, and this configuration has no associated security risk. Customers may enable versioning based on their organizational backup and recovery strategies.
- VPC - Enabling Subnet Flow Logs
As with AWS, enabling VPC subnet flow logs in GCP provides visibility into network traffic but may incur additional costs. Customers should consider enabling this feature if their security or compliance policies necessitate detailed network traffic analysis.
- API Event Monitoring
The Fireblocks Co-Signer is hosted within customer environments, and customers are responsible for implementing and managing API event monitoring. Fireblocks recommends monitoring API activity to detect anomalies and ensure compliance with security standards.
- Firewall Rules
GCP creates default firewall rules during project setup, which may not align with security best practices. Customers are strongly encouraged to delete these default rules and implement custom firewall rules that adhere to the principle of least privilege and align with their security requirements.