Interview with Edward Newman - CISO at Digital Asset

In a rapidly evolving digital world, security and privacy are paramount. Shauli Zacks, from SafetyDetectives, interviewed Edward Newman, the Chief Information Security Officer (CISO) at Digital Asset. With a background rooted in technology, Edward spent many years in financial services, working at Merrill Lynch and Goldman Sachs. Today, as the CISO of Digital Asset, he oversees security for a company whose flagship products, Daml and Canton, are changing how businesses transact. Below we cover Edward's journey, Digital Asset's offerings, and where he sees blockchain technology heading in global markets.

Below is a reprint of Edward's discussion with SafetyDetectives.

I’m with Edward Newman of Digital Asset; thank you for your time today. Can you briefly discuss your journey and your role as Digital Asset’s CISO?

Absolutely, my journey has always been centered around technology and computers. I pursued computer systems engineering at Bristol University in the UK. Subsequently, I navigated through various companies, primarily within the financial services sector. My initial tenure of 10 years was at Merrill Lynch, where I focused on authentication, authorization, and identity management. I was heavily involved in the institutional web trading portal, called Direct Markets/MLX, from 1999 into 2000.

Later, I spent eight and a half years at Goldman Sachs, primarily dedicated to engineering security products and managing security product operations. This included working on crucial elements like DNS, DHCP, Active Directory, PKI, and secure file transfer systems. I also spent 3 years running the enterprise systems monitoring group, and many of the same principles apply to security operations.

Around the time Bitcoin emerged, I began experimenting with it. I ran a Bitcoin node and dabbled in mining, although the landscape had shifted from CPU and GPU mining by then. Despite not yielding substantial results, I found the tech side of it quite captivating.

In 2015, a former manager contacted me about a startup seeking a security leader. I joined Digital Asset in 2016 and have remained with the company ever since.  

My role as a CISO encompasses a wide spectrum of responsibilities. I like to structure it into three main pillars:

Corporate Security: This entails safeguarding traditional aspects such as laptops, cloud resources, SaaS and cloud services, and sensitive customer and company data. We handle sensitive data related to projects, strategies, and business insights from our clients and partners. Although we don’t process customer transactions, protecting sensitive information is paramount.

Secure Software Development Life Cycle (SDLC): Here, the focus shifts to building secure products. We emphasize robust testing and threat modeling to ensure the highest level of security possible. This involves practices like software composition analysis, code provenance, and code signing. I’ve taken a keen interest in understanding incidents like the SolarWinds, LastPass, Codecov, and CircleCI hacks, highlighting the importance of securing and controlling access to the software development and build pipeline.

Product and Service Security: As a trusted provider, we maintain high trust with companies using our products, particularly major financial services. They seek assurance about the security of our offerings and how to operate them securely. Additionally, we offer services such as Daml Hub, a managed platform, and the recently announced Canton Network.

These three pillars—corporate security, secure SDLC, and product and service security—guide my approach to cybersecurity. Over the years, we’ve received increased funding and developed our program. Though we’re still a startup, we consider ourselves a maturing one, having achieved milestones like SOC 2 Type 2, a US attestation of security, and ISO 27001 certification over the past few years. These certifications reassure our customers that we prioritize security in our operations.

What does Digital Asset specialize in, and what are your flagship products?

Digital Asset specializes in providing a range of products, with our flagship offering being Daml. Daml is a functional and strongly typed programming language meticulously designed for modeling legal contracts. This product stems from our acquisition of a Swiss company in 2016. They had invested substantial effort into devising methods for modeling business contracts and translating them into computer programs. Our focus with Daml is to streamline the process of expressing business logic while minimizing the burden of understanding the underlying cryptographic and technical intricacies.

To complement Daml, our other flagship product is Canton, a privacy-enabled blockchain protocol. Canton encompasses the Daml runtime, serving as the execution environment for Daml smart contracts. It empowers users to construct distributed networks and concentrate on distributing data and workflows across various partners while keeping sensitive information safe.

Additionally, we offer two services that revolve around these flagship products. Daml Hub is a platform for hosting Canton nodes, allowing users to host Daml applications efficiently. For customers who have gained proficiency with the SDK and have experimented with basic workflows, Daml Hub offers a convenient hosting solution.

Lastly, we’ve introduced the Canton Network, which represents our strategic vision for the long term. It embodies our belief in enabling companies to establish extensive networks of value spanning multiple organizations. This entails seamlessly integrating Daml applications to create increasing levels of complexity and value, fostering a cohesive ecosystem that benefits each participant.

What are the benefits of using blockchain as opposed to traditional methods?

The benefits of using blockchain, as opposed to traditional methods, fundamentally center around data. In contexts like today’s post-trade market, which many of our clients operate within, the focus often revolves around settlement procedures and the seamless exchange of information among various participants.

Legacy systems have historically taken many days to settle transactions – commonly referred to as “T plus two.” This extended settlement duration incurs costs for our clients as their assets remain locked and inaccessible for other purposes during this period.

The crux of the value proposition lies in our endeavors to streamline and automate this data flow. Minimizing the need for data reconciliation enables all market participants to access a unified view of the market’s status and transactional progress. This harmonized perspective is grounded in the consistent logic of Daml models, delineating permissions for specific actions and their timing.

In practice, numerous clients have experienced significant reductions in financial settlement times—shortening them from multiple days to mere minutes. This reduction adds substantial value, mitigating risk, releasing locked assets, and bolstering operational efficiency. Our clients place a strong emphasis on these aspects.

In essence, blockchain technology reduces operational costs, mitigates data reconciliation challenges, and addresses errors commonly occurring during manual reconciliation. This technology empowers clients to alleviate operational burdens, maximize network value, and substantially expedite transaction times, ultimately enhancing their ability to derive optimal value from the network while significantly reducing settlement times.

How does a company ensure the security and privacy of data as it flows freely within the interconnected networks created by its technology?

Security and privacy of data is a key differentiator between ourselves and others in the blockchain space. If you think about Ethereum, as one example, it operates in a way that shares all participants’ data with all nodes, leaving users with no control over their data. Other public networks operate similarly, and some private networks also have gaps.

In contrast, our approach with the Canton Network distinctly incorporates privacy right from the foundation. Within our system, privacy is embedded within the language itself. Users model who is authorized to access specific data and what actions they are permitted to undertake within those models. The Canton protocol then reinforces this privacy model by disseminating data among participants. Notably, nodes within the Canton Network exclusively receive data pertinent to the transactions they are actively involved in. They are not privy to data, even in an encrypted form, that goes beyond their specific role. Our technology functions much like a sharded database, where each participant can only access the shard relevant to their engagement and no more.

Privacy is not merely an afterthought but a core tenet of our technology. This design ensures that unauthorized access is rigorously prevented. Furthermore, we recognize the significance of data privacy regulations like GDPR, particularly the right to be forgotten. Our technology empowers applications to adhere to these regulations by enabling an auditable process of purging data related to data subjects.

For us, privacy isn’t just a feature—it’s an essential capability that significantly resonates with our customers’ needs and concerns.
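The authorization model Edward describes above, where who may see a contract and who may act on it is stated in the Daml model itself, can be seen in a small template. What follows is an illustration added by the editor; it is not code from Digital Asset or from the interview. The module, template, field, choice and party names are hypothetical, and the script's parties and amounts are constructed for the example.

```daml
module PrivacyExample where

import Daml.Script

-- Hypothetical asset holding. Visibility and authority are declared in the
-- template: the issuer signs, the owner observes, and only the owner may
-- transfer. A party named in neither role is not a stakeholder and is not
-- sent the contract at all.
template Asset
  with
    issuer : Party
    owner  : Party
    amount : Decimal
  where
    signatory issuer
    observer owner
    ensure amount > 0.0

    -- Consuming choice: archives this contract and creates a new one for
    -- newOwner. The issuer's authority to sign the new contract comes from
    -- being a signatory of the contract being exercised, so no separate
    -- issuer approval is needed.
    choice Transfer : ContractId Asset
      with
        newOwner : Party
      controller owner
      do
        create this with owner = newOwner

-- Constructed test script: party names and the amount are made up here.
privacyTest : Script ()
privacyTest = script do
  bank  <- allocateParty "Bank"
  alice <- allocateParty "Alice"
  bob   <- allocateParty "Bob"

  cid <- submit bank do
    createCmd Asset with issuer = bank; owner = alice; amount = 100.0

  -- Bob is neither signatory nor observer, so a query as Bob sees nothing.
  bobsView <- query @Asset bob
  assert (null bobsView)

  -- Bob is not the controller of Transfer, so this submission is rejected.
  submitMustFail bob do
    exerciseCmd cid Transfer with newOwner = bob

  -- Alice, the owner, may transfer; the new contract is then visible to Bob.
  _ <- submit alice do
    exerciseCmd cid Transfer with newOwner = bob
  bobsViewAfter <- query @Asset bob
  assert (length bobsViewAfter == 1)

  -- The original contract is archived, so Alice no longer sees an Asset.
  alicesView <- query @Asset alice
  assert (null alicesView)
```

The point of the script is the two failure modes: a non-stakeholder gets an empty query result rather than an access-denied error, because the data was never distributed to that party, and an attempt to exercise a choice without being its controller is rejected at submission time rather than by application code.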

What future developments does Digital Asset envision for its technology, and how do these align with the changing landscape of global markets?

It’s the Canton Network. It is a third option to the public and private blockchain dilemma, creating a mixture of permissioned and permissionless networks, based on the requirements of each use case. One of the concerns over time is that you would end up building lots and lots of silos of applications within a specific organization or across a small group of organizations. Canton Network is our way of allowing those networks to be joined together and interoperate. It gives us the capabilities of composable applications.

Just like somebody can build a very good stock loan or bond application or an application that allows people to transact in digital currencies, somebody should be allowed to come in and combine those two workflows into a single application. Therefore, it should allow the network to effectively build more and more value because all of these different workflows get linked together into a network of business value. Over time, this will add significant value to our customers and partners.

To learn more about Digital Asset's Information Security Program, click here.