Cloud security architecture for an APAC crypto custody provider

Context

A n APAC crypto custody provider was building a regulated digital asset custody platform from greenfield. The platform held material customer balances and was subject to oversight from the local regulator. The cloud architecture needed to satisfy:

• A securities regulator’s expectations on custody segregation
• A SOC 2 Type 2 audit cycle starting within the same fiscal year
• An internal expectation of zero successful attacks on key material — a single incident here was an existential event

Risk

• Key-material risk — anything touching cryptographic keys had a failure cost equal to the entire business
• Architectural lock-in — decisions made in week 4 would shape what was auditable in year 4
• Talent gap — the engineering team was deep on crypto, lighter on cloud platform engineering

Engagement

We embedded as the cloud security architect for 10 weeks:

• Weeks 1-3: threat modelling + landing-zone design — accounts, network segmentation, identity boundary, KMS posture. Custody-tier workloads ring-fenced into dedicated accounts with hardware-backed signing.
• Weeks 4-7: implementation — landing zone built with platform engineering. Every control implemented as code; nothing click-deployed.
• Weeks 8-9: SOC 2 readiness — control evidence collection designed into the platform from day one. Auditor walkthrough rehearsed.
• Week 10: handover — runbook, threat model, control register delivered to the in-house team. Ongoing advisory continued on a monthly retainer.

Outcome

This work is covered in our Cloud Security Architecture service.