1. Cloud & Trust Boundaries
Stage 8/9 — 3-cloud split · 6 system components · zero-trust
3-Cloud Provider Split
Fireblocks does not run on a single cloud; it splits across 3 clouds according to where sensitive material lives.
| Provider | Role | Sensitive material |
|---|---|---|
| Microsoft Azure | Core services · Auth / Policy / TAP / MPC / SGX / Co-Signer Engine / Secure Vault · key shares · configs · policy rules · third-party API credentials · SGX Confidential Enclaves | YES |
| Amazon AWS | Shell Services VPC (Firestore, Transaction Manager, Mobile Service, Dev API Gateway, Web Console, API Gateway) + Node Infrastructure VPC (Blockchain Nodes, Fireblocks Network) | NO |
| GCP (Firebase) | Console + mobile app caching DB | NO |
Azure = root of the sensitive material, AWS = outer shell (gateway / frontend), GCP = caching.
Azure ↔ AWS communication is mediated by an SGX DMZ + PROXY.
Implications for DB design
The primary criterion for physical DB partitioning is whether data is sensitive, shell, or cache. Mixing two of these kinds in one DB makes the cloud / network / IAM separation meaningless.
6 System Components
- Shell Services — API gateways, event orchestration, message queues (no sensitive data)
- Transaction Signing Modules (Co-signers) — MPC private key shares + signing tx
- Core Components — core service modules + sensitive data (Auth Engine, Policy Engine TAPs, Secure Vault, Co-Signer Engine)
- Trusted Shared Services — shared modules + Fireblocks P2P Network
- Blockchain Nodes Infrastructure — blockchain network broadcast (no sensitive data, scales V+H)
- Disaster Recovery Services — asset recovery, reconstruction of the extended ECDSA + EdDSA private keys (xprv+fprv). "offline air-gapped machine with hardened access permissions". SPOC warning: "Should not be used regularly — single point of compromise."
```mermaid
graph TB
subgraph SHELL["Shell Services (AWS, no sensitive data)"]
GW[Dev API Gateway]
TM[Transaction Manager]
BS[Balance Service]
SS[Screening Service]
CS[Certificate Store]
end
subgraph CORE["Core Components (Azure SGX)"]
AE[Auth Engine - SGX]
PE["Policy Engine / TAPs - SGX"]
SV[Secure Vault - SGX]
CSE[Co-Signer Engine - SGX]
end
subgraph SIG["Co-Signers"]
C1["Co-Signer 1<br/>Fireblocks SGX"]
C2["Co-Signer 2<br/>Fireblocks SGX"]
C3["Co-Signer 3<br/>Customer mobile / SGX"]
end
subgraph NODES["Blockchain Nodes"]
N[Node infrastructure]
end
DR["DR Services<br/>offline air-gapped<br/>★ SPOC warning"]
GW --> TM --> BS --> N
TM --> SS
GW --> AE
SS --> PE
PE --> SV --> CSE --> C1 & C2 & C3
C3 -.optional.-> CH["Callback Handler<br/>customer-deployed"]
CSE --> N
classDef azure fill:#dbeafe,stroke:#1e40af
classDef aws fill:#fef3c7,stroke:#92400e
classDef customer fill:#dcfce7,stroke:#166534
classDef dr fill:#fde2e2,stroke:#991b1b
class AE,PE,SV,CSE,C1,C2 azure
class GW,TM,BS,SS,CS,N aws
class C3,CH customer
class DR dr
```
Figure 1. 6 system components + 3 co-signers + DR plane. SGX components in Azure, gateway/screening in AWS, customer-side co-signer with an optional Callback Handler.
Zero-Trust Architecture (Stage 9)
Direct quote from transaction-lifecycle.md, p.5:
"All services in the Fireblocks core infrastructure operate in a zero-trust configuration. Each service has a derivation of root CA and validates every handoff between services."
→ Chain of trust: Root Key (the Core Services CA) → Intermediate Cert → Co-Signer End Cert. Derived certs are verified even between SGX components.
Authentication Architecture
- Root Key (the Core Services CA) → Intermediate Cert → Co-Signer End Cert chain
- Customer components hold the Core Services public Root Key in advance → they verify the signature on the access token they receive
- Token lifecycle: activation token (7d) → refresh token (mobile KeyChain) → access token (6h)
Trust Boundaries
| Domain | Hosted by | Trusted assets |
|---|---|---|
| Fireblocks SaaS | Fireblocks | Console, API, version decisions, audit logs, cloud key share backup |
| Auth0 (SSO) | Service provider on the Fireblocks side | SSO callback |
| User mobile device | User | Primary MPC key share (secure enclave), PIN, biometric, mobile app passphrase, recovery passphrase entry |
| Customer infrastructure | Customer | API Co-Signer instances (optional SGX), Callback Handler servers, CSR private keys |
| External IdP | Customer or third party | SSO authentication |
| Blockchain | Public | Signed transactions |
3-Region SaaS Deployment (Egress / Webhook IP)
- US: 3.133.194.13
- EU: 3.126.240.51
- EU2: 3.77.238.179
- Webhook source: US 3.134.25.131, EU 3.72.125.45 / 18.184.217.45 / 18.198.71.192