How safe are online vaults?

Regardless of the image evoked, online vaults are just cloud data management systems.  Some offer more security features, but even the best have limitations and should be evaluated against particular use cases before relying on them. 

Define each use case by who needs access and what data will be stored.  Access is personal (individual or family owner-user), company (company-owned, employee-users), or advisory (shared between clients and advisors).  Data is private (non-confidential files), confidential (taxes, financials, estate plans), or access-sensitive (private keys, authenticators, Web3 assets).  An advisory/confidential use case, for example, means an online vault shared between clients and advisors that stores confidential client data.

Most mainstream cloud servers use end-to-end encryption with multi-factor authentication options and suffice for the average personal/private and company/private use cases.  We recommend multi-factor authentication, access alerts, and monitoring for any unusual activity. 

Though this might also be adequate for some personal/confidential and company/confidential use cases, additional features can protect from external and internal threats if a user is compromised.  We recommend Zero Trust frameworks for network security that provide user verification and authentication, limit and strictly enforce access control, and inspect and log all network activity.  Regulated confidential data (such as customer personal health information) may require additional features and compliance certifications.

Zero Trust frameworks are the minimum viable system for advisory/private and advisory/confidential use cases because advisors are subject to ethical and fiduciary standards and may be liable for data loss.  We encourage liability insurance with adequate cyber coverage for this reason.  We do not recommend any type of online vault for advisory/access-sensitive use cases.  Ethical and fiduciary obligations may prohibit access to this data, the liability risk is material, and liability insurance typically excludes this.  Instead, we recommend specialty custodians or distributed key solutions where advisors hold only a key.

We do not recommend online vaults for personal/access-sensitive or company/access-sensitive use cases.  Even the best online vaults have vulnerabilities.  If an online vault is required, consider a Zero Trust encrypted environment (distinct from Zero Trust frameworks for network security; the term here refers to how data is stored, and some password managers offer it) or a cryptographically secure multi-signature wallet with distributed keys.  Scrutinize data recovery features to ensure the system is truly a Zero Trust encrypted environment, and beware of inheritance features that may not be permissible under applicable probate and privacy laws.  In all situations, we recommend product testing and adequate diligence before committing to an online vault.