# Personnel and expertise requirements

A successful on-premises deployment requires a dedicated team with deep technical expertise across various domains. Your organization is responsible for provisioning, managing, securing, and ensuring the high availability (HA) and disaster recovery (DR) of several foundational services.

This document outlines the required skillsets, broken down by functional area. Assign personnel with the necessary expertise for each category before beginning the deployment process.

Why these skills matter
The platform uses a **zero-trust security model** with cryptographic verification at every layer. Keys are never exposed outside secure hardware. All communication is encrypted and authenticated. Every state change is recorded in an immutable, auditable Merkle tree. See [Security](/products/custody/v1.34/concepts/security) for details.

**Related documentation**: For detailed component HA/DR strategies, see [Resilience planning](/products/custody/v1.34/deployment/planning/resilience).

## Infrastructure and deployment expertise

The platform components are deployed as containerized applications into your environment, typically leveraging Kubernetes or OpenShift.

| Expertise area | Skillset | Responsibilities |
|  --- | --- | --- |
| Container orchestration (Kubernetes/OpenShift) | • Managing containerized environments (Kubernetes, OpenShift)• StatefulSets, Deployments, Services, ConfigMaps, Secrets | • Deploy and manage platform pods• Configure HA and resource limits• Troubleshoot pod failures |
| Helm configuration | • Helm charts and complex YAML configurations | • Manage `values.yaml` and Helm releases• Perform `helm install`/`upgrade` operations• Manage environment configurations |
| Container image management (Docker/Podman) | • Container runtimes and image management• Image signing and verification | • Maintain private Container Registry• Mirror images from metaco.azurecr.io• Verify container signatures |
| Linux administration | • Linux OS administration• systemd, file permissions, networking | • Maintain host environment• Support HSM CLI interactions• Manage persistent volumes |
| Telemetry & observability | • Monitoring and logging• OpenTelemetry, Prometheus, Grafana | • Deploy OTEL Collector• Configure dashboards and alerts• Manage log forwarding |


## Services management

You are responsible for provisioning, managing, securing, and ensuring the HA/DR of these core dependencies.

| Expertise area | Skillset | Responsibilities |
|  --- | --- | --- |
| Database management (PostgreSQL) | • PostgreSQL deployment, security, backup/restore• Replication strategies, connection pooling | • Provision PostgreSQL instances (v14+)• Implement HA/DR strategy• **Critical**: Time-sync backups with ARFSee [Database Planning](/products/custody/v1.34/deployment/planning/database) |
| Messaging broker administration (AMQP) | • AMQP message brokers (RabbitMQ)• Quorum queues, clustering | • Provision and configure broker with HA/DR• Configure SSL/TLS and monitoringSee [Messaging Planning](/products/custody/v1.34/deployment/planning/messaging) |
| Blockchain node operations | • Blockchain node deployment and maintenance• Node types (Full vs. Archive), RPC APIs | • Provision nodes meeting platform requirements• Implement load balancing and monitoring• Manage upgrades during hard forksSee [Blockchain Node Planning](/products/custody/v1.34/deployment/planning/blockchain-nodes) |


## Security and key management expertise

The platform's institutional-grade security relies on expertise in managing cryptographic infrastructure and network security.

| Expertise area | Skillset | Responsibilities |
|  --- | --- | --- |
| Key management system (KMS) administration | **HSM**: Vendor-specific expertise, partition setup, HA groups**MPC**: Distributed systems, threshold cryptography, DKG | • Perform initial KMS setup for notary and vault• Configure HA and backup/recovery procedures• Coordinate DKG ceremonies (MPC)See: [KMS Integration](/products/custody/v1.34/how-to/integrate-kms/overview) |
| Public key infrastructure (PKI) and TLS/mTLS | • PKI concepts, certificate lifecycles, CAs• TLS/mTLS configuration, X.509 certificates | • Issue TLS certificates from internal CA• Configure mTLS for zero-trust communication• Manage certificate rotationSee [Security](/products/custody/v1.34/concepts/security) |
| Network security and firewall planning | • Enterprise network architecture• Firewall rules, proxy configuration, network policies | • Implement network security and firewall plan• Configure ingress, proxy, and network policiesSee [Network planning](/products/custody/v1.34/deployment/planning/networking) |
| Disaster recovery procedures | • Security-sensitive recovery operations• State Review Authority role, ARF verification | • Execute ARF recovery procedure• Register State Review Authority public key• Coordinate time-synced backups with DBAsSee [Recover ARF](/products/custody/v1.34/system-management/disaster-recovery/recover-arf) |


## Application and governance expertise

Management of the application layer—including user roles, access control, and transaction rules—requires specific platform knowledge.

| Expertise area | Skillset | Responsibilities |
|  --- | --- | --- |
| Governance design | • Institutional governance models and risk controls• Domain hierarchy, RBAC, approval workflows | • Design Domain hierarchy and User Roles• Create approval Policies with quorum requirements• Implement breakglass policiesSee [Governance](/products/custody/v1.34/overview/governance), [Policy Design](/products/custody/v1.34/get-started/design/policies) |
| Scripting and logic (for advanced policies) | • JSON and JavaScript for policy conditions• Conditional expressions using context object | • Write custom policy conditions• Create risk-based policies (amount thresholds, account properties)See [Policy Examples](/products/custody/v1.34/get-started/design/policies/examples) |
| Security operations | • Platform security model and Genesis Block concept• ARF and State Review Authority concepts | • Define and implement the Genesis Block• **Note**: Genesis can only be loaded **once**• Register State Review Authority public keySee [System Setup (Genesis)](/products/custody/v1.34/deployment/install/installation#genesis-payload-reference) |
| Compliance & audit | • Cryptographic audit trail and data integrity• Merkle trees, entity signatures, regulatory requirements | • Verify data integrity and entity signatures• Generate audit reports for regulators• Coordinate with external auditorsSee [Security](/products/custody/v1.34/concepts/security) |


## Checklist: Before you proceed

### Personnel assigned

- [ ] Infrastructure team with Kubernetes/Helm expertise identified.
- [ ] Database administrator with PostgreSQL HA/DR experience assigned.
- [ ] Security team for KMS administration and PKI/TLS assigned.
- [ ] Governance/policy designer with domain modeling experience assigned.
- [ ] Compliance officer for audit trail and regulatory requirements assigned.


### Decisions made

- [ ] Deployment model confirmed (Kubernetes distribution: EKS, GKE, AKS, or on-premises).
- [ ] Primary and backup personnel assigned for each expertise area.
- [ ] Escalation paths defined for security-critical operations (e.g., ARF recovery).


## Next step

**Next:** [Resilience planning](/products/custody/v1.34/deployment/planning/resilience) - Understand the platform components and your HA/DR responsibilities.