CTO & Co-Founder
Security Principles and Practices at Portal
How we keep assets and data secure
April 4, 2023
At Portal, security comes first. Our customers place significant trust in our platform, not only to protect their users’ assets, but also their own reputations. We embrace this responsibility and maintain industry best practices to ensure the security of our product. These practices are continuously tested, verified, and improved as there is no such thing as too safe when it comes to digital assets.
Portal enforces strong security through:
(I) Key security principles
(II) External verification of Portal's security practices
(III) End user security
I. Portal’s security principles
Portal adheres to three key principles for security of the platform.
The principle of least privilege ensures that a user or service only has access to the data necessary to do their job.
There are several ways we implement least privilege in practice. We use tiered, role-based access to restrict employee permissions to just the cloud services they need. We review and reduce the permissions in Dockerfiles to ensure containers aren’t running with elevated access. Services are deployed with scoped IAM roles to restrict lateral movement. Database roles are limited to what an application needs. When handling sensitive data, we limit exposure of unencrypted data to a single server with limited cloud permissions.
Restricting user and entity privileges to only what’s required shrinks our attack surface and lowers the potential for breaches and misuse of data.
Defense in depth
Building resilient systems means accounting for defense in depth. Adding multiple layers of security controls helps to keep data safe even if one control fails.
One way we apply defense in depth is in how we encrypt data at rest. Many companies encrypt data at rest with disk-level encryption within their database. While this is good to do, in practice it protects your data against the risk of a physical breach at a cloud server provider’s data center. In most data breaches, disk-level encryption does not help keep data secret from an attacker.
At Portal, in addition to disk level encryption, we encrypt sensitive data at the application layer using the key management service of our cloud provider. Only the services that need access to decrypt sensitive data are granted permission to decrypt it. Not even our employees have access to the keys. If the contents of our database were to be leaked, the sensitive data would still be encrypted.
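The pattern described above can be sketched as envelope encryption. This is an added example, not Portal's code: `LocalKMS` is a hypothetical in-process stand-in for a cloud provider's key management service, the role names and sample value are constructed, and it assumes the third-party `cryptography` package is installed.

```python
# Added example: application-layer (envelope) encryption of one database field.
# LocalKMS is a hypothetical stand-in for a cloud KMS; role names are constructed.
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class LocalKMS:
    """Holds the master key and unwraps data keys only for allowed roles."""

    def __init__(self, decrypt_roles):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))
        self._decrypt_roles = set(decrypt_roles)

    def generate_data_key(self):
        plaintext_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        wrapped = nonce + self._master.encrypt(nonce, plaintext_key, b"data-key")
        return plaintext_key, wrapped

    def decrypt_data_key(self, role, wrapped):
        if role not in self._decrypt_roles:
            raise PermissionError(f"{role} may not decrypt")
        return self._master.decrypt(wrapped[:12], wrapped[12:], b"data-key")


def encrypt_field(kms, record_id, plaintext):
    """Return the row as stored: ciphertext plus the wrapped data key."""
    key, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    # The record id is bound as associated data, so a ciphertext copied
    # onto another row fails authentication on decrypt.
    ct = AESGCM(key).encrypt(nonce, plaintext, record_id.encode())
    return {"id": record_id, "nonce": nonce, "ciphertext": ct, "wrapped_key": wrapped}


def decrypt_field(kms, role, row):
    key = kms.decrypt_data_key(role, row["wrapped_key"])
    return AESGCM(key).decrypt(row["nonce"], row["ciphertext"], row["id"].encode())


def demo():
    kms = LocalKMS(decrypt_roles={"signing-service"})
    row = encrypt_field(kms, "user-42", b"constructed sensitive value")
    leaked = row["ciphertext"] + row["wrapped_key"]  # what a database dump exposes
    try:
        decrypt_field(kms, "reporting-service", row)
        denied = False
    except PermissionError:
        denied = True
    return {"plaintext_in_dump": b"constructed sensitive value" in leaked,
            "other_service_denied": denied,
            "authorised_read": decrypt_field(kms, "signing-service", row)}
```

With a real KMS the unwrap call is authorised by the caller's cloud identity rather than a role string, so the master key never leaves the service.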
Security is everyone’s responsibility
No matter their job title, everyone plays some role in keeping customer data safe. All Portal employees learn and apply our security principles throughout their work. From challenging design documents with adversarial scenarios, to evaluating pull requests for security risks during code reviews—we believe that when everybody is challenging security assumptions, our product and engineering practices are hardened for the better.
II. External verification of Portal’s security practices
We don’t just expect our customers to believe that we have stringent security; we participate in a variety of external verification processes to demonstrate our commitment.
SOC 2 Type II audit
As we announced last week, Portal received its SOC 2 Type II certification. This certification requires an audit of Portal's processes and controls. These pieces represent the foundational elements of any high-quality security practice and are a strong foundation on which we build our platform.
Quarterly pen tests
Portal undergoes quarterly security testing by outside firms to battle-test our core products and constantly evaluate our attack surface. When possible, we choose open-box security testing methods. With this method, pen testers are allowed to see our source code when they perform pen testing activities. This allows them to do their job better and find more vulnerabilities. We're interested in finding and fixing issues, not just receiving a report that says "no issues found" to pass on to customers.
Code review & audit
Portal’s MPC product is built on open source, audited code. In addition, we’ve had an external code review performed by NCC Group and an audit of our implementation and mobile SDKs to verify the security of all MPC configurations, key shares, and cryptography.
III. End user security
To keep user assets secure, it is not enough that our internal security practices are rigorous. Our products are also designed to help the end user maintain the highest level of personal security.
All MPC operations, including generating a signature, include Zero Knowledge Proofs (ZKPs) to ensure that a transaction is protected against malicious parties attempting to spoof or tamper with the operation. This occurs at the protocol level within the MPC operations to ensure that all parties must be in control of a key share to participate.
We also require additional authentication above the MPC layer to protect against abuse. We enforce short-lived sessions when users request an MPC signature, and we recommend even stronger protections to our customers when implementing sensitive operations like wallet recovery and ejection.
Backup & recovery
In the event a device is lost or stolen, Portal supports recovery from a set of different key shares linked to the same address that have been backed up to cloud storage during account setup. During the recovery process the old signing shares are deleted from Portal’s servers, ensuring that if a user’s key share is compromised the pair is rendered useless.
We understand that users put trust in our customers, and our customers put their trust in us. At Portal, we embrace this responsibility to be trusted leaders driving security in our space.
To learn more, please reach out to chat with us.