David Scrobonia

David Scrobonia

CTO & Co-Founder

Share the love

Want to stay updated? Subscribe below to keep in touch.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
<svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="mask0_996_146" style="mask-type:luminance" maskUnits="userSpaceOnUse" x="1" y="1" width="46" height="46"> <path d="M46.5882 1.41177H1.41174V46.5882H46.5882V1.41177Z" fill="white"/> </mask> <g mask="url(#mask0_996_146)"> <path d="M26.5425 39.4729C24.1381 41.4971 21.1623 42.7211 18.0294 42.9744C14.8966 43.2274 11.7629 42.4969 9.06481 40.8847L2.06244 43.2C1.55421 43.3694 1.30009 43.1153 1.4695 42.6353L3.81302 35.5765C2.48566 33.338 1.75682 30.7954 1.69667 28.1936C1.63651 25.5918 2.24707 23.0183 3.46957 20.7208C4.69207 18.4233 6.48535 16.4791 8.67686 15.0754C10.8683 13.6716 13.3843 12.8556 15.9825 12.7059C14.4182 15.0595 13.4461 17.7562 13.1487 20.5665C12.8514 23.3768 13.2377 26.2174 14.2748 28.846C15.3119 31.475 16.9691 33.814 19.1051 35.6643C21.2411 37.5148 23.7926 38.8213 26.5425 39.4729Z" fill="currentColor"/> <path d="M43.7068 29.9848C45.6014 26.8096 46.2703 23.0518 45.5881 19.418C44.906 15.7842 42.9196 12.5249 40.0026 10.2532C37.0856 7.98141 33.439 6.85375 29.7487 7.08232C26.0587 7.31088 22.5792 8.87992 19.9648 11.4943C17.3505 14.1086 15.7814 17.5882 15.5529 21.2783C15.3243 24.9685 16.452 28.6151 18.7237 31.532C20.9955 34.449 24.2548 36.4354 27.8886 37.1176C31.5221 37.7997 35.28 37.1308 38.455 35.2365L45.4574 37.58C45.9656 37.7495 46.2197 37.4953 46.0503 37.0153L43.7068 29.9565V29.9848Z" fill="currentColor"/> </g> </svg>
4 min read

Security Principles and Practices at Portal

How we keep assets and data secure

April 4, 2023

Security Principles and Practices at Portal

At Portal, security comes first. Our customers place significant trust in our platform, not only to protect their users’ assets, but also their own reputations. We embrace this responsibility and maintain industry best practices to ensure the security of our product. These practices are continuously tested, verified, and improved as there is no such thing as too safe when it comes to digital assets.

Portal enforces strong security through:
(I) Key security principles
(II) External verification of Portal's security practices
(III) End user security

I. Portal’s security principles

Portal adheres to three key principles for security of the platform.

Least privilege

The principle of least privilege ensures that a user or service only has access to the data necessary to do their job. 

There are several ways we implement least privilege in practice. We used tiered, role based access to restrict employee permissions to just the cloud services they need. We review and reduce the permissions of dockerfiles to ensure containers aren’t running with elevated access. Services are deployed with scoped IAM roles to restrict lateral movement. Database roles are limited to support what an application needs. When handling sensitive data, we limit exposure of unencrypted data to a single server with limited cloud permissions. 

Reducing user and entity privileges to only what’s required reduces our attack surface, reducing the potential for breaches and misuse of data.

Defense in depth

Building resilient systems means accounting for defense in depth. Adding multiple layers of security controls helps to keep data safe even if one control fails.

One way we apply defense in depth is with how we encrypt data at rest. Many companies  encrypt data at rest with disk level encryption within their database. While this is good to do, in practice it protects your data against the risk of a physical breach at a cloud server provider’s data center. In most data breaches, disk level encryption isn’t helping keep data secret from an attacker.

At Portal, in addition to disk level encryption, we encrypt sensitive data at the application layer  using the key management service of our cloud provider. Only the services that need access to decrypt sensitive data are granted permission to decrypt it. Not even our employees have access to the keys. If the contents of our database were to be leaked, the sensitive data would still be encrypted.

Security is everyone’s responsibility

No matter their job title, everyone plays some role in keeping customer data safe. All Portal employees learn and apply our security principles throughout their work. From challenging design documents with adversarial scenarios, to evaluating pull requests for security risks during code reviews—we believe that when everybody is challenging security assumptions, our product and engineering practices are hardened for the better.

II. External verification of Portal’s security practices

We don’t just expect our customers to believe that we have stringent security; we participate in a variety of external verification processes to demonstrate our commitment.

SOC 2 Type II audit

As we announced last week, Portal received its SOC 2 Type II certification. This certification requires an audit of Portals processes and controls. These pieces represent the foundational elements of any high quality security practice and are a strong foundation on which we build our platform.

Quarterly pen tests

Portal undergoes quarterly security testing by outside firms to battle test our core products and constantly evaluate our attack surface. When possible, we choose open-box security testing methods. With this method, pen testers are allowed to see our source code when they perform pen testing activities. This allows them to do their job better and find more vulnerabilities. We're interested in finding and fixing issues, not just receiving a report that says "no issues found" to pass on to customers.

Code review & audit

Portal’s MPC product is built on open source, audited code. In addition, we’ve had an external code review performed by NCC Group and audit of our implementation and mobile SDKs to verify the security of all MPC configurations, key shares, and cryptography.

III. End user security

To keep user assets secure, it is not enough that our internal security practices are rigorous. Our products are also designed to help the end user maintain the highest level of personal security.

MPC protocols

All MPC operations, including generating a signature, include Zero Knowledge Proofs (ZKPs) to ensure that a transaction is protected against malicious parties attempting to spoof or tamper with the operation. This occurs at the protocol level within the MPC operations to ensure that all parties must be in control of a key share to participate. 

Additionally, we require additional authentication above the MPC layer to protect against abuse . We enforce short lived sessions when users request an MPC signature, and we recommend even stronger protections to our customers when implementing sensitive operations like wallet recovery and ejection.

Backup & recovery

In the event a device is lost or stolen, Portal supports recovery from a set of different key shares linked to the same address that have been backed up to cloud storage during account setup. During the recovery process the old signing shares are deleted from Portal’s servers, ensuring that if a user’s key share is compromised the pair is rendered useless.

We understand that users put trust in our customers, and our customers put their trust in us. At Portal, we embrace this responsibility to be trusted leaders driving security in our space.

To learn more, please reach out to chat with us.