External security firm validates Fortris’ protocols after full platform audit

Fortris is an enterprise digital asset management platform that distributes its security controls across multiple layers and physical locations. This approach gives organizations full control over their own policy management and user permissions.

Private keys are never visible to day-to-day users, so access is granted or revoked simply by allocating or withdrawing signing rights rather than by handing over key material. Built to integrate directly with existing financial infrastructure, Fortris gives organizations industry-leading protection and eliminates single points of failure.

Our internal auditing process requires regular penetration testing by external security specialists. The most recent engagement was carried out by the leading German IT security firm Detack. Their reputation and their experience working with other multinational financial technology companies made them an ideal choice to audit our security protocols.

Problem

When integrating cryptocurrency into daily financial operations, organizations need advanced user accounts and permissions paired with top-level security. Multi-signature technology lets organizations spread trust across several parties so that no single person ever holds complete control.

However, problems arise when the multi-signature quorum changes. In a traditional on-chain scheme such as a Bitcoin multi-signature script, the address itself commits to the exact set of public keys and the threshold, so adding or removing a signer, or changing the threshold, means creating a new address and moving the funds, and until that happens a departed signer's key remains valid for the old address. This is a major security concern and makes traditional multi-signature technology difficult to incorporate into daily enterprise operations.
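To make the quorum-change problem concrete, here is an added example written for this page. It is not Fortris code and does not describe how the Fortris second layer works; it only shows what a traditional on-chain multi-signature scheme commits to. It assumes Bitcoin-style P2WSH m-of-n OP_CHECKMULTISIG witness scripts, uses constructed placeholder keys that are not real public keys, and the signer role names and function names are hypothetical.

```python
import hashlib

# Constructed placeholder "compressed public keys" (33 bytes, 0x02/0x03 prefix).
# They are NOT real keys and control no funds; real keys would come from each
# signer's HSM or hardware wallet. The signer role names are hypothetical.
SIGNERS = {
    "cfo":       bytes([0x02]) + bytes([0x11]) * 32,
    "treasurer": bytes([0x03]) + bytes([0x22]) * 32,
    "auditor":   bytes([0x02]) + bytes([0x33]) * 32,
    "new_cfo":   bytes([0x03]) + bytes([0x44]) * 32,
}

OP_CHECKMULTISIG = 0xAE


def op_n(n: int) -> bytes:
    """Encode 1..16 as the script opcode OP_1..OP_16 (0x51..0x60)."""
    if not 1 <= n <= 16:
        raise ValueError("OP_N covers only 1..16")
    return bytes([0x50 + n])


def build_witness_script(threshold: int, pubkeys: list) -> bytes:
    """Build an m-of-n witness script: OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG.

    Keys are sorted lexicographically (BIP 67) so the same signer set always
    yields the same script regardless of the order in which it was listed.
    """
    if not 1 <= threshold <= len(pubkeys):
        raise ValueError("threshold must be between 1 and the number of keys")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (0x02, 0x03):
            raise ValueError("expected 33-byte compressed public keys")
    script = op_n(threshold)
    for pk in sorted(pubkeys):
        script += bytes([len(pk)]) + pk      # 0x21 push opcode, then the key
    script += op_n(len(pubkeys)) + bytes([OP_CHECKMULTISIG])
    return script


def p2wsh_commitment(witness_script: bytes) -> str:
    """A P2WSH address is derived from SHA256(witnessScript); that hash is the
    on-chain commitment to the signer set and the threshold."""
    return hashlib.sha256(witness_script).hexdigest()


def quorum_commitment(threshold: int, signer_names: list) -> str:
    keys = [SIGNERS[name] for name in signer_names]
    return p2wsh_commitment(build_witness_script(threshold, keys))


def change_requires_moving_funds(old_threshold, old_signers, new_threshold, new_signers) -> bool:
    """True when the new quorum maps to a different address, i.e. funds at the
    old address must be spent to the new one before the new quorum is enforced."""
    return quorum_commitment(old_threshold, old_signers) != quorum_commitment(new_threshold, new_signers)


def old_script_still_satisfied(threshold: int, script_signers: list, approvers: list) -> bool:
    """Whether a set of approvers can still spend from the OLD script. A signer
    removed only in an application-level policy still holds a key the script accepts."""
    valid = {a for a in approvers if a in script_signers}
    return len(valid) >= threshold


if __name__ == "__main__":
    current = ["cfo", "treasurer", "auditor"]
    print("2-of-3 commitment:", quorum_commitment(2, current)[:16], "...")
    # Listing order does not matter thanks to BIP 67 sorting.
    print("same set reordered, same commitment:",
          quorum_commitment(2, current) == quorum_commitment(2, ["auditor", "cfo", "treasurer"]))
    # Rotating the CFO's key or raising the threshold changes the commitment.
    print("replace cfo -> must move funds:",
          change_requires_moving_funds(2, current, 2, ["new_cfo", "treasurer", "auditor"]))
    print("2-of-3 -> 3-of-3 -> must move funds:",
          change_requires_moving_funds(2, current, 3, current))
    # Until the funds move, the departed CFO plus one colleague still meets the old quorum.
    print("departed cfo + treasurer can spend from old address:",
          old_script_still_satisfied(2, current, ["cfo", "treasurer"]))
```

Run as a script, it shows that reordering signers leaves the commitment unchanged, while replacing a signer or changing the threshold does not. The last line is the security concern referred to above: until funds have actually been moved to the new address, a signer removed at the policy level still holds a key that the old script accepts.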

Fortris solved this problem by building a second layer on top of multi-signature technology. This layer adds flexibility without sacrificing security. Detack's brief was to test, as rigorously as possible, whether the Fortris digital asset management platform is secure and fit for purpose.

Results

Over an in-depth two-month engagement, Detack tested every facet of the Fortris platform. Looking specifically at our policy engine, Octav Opaschi, Senior IT Security Consultant at Detack, said:

“Fortris uses a multi-layered approach to security, where separation exists, independently, between the customer data and the vendor data, at the physical layer, network layer, storage layer, container layer and business application layer. This makes it considerably harder for pivot attacks to succeed, even in case parts of the infrastructure are compromised. The safety of customer assets makes use of offline signatures + customer-side MFA + multiple signatures. This guarantees that only the asset holder is able to sign off transactions or transfer assets.”

This separation of the Fortris security layers creates an environment in which each independent key location never trusts another location until all of its security checks have been satisfied.

This fail-closed design means that indications of malicious activity are detected and contained immediately by shutting the system down.

Fortris’ Head of Security, Liudvikas Jablonskas, said “We were impressed with the level of detail that was put into the Detack penetration testing exercise. They put our security protocols and infrastructure to the test with a thorough audit of our system.”

Key points

  • No authorization or authentication issues were found for any of the financial functionality.
  • Unlike conventional multi-factor authentication (MFA) systems, the second factor in Fortris is controlled by the customer rather than by the application.
  • Complete separation of transaction signing from data access, account balances, transaction overviews and other financial functions makes it extremely difficult to gain access to customer funds.