Building a threat model for a PaaS based Cloud service



A while back I worked with a great Architect general guru of secure code. Adam Shostack who is a foremost expert when it comes to threat modeling. He does a great job in help educate us all in how you should plan a secure solution before you build it. A threat model should be seen as a key design element before code is started, similar to a floor plan in a house design.

In this blog I wanted to illustrate the value and methods required to build a threat model, and tie it back to work I recently published, Payment Processing Blueprint for PCI DSS-compliant environments which included sample threat model for a cloud based PaaS solution. Wow, that’s great a free starter threat model to an architecture, what else can you ask for?



What does it take to create your very own threat model?

  1. Think like an attacker, it’s important to see the problem from the attackers point of view when designing, or architecting a solution. For instance that includes thinking about what and how an attacker might consider ingress and egress to an architecture.
  2. Revisit, and improve your work. A threat model requires you to reconsider new attacks and how they might affect your solution. This may seem like a full time job, but it is not. However when considering an architecture redesign, or upgrade, might be a good time to look at your design, and consider if anything changed, and could be affected by the new attacks.
  3. Threat modeling does not have to be complicated. The model should help spur discussion and consideration. Once you have your threat model share it with your peers, review, and consider the risks. Bottom line it’s about keeping your solution and services secure, it’s not an ego trip!
  4. Threat modeling should be part of your skill set, as well as anyone else that works on your solutions. You should consider threat modeling as a ‘required’ skill for all your PM’s and Dev’s. This is a corner stone of a skill to build securely. Security cannot be an afterthought.
  5. You must practice to become proficient. It’s not good enough to do once….say the first year of university, or college. As outlined in my last point, it needs to be part of your skill you practice repeatedly. It’s like using git… you need to keep at it to really know it..ha..ha…
  6. There is no one way to start a threat model, looking at the attacks, or evaluate your assets are two most popular ways to start the process. For instance if you start by looking at your assets, consider the loss associated with the service, and map out the cost associated with the possible loss of service/assets.
  7. Threat modeling is a specialty, and I did state that everyone on a team should practice the effort, it’s essential to consider having a specialist who gets threat molding on your phones quick dial. It’s like finding a lawyer, to defend you in court vs, pretending to be one by watching law videos on YouTube.
  8. Consider the big picture when modeling threats. It’s not only code related issues that need to be addressed to protect a solution some are process related solutions. For instance DDOS issues can be mitigated using an edge DDOS protection service/solution.
  9. Threat modeling is not ALL about the threats. It’s essential to consider how your requirements, and mitigations resolve or mitigate threats.
  10. And as mentioned in point 4, threat modeling and security cannot be an afterthought. The effort of securing your solution at design time is key to success.

Now what, where to go from here.

I’d say download the threat modeling tool, grab a copy of the threat model provided for the Payment Processing Blueprint for PCI DSS-compliant environments and deploy the solution. I find the best way to learn how to do…. Is to try with a reference.

Once you’ve tried, let me know what you think… Does the threat model meet the 10 criteria?

Comments

Post a Comment

Popular posts from this blog

Protecting sensitive data

Image
Last month I wrote an article on key things to consider when protecting high valued assets or sensitive data. The article called Security Tip of the Month: Protecting Highly Sensitive Information addressed some of the key items that organizations should consider when protecting data that has the possible impact on an organization that is irreparable. As my article stated the cost of protecting this data tends to be higher than most data. Fact is that this data is not traditionally just sensitive such as credit card data, or HR data. Key indicators of what is High Value Data can be summed up like this. Assets that are considered to be of high value will frequently have the potential to cause the following conditions if they are lost or divulged: •        Loss of life - such as an informant list •        Regulatory fines - such as financial performance data •        Significant damage to the business - such as code signing and encryption keys (private) or trade secrets
Read more

Secure workstation - Root of trust to manage the cloud

Image
Two months ago I introduced the Azure secure workstation, and I’ve had the privilege to present the ideal to some great audiences. From the discussions, a common question I’ve been asked is a pattern that would provide the Secured PAW model lock down scenario to exclusively manage an Azure Portal (EG how to I assure only secured workstation, and users assigned to the program can manage my cloud services)? In this article I’ll provide the NEXT step to accomplish exactly that outcome. This includes additional configurations that I only lightly covered, or net new technology to apply since the publishing of the doc. Proposed outcome “ How do I” Use a Secured workstation (that I can trust) to manage my Azure cloud. Here’s how I would deploy the solution. First I will start by deploying the Secured Workstation model this using the secured profile. New technology, and capabilities to add: Hardware root of trust – in our solution we post the idea that you can
Read more

Why is privileged access important?

Image
Last year about this time I had published updates to the Azure Secure Workstation that was originally released two years ago. And This month the solution has been considerably rewritten and revised to provide a better more complete management for privileged access!  Collaborating with two great security experts James Noyce, and Mark Simos The content got a massive overhaul, and a broad perspective on what it takes to build and manage a comprehensive privileged access solution, including account management, device management, intermediaries such as VPN's and interfaces such as Web and Cloud services. Additionally, the solution was uniformly designed with three distinct security levels that anyone reading the article can deploy from a more flexible Enterprise security, to a comprehensive isolated PAW or privileged Access Management. Over the past two years I've been working to explain and illustrate how you can use a cloud-based solution to build an effective Zero tr
Read more