What makes trust boundaries a challenging concept?

  • 19 November 2022
  • 8 replies
  • 377 views

Userlevel 3
Badge

I routinely hear people struggle. Perhaps it's been too long since I first encountered it. Have you heard a good explanation of why it's hard? Do you have one of your own? What helped you overcome it? How do you teach it, or elicit boundaries when you’re leading threat modeling work?


8 replies

Userlevel 2
Badge

Perhaps we should start simply, what is the definition of a trust boundary? What exactly do we mean by that?

Userlevel 3
Badge

Exactly? A boundary is where principals can interact.

 

It turns out that’s pretty abstract, and relies on an unfamiliar concept.

I usually say it’s where some level of trust stops.  What that “trust” actually is, depends on the context. e.g. Two endpoints trust each other (to some extent) because they are on the same domain etc.  

Thanks for asking this @adamshostack.

Curious to hear successful stories of explaining trust boundaries to product teams interested in trying out Threat Modeling.  

Userlevel 2

Personal opinion? It’s a hard concept because we don’t have examples that reflect non-technology concepts. Instead, I think how trust boundaries are introduced is important. To that end - what’s the simplest definition of Trust? Ilike the recent Zero Trust movement, because it’s given rise to context that helps me understand trust. In specific, I like this definition:

 

[ZTA] is implemented by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

 

By this logic, a “trust boundary” is where:

  1. identity has the potential to change needs to be verified
  2. ownership and administration of resources change teams or permissions
    or
  3. policy and access controls affect explicit actions

The first two can be easy to represent on a DFD, but the last one is made difficult without an understanding of RBAC on a whole, roles & policies and how they relate to group memberships, AND the potential different applications of those concepts in different systemic contexts.


To illustrate, I love asking for 4 workflows;

  • What is your user workflow? This is usually the most restrictive, and is the “happy path”.
  • What is your administrator workflow? This usually is your operational response workflow, as well as deployment methodologies and systems. Here, you have MORE tools.
  • Do those tools relate to users from the previous workflow? If not, what are the differences? Is that new system coordinated across all the products and services?
  • What are your external interactor workflows? How do they differ from the above two?

By challenging participants to define identity, ownership, and policy - you build the concept of trust within people. To your point @adamshostack - Trust relies an understanding of an abstract concept.

Userlevel 3
Badge

Personal opinion? It’s a hard concept because we don’t have examples that reflect non-technology concepts. Instead, I think how trust boundaries are introduced is important. To that end - what’s the simplest definition of Trust? Ilike the recent Zero Trust movement, because it’s given rise to context that helps me understand trust. In specific, I like this definition:

 

I think a pretty good non-tech analogy would be border controls: for example travel inside Schengen area vs travel outside of this boundary. Or zones within the airports in general. What’s the difference in having the security controls at the perimeter (faster gates as people at the gate are somewhat trusted), or a  security checks in front of each gate? They are more hellish in my experience, as up to this point incoming and outgoing traffic is allowed to merge, so less trust at this data flow. 

Userlevel 3
Badge

Given the new push for zero  trust threat modeling, I wonder if the trust boundaries would start to align with the Policy enforcement points and policy decision points by default. 

 

Generally though, I don’t think organizations struggle with trust boundaries, but I do see that almost every organization uses them differently. I think achieving concept parity within an organization is most important. 

Is something that is semi-recoursive. You can start with the “default” permissions of who can/should change/write or read to/from a specific subsystem of your whole system under study. But that profile may change during the threat model exercise so you need to reassess. The can vs. should should converge…

 

On the other side, as I pointed to Adam on LinkedIn, I found a good approach to (advanced) developers is to use “their” Domain Driven Development methodology, every boundary between different domains means a potential semantic mismatch of flowing information and most of existing vulnerability classes are due to that semantic mismatch (every injection, Cross-site, ..) or simply overriding access controls that allows you change the can/should match

Reply


V2