Question: What's the purpose of defining trust boundary?

Question

Question: What's the purpose of defining trust boundary?

rucciva opened this issue 10 months ago · comments

Hi, thanks for creating this apps.

Just wondering, what would be the effect of not defining trust boundary? I've tried creating threat model with and without trust boundary but aside from the dfd, there is nothing different, especially in the threat report.

Izar Tarandach · Answer 1 · Mon Aug 28 2023 20:37:58 GMT+0800 (China Standard Time)

Right now we are not using the Boundary class for any rules, but there is a crosses() function defined that checks if a dataflow is crossing boundaries. It is functionality that is intended to improve in the next iteration of rules (coming RSN).

I Putu Ariyasa · Answer 2 · Mon Aug 28 2023 20:46:02 GMT+0800 (China Standard Time)

Thanks @izar for the explanation.

Another thing, in theory, does crossing multiple boundary different from crossing just one boundary in terms of possible threat?

Izar Tarandach · Answer 3 · Mon Aug 28 2023 21:44:21 GMT+0800 (China Standard Time)

Do you mean crossing nested boundaries?
I guess that would depend on how the crossing happens, that is, if there is a change in trust at every boundary or only one big leap from the inner to the outer, for example. Can you give a scenario?

I Putu Ariyasa · Answer 4 · Mon Aug 28 2023 21:59:13 GMT+0800 (China Standard Time)

Yes, nested boundaries.

For example:
Users -> web server -> db

Where

Db is inside a boundary, which is rds cluster,
Web server in a boundary which is kubernetes cluster,
Rds and kubernetes boundary are inside the same vpc, which separate against the user.

When user access the web server, they will cross both the vpc and kubernetes cluster.

I Putu Ariyasa · Answer 5 · Mon Aug 28 2023 22:02:25 GMT+0800 (China Standard Time)

Or, should i add load balancer between user and web server (just like in reality) as an element, that way user will cross only the vpc boundary, while communication from lb to webserver will cross kubernetes boundary, and web server to db will cross rds cluster blundary?

Izar Tarandach · Answer 6 · Mon Aug 28 2023 22:06:06 GMT+0800 (China Standard Time)

If the load balancer is something you want to be in scope of your threat model, then it should be there. But I think that here in this case, even though the trust boundaries are nested, the request is not really traversing them all - as you probably don't have users going straight to the db. So the trust chain is user->web server, web server->rds with different identities (right?) and possibly distinct modes of authn and authz. The threats in that case would be distinct and separate, I believe.

I Putu Ariyasa · Answer 7 · Mon Aug 28 2023 22:36:49 GMT+0800 (China Standard Time)

Noted @izar , its clear now.
Thanks