Introduction

  • 5 minutes

As we learned in the Threat Modeling Security Fundamentals Learning Path, threat modeling is an effective technique to help secure your systems, applications, networks, and services. It can also help secure your company infrastructure.

Infrastructure threat modeling uses a data-flow diagram to show how data flows in the enterprise. It also shows how it's protected at each stage in the lifecycle.

The process helps you find ways to reduce or eliminate risk using security policy-based assessment questions and the threat modeling framework.

Threat Modeling Framework

The threat modeling framework is flexible, and can be easily used for your infrastructure. Let's revisit the framework, which is primarily found in our Threat Modeling Security Fundamentals Learning Path:

Threats

Threat Security control Affected elements
Spoofing.
Spoofing is when you pretend to be someone in a company to access their data.		 Authentication
Authenticate everyone using strong authentication methods, like multi-factor authentication.		 Process
Process

External entity
External entity
Tampering.
Tampering is when you change enterprise data without permission		 Integrity
Prevent data modification by using available integrity methods, like encryption.		 Process
Process

Data store
Data store

Data-flow
Data-flow
Repudiation.
Repudiation is when you hide sensitive actions from the enterprise to avoid repercussions.		 Non-repudiation
Use non-repudiation methods to tie users to their actions, like security logging and monitoring.		 Process
Process

External entity
External entity

Data store
Data store
Information disclosure.
Information disclosure is when you read or share enterprise data without permission.		 Confidentiality
Enforce confidentiality to protect data against unintended disclosure, like Data Leakage Prevention (DLP) systems.		 Process
Process

Data store
Data store

Data-flow
Data-flow
Denial of service.
Denial of service is when you bring the enterprise down.		 Availability
Use availability mechanisms to ensure the enterprise handles each request, like elastic resources and other resiliency strategies.		 Process
Process

Data store
Data store

Data-flow
Data-flow
Elevation of privilege.
Elevation of privilege is when you unlawfully access resources above your permission level.		 Authorization
Use authorization mechanisms to ensure each user has the right permissions to carry out their requests, like Access Control Lists (ACL).		 Process
Process

Security Domains

The security domains discussed in this module are similar to the ones used by Microsoft.

They can also be mapped to requirements from well-known institutions, such as the International Organization of Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST):

Security Domain What it means
Access Control domain.
Access control		 Learn how the enterprise grants, manages, and revokes access to resources. Also, understand the process employees go through to access those resources.
Secure Development domain.
Secure development		 Discover how engineering work is managed, secured, and stored.
Business Continuity domain.
Business continuity		 Learn what happens to the enterprise during an outage and what they do to reduce the effect.
Cryptography domain.
Cryptography		 Find out how data is protected at-rest, in-transit, and in-use.
Asset Management domain.
Asset management		 Uncover how physical and logical assets are created, managed, and retired.
Legal domain.
Legal		 Understand the legal and regulatory obligations for both employees and the company.
Incident Response domain.
Incident response		 Learn how incidents are handled for both the enterprise and product.
Network domain.
Network		 Discover how the network is protected against security threats.
Operations domain.
Operations		 Learn how well security is integrated with daily operations.
Physical and environmental domain.
Physical and environmental		 Discover how people, assets, and facilities are protected against security or environmental threats.
Governance domain.
Governance		 Find out what the strategic direction for the enterprise looks like. Also, learn how they manage security risks.
Security architecture domain.
Security architecture		 Confirm how security baselines are created, managed, and enforced. Also, discover how different platforms securely work together.
Supplier risk domain.
Supplier risk		 Learn how does the company decides who to do business with. Also, find out how they enforce supplier security and support.

When should I threat model my infrastructure?

Infrastructure threat modeling is ideally done before the infrastructure goes live, and then again each time a component is added or changed. Examples include:

  • A small, early stage tech start-up building their infrastructure from scratch.
  • A small brick-and-mortar retailer expanding to their online customer base.
  • A gaming studio adding a domain controller to centralize access and manage assets.

Who can threat model the infrastructure?

Any IT professional with a basic understanding of security can create an infrastructure threat model.

They need to work with people from other divisions, like legal, human resources, and finance, to get a better picture of the current state-of-security.

When completed, this exercise helps you identify and incorporate missing security requirements and controls across the enterprise.

Learning objectives

In this module, you explore the four steps in the infrastructure threat modeling process, allowing you to:

  • Understand the importance of a well-defined, open-ended questionnaire to get a better view of the infrastructure.
  • Visualize how each component interacts with the other with a detailed data-flow diagram.
  • Identify infrastructure security gaps using a combination of security policies and the threat modeling framework.
  • Reduce or eliminate risk with known security requirements and controls.

Prerequisites