Security threat modeling guide #5322
Conversation
Signed-off-by: Ljupcho Palashevski <ljupcho.palashevski@ing.com>
lpalashevski
changed the title
lpalashevski
requested review from
mandy-chessell,
planetf1,
davidradl,
bogdan-sava and
mstrelchuk
Signed-off-by: Ljupcho Palashevski <ljupcho.palashevski@ing.com>
There was a problem hiding this comment.
Additionally from the diagram
- Authentication has a mis-spelling
- the view server does not do authentication. The UI has sample users built in & we've dicussed adding a plugin for auth - but that is the UI backend not the view service (and would use an ldap connector, but not necessarily the same as that used for authorization)
|  | ||
|
|
||
| ### Determine possible threats | ||
| Most common threat categories following [STRIDE](https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)?redirectedfrom=MSDN) methodology each violating some aspect of the CIA triad. |
There was a problem hiding this comment.
I don't know the topic area, but I note from the link that the article is from 2009 and there's a banner 'We're no longer updating this content regularly. Check the Microsoft Product Lifecycle for information about how this product, service, technology, or API is supported.' Not necessarily a problem, but if there's a later good source that would be worth adding
There was a problem hiding this comment.
Can we also clarify the definition of CIA triad or add a link (I have to admit I had to look it up)
| Egeria does not store and manage sensitive user identity information such as usernames with passwords. | ||
| Egeria Open Metadata Security module delegates this responsibility to dedicated security connectors that can be developed to integrate with external Identity Management system. | ||
|
|
||
| Learn more about [Open Metadata Security](https://egeria.odpi.org/open-metadata-implementation/common-services/metadata-security/). |
There was a problem hiding this comment.
We may need to add distinct links to any UI components, or identify them as not addressed here.
Also the doc linked is primarily about user authorization, but related is user authentication - do we need to clarify (it is implied by the first sentance) that WE DO NOT DO THIS. Even with the security connectors? Authorization would typically lie in the layers outside egeria -- for example via enterprise signon in the UI, and via other controls on services (could even be api guards) for the backend?
|
|
||
| #### Tampering with data | ||
|
|
||
| Access to metadata in Egeria platform is also controlled by Open Metadata Security connectors. |
There was a problem hiding this comment.
Do we need to clarify that data in egeria is generally not encrypted, nor do we have checksums so we are subject to OS/environment controls
| #### Tampering with data | ||
|
|
||
| Access to metadata in Egeria platform is also controlled by Open Metadata Security connectors. | ||
| You can configure and use security API to introduce access control on different levels like Platform and Server. |
There was a problem hiding this comment.
Should we say that plugins can be developed that use the security API .....
| #### Information disclosure | ||
|
|
||
| Egeria supports transport level security for its components to minimize information disclosure on the data in transit. | ||
| Although SSL/TLS is enabled by default in the Egeria Open Metadata Platform, it is strongly recommended that consumers configure all components using strong encryption and preferred trusted PKI. |
There was a problem hiding this comment.
I'm not sure what the last sentence means - but an important task is to ensure you use your own certificates and keys and do not use what is provided for a production environment. It's also important to note the strong encryption is at the transport level for incoming https requests. There is also configuration required, for example, for any back end metadata servers which is subject to their connectors.
| #### Denial of service | ||
|
|
||
| Some core Egeria components are designed to counter threats like DoS. Measures like MaxPageSize on APIs that read metadata or throttling mechanism for the React UI login page. | ||
| However, consumers should also plan to mitigate these threats on infra/service level by enforcing additional counter measures on key components such as Gateways (Revers Proxy). |
There was a problem hiding this comment.
Revers->Reverse
Do we need to recommend orgs perform their own tests?
|
|
||
| #### Elevation of privilege | ||
|
|
||
| It is strongly advised that multiple mitigation factors are in place on infrastructure level. Some include principle of least privilege and Application security monitoring. |
There was a problem hiding this comment.
important here is the reference to authentication vs authorization - generally egeria is only doing the latter, not the former
|
We should also note that the 'demos' we have -- ie the labs, dojo, helm charts, docker-compose all make use of hardcoded (even if via config files) passwords. They are intended for learning and demos, not production. |
|
|
||
| Lear more about [Open Metadata Security connectors](https://egeria.odpi.org/open-metadata-implementation/common-services/metadata-security/metadata-security-apis/). | ||
|
|
||
| #### Repudiation |
There was a problem hiding this comment.
Presumably here we need to recognize the egeria framework is one part of the system. To really address repudiation we need other aspects like authentication, encryption etc?
| # Building a Threat Model | ||
|
|
||
| Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigation can be prioritized. | ||
| It is recommended that consumers embrace threat modeling technique and walk through series of concrete steps in order to fully understand the environment and specific solution you are trying to build and secure. |
There was a problem hiding this comment.
I am wondering who the consumers are here.
| - What do I need to do to safeguard against these threats? | ||
|
|
||
| Egeria's architecture allows consumers to make specific choices and minimize risk factors from the early solution design phase. | ||
| Here we outline some generic aspects that can help you to build model specific to your solution using Egeria Open Metadata Platform. |
| - What do I need to do to safeguard against these threats? | ||
|
|
||
| Egeria's architecture allows consumers to make specific choices and minimize risk factors from the early solution design phase. | ||
| Here we outline some generic aspects that can help you to build model specific to your solution using Egeria Open Metadata Platform. |
There was a problem hiding this comment.
I think 'Egeria Open Metadata Platform' might be confused with platforms. I suggest removing the word platform.
| - What are the most relevant threats? | ||
| - What do I need to do to safeguard against these threats? | ||
|
|
||
| Egeria's architecture allows consumers to make specific choices and minimize risk factors from the early solution design phase. |
There was a problem hiding this comment.
Maybe before this sentence we could say something like: 'Using open metadata in your IT architecture means that you can build on the thinking outlined here by the community around how Egeria deals with different types of threats.
| Egeria's architecture allows consumers to make specific choices and minimize risk factors from the early solution design phase. | ||
| Here we outline some generic aspects that can help you to build model specific to your solution using Egeria Open Metadata Platform. | ||
|
|
||
| ### Decomposing the solution and identifying data flows |
There was a problem hiding this comment.
I am not sure what he solution is here. I think this needs explanation
| ### Decomposing the solution and identifying data flows | ||
|
|
||
| - Identify high level application components; | ||
| - Identify metadata flows; |
There was a problem hiding this comment.
Do we mean actually mean metadata flows or also instance flows dictated by metadata.
| - Identify metadata flows; | ||
| - How metadata is stored? | ||
| - How metadata is accessed? | ||
| - Identify how Egeria interacts with external entities; |
There was a problem hiding this comment.
A bit confusing using the word entities as this has a meaning internal to Egeria.
| - How metadata is exchanged? | ||
| - Identify Trust boundaries and security measures; | ||
|
|
||
| Common data flow patterns between components in Egeria solution: |
There was a problem hiding this comment.
Egeria solution - maybe replace with an architecture built around open metadata.
|
|
||
| #### Repudiation | ||
|
|
||
| Egeria platform uses its AuditLog framework help with diagnostics, auditing and data repudiation threats. All system events, user operations are recorded and published to AudiLog subsystem. |
There was a problem hiding this comment.
I would go stronger than help, I would say the Audit log framework provides a trusted record of what has happened around metadata including errors.
spelling 'AudiLog' is incorrect.
I don't think every user operation is audit logged. That would be an activity log.
| Egeria platform uses its AuditLog framework help with diagnostics, auditing and data repudiation threats. All system events, user operations are recorded and published to AudiLog subsystem. | ||
| You can configure different severity levels and extend this framework to send audit log trails to variety of external systems. | ||
|
|
||
| Lear more about [Diagnostics and Auditing](https://egeria.odpi.org/open-metadata-publication/website/diagnostic-guide/). |
|
This PR has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
no-pr-activity
lpalashevski
removed
the
no-pr-activity
|
This PR has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
no-pr-activity
lpalashevski
removed
the
no-pr-activity
|
This PR has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
no-pr-activity
Signed-off-by: Ljupcho Palashevski ljupcho.palashevski@ing.com