This is an initial draft of the STRIDE model of threat mitigation in authentication performed on Kubernetes clusters.
STRIDE stands for
Spoofing Identity – is the threat when a user can impersonate another user
Tampering with data- is the threat when a user can access Kubernetes resources or modify the contents of security artifacts.
Repudiation – is the threat when a user can perform an illegal action that the Kubernetes cannot deter
Information Disclosure – is the threat when say a guest user can access resources as if the guest was the owner.
Denial of service – is the threat when say a crucial component in the operations of the Kubernetes is overwhelmed by requests so that others experience outage
Elevation of privilege – is the threat when the user has gained access to the components within the trust boundary and the system is therefore compromised.
Usually we begin the process of evaluating against these factors with a control and data flow diagram.
A control flow diagram may look something like this:
Now we apply how the different threats can arise in this diagram by partitioning it between that which is within trust boundary and that which is outside.
When a user1 can behave like user2, that is considered spoofing. Possible defense might involve issuing tokens specific to users.
Tampering is when the user has successfully modified the token to her advantage.
Repudiation is when the user can hijack a valid token that the system cannot refure.
Denial of Service is when the user can tank the Identity provider (IDP) or the API server.
Elevation of privilege is when the user has compromised the IDP or the API server.
STRIDE stands for
Spoofing Identity – is the threat when a user can impersonate another user
Tampering with data- is the threat when a user can access Kubernetes resources or modify the contents of security artifacts.
Repudiation – is the threat when a user can perform an illegal action that the Kubernetes cannot deter
Information Disclosure – is the threat when say a guest user can access resources as if the guest was the owner.
Denial of service – is the threat when say a crucial component in the operations of the Kubernetes is overwhelmed by requests so that others experience outage
Elevation of privilege – is the threat when the user has gained access to the components within the trust boundary and the system is therefore compromised.
Usually we begin the process of evaluating against these factors with a control and data flow diagram.
A control flow diagram may look something like this:
Now we apply how the different threats can arise in this diagram by partitioning it between that which is within trust boundary and that which is outside.
When a user1 can behave like user2, that is considered spoofing. Possible defense might involve issuing tokens specific to users.
Tampering is when the user has successfully modified the token to her advantage.
Repudiation is when the user can hijack a valid token that the system cannot refure.
Denial of Service is when the user can tank the Identity provider (IDP) or the API server.
Elevation of privilege is when the user has compromised the IDP or the API server.
No comments:
Post a Comment