In this blog post I will introduce you to the Microsoft Threat Modeling Tool (TMT) and how it can be used specifically with the Microsoft Azure environment for application development and application deployment purposes. In order to do this, I will take a specific example, using the Enzo Cloud Backup tool my company is building, and show you how to perform a high level threat model for a specific operation: a backup request.
First things first… what is the Threat Modeling Tool (TMT)? It’s a pretty cool piece of software that allows you to lay down your application architecture, with its various dependencies and protocols; it becomes a canvas for understanding and identifying potential threats. The tool itself may provide certain recommendations, and a list of checkpoints, but even if you decide to use the tool as a simple architecture diagram, it is very effective at doing so. You can use TMT to create simple, system-level diagrams, or to dive into specific operations to get into the data flow of your system. I refer to system-level diagrams as Level 0, and a data flow as Level 1. The deeper you go, the deeper the analysis. Interestingly enough, I am starting to use TMT as a troubleshooting guide as well, since it does a good job at representing inter-system connections and data flows.
As you draw your diagram, you will need to choose from a list of processes, external components, data stores, data flows and trust boundaries. Selecting the correct item in this list is usually simple; you also have Generic items that allows you specify every security property manually.
Enzo Cloud Backup – Level 0 Diagram
Let’s start with a Level 0 system diagram of the Enzo Cloud Backup system. As we can expect, this is a very high level overview which provides context for other more detailed diagrams. The Level 0 diagram shows two primary trust domains: the corporate network where Enzo Cloud Backup is installed, and the Microsoft Azure trust domain, where the backup agent is installed. This diagram also introduces the concept that the agent and the client communicate directly, and through an Azure Storage account. As a result, two communication paths need to be secured, and both happen to take place over an HTTPS connection. The cloud agent also communicates to an Azure Storage account through HTTPS within the Microsoft Azure trust boundary, and to a data source (that is being backed up or restored). A more complex diagram would also show the fact that multiple Virtual Machines could be deployed in the cloud, all communicating to the same storage account, but for simplicity I am only showing one Virtual Machine. Also note that in my Level 0 diagram I choose not to document the sequence of events; in fact my Level 0 diagrams are not specific enough to dive into specific events or data flows.
Although the diagram below shows boxes and circles, selecting the right stencil is important for future analysis. There are no specific visual cues on the diagram itself indicating if you are dealing with a Managed or Unmanaged process for example, but the tool shows this information in the Properties window (shown later) and it will use this information to provide a set of recommendations. In addition, each item in the diagram comes with a set of properties that you can set, such as whether a data flow is secured, and if it requires authentication and/or authorization.
Enzo Cloud Backup – Level 1 Remote Backup Operation
Now let’s dive into a Level 1 diagram. To do so, let’s explore the systems and components used by a specific process: a remote backup operation. Level 1 diagrams are usually more complex, and as a result need to show as many data stores as possible, and optionally identify the order of data flows. While TMT doesn’t natively give you the option to document the sequence of your data flow, you can simply name each data flow by adding a number in front of it to achieve a similar result. By convention, I use 0 as initialization tasks, 1 as the starting request, and sometimes I even use decimals to document what happens within a specific step. But feel free to use any mechanism you think works for you if you need to document the sequence of your data flows.
My Level 1 diagram below shows that a human starts the backup request through Enzo Cloud Backup, which then sends a request through a Queue. The backup service then picks up the work request and starts a backup thread that performs the actual work. The thread itself is the one creating entries in the history data store that the client reads to provide a status to the user. As we can see in this diagram, the cross-boundary communications are as expected from our Level 0 diagram. Also worth noting is that the backup agent reads from a configuration file; from a security standpoint this could represent a point of failure and disrupt the backup process if it is tempered with. The client depends on the local machine registry which is also a store to properly secure as a result. Last but not least, the numbering provided in front of each data flow allows you to walk through the steps taken during the backup request.
As mentioned previously, you can configure each item in the diagram with important properties which will ultimately help TMT provide recommendations. For example, I selected an HTTPS data flow for the Monitoring Status reading from the History Data store. Since I selected an HTTPS data flow, the tool automatically set some of the security attributes; I also provided information about the payload itself (it is a REST payload for example). Other properties, not shown below, are also available. And you can create your own properties if necessary, for documentation purposes.
Going Further with TMT
TMT is being used by large corporations to provide more detailed application diagrams, going as far as internal memory access. In fact the tool allows you to add notes, and have a checklist of important security verifications for your diagrams. TMT also comes with a build-in security report that gives you which steps you should consider in making you system more secure. The following diagram is a short sample output of this report for the Registry Hive access. The more information you provide, including the properties on your data stores, data flows, processes and trust boundaries, the better.
Last but not least, the tool comes with an Analysis view of your diagram, which is the basis for generating the report shown above. For example TMT identified that the History Data store could become unavailable; while this sounds like a simple problem to solve through a retry mechanism, this could be used as a Denial of Service attack against the tool. Note that TMT will highlight the component in question to make it easy to understand the area at risk.
Give it a ride! TMT is easy to use and provides a solid framework for documenting and analyzing your systems; and since most corporations have a vested interested in securing they applications in the cloud, TMT offers the framework to do so. To learn more about TMT, check out this link: http://blogs.microsoft.com/cybertrust/2014/04/15/introducing-microsoft-threat-modeling-tool-2014/.
About Herve Roggero
Herve Roggero, Microsoft Azure MVP, @hroggero, is the founder of Blue Syntax Consulting (http://www.bluesyntaxconsulting.com). Herve's experience includes software development, architecture, database administration and senior management with both global corporations and startup companies. Herve holds multiple certifications, including an MCDBA, MCSE, MCSD. He also holds a Master's degree in Business Administration from Indiana University. Herve is the co-author of "PRO SQL Azure" and “PRO SQL Server 2012 Practices” from Apress, a PluralSight author, and runs the Azure Florida Association.