What Can Go Wrong When You Trust Nobody? Threat Modeling Zero Trust


Authors:   James Callaghan


The presentation discusses the use of threat modeling in a fictitious example of a workload architecture, and the importance of prototyping early to understand how technologies integrate with each other and what can go wrong.
  • The example architecture includes an external facing service using TLS, mutual TLS for service communication, and web identity federation for accessing AWS services
  • Two approaches are presented: a simple web service and a service mesh approach using Istio and OPA
  • Data flow diagrams are essential for threat modeling and can be used to apply STRIDE to individual communications
  • Prototyping early helps to understand technology integration and potential issues
  • The presentation includes a relevant anecdote about a last-minute issue with AWS policies on S3 buckets
During the presentation, the speaker encountered an issue with AWS policies on S3 buckets that had changed the day before. This caused panic as the demo was not working, but after some troubleshooting, the issue was resolved and the demo was successful.


With the prevalence of cloud-native technologies continually growing, and organisations increasingly adopting multi-cloud and hybrid architectures, it has never been more important to discuss the principles of Zero Trust. In order to fully apply the philosophy of ‘never trust, always verify’, we must build systems with a sound understanding of the adversaries who may wish to compromise our data, how such a compromise could occur, and how we can protect ourselves by implementing proportionate, layered security controls. The foundation on which we can construct this ‘secure by design’ approach is threat modeling. In this talk, we will: - introduce the fundamental concepts of threat modeling, and how they can be applied to systems made up of many distributed cloud-native workloads; - demonstrate a simple system built using Zero Trust principles, with workloads running on an Istio service mesh within a Kubernetes cluster; - show how cryptographically strong workload identities can be provided by a SPIRE server; - demonstrate how Istio External Authorization can delegate layer 7 authorization decisions to OPA sidecars; - build our threat model and introduce controls following the Zero Trust philosophy, including a demonstration of custom signing and verification of OPA bundles.