The crux of the matter with complex application systems is that they are composed of many components which communicate with each other. Most users, and sometimes even the IT application administrators, equate a single component, e.g. the web service they use through their browser, with the entire application system.
When it comes to information classification, this limited view prevents the identification of the really important components, namely those where the critical information is stored and processed. As a result, money is wasted on protecting less relevant system components while critical components remain unprotected.
In these cases the development of a threat model will lead to a far better understanding of the application system.
Just start with the user’s view of the system. Arrange meetings with application developers and administrators, key users, system architects and administrators. Show them your model and ask them to add more details. After some time you will get a more detailed model and a much better understanding of the application system, the really important components and the information flow between the components.
On Wednesday I had such a light-bulb moment. We discussed information stored in an EH&S system. From this system Material Safety Data Sheets (MSDS) are created for shipment of dangerous goods. The carrier receives a copy and has to show this copy to the authorities on request. Why should we keep this information secret?
After some discussions we identified the system component where the really important information was stored and managed. The EH&S system holds only an extract of the information which is required to create the MSDS.
The threat model was of great help in this case. As soon as we added the new component the STRIDE approach showed us the direction to a stronger protection of the critical information.
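The effect of adding the missing component can be shown with a small data-flow model. This is an added example, not part of the original post: the element names, the three-level classification scale and the use of the common STRIDE-per-element chart are assumptions, since the post names neither the upstream component nor a STRIDE variant.

```python
from dataclasses import dataclass

# STRIDE-per-element chart (common convention, assumed here; the post only says "STRIDE").
STRIDE = {
    "external": "SR",      # external entity
    "process": "STRIDE",
    "store": "TRID",       # R is usually applied only when the store holds logs
    "flow": "TID",
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}
LEVELS = ["public", "internal", "confidential"]  # constructed classification scale


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external | process | store | flow
    classification: str = "public"  # highest class of data held or carried


def threats(model):
    """Return (element, threat, classification) rows, most sensitive first."""
    rows = [(e.name, NAMES[c], e.classification)
            for e in model for c in STRIDE[e.kind]]
    return sorted(rows, key=lambda r: -LEVELS.index(r[2]))  # stable sort


def critical_elements(model):
    """Elements holding or carrying the highest classification in the model."""
    top = max(LEVELS.index(e.classification) for e in model)
    return [e.name for e in model if LEVELS.index(e.classification) == top]


# Constructed models: the user's first view, then the view after the workshops.
USER_VIEW = [
    Element("carrier", "external"),
    Element("ehs_web_service", "process", "internal"),
    Element("ehs_msds_extract", "store", "internal"),
    Element("msds_to_carrier", "flow", "public"),
]
REFINED_VIEW = USER_VIEW + [
    Element("upstream_master_store", "store", "confidential"),  # hypothetical name
    Element("extract_to_ehs", "flow", "internal"),
]
```

Running `critical_elements` on both models shows the focus of protection moving from the EH&S components to the newly added store, and `threats` lists that store's entries first.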
Have a good weekend.