Threat Modeling: A Blog Series
Whenever HighSide builds anything, we start from the threat model, with the goal of closing off as close to 100% of the avenues for data compromise as we can. We'd like to say 100%, but no system is perfect. HighSide's design starts with a metaphorical solid concrete box: if your data were sealed inside, it would be completely secure, but it would not be very usable. We then give admins permissions and controls to "poke holes" in the box, put bars on those holes, install security cameras, and even destroy the contents of the box if needed.
This approach is in pretty stark contrast with the general application development world. Typically applications are built with access as the first and fundamental priority, which means security becomes a bolted-on afterthought. Think about it like this... is it easier to secure your valuables if your house has one door with a biometric lock and no other access points? Or... if your house is made entirely of doors with standard keys shared among everyone in your family and circle of friends?
Puts it into perspective eh?
HighSide maintains an internal threat model document that guides all our application design decisions. Our goal is to eliminate every possible internal and external threat by default, and to give the admin the tools to decide who, what, when, and where access should be granted. For example, we treat the physical device, the one a user installs the HighSide application on, as a weak point. That device could be lost, stolen, or remotely compromised. Exploiting a lost or stolen device is hard work for an adversary, as it usually requires physical access, but some of our customers operate in a world where that is not out of the question.
While the decision to let a specific user install and run the application rests with the HighSide administrator, we also give admins safeguards against even this most serious type of threat. For example: the ability to remotely wipe the encrypted contents of a user's HighSide application, including all their files and communications. An admin can also enforce MFA (on top of the device-centric, passwordless authentication HighSide is known for) to further ensure that whoever holds the physical device is who they claim to be.
But what about insider threats? Yep, we've got this covered too. One way is to feed our event API into a tool like Splunk or Sumo Logic and run correlation rules for anomalous behavior; with the right logic, a bad actor can be identified from their actions alone. Another way we give admins tools against insider threat is by limiting a user's access to data that has been explicitly shared with them. With a decentralized, private root-of-trust encryption model, there is no risk of an admin or other privileged user gaining access to data they are not explicitly authorized to use. Even an admin who manages the data store cannot read or use that data, and nothing they can do will change that.
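As an added illustration of the "correlation rules for anomalous behavior" idea (this is example code written for this page, not HighSide's own code or the real shape of its event API): the script below assumes each audit event arrives as a JSON object with `ts`, `user`, `device`, `action` and `file` fields, runs three constructed rules over constructed sample events (a burst of distinct-file downloads, a login from a device never seen for that user, and downloads outside business hours), and then correlates the rule hits so that a user tripping two or more rules is surfaced as a likely bad actor. The thresholds and the sample events are assumptions chosen for the demonstration.

```python
"""Correlation rules over constructed HighSide-style audit events.

Added example, not HighSide's own code. The event schema (one JSON object
per line with ts/user/device/action/file) and the thresholds are assumptions.
In production the same logic would be a Splunk or Sumo Logic search; it is
written in plain Python here so it runs and can be checked offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real HighSide output). Timestamps are UTC.
SAMPLE_EVENTS = """
{"ts": "2024-03-04T09:01:00Z", "user": "alice", "device": "alice-laptop", "action": "download", "file": "q1-plan.pdf"}
{"ts": "2024-03-04T09:02:10Z", "user": "alice", "device": "alice-laptop", "action": "view", "file": "roadmap.docx"}
{"ts": "2024-03-04T23:14:00Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "payroll.xlsx"}
{"ts": "2024-03-04T23:14:30Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "contracts.zip"}
{"ts": "2024-03-04T23:15:05Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "board-deck.pptx"}
{"ts": "2024-03-04T23:15:40Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "customer-list.csv"}
{"ts": "2024-03-04T23:16:12Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "source-backup.tar"}
{"ts": "2024-03-04T23:16:50Z", "user": "bob", "device": "bob-phone", "action": "download", "file": "keys.txt"}
{"ts": "2024-03-05T10:00:00Z", "user": "alice", "device": "unknown-win-7f3a", "action": "login", "file": null}
{"ts": "2024-03-05T10:00:20Z", "user": "alice", "device": "unknown-win-7f3a", "action": "download", "file": "q1-plan.pdf"}
"""

# Assumed baseline of devices each user has enrolled before this log starts.
BASELINE_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-phone"}}

# Assumed thresholds; tune to the organisation's normal activity.
MASS_DOWNLOAD_THRESHOLD = 5            # distinct files ...
MASS_DOWNLOAD_WINDOW = timedelta(minutes=10)  # ... within this sliding window
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 UTC is "normal"


def parse_events(text):
    """Parse one JSON event per line; ts becomes a datetime for arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def rule_mass_download(events):
    """Users who downloaded >= THRESHOLD distinct files inside WINDOW."""
    hits = set()
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > MASS_DOWNLOAD_WINDOW:
                start += 1
            distinct = {e["file"] for e in evs[start:end + 1]}
            if len(distinct) >= MASS_DOWNLOAD_THRESHOLD:
                hits.add(user)
    return hits


def rule_new_device(events, known_devices):
    """Users whose activity came from a device not in their baseline."""
    hits = set()
    seen = {u: set(d) for u, d in known_devices.items()}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["device"] not in seen.setdefault(e["user"], set()):
            hits.add(e["user"])
            seen[e["user"]].add(e["device"])  # alert once per new device
    return hits


def rule_after_hours(events):
    """Users who downloaded files outside BUSINESS_HOURS."""
    return {e["user"] for e in events
            if e["action"] == "download" and e["ts"].hour not in BUSINESS_HOURS}


def run_rules(text, known_devices):
    """Run every rule and return {rule_name: sorted list of flagged users}."""
    events = parse_events(text)
    return {
        "mass_download": sorted(rule_mass_download(events)),
        "new_device": sorted(rule_new_device(events, known_devices)),
        "after_hours": sorted(rule_after_hours(events)),
    }


def correlate(findings, min_rules=2):
    """Users flagged by at least min_rules distinct rules, sorted."""
    counts = defaultdict(int)
    for users in findings.values():
        for u in users:
            counts[u] += 1
    return sorted(u for u, n in counts.items() if n >= min_rules)


if __name__ == "__main__":
    findings = run_rules(SAMPLE_EVENTS, BASELINE_DEVICES)
    for rule, users in findings.items():
        print(f"{rule:14s} -> {users}")
    print("correlated    ->", correlate(findings))
```

On the constructed sample, `bob` trips both the mass-download and after-hours rules and is the only user the correlation step surfaces, while `alice` trips only the new-device rule, which on its own is worth a lower-severity alert rather than an incident. The mass-download rule is the shape of thing a SIEM search would express directly; assuming the events were indexed in Splunk with the same field names, the rough equivalent is `action=download | bin _time span=10m | stats dc(file) AS files BY user _time | where files>=5`.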
These are just some examples of the types of threats we think about and solve for. It's why HighSide is the most secure, compliant and controlled file-sharing & collaboration platform on the market. Over the next handful of weeks we'll be publishing more deep-dive blogs on various threats we address, including some of the aforementioned ones.
Stay tuned for more fun security noodles. Oh, and don't forget to start testing HighSide today (it's free!)