Hey friend! This week in the community, we want to talk about trust boundary and its definition.
According to SOTM 2024-2025, 72% of orgs use trust boundaries in their modeling. The most common definition: “a grouping of things that share the same level of trust / all trust each other.”
64% of people use that definition of a trust boundary, so that argument is finally settled, right? Right? (/throws grenade; /runs for cover)
This post is part of our new weekly ‘Peer Perspectives’ series! Each week, we’ll explore a new threat modeling topic and open it up for community discussion. For the coming weeks ahead, we’ll discuss one key finding from the newly-released State of Threat Modeling Report 2024-2025 each week.
Things inside the same trust zone, like with flood fill and neighbor pixels with the same color, have the “When I am here, I can easily get there” property.
With trust zones there must be a notion of inside and outside. And a trust zone only makes sense if there’s something in between that really enforces that border. “If I am here, I can NOT easily get there”.
With my home, it’s only because of the door that I can speak about inside (home) and outside (big wide world). When the door is open or unlocked, yes, there’s still inside and outside on a conceptual level, but not in terms of actual protection.
To use your home and door analogy, it’s easy to establish a trust boundary because you know the ways in which an adversary can get in (the door). However, when an adversary can just “appear” inside your house without using a door, the trust boundary is redefined, and becomes moot. When teams threat model without experience, they assume the ways adversaries will get in will be through conventional ways (doors, windows, SSH remote access), but throw a reverse shell in there and the adversary now “appears” inside the house, the trust boundary becomes the weakness.
I tend to view this from a functional standpoint. A “Trust Boundary” is where you have to reestablish your level of trust (usually in the form of identity) in order to cross it. For example, on my iPad/Computer/Other Personal device, once I login the trust boundary is most of the applications on the device. Some functions/applications have a finer trust boundary (e.g., brokerage app), in order to cross that boundary, I have to authenticate again, perhaps with additional devices for 2FA.
