
In this assignment, you will use the Microsoft Threat Modeling Tool (TMT-2016). You are a security analyst at a large university. Your CIO has asked you to draft a threat model for the university Single Sign-On (SSO) system. You are to do this in the Microsoft Threat Modeling Tool. The SSO system is used by Faculty, Administration, and Students to access the following University systems:
| System | Faculty | Admin | Students |
|---|---|---|---|
| Email | Y | Y | Y |
| BlackBoard | Y | Y | Y |
| Finance | N | Y | Y* |
| Curriculum Development | Y | Y | N |

*(To pay tuition)
Given Assumptions:
Different roles require different permissions. (For example, a faculty member needs to see all student grades but a student should only see their own grade.)
Faculty and administrative staff have access to the applications from both internal workstations and remote systems using a VPN connection; students will not be using a VPN for their remote access, but must use an encrypted channel (SSL/TLS) – you can decide how this is implemented.
You can create some of your own additional assumptions, as long as they are fully explained
Further Assignment instructions:
The Microsoft Threat Modeling Tool (TMT-2016) should be downloaded and installed on your own computer. File is linked below. If you are using a Mac computer, you will need to create a VM running Windows 8.1 or 10 to install TMT-2016.
Your model should cover the entire STRIDE model (which is the default analysis method in TMT-2016) – you need to explain and address all six types/categories of threats.
Within the completed threat model, you must show mitigations (with justifications) for at least 20% of the identified threats.
The data flow diagram created in TMT-2016 should show all necessary elements/components, including Trust Boundaries, with appropriate data flow connections – be sure to modify the Attributes within the Element Properties to include security settings that will reduce the risks/threats. (Take advantage of the Overview and Example of using TMT-2016 in the reference documents below – it takes you through the necessary steps.)
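
An added example, not part of the original assignment and not TMT-2016's own threat-generation logic: STRIDE-per-element enumeration over a constructed data flow diagram for the SSO system, with the 20% mitigation quota computed from the result. The element names, trust zones and flows are assumptions chosen to match the assignment's VPN and TLS access paths.

```python
import math

# STRIDE-per-element chart: threat categories that apply to each DFD element type.
# (Repudiation on a data store matters mainly when the store holds logs.)
STRIDE_BY_TYPE = {"external": "SR", "process": "STRIDE",
                  "datastore": "TRID", "dataflow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

# Constructed DFD (assumption): element -> (type, trust zone).
ELEMENTS = {
    "Student browser": ("external", "internet"),
    "Faculty/Admin workstation": ("external", "vpn"),
    "SSO service": ("process", "datacenter"),
    "Credential store": ("datastore", "datacenter"),
    "Finance": ("process", "datacenter"),
}
FLOWS = [  # (source, destination, channel), also constructed
    ("Student browser", "SSO service", "TLS"),
    ("Faculty/Admin workstation", "SSO service", "VPN"),
    ("SSO service", "Credential store", "internal"),
    ("SSO service", "Finance", "internal"),
]

def enumerate_threats(elements, flows):
    """Return a list of (target, category, crosses_trust_boundary)."""
    threats = []
    for name, (kind, _zone) in elements.items():
        threats += [(name, NAMES[c], False) for c in STRIDE_BY_TYPE[kind]]
    for src, dst, channel in flows:
        crosses = elements[src][1] != elements[dst][1]  # zones differ
        label = f"{src} -> {dst} ({channel})"
        threats += [(label, NAMES[c], crosses) for c in STRIDE_BY_TYPE["dataflow"]]
    return threats

def mitigation_quota(threats, fraction=0.20):
    """Minimum number of threats that need a justified mitigation."""
    return math.ceil(len(threats) * fraction)

def prioritized(threats):
    """Threats on flows that cross a trust boundary sort first (stable)."""
    return sorted(threats, key=lambda t: not t[2])

if __name__ == "__main__":
    ts = enumerate_threats(ELEMENTS, FLOWS)
    print(len(ts), "threats;", mitigation_quota(ts), "need mitigations")
    for target, category, crosses in prioritized(ts)[:mitigation_quota(ts)]:
        print(("[boundary] " if crosses else "") + f"{category}: {target}")
```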
