Threat Modeling and Mitigations

Most relevant for 🔥 Advisors and 🔍 Technical Evaluators

As discussed in the introduction to this section, threat modeling is a process of identifying, analyzing, and prioritizing the potential security threats and vulnerabilities in a software system. In response to those threats, risk mitigation offers a process of designing, implementing, and otherwise taking steps to reduce or eliminate identified risks (threats and vulnerabilities!) in a software development project or technology solution.

A Wide Variety of Approaches

While we took a specific approach to this work in our technical assessments, there is a long history of diverse approaches to understanding threat and risk. Here are a few outside links to broader, useful resources on the web.

Sample Threat Model

Below is an example of a threat modeling process performed on a recently reviewed solution. The Threat, Likelihood, Impact, and Severity columns describe conditions in the world, and in the specific places where such solutions are implemented; they are not specific to the vendor, platform, or solution itself. The Mitigations column then gives the reader an idea of what kind of mitigations could be put in place for a solution.

Likelihoods range from Unlikely to Likely, while Severity can be Minor to Critical.

Column guide

Threat: Describe the potential threat, attack vector, bad actor
Likelihood: How likely is it that this could happen?
Impact: What will happen if the threat/attack is successful?
Severity: How severe will the impact be?
Mitigations: How does the solution reduce the risk, impact, and severity of the attack?

Threat: Identity theft or fraud
Likelihood: Likely
Impact: Personal data, including that of children, is increasingly in demand by identity thieves
Severity: Moderate
Mitigations:
  1. Encryption and decryption of fields stored in the database
  2. Support for OpenID Connect (OIDC) Identity Layer with access controls and flexible deployment of authentication systems

Threat: Privacy Violation
Likelihood: Moderately likely
Impact: Digital transmission, networked storage and increased sharing of birth data may expose personal information to individuals and uses that are against the wishes of families participating in registration
Severity: Minor
Mitigations:
  1. Encryption of data on the network and at rest
  2. Multiple Access Control roles that limit the scope of access to data and capabilities
  3. Data retention policies and features
  4. Training, education, and guidance provided by community

Threat: Targeting based on personal characteristics
Likelihood: Very unlikely
Impact: The ability to rapidly gather and process large amounts of population data could contribute to targeted advertising, other forms of exploitation, and targeted physical threats and violence
Severity: Severe
Mitigations:
  1. Multiple roles that limit the scope of access to data and capabilities
  2. Limits in the user experience on mass search and export

Threat: Personal security violation or exploitation
Likelihood: Moderately likely
Impact: Registration happening outside a controlled institutional environment, such as a hospital or registrar’s office, could place families at risk of physical violence and economic or other exploitation by registration agents
Severity: Severe
Mitigations:
  1. Easy access to a mobile interface, even with limited connectivity, keeps as much data reporting “in the system” and private as possible
  2. Focus on defined user roles and control over who has access to accounts can help fight corruption and exploitation

Threat: Incorrect or Insecure Deployment*
Likelihood: Moderately likely
Impact: Deployment of services by unqualified staff or into unvetted or untested environments could lead to data exfiltration, watering hole attacks, and other harms to the users and administrators
Severity: Critical
Mitigations:
  1. Availability of deployment docs, training, and support
  2. “Platform” approach creates potential for an ecosystem of certified/trusted partners for deployment
  3. Transparency of open-source and iterative development means vulnerabilities and updates can be fixed and deployed quickly
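As an added illustration (not part of the original assessment), the sample threat model above can be kept as a small register that ranks threats and flags gaps. The ordinal scales are the page's own; the numeric weights, the risk score (likelihood times severity) and the "fewer than three mitigations" threshold are assumptions chosen here for the sake of the example.

```python
from dataclasses import dataclass, field
from typing import List

# Ordinal scales from the sample threat model on this page. The numeric
# weights are an assumption made for ranking only; the page assigns none.
LIKELIHOOD = {"Very unlikely": 1, "Unlikely": 2, "Moderately likely": 3, "Likely": 4}
SEVERITY = {"Minor": 1, "Moderate": 2, "Severe": 3, "Critical": 4}

@dataclass
class Threat:
    name: str
    likelihood: str
    severity: str
    mitigations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject values outside the scales so a typo cannot silently move a
        # threat to the bottom (or top) of the ranking.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")
        if self.severity not in SEVERITY:
            raise ValueError(f"unknown severity: {self.severity!r}")

    def risk_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest score first; ties broken by severity, then name, for a stable order."""
    return sorted(threats, key=lambda t: (-t.risk_score(), -SEVERITY[t.severity], t.name))

def under_mitigated(threats: List[Threat], min_mitigations: int = 3) -> List[str]:
    """Severe or Critical threats that document fewer than min_mitigations controls."""
    return [t.name for t in threats
            if SEVERITY[t.severity] >= SEVERITY["Severe"] and len(t.mitigations) < min_mitigations]

def sample_register() -> List[Threat]:
    """The five rows of the sample threat model above, transcribed from the page."""
    return [
        Threat("Identity theft or fraud", "Likely", "Moderate",
               ["Field-level database encryption", "OIDC identity layer with access controls"]),
        Threat("Privacy Violation", "Moderately likely", "Minor",
               ["Encryption on the network and at rest", "Access control roles",
                "Data retention policies", "Community training and guidance"]),
        Threat("Targeting based on personal characteristics", "Very unlikely", "Severe",
               ["Roles limiting scope of access", "No mass search or export in the UI"]),
        Threat("Personal security violation or exploitation", "Moderately likely", "Severe",
               ["Mobile interface keeps reporting in the system", "Defined user roles"]),
        Threat("Incorrect or Insecure Deployment", "Moderately likely", "Critical",
               ["Deployment docs and training", "Certified partners", "Open-source transparency"]),
    ]
```

Running `prioritize(sample_register())` places the Critical deployment threat first even though it is only moderately likely, and `under_mitigated` surfaces the two Severe threats that list just two controls each.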