Privacy Threat Modeling Step 1: Identify Assets [Work in Progress]
Added 2022-07-14 12:00:00 +0000 UTC
Transactional vs contextual data
Generally, you can divide your data assets into transactional data and contextual data. Transactional data is the content of a data flow; contextual data is the metadata around that flow. Sometimes the same data item shows up in both categories. For example, location information can be shared in the content of a private message, but it is also inherently embedded in the metadata of the message via the sender’s IP address. For strong privacy, both data categories need their own mitigation strategies.
Asset inventory
To have a thorough overview of your assets, it is important to build an asset inventory. This could be a list of apps, services, files and credentials you use. This inventory is required for proper mapping of assets and relevant vulnerabilities that can lead to data threats.
Many services will involve sensitive information in both the content and the metadata. Since applicable threats and mitigation strategies are going to be different for these types of data, it’s beneficial to record them in both categories.
Visualizing your data flow
In a system analysis, a full threat model involves the creation of data flow diagrams (DFDs). DFDs map how data flows and where it is stored, which helps identify sensitive points and potential vulnerabilities. Privacy and security threat modeling both use DFDs, but drawing them usually requires insider knowledge of the analyzed system.
A general user is not necessarily going to have access to the system architecture of every app and service, nor the expertise to understand it. The most accessible information is in privacy labels and privacy policies. Read these documents and infer as much as you can about how much data each service collects and how it handles and shares your data with third parties. Keep in mind these documents will only offer an incomplete overview of where your data resides and how it’s treated.
When evaluating your data assets, you can use LINDDUN’s mapping components. These five components describe
- what data is sent to the service and how it leaves the service
- where your data is stored
- what entities are involved with your data
- and how your data is processed.
Knowing these elements helps you better visualize where the data assets in your inventory reside and how they’re used. For privacy threat modeling, it is not necessary to decompose internal processes in too much detail. You are mainly going to be concerned with data collection, storage and sharing.
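As an added example (not code from the original post), the script below keeps a small personal inventory in the two categories described above, records the mapping components per service, and answers the questions the inventory exists for: which items appear as both content and metadata, which of those are mitigated in only one category, which have no mitigation at all, and which third parties the mapping names. Every service, item, entity and mitigation name in it is a constructed sample value, not a real product's data handling.

```python
"""Added example, not code from the original post: a minimal personal asset
inventory in the two categories the post describes (transactional = content,
contextual = metadata), with a per-service record of the LINDDUN mapping
components, and checks for the gaps the post warns about. All service and
item names are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass, field

TRANSACTIONAL = "transactional"  # the content of a data flow
CONTEXTUAL = "contextual"        # the metadata around that flow


@dataclass(frozen=True)
class Asset:
    service: str
    item: str                  # the data item, e.g. "location"
    category: str              # TRANSACTIONAL or CONTEXTUAL
    mitigations: tuple = ()    # controls already applied to this item


@dataclass
class ServiceMap:
    """One entry per mapping component the post lists."""
    flows: list = field(default_factory=list)       # what is sent and how it leaves
    storage: list = field(default_factory=list)     # where the data is stored
    entities: list = field(default_factory=list)    # who is involved with the data
    processing: list = field(default_factory=list)  # how the data is processed


# Constructed sample inventory for a hypothetical messenger and cloud drive.
INVENTORY = [
    Asset("messenger", "message body", TRANSACTIONAL, ("end-to-end encryption",)),
    Asset("messenger", "location", TRANSACTIONAL, ("never share location in chats",)),
    Asset("messenger", "location", CONTEXTUAL),      # exposed via IP address, nothing applied yet
    Asset("messenger", "contact graph", CONTEXTUAL),
    Asset("cloud drive", "documents", TRANSACTIONAL, ("client-side encryption",)),
    Asset("cloud drive", "access times", CONTEXTUAL, ("VPN",)),
]

# Constructed mapping, the kind of thing inferred from a privacy policy.
MAPPING = {
    "messenger": ServiceMap(
        flows=["message body over TLS", "sender IP address on every connection"],
        storage=["message store (encrypted)", "connection logs (plaintext)"],
        entities=["service operator", "CDN", "push notification provider"],
        processing=["spam filtering", "abuse analytics"],
    ),
    "cloud drive": ServiceMap(
        flows=["file contents on upload", "client IP and timestamp per request"],
        storage=["object storage", "access logs"],
        entities=["service operator", "storage subcontractor"],
        processing=["indexing for search", "usage statistics"],
    ),
}


def items_in_both_categories(inventory):
    """(service, item) pairs recorded as both content and metadata."""
    seen = defaultdict(set)
    for a in inventory:
        seen[(a.service, a.item)].add(a.category)
    return {k for k, cats in seen.items() if cats == {TRANSACTIONAL, CONTEXTUAL}}


def unmitigated(inventory):
    """Assets with no control recorded at all, sorted for stable output."""
    return sorted((a.service, a.item, a.category) for a in inventory if not a.mitigations)


def coverage_gaps(inventory):
    """Items present in both categories but mitigated in only one of them.
    This is the post's point: each category needs its own mitigation."""
    mitigated = {(a.service, a.item, a.category) for a in inventory if a.mitigations}
    gaps = []
    for service, item in sorted(items_in_both_categories(inventory)):
        missing = [c for c in (TRANSACTIONAL, CONTEXTUAL) if (service, item, c) not in mitigated]
        if len(missing) == 1:
            gaps.append((service, item, missing[0]))
    return gaps


def third_parties(mapping):
    """Entities other than the operator that handle data, per service."""
    return {s: [e for e in m.entities if e != "service operator"] for s, m in mapping.items()}


if __name__ == "__main__":
    print("in both categories:", sorted(items_in_both_categories(INVENTORY)))
    print("coverage gaps:", coverage_gaps(INVENTORY))
    print("no mitigation:", unmitigated(INVENTORY))
    print("third parties:", third_parties(MAPPING))
```

Run as-is it reports the location item as the one coverage gap: it is mitigated as content (you stop sharing it in chats) but not as metadata (the IP address still carries it), which is exactly the double-exposure case the post uses as its example. The inventory is deliberately a flat list of records rather than a diagram, since a user working from privacy policies rarely has enough detail to draw a full DFD.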
Once you build your inventory, you can move on to threat intelligence.
Comments
Transactional.
The Hated One
2022-07-15 16:19:04 +0000 UTC
Transnational? In the first sentence
Sakii
2022-07-15 12:22:45 +0000 UTC
Also, I think the idea of having a personal threat score that classifies the mitigation/remediation plan is a good idea. Possibly use something similar to the old Microsoft DREAD model as a basis to calculate the personal threat score.
Jose Vanduka
2022-07-14 17:15:32 +0000 UTC
Some thoughts. I have done a lot of threat modeling and threat assessments over the years and I have always seen people stumble on knowing what all the relevant metadata is. I think it is a good idea to probably have a reasonable listing of metadata for each variable.
Jose Vanduka
2022-07-14 17:14:04 +0000 UTC