Waiting for input...
Star SPIKE on GitHub

ADR-0006: Trust Boundary Definition and Security Assumptions

  • Status: accepted
  • Date: 2024-11-03
  • Tags: Security, Threat Model, Trust

Context

We need to clearly define our system’s trust boundaries and security assumptions to:

  • Establish realistic security expectations
  • Guide security hardening efforts
  • Define the scope of security measures
  • Inform deployment strategies
  • Guide incident response planning

The system includes multiple critical components (SPIKE Nexus, SPIKE Keeper, SPIRE) that handle sensitive data, particularly the root key.

Decision

We will establish the following trust boundary model:

  • Primary Trust Boundary:

    • Set at the machine/host level
    • Consider the machine as the primary security perimeter
    • Treat machine compromise as a complete system compromise

  • Component Security Approach:

    • Implement defense-in-depth while acknowledging its limitations
    • Focus on container hardening for containerized deployments
    • Accept that component-level security provides diminishing returns after machine compromise

Consequences

Positive

  • Clear security expectations and boundaries
  • Focused security efforts
  • Realistic threat modeling
  • Efficient resource allocation for security measures
  • Clear incident response triggers
  • Simplified security architecture

Negative

  • Accepting certain security limitations
  • Dependency on host-level security
  • Need for strong physical security measures
  • Higher requirements for host hardening
  • Increased importance of access control

Security Implications

Machine-Level Security

Critical Areas

  • Physical security
  • OS-level hardening
  • Access control
  • Host monitoring
  • System integrity

Attack Vectors Accepted as Valid Threats

  • Memory inspection/modification
  • Process manipulation
  • Workload injection
  • SPIRE entry manipulation
  • Root key exposure through memory access

Component-Level Security

SPIKE Nexus

  • Implement container hardening
  • Minimize attack surface
  • Monitor for anomalies
  • Restrict capabilities

SPIKE Keeper

  • Treat compromise as machine compromise
  • Implement memory protection measures
  • Restrict access and capabilities
  • Monitor for unauthorized access

Implementation Requirements

Host Security

Physical Security:

  • Secure data center access
  • Hardware security modules where applicable
  • Physical access logging
  • Tamper detection

OS Security:

  • Regular security updates
  • Minimal running services
  • Secure boot
  • Kernel hardening
  • Access control lists

Container Security

Container Hardening:

  • Minimal base images
  • No privileged containers
  • Resource limitations
  • Read-only filesystems
  • Security context constraints

Runtime Protection:

  • Container scanning
  • Runtime security monitoring
  • Behavioral analysis
  • Resource isolation

Monitoring and Detection

Host-Level

  • System integrity monitoring
  • Privilege escalation detection
  • Resource usage anomalies
  • Access pattern analysis

Component-Level:

  • Memory access patterns
  • Process behavior
  • API call patterns
  • Resource utilization

Incident Response Triggers

  • Unauthorized physical access
  • Anomalous system calls
  • Unexpected memory access patterns
  • SPIRE entry modifications
  • Container escape attempts

References

Notes

This ADR should be reviewed when:

  • New deployment models are considered
  • Significant architecture changes occur
  • New security threats emerge