I am very confused with Trust Boundary. How does this work?
Do I draw a trust boundary in between the application tier and the web tier because my servers in the web tier has a higher chances of getting hacked? Or should I draw it in between my end user PCs and my web server?
Does it also mean that communication going through this must be validated and encrypted? Can I just do one of them?
Trust boundaries are places where the different sides of the boundary operate at different privilege levels.
Imagine the following scenario: on one side there is some code operating with low permissions. On the other side there is another code operating with higher permissions. There is a trust boundary when the code on the side with low permissions can communicate with the code on the side with higher permissions. Each side of a true boundary is a trust zone.
For example, in Linux, there is a trust boundary between code executed in userland and code executed by the kernel.
It is expected that there is some control that checks if the code with low permission is in fact allowed to perform that communication and in what conditions.
If there is no permission check necessary between two zones, are they the same trust zone? For example, a public website and Internet. The answer to this ma be different depending on the source, but in my opinion, if one zone cannot trust the other, although it does not require authentication, they are different trust zones and there is a trust boundary. For example, a public web application should validate the data that comes from a user from Internet.
Further reading: Shostack, A. (2008). Experiences Threat Modeling at Microsoft. Microsoft. http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-413/paper12.pdf
When data crosses from one "system" to another, draw a trust boundary line. This would certainly be anyplace where data traverses a network interface, or passes between two processes.
Data entering from across a trust boundary indicates every place where the receiving systems need to validate the inbound data. Data crossing a trust boundary also means that you have identified a place where you should examine the security of the data. It doesn't mean you must encrypt or that you must authenticate, but as you analyze the connection for vulnerabilities, you may discover that encryption and/or authentication remediates the issues.
