For about a year now we have been getting questions from folks about basic trust maps, what they are and how they are used. After answering several times person to person, we thought it might be time for a simple blog post to refer folks to.
The purpose of a trust map is to graphically demonstrate trust between components of your organization or business process. It is a graphic map of how authentication occurs, what systems share accounts and what systems trust what other systems in an environment.
Trust maps are very useful for explaining your organization to new IT folks, helping auditors understand your authentication and security models, and especially for using as reference in incident response. Done properly, they become a powerful tool with a real payoff. For example, when an attack occurs and some mechanism gets compromised in your environment, you can use your trust map to quickly examine how to isolate the affected portions of the authentication model and learn what additional systems the attacker may have been able to trivially leverage given the access they gained. It really makes incident response much more effective and truly helps your teams respond to problems in a more intelligent and effective way.
It might take a little time to map complex organizations. If that proves to be a challenge, try starting with key business processes until you get to a point where you can create a holistic map with drill down process maps. This has proven to be an effective approach for larger/more complex organizations. If you need assistance with gathering the data or getting some additional political alliances to help the project along, our experience has been that the Disaster Recovery and Business Continuity folks usually have good starting data and are often easy to get engaged pushing the project through, especially since, in the long run, they get value from the maps too!
Here is an example map for you to use. It is pretty simple, but should give you the idea.
For more information or help creating your own trust maps, drop us a line or give us a call. We’d be happy to help or even get engaged to make the maps for you as a part of other security testing and projects. As always, thanks for reading and stay safe out there!