About the customer
This is an agency of the US federal government working in the medical research space. Their mission involves building secure environments where researchers, both inside and outside the agency, can access sensitive medical and biometric data for legitimate research purposes. These environments, known as Trusted Research Environments or TREs, need to enable data access while guaranteeing that the right data goes only to the right people, and that regulators can have absolute confidence in the controls. The agency was building a new TRE platform and had invested heavily in doing it properly.
The challenge
Managing security with our development partners felt daunting: high-stakes meetings before go-live with a seemingly arbitrary list of security 'features' that needed to be added to scope. All extra time and cost that we couldn't argue with because we didn't understand it.
With Threatplane's approach, it became clear what we needed to protect, how, and when the risk was sufficiently mitigated and we could stop. No longer were we beholden to arbitrary requirements from a distant security team at a partner incentivised to just keep adding more.
Customer Project Lead
An existing customer, familiar with the challenges and aware of what threat modelling could produce, suggested the agency speak to Threatplane.
The platform was built to capture and process highly sensitive data sets with significant commercial and scientific value. A breach would cause serious reputational and regulatory damage to the agency and its partners. We saw that this would require a careful assessment of security against the mission of the programme and the finite resources available.
The project had a large team around it. A leading cloud provider was on the engagement delivering professional services. Contractors and consultants were advising at multiple levels. Security was, on paper, covered.
But there was a question nobody could answer objectively: were these parties giving advice that served the agency, or advice that served themselves? A cloud provider has every reason to recommend more cloud. Contractors have every reason to keep the engagement running. The agency needed someone with no stake in the answer.
Our role
Risk-based threat modelling, with its emphasis on balancing competing priorities, was a natural fit. And because the platform was being developed by a third party, the threat models would also act as an independent quality check on that work. The development partner had assured the agency the platform was secure. The models would test whether that was actually true.
Our role was to ensure that the work being done by other parties was secure for the client's definition of secure, rather than those companies' definition of secure.
Threatplane engagement lead
We ran a series of four-week threat modelling engagements, one for each application in the system and one for the shared backend. These showed the agency where the real risks lay and highlighted architectural weaknesses they were then in a position to ask the development partner to address, with the threat models as documented justification.
It was really refreshing to have frank, down-to-earth security conversations. They took the mystery out of which security controls to implement, and made it about real things the customer cared about.
Lead Developer
The models also identified areas where development time was being spent on security measures that did not in fact matter. In some cases, a breach of a small portion of data in an anonymised state posed no meaningful risk. In others, certain attack paths into the environment were blocked by design at the point of data exfiltration. Skipping implementation of these redundant features freed up budget and engineering time without reducing actual security.
The outcome
Through the process, the agency developed a genuine ability to measure and assess security risk in a methodical way. That was a significant shift. Previous third-party contractors had relied on technology-focused controls assessments that added time and cost without producing a clear risk picture.
Really happy with Threatplane's involvement in this for keeping costs under control and holding other contractors to account over their desire to over-cook security, while still protecting us against the risks that mattered.
Project Sponsor
The result was meaningful savings in time to delivery, driven by a shared, objective understanding of where the real risks were and where they were not. The threat models directly prompted the implementation of specific security controls in both cloud infrastructure and application code. By the time the final deliverables were assessed, residual risk was minimal. The agency was satisfied that acceptable security had been achieved, and had a thorough body of evidence to demonstrate this to internal stakeholders.