Threat Model: Admin Portal
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| Security | Confidential | April 2027 | Draft |
Scope
This threat model covers the Simpaisa internal Admin Portal — the web application used by Simpaisa operations, compliance, finance, and engineering staff to manage merchants, review transactions, configure platform settings, handle disputes, and access sensitive operational data. The Admin Portal represents the highest-privilege internal attack surface in the Simpaisa platform.
This model does not cover the Merchant Self-Service Portal (separate merchant-facing surface) — see Threat Model: Merchant Portal.
Architecture Overview
| Component | Technology | Trust Zone | Exposure |
|---|---|---|---|
| Admin Portal frontend | Astro / TypeScript (ADR-WEB-016, ADR-PLATFORM-015) | Internal | VPN-gated or IP-restricted HTTPS only |
| Admin API backend | Go microservice | Internal | Not directly exposed; accessed via API Gateway with elevated scopes |
| Authentication | SSO (SAML/OIDC) + OTP (ADR-SECURITY-007) | Internal | Corporate IdP; MFA mandatory |
| Audit trail | Immutable log store (ADR-SECURITY-048) | Internal | Write-only from services; read by compliance team |
| Session management | Server-side sessions; short TTL | Internal | Session tokens never in URL |
| Role-based access control | Attribute-based (ABAC); role hierarchy | Internal | Roles assigned by identity governance process |
Admin Role Taxonomy
| Role | Capabilities | Risk Level |
|---|---|---|
| Super Admin | Full platform access; user management; fee configuration; settlement override | 🔴 Critical |
| Compliance Officer | KYC/AML review; transaction holds; SAR filing; data export | 🔴 Critical |
| Operations | Merchant onboarding; dispute management; refund processing | 🟠 High |
| Finance | Settlement review; reconciliation; fee configuration read-only | 🟠 High |
| Engineering (read-only) | Log access; configuration read; no transaction data access | 🟡 Medium |
| Support | Transaction lookup; merchant contact; no financial operations | 🟡 Medium |
Trust Boundaries
| Boundary | Description | Controls |
|---|---|---|
| Internet to VPN/IP restriction | Admin Portal only accessible from corporate network or VPN | IP allowlist at Cloudflare / WAF; VPN certificate required |
| VPN to Admin Portal | Authenticated staff access the portal | SSO + mandatory MFA; session timeout; device compliance check |
| Admin Portal to Admin API | Frontend calls privileged API endpoints | Elevated JWT scopes; ABAC enforcement at API layer; mTLS |
| Admin API to Core services | Admin operations fan out to payment, KYC, settlement services | Service identity (mTLS); operation-level audit logging |
| Admin API to Audit trail | Every admin action written to immutable log | Write-only from API; no delete permission; integrity hashed |
STRIDE Threat Register
Spoofing
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-S-01 | Admin credential compromise via phishing | Staff authentication | Targeted spear-phishing of admin staff to capture SSO credentials and OTP codes | Full admin access under stolen identity; financial fraud; data exfiltration | Medium | 🔴 Critical | FIDO2/hardware token MFA (phishing-resistant); anti-phishing training; login anomaly alerting (new IP, unusual hours) | Low |
| ADM-S-02 | Session token theft via XSS | Admin session | Stored or reflected XSS in admin portal injects script that exfiltrates session cookie | Admin session hijack without credentials | Low | 🔴 Critical | Content Security Policy (CSP); HttpOnly + Secure + SameSite=Strict cookie flags; output encoding; React/Astro framework XSS protections; WAF XSS rules | Low |
| ADM-S-03 | Insider passing credentials to external party | Staff authentication | Malicious insider shares their admin credentials with an external attacker | Same as credential compromise; harder to detect | Low | 🔴 Critical | Concurrent session detection; device fingerprinting; impossible travel alerting; quarterly access review | Medium — insider threat is structurally difficult to eliminate |
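The session controls behind ADM-S-02 and ADM-S-03 (server-side sessions with a short TTL, the HttpOnly/Secure/SameSite=Strict cookie, and concurrent-session detection) fit in one small component. The following Go example is added here for illustration; it is not code from the Simpaisa Admin API. The session store, the 15-minute TTL, the device-fingerprint string and the cookie name are all assumptions made for the example; the fingerprint is taken as an input from the device-compliance check named in the trust boundaries table.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Session lives only on the server; the browser holds nothing but the opaque ID.
type Session struct {
	ID         string
	UserID     string
	DeviceFP   string // device fingerprint from the device-compliance check (assumed input)
	ClientIP   string
	LastSeenAt time.Time
}

// Alert is raised when a login overlaps a live session from elsewhere (ADM-S-03).
type Alert struct {
	UserID   string
	Reason   string
	Existing *Session
}

// SessionStore is an in-memory store with an idle TTL; the same checks apply
// against a shared backing store in production.
type SessionStore struct {
	mu       sync.Mutex
	ttl      time.Duration
	sessions map[string]*Session
	now      func() time.Time // injectable clock so expiry is testable
}

func NewSessionStore(ttl time.Duration) *SessionStore {
	return &SessionStore{ttl: ttl, sessions: map[string]*Session{}, now: time.Now}
}

// Create issues a fresh 256-bit random session ID and reports any live session
// of the same user that comes from a different device or IP.
func (s *SessionStore) Create(userID, deviceFP, clientIP string) (*Session, []Alert, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	var alerts []Alert
	for _, ex := range s.sessions {
		if ex.UserID != userID || now.Sub(ex.LastSeenAt) > s.ttl {
			continue // another user, or a session that has already idled out
		}
		switch {
		case ex.DeviceFP != deviceFP:
			alerts = append(alerts, Alert{userID, "concurrent session from a different device", ex})
		case ex.ClientIP != clientIP:
			alerts = append(alerts, Alert{userID, "concurrent session from a different IP", ex})
		}
	}
	sess := &Session{ID: hex.EncodeToString(raw), UserID: userID, DeviceFP: deviceFP, ClientIP: clientIP, LastSeenAt: now}
	s.sessions[sess.ID] = sess
	return sess, alerts, nil
}

// Lookup resolves a session ID, evicting it once idle longer than the TTL.
func (s *SessionStore) Lookup(id string) (*Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return nil, false
	}
	now := s.now()
	if now.Sub(sess.LastSeenAt) > s.ttl {
		delete(s.sessions, id)
		return nil, false
	}
	sess.LastSeenAt = now
	return sess, true
}

// SessionCookie sets the flags from ADM-S-02: HttpOnly keeps script from reading
// the ID, Secure keeps it off plaintext HTTP, SameSite=Strict stops cross-site
// requests from carrying it. The __Host- prefix makes browsers require Secure,
// Path=/ and no Domain attribute, so a subdomain cannot overwrite the cookie.
func SessionCookie(sess *Session, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-admin_session",
		Value:    sess.ID,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(ttl.Seconds()),
	}
}

func main() {
	st := NewSessionStore(15 * time.Minute)
	first, _, _ := st.Create("alice", "fp-laptop", "10.1.2.3")
	_, alerts, _ := st.Create("alice", "fp-unknown", "198.51.100.7") // constructed second login
	fmt.Println(SessionCookie(first, 15*time.Minute).String())
	for _, a := range alerts {
		fmt.Printf("alert for %s: %s\n", a.UserID, a.Reason)
	}
}
```

The alert is returned rather than acted on: whether a second session from a new device is terminated, stepped up, or only reported to the SIEM is a policy decision, and the point of ADM-S-03 is that the event is visible at all.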
Tampering
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-T-01 | Unauthorised fee or FX rate modification | Platform configuration | Compromised or malicious admin modifies merchant fee schedules or FX rates to extract value | Financial loss; merchant contractual violation | Low | 🔴 Critical | Dual approval for fee/rate changes (maker-checker); change recorded in immutable audit trail; alerting on configuration changes above threshold | Low |
| ADM-T-02 | Fraudulent refund or settlement override | Financial operations | Operations staff processes unauthorised refunds or overrides settlement to divert funds | Direct financial loss | Low | 🔴 Critical | Maker-checker for refunds above threshold; settlement overrides require dual approval from Finance + Compliance; all actions logged immutably | Low |
| ADM-T-03 | Audit log tampering | Immutable audit trail | Super Admin attempts to delete or modify audit records to conceal fraudulent actions | Forensic investigation failure; regulatory non-compliance | Low | 🔴 Critical | Write-once storage; no delete API exposed (ADR-SECURITY-048); SIEM integration with out-of-band integrity verification; Super Admin cannot access raw log store | Low |
| ADM-T-04 | KYC decision manipulation | Compliance workflow | Compliance officer manipulates KYC outcomes (approve/reject) outside normal process or under duress | Regulatory violation; facilitating money laundering | Low | 🟠 High | KYC decisions logged with full context; supervisor review for high-risk decisions; automated rules cannot be overridden without documented reason | Low |
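The maker-checker controls in ADM-T-01 and ADM-T-02 share one mechanism: a change is recorded by one person and executed only after the approvals its kind requires are present, with the maker barred from approving their own work. The Go example below is added to show that mechanism; it is not Simpaisa code. The role sets that may fill each approval slot and the refund threshold value are assumptions (the threat model says "above threshold" but does not give a figure); the Finance-plus-Compliance rule for settlement overrides is taken from ADM-T-02.

```go
package main

import (
	"errors"
	"fmt"
)

type (
	Role       string
	ChangeKind string
)

const (
	RoleSuperAdmin Role = "super_admin"
	RoleCompliance Role = "compliance_officer"
	RoleOperations Role = "operations"
	RoleFinance    Role = "finance"

	ChangeFeeSchedule        ChangeKind = "fee_schedule"
	ChangeRefund             ChangeKind = "refund"
	ChangeSettlementOverride ChangeKind = "settlement_override"
)

// RefundDualApprovalThreshold (minor currency units) is constructed for the
// example; the threat model names a threshold but does not state its value.
const RefundDualApprovalThreshold int64 = 50_000

type Actor struct {
	ID   string
	Role Role
}

// Change is a proposed privileged action: created by a maker, ready to execute
// only once the checkers required for its kind have signed.
type Change struct {
	Kind      ChangeKind
	Amount    int64 // minor units; meaningful for refunds only
	Maker     Actor
	Approvals []Actor
}

var (
	ErrSelfApproval     = errors.New("maker cannot approve their own change")
	ErrDuplicateApprove = errors.New("actor has already approved this change")
)

// requiredSlots lists the approval slots for a change kind; each slot must be
// filled by a distinct approver holding one of its roles. nil means none.
func requiredSlots(c Change) []map[Role]bool {
	switch c.Kind {
	case ChangeFeeSchedule: // ADM-T-01: fee/rate changes are always maker-checker
		return []map[Role]bool{{RoleSuperAdmin: true, RoleFinance: true}}
	case ChangeRefund: // ADM-T-02: maker-checker only above the threshold
		if c.Amount > RefundDualApprovalThreshold {
			return []map[Role]bool{{RoleOperations: true, RoleFinance: true, RoleSuperAdmin: true}}
		}
		return nil
	case ChangeSettlementOverride: // ADM-T-02: Finance and Compliance must both sign
		return []map[Role]bool{{RoleFinance: true}, {RoleCompliance: true}}
	}
	return []map[Role]bool{{RoleSuperAdmin: true}} // unknown kinds get the strictest gate
}

// Approve records a checker's sign-off; the maker cannot check their own work
// and nobody can sign twice. Whether the role counts is decided by Ready.
func Approve(c *Change, approver Actor) error {
	if approver.ID == c.Maker.ID {
		return ErrSelfApproval
	}
	for _, a := range c.Approvals {
		if a.ID == approver.ID {
			return ErrDuplicateApprove
		}
	}
	c.Approvals = append(c.Approvals, approver)
	return nil
}

// cover matches distinct approvers to slots with backtracking, so the order in
// which approvals arrived can never yield a false "not ready".
func cover(slots []map[Role]bool, approvals []Actor, used []bool) bool {
	if len(slots) == 0 {
		return true
	}
	for i, a := range approvals {
		if used[i] || !slots[0][a.Role] {
			continue
		}
		used[i] = true
		if cover(slots[1:], approvals, used) {
			return true
		}
		used[i] = false
	}
	return false
}

// Ready is the execution gate: true only when every required slot is covered.
func Ready(c Change) bool {
	return cover(requiredSlots(c), c.Approvals, make([]bool, len(c.Approvals)))
}

func main() {
	fee := &Change{Kind: ChangeFeeSchedule, Maker: Actor{ID: "ops-1", Role: RoleOperations}}
	fmt.Println("ready before approval:", Ready(*fee))
	fmt.Println("approve:", Approve(fee, Actor{ID: "fin-1", Role: RoleFinance}), "ready:", Ready(*fee))
}
```

Ready is what the Admin API should consult immediately before executing the change, not at the time the approvals were collected: the decision has to be made on the server against the stored approvals, never trusted from a client that claims the change was approved.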
Repudiation
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-R-01 | Admin denies performing a privileged action | Audit accountability | Staff member claims they did not perform a specific admin action (e.g. fee change, refund) | Inability to attribute misconduct; regulatory audit failure | Low | 🟠 High | All admin actions attributed to authenticated session identity; immutable audit log with action, actor, timestamp, before/after state; non-repudiation by design (ADR-SECURITY-048) | Low |
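The audit trail serves three rows at once: the "integrity hashed" control on the Admin API to Audit trail boundary, the tamper-detection in ADM-T-03, and the actor/action/timestamp/before-after record in ADM-R-01. The Go example below is added to show how a hash-chained, append-only log delivers those properties; it is not the ADR-SECURITY-048 implementation, whose storage format is not described on this page. The entry fields, the SHA-256 chain, and the idea of shipping the latest hash out of band to the SIEM (so that deleting the tail of the log is detectable, which the chain alone cannot do) are the example's own choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// genesisHash is the PrevHash of the first entry (constructed constant).
const genesisHash = "genesis"

// AuditEntry carries what ADM-R-01 requires (action, actor, timestamp,
// before/after state) plus the chain fields that make edits detectable.
type AuditEntry struct {
	Seq       uint64          `json:"seq"`
	Timestamp time.Time       `json:"ts"`
	Actor     string          `json:"actor"`
	SessionID string          `json:"session_id"`
	Action    string          `json:"action"`
	Resource  string          `json:"resource"`
	Before    json.RawMessage `json:"before"`
	After     json.RawMessage `json:"after"`
	PrevHash  string          `json:"prev_hash"`
	Hash      string          `json:"hash"`
}

// AuditLog exposes Append and verification only: no update, no delete (ADM-T-03).
type AuditLog struct {
	entries []AuditEntry
	now     func() time.Time // injectable clock for deterministic tests
}

func NewAuditLog() *AuditLog { return &AuditLog{now: time.Now} }

// entryHash hashes the canonical JSON of an entry with its own Hash blanked.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // every field is marshalable, so err is always nil
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records one admin action, linking it to the previous entry's hash.
func (l *AuditLog) Append(actor, sessionID, action, resource string, before, after any) (AuditEntry, error) {
	b, err := json.Marshal(before)
	if err != nil {
		return AuditEntry{}, err
	}
	a, err := json.Marshal(after)
	if err != nil {
		return AuditEntry{}, err
	}
	e := AuditEntry{Seq: uint64(len(l.entries) + 1), Timestamp: l.now().UTC(), Actor: actor,
		SessionID: sessionID, Action: action, Resource: resource, Before: b, After: a, PrevHash: l.Head()}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e, nil
}

// Head is the latest hash; shipping it out of band (e.g. to the SIEM) lets a
// verifier detect truncation, which the chain by itself cannot.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return genesisHash
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify walks the chain: sequence gaps, broken links and edited content fail.
func (l *AuditLog) Verify() error {
	prev := genesisHash
	for i, e := range l.entries {
		if e.Seq != uint64(i+1) {
			return fmt.Errorf("entry %d: sequence gap", i+1)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken", e.Seq)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: content modified", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

var ErrTruncated = errors.New("audit log head does not match the out-of-band anchor")

// VerifyAnchored also compares the head against an externally held hash.
func (l *AuditLog) VerifyAnchored(anchor string) error {
	if err := l.Verify(); err != nil {
		return err
	}
	if l.Head() != anchor {
		return ErrTruncated
	}
	return nil
}

func main() {
	al := NewAuditLog()
	e, _ := al.Append("alice", "sess-1", "fee_schedule.update", "merchant/m-1", // constructed action
		map[string]any{"fee_bps": 20}, map[string]any{"fee_bps": 25})
	fmt.Printf("seq=%d hash=%s verify=%v\n", e.Seq, e.Hash[:16], al.Verify())
}
```

Two design points matter for ADM-T-03. The type has no method that removes or rewrites an entry, so the "no delete API" control is a property of the code rather than a permission; and the Super Admin who cannot reach the raw store also cannot reach the anchor held by the SIEM, which is what turns a silent truncation into a detectable one.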
Information Disclosure
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-I-01 | Excessive data access by support staff | Customer / merchant PII | Support role accesses transaction details, PII, or financial data beyond their operational need | PII breach; data protection regulatory violation | Medium | 🟠 High | ABAC enforces data access by role; support role cannot access full card numbers or bank details; data masking in UI; access logged per record | Low |
| ADM-I-02 | Bulk data export by compromised admin | Platform database | Compromised Super Admin or Compliance Officer exports large volumes of customer data | Mass PII breach; regulatory sanction | Low | 🔴 Critical | Export rate limiting; bulk export requires dual approval; DLP alerting on large data transfers; exports watermarked for traceability | Medium |
| ADM-I-03 | Admin portal accessible from untrusted network | Network exposure | Admin portal not properly IP-restricted; accessible from public internet | Increased attack surface; brute force / credential stuffing | Low | 🟠 High | IP allowlist enforced at Cloudflare WAF; VPN required for remote access; health check endpoint only exposed publicly | Low |
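ADM-I-01 asks for role-dependent masking applied before data reaches the UI, with an access log line per record; ADM-I-02 asks for export rate limiting and dual approval on bulk exports. The Go example below is added to show both; it is not Simpaisa code. The threat model fixes only that Support must not see full card numbers or bank details; which other roles see each field in full, the last-four masking style, and the export window and row limits are assumptions made for the example. The sample transaction values are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Role string

const (
	RoleSuperAdmin Role = "super_admin"
	RoleCompliance Role = "compliance_officer"
	RoleFinance    Role = "finance"
	RoleSupport    Role = "support"
)

// TransactionRecord is the stored row; Render decides what each role sees.
type TransactionRecord struct {
	ID, MerchantID, CardNumber, BankAccount string
}

// AccessEvent is the per-record access log line ADM-I-01 requires.
type AccessEvent struct {
	Actor, Role, RecordID string
	MaskedFields          []string
}

// fullAccess: roles that may see each sensitive field unmasked. The threat model
// only fixes that Support sees neither field; the other rows are assumed.
var fullAccess = map[string]map[Role]bool{
	"card_number":  {RoleCompliance: true, RoleSuperAdmin: true},
	"bank_account": {RoleCompliance: true, RoleFinance: true, RoleSuperAdmin: true},
}

// maskTail keeps only the last `keep` characters ("the card ending 1111").
func maskTail(s string, keep int) string {
	if len(s) <= keep {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-keep) + s[len(s)-keep:]
}

// Render masks server-side and returns the event to log, so the UI never
// receives a value the role is not entitled to.
func Render(actorID string, r Role, tx TransactionRecord) (TransactionRecord, AccessEvent) {
	out, ev := tx, AccessEvent{Actor: actorID, Role: string(r), RecordID: tx.ID}
	if !fullAccess["card_number"][r] {
		out.CardNumber = maskTail(tx.CardNumber, 4)
		ev.MaskedFields = append(ev.MaskedFields, "card_number")
	}
	if !fullAccess["bank_account"][r] {
		out.BankAccount = maskTail(tx.BankAccount, 4)
		ev.MaskedFields = append(ev.MaskedFields, "bank_account")
	}
	return out, ev
}

type ExportDecision string

const (
	ExportAllowed           ExportDecision = "allowed"
	ExportNeedsDualApproval ExportDecision = "needs_dual_approval"
	ExportRateLimited       ExportDecision = "rate_limited"
)

type exportRecord struct {
	at   time.Time
	rows int
}

// ExportGate enforces ADM-I-02: a per-actor row budget per sliding window and a
// second approver for any single export above dualAbove rows (limits constructed).
type ExportGate struct {
	window             time.Duration
	maxRows, dualAbove int
	now                func() time.Time
	history            map[string][]exportRecord
}

func NewExportGate(window time.Duration, maxRows, dualAbove int) *ExportGate {
	return &ExportGate{window: window, maxRows: maxRows, dualAbove: dualAbove,
		now: time.Now, history: map[string][]exportRecord{}}
}

// Request decides one export; only allowed exports count against the budget.
func (g *ExportGate) Request(actor string, rows int, approvedBy string) ExportDecision {
	now := g.now()
	var recent []exportRecord
	used := 0
	for _, rec := range g.history[actor] {
		if now.Sub(rec.at) < g.window {
			recent = append(recent, rec)
			used += rec.rows
		}
	}
	g.history[actor] = recent
	if used+rows > g.maxRows {
		return ExportRateLimited
	}
	if rows > g.dualAbove && (approvedBy == "" || approvedBy == actor) {
		return ExportNeedsDualApproval // the approver must be a different person
	}
	g.history[actor] = append(recent, exportRecord{at: now, rows: rows})
	return ExportAllowed
}

func main() {
	tx := TransactionRecord{ID: "txn-1", MerchantID: "m-1", CardNumber: "4111111111111111", BankAccount: "0001234567890123"} // constructed
	fmt.Println(Render("sup-1", RoleSupport, tx))
}
```

Rendering happens in the Admin API, not in the Astro frontend: masking done in the browser would still ship the full value over the wire, and a stored-XSS payload (ADM-S-02) or a curious developer could read it. The access event is emitted for every rendered record, masked or not, which is what makes "excessive access" visible as a volume of lookups rather than as individual field reads.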
Denial of Service
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-D-01 | Admin portal unavailability during incident | Operational capability | DDoS or infrastructure failure takes down admin portal during a live payment incident requiring immediate intervention | Inability to halt fraudulent transactions; extended incident duration | Low | 🟠 High | Admin portal on separate infrastructure from merchant-facing APIs; out-of-band break-glass access procedure; offline runbook for critical operations | Low |
| ADM-D-02 | Account lockout abuse | Admin account access | Attacker deliberately triggers repeated failed logins on known admin accounts to lock them out during a critical operational period | Key personnel locked out during incident | Low | 🟡 Medium | Progressive lockout with email notification (not silent); admin unlock procedure bypasses normal SSO; out-of-band identity verification for unlock | Low |
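The ADM-D-02 control is a lockout that gets longer with each lock rather than a fixed ban, that always notifies the account owner, and that has an unlock path independent of SSO which insists on out-of-band verification. The Go example below is added to show that logic; it is not Simpaisa code. The threshold of three failures, the one-minute base delay doubling up to an hour, and the account name are assumptions for the example; the "not silent" and out-of-band-unlock requirements are taken from the table.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Decision is the result of recording a failed login attempt.
type Decision struct {
	Locked      bool
	Until       time.Time
	NotifyOwner bool // a new lock is never silent: the account owner is told
}

type accountState struct {
	failures    int // failures since the last lock or success
	locks       int // locks so far; drives the progressive delay
	lockedUntil time.Time
}

// Lockout locks an account after `threshold` consecutive failures for a delay
// that doubles with each successive lock, capped at maxDelay. The parameter
// values used below are constructed; the threat model does not fix them.
type Lockout struct {
	threshold           int
	baseDelay, maxDelay time.Duration
	now                 func() time.Time // injectable clock for testing expiry
	state               map[string]*accountState
}

func NewLockout(threshold int, baseDelay, maxDelay time.Duration) *Lockout {
	return &Lockout{threshold: threshold, baseDelay: baseDelay, maxDelay: maxDelay,
		now: time.Now, state: map[string]*accountState{}}
}

func (l *Lockout) get(account string) *accountState {
	st, ok := l.state[account]
	if !ok {
		st = &accountState{}
		l.state[account] = st
	}
	return st
}

// IsLocked is what the login handler checks before verifying credentials.
func (l *Lockout) IsLocked(account string) (bool, time.Time) {
	st := l.get(account)
	return l.now().Before(st.lockedUntil), st.lockedUntil
}

// RecordFailure counts a failed attempt and applies a lock when the threshold
// is reached. Attempts made while already locked extend nothing and do not
// re-notify, so hammering a locked account cannot flood its owner with mail.
func (l *Lockout) RecordFailure(account string) Decision {
	st, now := l.get(account), l.now()
	if now.Before(st.lockedUntil) {
		return Decision{Locked: true, Until: st.lockedUntil}
	}
	st.failures++
	if st.failures < l.threshold {
		return Decision{}
	}
	delay := l.baseDelay << uint(st.locks) // 1x, 2x, 4x ... of the base delay
	if delay <= 0 || delay > l.maxDelay {
		delay = l.maxDelay
	}
	st.failures, st.locks, st.lockedUntil = 0, st.locks+1, now.Add(delay)
	return Decision{Locked: true, Until: st.lockedUntil, NotifyOwner: true}
}

// RecordSuccess clears the counters after a genuine login.
func (l *Lockout) RecordSuccess(account string) { delete(l.state, account) }

var ErrUnverified = errors.New("manual unlock requires out-of-band identity verification")

// ManualUnlock is the administrator path that bypasses normal SSO for a locked
// admin; it refuses to act unless identity was verified out of band.
func (l *Lockout) ManualUnlock(account string, verifiedOutOfBand bool) error {
	if !verifiedOutOfBand {
		return ErrUnverified
	}
	delete(l.state, account)
	return nil
}

func main() {
	lo := NewLockout(3, time.Minute, time.Hour)
	for i := 0; i < 3; i++ {
		fmt.Printf("%+v\n", lo.RecordFailure("admin-alice")) // constructed account name
	}
}
```

Because the first lock is short, a burst of failed attempts against a known admin account costs the legitimate owner a minute, not a shift; because each lock notifies the owner, an unexplained notification during an incident is itself the signal that someone is trying to keep that person out, which is exactly the scenario ADM-D-02 describes.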
Elevation of Privilege
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| ADM-E-01 | Horizontal privilege escalation between admin roles | ABAC enforcement | Operations staff exploits ABAC misconfiguration to access Compliance Officer or Super Admin functions | Unauthorised financial operations; compliance data access | Low | 🔴 Critical | ABAC policies tested in CI; quarterly access review; principle of least privilege strictly enforced; role assignment requires HR + Security approval | Low |
| ADM-E-02 | IDOR — accessing another merchant's admin data | Admin API | Admin accesses merchant data by manipulating resource IDs in API requests (Insecure Direct Object Reference) | Cross-merchant data exposure; privacy violation | Medium | 🟠 High | Server-side authorisation on every resource request; resource IDs are UUIDs (non-sequential); admin access to merchant data scoped by assigned merchant list for support roles | Low |
| ADM-E-03 | Temporary elevated access not revoked | Access governance | Admin granted temporary Super Admin access for an incident response task; access not revoked afterwards | Persistent privilege beyond operational need; insider risk | Medium | 🟠 High | Time-bound elevated access via PAM (Privileged Access Management); automated expiry; access review alert on non-expiry; all elevated-access sessions recorded | Low |
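The three elevation-of-privilege rows come down to one authorisation decision: the effective role is computed from the base role plus any still-valid PAM elevation (ADM-E-03), that role is checked against the action (ADM-E-01), and the merchant that owns the resource is read from the server-side record, never from the request, and compared with the support user's assigned list (ADM-E-02). The Go example below is added to show that decision as one function that can be exercised in CI, as the ADM-E-01 controls call for; it is not the Simpaisa ABAC engine. The permission matrix, action names, and the constructed resource store are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type (
	Role   string
	Action string
)

const (
	RoleSuperAdmin Role = "super_admin"
	RoleCompliance Role = "compliance_officer"
	RoleOperations Role = "operations"
	RoleSupport    Role = "support"

	ActReadTransaction Action = "transaction.read"
	ActRefund          Action = "refund.create"
	ActKYCDecide       Action = "kyc.decide"
	ActConfigureFees   Action = "fees.configure"
)

// permissions is the constructed policy matrix: which roles may take which actions.
var permissions = map[Role]map[Action]bool{
	RoleSupport:    {ActReadTransaction: true},
	RoleOperations: {ActReadTransaction: true, ActRefund: true},
	RoleCompliance: {ActReadTransaction: true, ActKYCDecide: true},
	RoleSuperAdmin: {ActReadTransaction: true, ActRefund: true, ActKYCDecide: true, ActConfigureFees: true},
}

// Elevation is a PAM grant: a higher role that lapses on its own (ADM-E-03).
type Elevation struct {
	Role      Role
	ExpiresAt time.Time
}

type Subject struct {
	ID                string
	Role              Role
	AssignedMerchants []string // scope for support roles (ADM-E-02)
	Elevation         *Elevation
}

type Resource struct {
	ID         string
	MerchantID string // owner, read from the stored record
}

type Decision struct {
	Allow  bool
	Reason string
}

// EffectiveRole honours an elevation only while it is still valid; an expired
// grant silently falls back to the base role, so nothing needs revoking.
func EffectiveRole(s Subject, now time.Time) Role {
	if s.Elevation != nil && now.Before(s.Elevation.ExpiresAt) {
		return s.Elevation.Role
	}
	return s.Role
}

// Authorize is the single policy decision point: role permits the action, and
// support users may only touch resources of merchants assigned to them.
func Authorize(s Subject, a Action, r Resource, now time.Time) Decision {
	role := EffectiveRole(s, now)
	if !permissions[role][a] {
		return Decision{false, fmt.Sprintf("role %s lacks %s", role, a)}
	}
	if role == RoleSupport {
		inScope := false
		for _, m := range s.AssignedMerchants {
			if m == r.MerchantID {
				inScope = true
				break
			}
		}
		if !inScope {
			return Decision{false, fmt.Sprintf("merchant %s outside assigned scope", r.MerchantID)}
		}
	}
	return Decision{true, "policy match"}
}

var ErrNotFound = errors.New("resource not found")

// ResourceStore stands in for the database; the example's rows are constructed.
type ResourceStore map[string]Resource

// LoadAndAuthorize is the IDOR guard: the owning merchant comes from the stored
// record keyed by the requested ID, never from a merchant ID the client sends.
func LoadAndAuthorize(store ResourceStore, s Subject, a Action, resourceID string, now time.Time) (Resource, Decision, error) {
	r, ok := store[resourceID]
	if !ok {
		return Resource{}, Decision{false, "not found"}, ErrNotFound
	}
	return r, Authorize(s, a, r, now), nil
}

func main() {
	store := ResourceStore{"txn-1": {ID: "txn-1", MerchantID: "m-1"}, "txn-2": {ID: "txn-2", MerchantID: "m-2"}}
	support := Subject{ID: "sup-1", Role: RoleSupport, AssignedMerchants: []string{"m-1"}}
	_, d, _ := LoadAndAuthorize(store, support, ActReadTransaction, "txn-2", time.Now())
	fmt.Printf("support reading txn-2: allow=%v (%s)\n", d.Allow, d.Reason)
}
```

Non-sequential UUIDs, as the ADM-E-02 controls note, make guessing IDs harder but do not replace this check: an ID leaked in a ticket or a log is enough to try, and only the server-side owner comparison stops it. Because the decision is a pure function of subject, action, resource and time, the policy matrix can be covered by unit tests in CI, which is the ADM-E-01 control in practice.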
Risk Summary
| Risk Level | Count | Threats |
|---|---|---|
| 🔴 Critical | 7 | ADM-S-01, ADM-S-02, ADM-S-03, ADM-T-01, ADM-T-02, ADM-T-03, ADM-I-02, ADM-E-01 |
| 🟠 High | 8 | ADM-T-04, ADM-R-01, ADM-I-01, ADM-I-03, ADM-D-01, ADM-E-02, ADM-E-03 |
| 🟡 Medium | 1 | ADM-D-02 |