Cloud Security Alliance Publishes Guide to Help with Cloud Threat Modeling

Cloud Threat Modeling is the latest guide from the Cloud Security Alliance (CSA), a large global organization committed to creating standards, certifications, and best practices to help assure a safe cloud computing environment. The paper, written by the CSA Top Threats Working Group, gives cloud and cybersecurity practitioners accountable for system preparation essential information on conducting threat modeling for cloud applications, their services, and the surrounding security decisions.

The newly published paper includes cloud threat modeling cards (Threat, Vulnerability, Asset, and Control) as well as a reference model that businesses can use to develop their own cloud threat model, hone their risk management approach, and mature their entire cybersecurity program.

Threat modeling is a critical technique for software and systems security, and it is much more important for cloud software, systems, and services. To successfully predict and mitigate cyberattacks, companies must create a systematic and repeatable strategy for modeling threats, the CSA stated.

“The fast pace of cloud adoption has surpassed some security methodologies that were honed over the course of 40 years of information technology development,” said Alex Getsin, co-chair, Top Threats Working Group and the paper’s lead author. “Threat modeling is one of those security methodologies that, unfortunately, hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal of benefit to be had in aligning the critical practice of threat modeling with cloud services, technologies, and models. This guide serves to close the gap and set enterprises off on their own threat modeling journey.”

While conventional and cloud threat modeling share fundamental techniques and a common goal, the document just released by the CSA points out that there are significant differences, particularly in the threats themselves, in the consideration of the Cloud Service Model, and in how the result is eventually used. By way of illustration, the guide addresses several concerns from the group’s previous publication, Top Threats to Cloud Computing: Egregious Eleven.

“Cloud threat modeling paves the way for deeper security discussions,” said John Yeoh, Global Vice President of Research, Cloud Security Alliance. “It provides organizations with a framework for not only assessing their security controls and hence, their gaps, but a means of developing appropriate mitigation steps. In today’s cloud-dominant business environment, where a great deal of abstraction and poorly defined shared responsibility boundaries still persist, cloud threat modeling allows organizations to reach cloud design and threat mitigation decisions faster and more efficiently.”

The goal of the CSA Top Threats Working Group is to give companies an up-to-date, expert-informed awareness of cloud security risks, threats, and vulnerabilities so that they can make informed risk-management decisions about cloud adoption strategies. The working group is open to anybody interested in participating in Top Threats’ future research and efforts.

The guide published by the Cloud Security Alliance can be downloaded here.