CSA Releases Cloud Threat Modeling
July 30, 2021
Cloud Security Alliance (CSA) released its latest guide, Cloud Threat Modeling.
Written by the CSA Top Threats Working Group, the document provides cloud and
security practitioners responsible for system preparedness with critical
guidance on conducting threat modeling for cloud applications, their services,
and surrounding security decisions. To facilitate the exercise, the guide
features cloud threat modeling cards (Threat, Vulnerability, Asset, and Control)
and a reference model that organizations can use to create their own cloud
threat model, thereby honing their risk management process and maturing their
overall cybersecurity program in the process.
Threat modeling is an essential practice for software and systems security —
doubly so for cloud software, systems, and services — and it’s imperative that
organizations develop a structured and repeatable approach for modeling threats
in order to successfully anticipate and mitigate cyberattacks.
“The fast pace of cloud adoption has surpassed some security methodologies that
were honed over the course of 40 years of information technology development.
Threat modeling is one of those security methodologies that, unfortunately,
hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal
of benefit to be had in aligning the critical practice of threat modeling with
cloud services, technologies, and models. This guide serves to close the gap and
set enterprises off on their own threat modeling journey,” said Alex Getsin,
co-chair, Top Threats Working Group and the paper’s lead author.
The document notes that while standard and cloud threat modeling share basic
methodologies and a joint purpose, there are meaningful differences, especially
those pertaining to the threats themselves, consideration of the Cloud Service
Model, and how the output is ultimately used. By means of illustration, the
guide addresses several concerns from the group’s previous publication, Top
Threats to Cloud Computing: Egregious Eleven. [A tabletop exercise based on the
guidance and an announcement of top threats for 2021 will take place at CSA’s
premier event, SECtember (Sept. 13-17, Bellevue, Wash.).] Moreover, cloud threat
modeling requires highly specific industry knowledge and encompasses
cloud-unique considerations such as defining the security responsibilities of
both the cloud service provider and its users.
“Cloud threat modeling paves the way for deeper security discussions. It
provides organizations with a framework for not only assessing their security
controls and hence, their gaps, but a means of developing appropriate mitigation
steps. In today’s cloud-dominant business environment, where a great deal of
abstraction and poorly defined shared responsibility boundaries still persist,
cloud threat modeling allows organizations to reach cloud design and threat
mitigation decisions faster and more efficiently,” said John Yeoh, Global Vice
President of Research, Cloud Security Alliance.