CSA Releases Cloud Threat Modeling Guide

July 30, 2021

The Cloud Security Alliance (CSA) released its latest guide, Cloud Threat Modeling. Written by the CSA Top Threats Working Group, the document provides cloud and security practitioners responsible for system preparedness with critical guidance on conducting threat modeling for cloud applications, their services, and surrounding security decisions. To facilitate the exercise, the guide features cloud threat modeling cards (Threat, Vulnerability, Asset, and Control) and a reference model that organizations can use to create their own cloud threat model, thereby honing their risk management process and maturing their overall cybersecurity program.

Threat modeling is an essential practice for software and systems security — doubly so for cloud software, systems, and services — and it’s imperative that organizations develop a structured and repeatable approach for modeling threats in order to successfully anticipate and mitigate cyberattacks.

“The fast pace of cloud adoption has surpassed some security methodologies that were honed over the course of 40 years of information technology development. Threat modeling is one of those security methodologies that, unfortunately, hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal of benefit to be had in aligning the critical practice of threat modeling with cloud services, technologies, and models. This guide serves to close the gap and set enterprises off on their own threat modeling journey,” said Alex Getsin, co-chair, Top Threats Working Group and the paper’s lead author.

The document notes that while standard and cloud threat modeling share basic methodologies and a joint purpose, there are meaningful differences, especially those pertaining to the threats themselves, consideration of the Cloud Service Model, and how the output is ultimately used. By means of illustration, the guide addresses several concerns from the group’s previous publication, Top Threats to Cloud Computing: Egregious Eleven. [A tabletop exercise based on the guidance and an announcement of top threats for 2021 will take place at CSA’s premier event, SECtember (Sept. 13-17, Bellevue, Wash.).] Moreover, cloud threat modeling requires highly specific industry knowledge and encompasses cloud-unique considerations such as defining the security responsibilities of both the cloud service provider and its users.

"Cloud threat modeling paves the way for deeper security discussions. It provides organizations with a framework for not only assessing their security controls and hence, their gaps, but a means of developing appropriate mitigation steps. In today’s cloud-dominant business environment, where a great deal of abstraction and poorly defined shared responsibility boundaries still persist, cloud threat modeling allows organizations to reach cloud design and threat mitigation decisions faster and more efficiently," said John Yeoh, Global Vice President of Research, Cloud Security Alliance.
