Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling
July 29, 2021
The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released its latest guide, Cloud Threat Modeling. Written by the CSA Top Threats Working Group, the document provides cloud and security practitioners responsible for system preparedness with critical guidance on conducting threat modeling for cloud applications, their services, and surrounding security decisions. To facilitate the exercise, the guide features cloud threat modeling cards (Threat, Vulnerability, Asset, and Control) and a reference model that organizations can use to create their own cloud threat model, thereby honing their risk management process and maturing their overall cybersecurity program in the process.
Threat modeling is an essential practice for software and systems security – doubly so for cloud software, systems, and services – and it’s imperative that organizations develop a structured and repeatable approach for modeling threats in order to successfully anticipate and mitigate cyberattacks.
“The fast pace of cloud adoption has surpassed some security methodologies that were honed over the course of 40 years of information technology development. Threat modeling is one of those security methodologies that, unfortunately, hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal of benefit to be had in aligning the critical practice of threat modeling with cloud services, technologies, and models. This guide serves to close the gap and set enterprises off on their own threat modeling journey,” said Alex Getsin, co-chair, Top Threats Working Group and the paper’s lead author.
The document notes that while standard and cloud threat modeling share basic methodologies and a joint purpose, there are meaningful differences, especially those pertaining to the threats themselves, consideration of the Cloud Service Model, and how the output is ultimately used. By means of illustration, the guide addresses several concerns from the group’s previous publication, Top Threats to Cloud Computing: Egregious Eleven. [A tabletop exercise based on the guidance and an announcement of the top threats for 2021 will take place at CSA’s premier event, SECtember (Sept. 13-17, Bellevue, Wash.).] Moreover, cloud threat modeling requires highly specific industry knowledge and encompasses cloud-unique considerations such as defining the security responsibilities of both the cloud service provider and its users.
“Cloud threat modeling paves the way for deeper security discussions. It provides organizations with a framework for not only assessing their security controls and hence, their gaps, but a means of developing appropriate mitigation steps. In today’s cloud-dominant business environment, where a great deal of abstraction and poorly defined shared responsibility boundaries still persist, cloud threat modeling allows organizations to reach cloud design and threat mitigation decisions faster and more efficiently,” said John Yeoh, Global Vice President of Research, Cloud Security Alliance.
The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies. Individuals interested in becoming involved in Top Threats future research and initiatives are invited to join the working group.