The Cloud Security Alliance (CSA) has released a new Cloud Threat Modeling guide that covers threat modeling for cloud applications, their services, and related security decisions.

The guide was written by the CSA Top Threats Working Group. The group hopes that the Cloud Threat Modeling guide will provide organizations with an up-to-date understanding of risks so that they can make informed decisions about cloud adoption strategies. 

“The fast pace of cloud adoption has surpassed some security methodologies that were honed over the course of 40 years of information technology development. Threat modeling is one of those security methodologies that, unfortunately, hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal of benefit to be had in aligning the critical practice of threat modeling with cloud services, technologies, and models. This guide serves to close the gap and set enterprises off on their own threat modeling journey,” said Alex Getsin, co-chair of the Top Threats Working Group and the paper’s lead author.

The Cloud Threat Modeling guide provides cloud threat modeling cards and a reference model that companies can use to create their own threat model and mature their cybersecurity program.

According to the CSA, threat modeling is an essential security practice, and it is important that it be done in a structured and repeatable way so that companies can anticipate and mitigate attacks.

“Cloud threat modeling paves the way for deeper security discussions. It provides organizations with a framework for not only assessing their security controls and hence, their gaps, but a means of developing appropriate mitigation steps. In today’s cloud-dominant business environment, where a great deal of abstraction and poorly defined shared responsibility boundaries still persist, cloud threat modeling allows organizations to reach cloud design and threat mitigation decisions faster and more efficiently,” said John Yeoh, global vice president of research at the Cloud Security Alliance.