Threat Modeling in the Cloud: Considerations for Modern Architectures

Marc Lopez
Dec 18, 2023

Threat modeling is a practice familiar to most security practitioners. It involves looking at your computing environment and assuming the worst-case scenario about what a hacker could do and the resulting impact on operations. While threat modeling in the cloud takes the same basic approach, there are unique “cloudy” things to consider. In this post, I’ll cover nuances to consider when threat modeling in cloud environments.

The primary source for this guidance is the Cloud Security Alliance’s (CSA) Top Threats Working Group. You can find their resources on threat modeling and other cloud security topics at their publications page. In their paper on threat modeling, they discuss the STRIDE, PASTA, and DREAD methods.

STRIDE was developed by Microsoft and stands for:

· Spoofing

· Tampering

· Repudiation

· Information Disclosure

· Denial of Service

· Elevation of Privilege

The actions listed above coincide with various erosions of trust in an information system or data. For example, spoofing an identity on a system compromises the integrity of an authenticated principal. Suppose a cloud developer named Julie had her credentials stolen. An attacker could use them to spoof her identity and modify (Tamper) the code or the environment for nefarious purposes.

Now think of the concept of an identity in the cloud… As I wrote in a previous post, Identity and Access Management is a critical component of cloud security. So, in addition to Julie’s username and password, the security team must consider the access her cloud instance has to the data store and the CI/CD environment. Perhaps the biggest challenge is keeping pace with the ever-growing service offerings in the cloud. The CSA publication captures it well by stating “Threat modeling is one of those security methodologies that has not kept up with/been on par with/matched the rate of cloud adoption.”

Another method in threat modeling is PASTA, the Process for Attack Simulation and Threat Analysis. PASTA is a seven-stage approach where each stage builds on the previous one in order to identify and manage risks in an environment. The seven stages are:

1. Define your Objectives

2. Define the Technical Scope

3. Decompose the Application

4. Analyze the Threats

5. Vulnerability Analysis

6. Attack Analysis

7. Risk and Impact Analysis

A common reason for cloud adoption is the speed at which a company can innovate and capitalize on those innovations. So an approach like PASTA might strike fear into some product managers who think “is it worth it? Won’t this slow down time to market?” Like any good answer, it depends. If the security team is part of the discussion early on, then some of the work involved with PASTA may be built into the CI/CD pipeline as an automated test. This ideal scenario requires expertise in security, automation, and cloud architecture. The CSA paper calls this out as a potential hindrance for many organizations. Finding this kind of talent may be difficult.
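As an added illustration (not code from this post or from the CSA paper), here is one way such an automated test could look: a small threat model of Julie's identity chain expressed as data, checked against simple STRIDE rules that a pipeline can run on every change. All component names, flow attributes, and rules are assumptions made for the example, and Denial of Service is left out because it needs capacity data rather than flow attributes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    authenticated: bool  # target verifies who is calling
    strong_auth: bool    # MFA for people, short-lived tokens for workloads
    encrypted: bool      # channel is protected in transit (e.g. TLS)
    logged: bool         # action lands in an audit trail
    can_write: bool      # source is able to modify the target
    needs_write: bool    # source actually requires that ability

# Constructed sample model: what Julie's identity can reach (hypothetical names).
MODEL = [
    Flow("julie", "cicd-pipeline", True, False, True, True, True, True),
    Flow("cicd-pipeline", "cloud-instance", True, True, True, False, True, True),
    Flow("cloud-instance", "data-store", True, True, False, True, True, False),
]

# One illustrative rule per STRIDE category; True means the threat is unmitigated.
RULES = {
    "Spoofing": lambda f: not (f.authenticated and f.strong_auth),
    "Tampering": lambda f: f.can_write and not f.encrypted,
    "Repudiation": lambda f: f.can_write and not f.logged,
    "Information Disclosure": lambda f: not f.encrypted,
    "Elevation of Privilege": lambda f: f.can_write and not f.needs_write,
}

def stride_findings(model):
    """Return (flow, category) pairs for every rule a flow violates."""
    return [(f"{f.source}->{f.target}", category)
            for f in model
            for category, rule in RULES.items() if rule(f)]

def ci_gate(model, accepted=frozenset()):
    """Return findings that should fail the build (not explicitly risk-accepted)."""
    return [finding for finding in stride_findings(model) if finding not in accepted]

if __name__ == "__main__":
    open_findings = ci_gate(MODEL)
    for flow, category in open_findings:
        print(f"UNMITIGATED {category}: {flow}")
    raise SystemExit(1 if open_findings else 0)  # non-zero exit fails the pipeline step
```

Passing a set of reviewed `(flow, category)` pairs as `accepted` lets the security team record risk acceptances in version control instead of disabling the check.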

Adopting threat modeling is an important step for your security program maturity. While your team may have existing skills, it’s important to consider the unique factors for threat modeling in the cloud. If you’re in need of a cloud security professional, consider reaching out to me for a chat on ways to bring your security program to the next level.
