An interesting aspect of cloud-related threat models is that cloud-based threats must take into account shared responsibility models that are specific to each cloud provider and service.
If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.
A model for this surely exists, but I wanted something very simple that could be used to classify unavoidable threats based on the two primary means of mitigating them: technical controls and monitoring. This has obvious utility when threat modeling applications built atop cloud platforms, but is similarly applicable when building atop any platform that you don’t fully control (hint: this is virtually all of them).
In this model, threats end up in one of three states:
- Green, which is as good as it gets for a threat you can’t eliminate outright. Of course, if controls are available, there’s a good question to be asked re: whether those controls can be implemented such (i.e., by using restrictive defaults or policies) that the threat is eliminated and thus removed from this grid entirely.
- Yellow, which is probably the most common. In this state, you’re able to rely on either technical controls or on monitoring. The trick with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
- Red, which should leave you questioning your design, your cloud provider, or both. In particular, threats in this state require putting significant trust in both your cloud provider and the security inherent to their platform, as well as your ability to engineer for safety.
Discussion on LinkedIn