Need for CISOs to Build Threat Modelling in Evolving Cloud Applications

Article by Tejas Sheth, Cloud Security Architect, Trend Micro

“What is my security responsibility in the cloud when I am using IaaS, PaaS and/or Serverless application?” This is one of the most common questions we get asked by companies that are considering moving to the cloud and/or modernize their application with microservice architecture. This is because today the application uses multiple services from single/multiple cloud service provider and each service in the cloud has differently shared security responsibility.

Shared security responsibility in the cloud environment change based on application architecture and type of cloud services it integrates to.

Generally speaking, the cloud service provider, such as AWS or Azure, takes care of the infrastructure and security of the cloud. The customer, on the other hand, is responsible for securing everything in the cloud.

This shared responsibility model gives businesses the ownership and control of their data, applications, and operating system, just like in the on-premise environment. But not all cloud services provide the same type of controls on the operating system platform. It means that companies that are using PaaS, and containerized application have different security responsibility than companies using pure IaaS and/or Serverless applications.

The companies may find themselves confronted by different security challenges as they move through different stages of cloud adoption. Therefore, it is important for CISOs and solution architects to create threat modelling for the evolving application architecture in the cloud.