Cloud 101CircleEventsBlog
Call for Presentations: Share your expertise at 2024! Submit your proposals by June 28th.

CSA Official Press Release

Published 07/29/2021

Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling

Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling

Document provides tangible exercise for organizations to create their own cloud threat model

SEATTLE July 29, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released its latest guide, Cloud Threat Modeling. Written by the CSA Top Threats Working Group, the document provides cloud and security practitioners responsible for system preparedness with critical guidance on conducting threat modeling for cloud applications, their services, and surrounding security decisions. To facilitate the exercise, the guide features cloud threat modeling cards (Threat, Vulnerability, Asset, and Control) and a reference model that organizations can use to create their own cloud threat model, thereby honing their risk management process and maturing their overall cybersecurity program in the process.

Threat modeling is an essential practice for software and systems security — doubly so for cloud software, systems, and services — and it’s imperative that organizations develop a structured and repeatable approach for modeling threats in order to successfully anticipate and mitigate cyberattacks.

“The fast pace of cloud adoption has surpassed some security methodologies that were honed over the course of 40 years of information technology development. Threat modeling is one of those security methodologies that, unfortunately, hasn’t kept pace with the rate of cloud adoption. As such, there is a great deal of benefit to be had in aligning the critical practice of threat modeling with cloud services, technologies, and models. This guide serves to close the gap and set enterprises off on their own threat modeling journey,” said Alex Getsin, co-chair, Top Threats Working Group and the paper’s lead author.

The document notes that while standard and cloud threat modeling share basic methodologies and a joint purpose, there are meaningful differences, especially those pertaining to the threats themselves, consideration of the Cloud Service Model, and how the output is ultimately used. By means of illustration, the guide addresses several concerns from the group’s previous publication, Top Threats to Cloud Computing: Egregious Eleven. [A tabletop exercise based on the guidance and an announcement of top threats for 2021 will take place at CSA’s premier event, SECtember (Sept. 13-17, Bellevue, Wash.).] Moreover, cloud threat modeling requires highly specific industry knowledge and encompasses cloud-unique considerations such as defining the security responsibilities of both the cloud service provider and its users.

"Cloud threat modeling paves the way for deeper security discussions. It provides organizations with a framework for not only assessing their security controls and hence, their gaps, but a means of developing appropriate mitigation steps. In today’s cloud-dominant business environment, where a great deal of abstraction and poorly defined shared responsibility boundaries still persist, cloud threat modeling allows organizations to reach cloud design and threat mitigation decisions faster and more efficiently," said John Yeoh, Global Vice President of Research, Cloud Security Alliance.

The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies. Individuals interested in becoming involved in Top Threats future research and initiatives are invited to join the working group.

Download this free document.

Interested in attending CSA’s SECtember, the first global event dedicated to the intersection of cloud and cybersecurity? Register now and take advantage of early registration pricing of $399 through July 31. Afterward, rates will increase to $599. The registration rate is $250 for students and government employees.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.