Skip to main content
SpringerLink
Log in

Threat Modeling in Cloud Computing - A Literature Review

  • Conference paper
  • First Online:
Ubiquitous Security (UbiSec 2022)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1768))

Included in the following conference series:

Abstract

Cloud computing has significantly changed the operational models of companies. This adoption has consequently caused impact on security, resulting in a wider attack surface. Due to the diverse deployment models of the cloud computing architecture, securing the environment has become a challenging task. This paper provides a narrative review of threat modeling approaches in cloud computing. It seeks to identify research challenges and gaps that new research potentially needs to address. It reviews 10 recent related studies and identifies two main types of approaches. Findings show that the next-generation threat modeling needs to introduce more formal methodologies, including a quality assessment of the threat modeling process and its output. Furthermore, automation-enabled methods are vital for advancing the threat modeling process and enabling live integration with cyber threat intelligence for developing threat identification, management, and mitigation.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Cybersecurity in 2022 - a fresh look at some very alarming stats. https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022-a-fresh-look-at-some-very-alarming-stats/?sh=3b5eccd46b61, (Accessed 01 December 2022)

  2. Ananthapadmanabhan, A., Achuthan, K.: Threat modeling and threat intelligence system for cloud using splunk. In: Varol, A., Karabatak, M., Varol, C. (eds.) 10th International Symposium on Digital Forensics and Security, ISDFS 2022, Istanbul, Turkey, 6–7 June 2022, pp. 1–6. IEEE (2022). https://doi.org/10.1109/ISDFS55398.2022.9800787

  3. Alam, T.: Cloud computing and its role in the information technology. IAIC Trans. Sustain. Digital Innov. (ITSDI) 1(2), 108–115 (2020)

    Article  Google Scholar 

  4. Alhebaishi, N., Wang, L., Singhal, A.: Threat modeling for cloud infrastructures. EAI Endorsed Trans. Security Safety 5(17), e5 (2019). https://doi.org/10.4108/eai.10-1-2019.156246

  5. Andrei, B.: Threat modeling of cloud systems with ontological security pattern catalog. Int. J. Open Inf. Technol. 9(5), 36–41 (2021)

    Google Scholar 

  6. Andrei-Cristian, I., Gasiba, T.E., Zhao, T., Lechner, U., Pinto-Albuquerque, M.: A large-scale study on the security vulnerabilities of cloud deployments. In: Wang, G., Choo, K.R., Ko, R.K.L., Xu, Y., Crispo, B. (eds.) UbiSec 2021. CCIS, vol. 1557, pp. 171–188. Springer (2022). https://doi.org/10.1007/978-981-19-0468-4_13

  7. Bernsmed, K., Cruzes, D.S., Jaatun, M.G., Iovan, M.: Adopting threat modelling in agile software development projects. J. Syst. Softw. 183, 111090 (2022). https://doi.org/10.1016/j.jss.2021.111090

  8. Brazhuk, A.: Security patterns based approach to automatically select mitigations in ontology-driven threat modelling (2020)

    Google Scholar 

  9. Buyya, R., Broberg, J., Goscinski, A.M.: Cloud computing: Principles and paradigms. John Wiley & Sons (2010)

    Google Scholar 

  10. Cauli, C., Li, M., Piterman, N., Tkachuk, O.: Pre-deployment security assessment for cloud services through semantic reasoning. In: Silva, A., Leino, K.R.M. (eds.) CAV 2021. LNCS, vol. 12759, pp. 767–780. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81685-8_36

    Chapter  Google Scholar 

  11. Chandran, S., Hrudya, P., Poornachandran, P.: An efficient classification model for detecting advanced persistent threat. In: Mauri, J.L., et al. (eds.) 2015 International Conference on Advances in Computing, Communications and Informatics, ICACCI 2015, Kochi, India, 10–13 August 2015, pp. 2001–2009. IEEE (2015). https://doi.org/10.1109/ICACCI.2015.7275911

  12. Farhat, V., McCarthy, B., Raysman, R., Canale, J.: Cyber attacks: prevention and proactive responses. In: Practical Law. pp. 1–12 (2011)

    Google Scholar 

  13. Gupta, R., Tanwar, S., Tyagi, S., Kumar, N.: Machine learning models for secure data analytics: A taxonomy and threat model. Comput. Commun. 153, 406–440 (2020). https://doi.org/10.1016/j.comcom.2020.02.008

  14. Hacks, S., Katsikeas, S., Ling, E.R., Xiong, W., Pfeiffer, J., Wortmann, A.: Towards a systematic method for developing meta attack language instances. In: Augusto, A., Gill, A., Bork, D., Nurcan, S., Reinhartz-Berger, I., Schmidt, R. (eds.) Enterprise, Business-Process and Information Systems Modeling - 23rd International Conference, BPMDS 2022 and 27th International Conference, EMMSAD 2022, Held at CAiSE 2022, Leuven, Belgium, 6–7 June 2022, Proceedings. LNBIP, vol. 450, pp. 139–154. Springer (2022). https://doi.org/10.1007/978-3-031-07475-2_10

  15. Kumar, S., Goudar, R.: Cloud computing-research issues, challenges, architecture, platforms and applications: a survey. Int. J. Future Comput. Commun. 1(4), 356 (2012)

    Article  Google Scholar 

  16. Manzoor, S., Zhang, H., Suri, N.: Threat modeling and analysis for the cloud ecosystem. In: Chandra, A., Li, J., Cai, Y., Guo, T. (eds.) 2018 IEEE International Conference on Cloud Engineering, IC2E 2018, Orlando, FL, USA, 17–20 April 2018, pp. 278–281. IEEE Computer Society (2018). https://doi.org/10.1109/IC2E.2018.00056

  17. Mell, P., Grance, T., et al.: The nist definition of cloud computing (2011)

    Google Scholar 

  18. Pandi, G.S., Shah, S., Wandra, K.: Exploration of vulnerabilities, threats and forensic issues and its impact on the distributed environment of cloud and its mitigation. Proc. Comput. Sci. 167, 163–173 (2020)

    Article  Google Scholar 

  19. Saatkamp, K., Krieger, C., Leymann, F., Sudendorf, J., Wurster, M.: Application threat modeling and automated vnf selection for mitigation using tosca. In: 2019 International Conference on Networked Systems (NetSys), pp. 1–6. IEEE (2019)

    Google Scholar 

  20. Shevchenko, N., Chick, T.A., O’Riordan, P., Scanlon, T.P., Woody, C.: Threat modeling: a summary of available methods. Tech. rep., Carnegie Mellon University Software Engineering Institute Pittsburgh United (2018)

    Google Scholar 

  21. Shostack, A.: Threat modeling: Designing for security. John Wiley & Sons (2014)

    Google Scholar 

  22. Soares, L.F.B., Fernandes, D.A.B., Freire, M.M., Inácio, P.R.M.: Secure user authentication in cloud computing management interfaces. In: IEEE 32nd International Performance Computing and Communications Conference, IPCCC 2013, San Diego, CA, USA, 6–8 December 2013. pp. 1–2. IEEE Computer Society (2013). https://doi.org/10.1109/PCCC.2013.6742763

  23. Tatam, M., Shanmugam, B., Azam, S., Kannoorpatti, K.: A review of threat modelling approaches for apt-style attacks. Heliyon 7(1), e05969 (2021)

    Article  Google Scholar 

  24. Torkura, K.A., Sukmana, M.I.H., Meinig, M., Cheng, F., Meinel, C., Graupner, H.: A threat modeling approach for cloud storage brokerage and file sharing systems. In: 2018 IEEE/IFIP Network Operations and Management Symposium, NOMS 2018, Taipei, Taiwan, 23–27 April 2018. pp. 1–5. IEEE (2018). https://doi.org/10.1109/NOMS.2018.8406188

  25. Torquato, M., Vieira, M.: Moving target defense in cloud computing: A systematic mapping study. Comput. Secur. 92, 101742 (2020). https://doi.org/10.1016/j.cose.2020.101742

  26. UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: process for attack simulation and threat analysis. John Wiley & Sons (2015)

    Google Scholar 

  27. Uzunov, A.V., Fernández, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36(4), 734–747 (2014). https://doi.org/10.1016/j.csi.2013.12.008

  28. Välja, M., Heiding, F., Franke, U., Lagerström, R.: Automating threat modeling using an ontology framework. Cybersecurity 3(1), 1–20 (2020). https://doi.org/10.1186/s42400-020-00060-8

    Article  Google Scholar 

  29. Xiong, W., Hacks, S., Lagerström, R.: A method for quality assessment of threat modeling languages: The case of enterpriselang. In: Barn, B., Sandkuhl, K., Asensio, E.S., Stirna, J. (eds.) Proceedings of the Forum at Practice of Enterprise Modeling 2021 (PoEM-Forum 2021) (PoEM 2021), Riga, Latvia, 24–26 November 2021. CEUR Workshop Proceedings, vol. 3045, pp. 49–58. CEUR-WS.org (2021), http://ceur-ws.org/Vol-3045/paper06.pdf

  30. Xiong, W., Lagerström, R.: Threat modeling - A systematic literature review. Comput. Secur. 84, 53–69 (2019). https://doi.org/10.1016/j.cose.2019.03.010

  31. Yeng, P.K., Wulthusen, S.D., Bian, Y.: Comparative analysis of threat modeling methods for cloud computing towards healthcare security practice. Int. J. Adv. Comput. Sci. Appli. 11(11) (2020)

    Google Scholar 

  32. Youseff, L., Butrico, M., Da Silva, D.: Toward a unified ontology of cloud computing. In: 2008 Grid Computing Environments Workshop, pp. 1–10. IEEE (2008)

    Google Scholar 

  33. Yskout, K., Heyman, T., Landuyt, D.V., Sion, L., Wuyts, K., Joosen, W.: Threat modeling: from infancy to maturity. In: Rothermel, G., Bae, D. (eds.) ICSE-NIER 2020: 42nd International Conference on Software Engineering, New Ideas and Emerging Results, Seoul, South Korea, 27 June - 19 July, 2020. pp. 9–12. ACM (2020). https://doi.org/10.1145/3377816.3381741, https://doi.org/10.1145/3377816.3381741

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Birzeit University, Birzeit, Palestine

    Mohammed Kharma & Adel Taweel

Authors
  1. Mohammed Kharma
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Adel Taweel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammed Kharma .

Editor information

Editors and Affiliations

  1. Guangzhou University, Guangzhou, China

    Guojun Wang

  2. University of Texas at San Antonio, San Antonio, TX, USA

    Kim-Kwang Raymond Choo

  3. Temple University, Philadelphia, PA, USA

    Jie Wu

  4. Khalifa University of Science and Technology, Abu Dhabi, United Arab Emirates

    Ernesto Damiani

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kharma, M., Taweel, A. (2023). Threat Modeling in Cloud Computing - A Literature Review. In: Wang, G., Choo, KK.R., Wu, J., Damiani, E. (eds) Ubiquitous Security. UbiSec 2022. Communications in Computer and Information Science, vol 1768. Springer, Singapore. https://doi.org/10.1007/978-981-99-0272-9_19

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-0272-9_19

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-0271-2

  • Online ISBN: 978-981-99-0272-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation