A Threat-Specific Risk Evaluation Tool For Cloud Environments

Abstract

With the spread of using cloud computing; both as organizations and individual, it has become a target for attackers. The cloud environment has several weaknesses that pose threats to its users’ assets. To assess any type of attacks, security administrators must regularly apply threat modelling techniques and run risk evaluation on cloud infrastructures. This allows them to identify risky assets and identify appropriate security controls to mitigate the risks. One of the key challenges with current risk evaluation approaches is that they do not distinguish the risks posed by different threats. The computation of the risk value compounds all threats. In this project, we propose a threat-specific risk evaluation tool for security administrators. The tool allows security administrators to model topologies of their organization’s networks. Then, using specific formulas, the tool will calculate the risk values for the entire system and for each component of the system with respect to specific threats based on Microsoft’s STRIDE threat categorization. The key features of the tool are demonstrated through its application to cloud deployment example.