NEMESIS: Automated Architecture for Threat Modeling and Risk Assessment for Cloud Computing

Vulnerabilities, STRIDE Model, Security Risk Assessment, Ontologies

Assessing the security of software services in Clouds is challenging because of vulnerabilities in the shared technologies comprising infrastructure, platform and applications. In a recent report by the Cloud Security Alliance, shared technology vulnerabilities were ranked among the top threats facing Cloud computing: "A compromise of an integral piece of shared technology such as the hypervisor, a shared platform component, or an application in a SaaS environment exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach." Thus, small businesses that hope to take advantage of Cloud computing's pay-as-you-go model are exposed to security threats that were not directly aimed at them. In most cases, the small business has little ability to demand or afford higher levels of security. However, the ability to assess one's risk will permit businesses to plan their migration to Cloud computing.

Currently, risk assessment is conducted semi-manually by experts, which is very expensive. Automated tools that provide a qualitative and quantitative assessment of threats faced by small business services can be very valuable.