Following the establishment of the event-based methodology, the workshop transitions to the practical application of structural frameworks for identifying architectural vulnerabilities prior to deployment. Threat modelling is a foundational security engineering technique that forces software architects and security teams to systematically analyse a system from an adversarial perspective, ideally integrating this analysis seamlessly into the design phase of the Software Development Life Cycle (SDLC).

Systematically Deconstructing Cloud Architectures

The most broadly adopted and academically rigorous threat modelling methodology is the STRIDE framework, initially developed by Microsoft. STRIDE is a mnemonic that categorises threats into six distinct domains: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. While originally designed for monolithic, on-premises software architecture, STRIDE scales effectively across microservices, distributed cloud services, and complex platforms due to its highly prescriptive nature and its direct alignment with robust security control libraries.

Applying STRIDE to Platform-as-a-Service (PaaS) and serverless architectures introduces unique, highly complex analytical challenges. Cloud-native applications dissolve the traditional, easily defined network perimeter, replacing it with abstract, identity-based boundaries and a reliance on managed cloud APIs. In these environments, the concept of a "trust boundary", the critical point where data changes its level of trust, validation, or execution privilege, is radically altered. Trust boundaries in PaaS deployments exist not just between subnets, but between the application code and the managed cloud services it consumes (for example, the boundary between an AWS Lambda execution environment and a managed Amazon S3 storage bucket, or between a serverless Azure Function and a Cosmos DB instance).

A threat modelling exercise requires creating detailed Data Flow Diagrams (DFDs) to visually represent these complex interactions, followed by the systematic enumeration of potential threats at each identified trust boundary. In PaaS environments, the underlying infrastructure is abstracted away, so misconfigured Identity and Access Management (IAM) policies, overly permissive execution roles, and poor API authentication are often the most critical vulnerabilities.

Practical Application: Data Flows and Trust Boundaries in PaaS

To systematically deconstruct cloud architectures, evaluate each STRIDE category against the unique threat vectors present in PaaS and serverless deployments and map specific vulnerabilities to the core security property they violate.

Identifying Spoofing, Elevation of Privilege, and Information Disclosure

Within a PaaS context, certain STRIDE categories require close attention due to the environment's abstracted nature. Spoofing threats are particularly dangerous in microservice architectures. If a single, low-privilege service is compromised, it may attempt to impersonate a highly privileged service to access internal APIs. Mitigating this requires shifting away from network-based trust and implementing robust mutual TLS (mTLS) to cryptographically verify the identity of every service involved in the interaction.

Elevation of Privilege in PaaS is almost entirely due to IAM misconfiguration. Because the cloud control plane operates via APIs, an attacker who gains access to a poorly scoped IAM role attached to a serverless function can elevate their privileges to modify infrastructure, create new administrative users, or disable security logging.

Information Disclosure is arguably the most pervasive threat in cloud environments, frequently manifesting as cross-tenant data leakage. The ephemeral and shared nature of PaaS platforms creates specific risks: misconfigured access policies on object storage (e.g., an S3 bucket lacking block public access controls) can expose highly sensitive intellectual property or customer data to the public internet without requiring sophisticated hacking techniques. Furthermore, sensitive information can be extracted through non-obvious, subtle leakage paths, such as highly detailed error messages generated by serverless functions that inadvertently map the internal database schema for an attacker.

 Challenges, Advantages, and Disadvantages of Cloud Threat Modelling

The primary advantage of utilising STRIDE combined with Data Flow Diagrams is that it provides security engineering teams with a structured, visual, and highly repeatable cognitive framework. It forces proactive security thinking, drastically reducing the cost of remediating vulnerabilities by identifying them before a single line of code is written.

However, the disadvantages and challenges are non-trivial. The threat modelling process can be incredibly time-consuming and often leads to "analysis paralysis" as engineers become overwhelmed by the sheer number of potential theoretical threats arising from complex microservice architectures. Maintaining living threat models in a rapidly evolving CI/CD pipeline is notoriously difficult; models quickly become outdated as agile teams continuously deploy new cloud services.