DRAFT — This article is in progress. Content is placeholder only.
Moving to cloud does not make your applications more secure by default. It changes your security risk profile — often in ways that are not immediately obvious. The shared responsibility model means the cloud provider secures the infrastructure; you are responsible for everything you build on top of it. For businesses running bespoke applications on AWS or other cloud platforms, understanding what that means in practice — and securing accordingly — requires more than a cloud security posture scan.
What changes when you move to cloud
The shared responsibility model is conceptually simple: AWS secures the cloud, you secure what you put in it. In practice, the boundary is more nuanced — and the "what you put in it" side includes not just your application code but your IAM configuration, your network segmentation, your logging and monitoring, your data classification, and every integration between your services. For a business running custom applications, that is a substantial and highly specific security surface.
The risks specific to custom applications in cloud
A cloud security scanner can tell you that a bucket is publicly accessible or that an IAM role has excessive permissions. It cannot tell you that the way your microservices communicate creates an implicit trust relationship that an attacker could abuse, or that your data pipeline makes a copy of sensitive records at a stage where the access controls are weaker than the primary store. Those risks come from the architecture you chose — and finding them requires understanding your system, not running a benchmark.
Governance at scale: the multi-team problem
When fifty engineering teams are building on a shared cloud platform, each making reasonable local decisions, the aggregate security picture becomes difficult to see. Teams optimize locally, fixing the risks they know about and adding the controls they think they need. Without a shared threat model, some teams overcorrect (spending effort on low-risk areas) while others miss risks entirely. The result is security effort that does not map to where the real risks are.
What threat modeling adds to a cloud security program
A cloud security audit gives you a snapshot of your current configuration against a known baseline. That is a useful starting point. What it does not give you is a picture of how your architecture is likely to be attacked — which services are high-value targets, which trust relationships create implicit risk, which integration patterns create unexpected attack paths. That is what threat modeling adds.
Practical steps for a cloud migration threat model
A cloud migration threat model should cover the things a cloud security scanner cannot: what data is at risk and why it matters to your business, how your services trust each other and whether that trust is appropriate, what an attacker with partial access could do across your environment, and what the business impact of different failure modes would be. Those questions require a different kind of analysis than a configuration benchmark.
Cloud migration is a genuine security inflection point. The architecture decisions made during a migration are hard to undo, and the risks specific to your custom applications will not appear in a CSPM dashboard. Threat modeling — run alongside the migration program rather than after it — is the practical way to build a cloud security posture that reflects your actual threat model, not just a generic benchmark.
Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
Full bio →