Threat Modeling in Large-Scale Distributed Systems
DOI:
https://doi.org/10.63282/3050-922X.IJERET-V1I4P104
Keywords:
Threat Modeling, Distributed Systems, Large-Scale Systems, STRIDE, DREAD, PASTA, Trike, Risk Assessment, Attack Surface, Cybersecurity, Microservices, Cloud Security, Data Flow Diagrams, Attack Trees, Asset-Centric Modeling, DevSecOps, API Security, Access Control, Security Architecture, Continuous Threat Modeling
Abstract
Modern digital infrastructure is built on large distributed systems, including cloud platforms, global applications and connected services, which makes thorough threat modeling even more crucial. These systems offer scalability, flexibility and resilience, but their size, heterogeneity and dynamic nature expose a broad variety of possible vulnerabilities. The risk landscape is always changing and includes improperly configured APIs, unsecured communication channels, insider threats, and sophisticated ongoing attacks. Threat modeling provides a methodical technique for finding, evaluating and reducing risks before they turn into actual breaches. Applying it at large scale, however, raises unique problems, such as managing distributed trust boundaries, preserving visibility across components, and ensuring consistency in security protocols. To fit the distributed paradigm, data flow diagrams, attack trees, the STRIDE and DREAD models, and other approaches have been adapted or newly devised. This article investigates many of these approaches with an emphasis on their benefits and disadvantages in practical use. To frame the discussion, we provide a case study of a global microservices architecture used by a financial organization. The case study shows that early discovery of vulnerabilities, including privilege escalation paths and unsecured data propagation, through iterative threat modeling and mitigation strategies led to significant improvements in the system's overall security posture. The results draw attention to the need for multidisciplinary collaboration, automation in risk detection, and continuous review as systems grow.
Finally, this work supports integrating threat modeling as a continuous, fundamental activity in the design and administration of distributed systems, proposing a culture shift towards proactive security thinking instead of treating it as a simple checklist.