Cloud Architectural Risk Analysis

Discover where your cloud security controls are insufficient and how to improve them


Public cloud providers supply services that organizations use to develop cloud applications. Unfortunately, an inherent flaw of these services is that their globally accessible nature may lead to unauthenticated access. Helping mitigate this risk is the shared security model, in which the cloud provider exposes security features that organizations can use to protect their cloud applications.

Whether you are developing a cloud-native application or migrating an existing application to the Cloud, it is critical to have the appropriate infrastructure and application design. A well-thought-out design is a template you can use to implement cloud provider services effectively and securely. It provides a general overview of the system and simplifies your decisions regarding where to implement security controls.

Synopsys Cloud ARA

Synopsys Cloud Architectural Risk Analysis (ARA) is an interview-driven application and cloud infrastructure assessment process that evaluates a cloud application’s design and security controls. Cloud ARA can help you design security controls for a cloud migration or assess the effectiveness of controls in an existing application.

Cloud ARA identifies all platform components in a cloud application and their architectural relevance. We analyze the security threats affecting these components and crossreference the security controls in place to determine how effective these controls are at reducing threats. The output is a design document that highlights areas where controls are sufficient, insufficient, or absent and proposes remedies to improve the application’s security posture. Security areas examined include the following, among others:

Authentication, authorization, and identity management

  • Access controls for the cloud provider’s management and monitoring interfaces
  • Access controls for the application hosted on the cloud platform
  • Life cycle management of access controls, including the creation and revocation of entitlements

Cloud networking

  • Architecture of the cloud networking infrastructure and security protections for data in motion
  • Solutions to protect the application from unauthorized traffic
  • Approach to isolating sensitive compute workloads from the network

Cloud computing

  • Measures to harden and protect compute nodes and continuously assess their security posture
  • Approach to preventing rogue compute instances from participating in workloads

Cloud storage

  • Controls to protect data at rest on cloud service components, including blocks, blobs, files, queues, and other services
  • Access controls to protect data from untrusted parties, including anonymous users

Other services

  • Integration of other platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) services—including SQL and NoSQL stores, orchestration managers, container solutions, automation for deployment (infrastructure-as-code), and continuous integration system solutions
  • Security controls in these solutions to prevent leaking of trusted data to unauthorized parties
  • Security controls in place to protect the cloud application’s secrets (usernames, passwords, and database and other service credentials, such as API keys) from unauthorized access

Operational management processes

  • Measures to properly log and audit security activity by management interfaces and the cloud application
  • Software update and patching processes for services deployed in an IaaS configuration
  • Protection against malware for services that retrieve data from untrusted users or sources

Business risks

  • Any concerns affecting the business elicited during interviews, including disaster recovery and resilience to cloud infrastructure failure

Our Cloud ARA methodology factors in best practices from cloud service providers and security standards from reputable sources (including hardening guides such as the Centre for Internet Security [CIS] Benchmarks). We periodically realign the methodology to the compliance and regulatory standards that many organizations have to adhere to when implementing computing services (HIPAA/HITEC, ISO/IEC 27001, ISO/IEC 27017, PCI DSS 3.x, etc.).

The artifacts produced by Cloud ARA can serve as blueprints for teams migrating applications with a similar risk profile. Cloud ARA during initial development of new applications can also provide recommendations that influence their design.


Synopsys Cloud ARA offers significant benefits because its multipurpose nature focuses on the design of cloud applications and on cloud infrastructure support of application and security controls. Additionally, Cloud ARA can be used to prioritize activities—for example, by highlighting services that deal with sensitive information or are likely to have weak security controls, which customers can focus on during implementation reviews. Possible follow-on assessments include configuration review, penetration testing, and vulnerability analysis or code review of the cloud application.

As a stand-alone service, Synopsys Cloud ARA fulfills many regulatory standards’ requirement for a security architectural assessment. For example, the ARA diagram meets the ISO/IEC 27017 requirement for network diagrams to clearly identify high-risk environments and the dataflows into and out of them. Cloud ARA also lists the security controls used to protect this data and makes recommendations when they are insufficient.