We work closely with people who help us create a solid description of the architecture: how it works, what the key components are, how data flows between them, what kind of data they process, and the points at which the data syncs.
2. What could go wrong?
Once you’ve accurately described your architecture, the next step is to figure out what could go wrong. We work with experts from various security and developer backgrounds to identify potential security or privacy risks and create a comprehensive list of threats.
As you work through the system, use methodologies such as STRIDE to enumerate threats to each component and critical data flow. We also rely heavily on insider threat libraries gathered through previous threat models and vulnerability research.
To understand this process further, you will find it helpful to actually use the software or system to really understand all its properties and how they work.
We also leverage threat intelligence to learn from past incidents, investigate how similar software has been compromised, and analyze real-world exploits. At Google, you benefit from extensive threat intelligence visibility and resources, including Google Threat Intelligence..
Additionally, as an AI-first company, Google is focused on both protecting AI and using AI for security. We are actively pursuing ways to use generative AI to support threat modeling, experimenting with multimodal Gemini models to gather information about systems, generate architectural descriptions, and enumerate threats.
One particularly promising application is combining Gemini with computer vision to analyze architecture diagrams and automatically provide a list of components, data flows, and potential threats.
3. What are you going to do about it?
Threat modeling can be difficult to operationalize. Google’s massive scale makes it doubly difficult. Despite investing significant time and resources in developing threat models, many organizations tend to underutilize them to reduce risk.
