SPECTRA — Artifacts Package virtualization area needs clarification

Review 16-05-2025

• is Virtualized – need to provide a lot more details on what this means. There are lots of different types of “virtualization” available and without more clarity on what is expected to be “true” versus “false” it is unclear how to use this property.
• hostedIn – “stuff” is hosted in more than just Cloud Infrastructure as the description states. The Cloud is just someone else’s server after all. It could be hosted on a server, a virtual server, a mobile device, a laptop etc. Also, unless there are most restrictions than shown, it looks like a valid model would have a “Cloudinfrastructure” hostedIn a “Firmware” hostedIn a “Library” hostedIn a “Dsp” etc. One side effect of mushing all these OSI layer elements together.
• Cloud Infrastructure – having an enumeration with a single value makes no sense modeling wise. The enumeration value is also the same as the name. I would think at least different sorts of cloud infrastructure would be modeled here. If the goal is to model virtualization options, then it should also include more than cloud virtualization such as processor emulation and local virtualization. The use case for this enumeration is not clear for modeling tools.

NM: This area is very important as there are many regulatory controls for cybersecurity that specifically address virtualized environments. Understanding virtualization in the model of a given system of interest is therefore critical to the objectives of risk assessment and has profound implications to the shape of the attack surface.