The Cloud Working Group met on Wednesday morning, December 11, mostly by teleconference. Claude Baudoin, co-chair, led the meeting. David Harris of Boeing, one of the other co-chairs, was on the phone.

In person:

• Claude Baudoin (cébé IT & Knowledge Management, co-chair)
• Fred Cummins (Agile Enterprise Design)
• Yong Xue (DoD/DISA)

Via teleconference:

• David Harris (Boeing, co-chair)
• Helmut Brunner (Vation)
• Tim Cavanaugh (Maiden Global Servicing)
• Beniamino DiMartino (Second University of Naples)
• Awad Guirguis (Schlumberger)
• Steve MacLaird (OMG)
• Mario Panagakis (IBM Greece)
• Anil Sharma (IBM)
• Steve Woodward (Cloud Perspectives)

Claude provided an update of what happened since the September meeting. He updated the wiki page last week to reflect this.

• The discussion paper entitled Cloud Service Agreements: What to Expect and What to Negotiate, v3.0 was approved for issuance on Sep. 27. A webinar was given on Nov. 13, with Jyoti Chawla (IBM) and Dominick Grillas (Damo Consulting) presenting with Claude. There were 40+ online attendees, and we don’t yet know how many people replayed the webinar later.
• An RFI on Cyber Insurance was started – see below.

Thanks to an initiative by Dave Harris, we obtained from OMG staff the count of downloads of each of our papers between January 1 and mid-October. This has been reflected in a column added to section 4.1.1 of the wiki. There were some comments about this data. We will refresh it with a full-year count when available in January. Claude noted that some older papers with a relatively low count may have been downloaded a lot prior to January 2019.

Claude noted that if we revise the Cloud Customer Architecture for IoT paper, we need to do it in coordination with the Industrial Internet Consortium (IIC). IIC is already struggling with the fact that its Distributed Computing Contribution Group is trying to define terms such as “cloud” or “data center” in a draft position paper, sometimes inconsistently with the IIC's Vocabulary Task Group. Regardless, the apparent disconnect that the Cloud Standards Customer Council (CSCC), predecessor to the CWG, issued a paper related to IoT without IIC participation should be eliminated in the next version, notwithstanding the fact that the IIC is about Industrial IoT only, not consumer-oriented IoT.

David said that we need to achieve better integration between papers in the future, consistent with a trend toward integrated standards and orchestration. This need will come up again in the Roadmap section below.

David Harris, co-chair of this group, created a draft RFI on Cyber Insurance with the help of Tim Cavanaugh from Maiden Global Servicing (a reinsurance company), consistent with the discussions held during the September meeting where we agreed that such an RFI, sent to “the Cloud WG mailing list and beyond – cloud customers, cloud providers, insurers – might elicit information about what may already exist, and about the risks that users may be willing to insure against, or how they value the potential losses.”

The Cyber Insurance (CI) industry is growing at a 30% CAGR. It mostly covers breaches of personally identifiable information (PII), but there is a lack of a methodology to assign a cost to data loss. OMG can provide value by firming up the areas that are too “soft” right now in those agreements. We are trying to get from a broad cross-section of respondents a sense of how sensitive they are to the need to secure financial compensation for losses, and how urgent this is.

Fred Cummins said that some data accidents can put a company out of business, and asked how one can insure for that. Claude replied that there is a whole range of potential impacts; some of them may be too severe to be insurable, but some are a direct financial cost to a surviving company, such as having to provide an identity theft protection service to all customers for a couple of years – a common practice today. Reimbursing a company for lost sales during a cloud outage may be the next type of insurable loss. Besides, it will be up to the cloud service customer to decide how much insurance they want to carry. At that point, the insurance carrier needs to calculate a premium, and today they do not have much guidance to evaluate the level of risk. For example, they may need advice to evaluate the “cybermaturity” of both the cloud customer and the cloud provider.

The working group spent some significant time improving the text of the draft RFI, culminating in a consensus to bring it up to the Middleware and Related Services (MARS) Task Force for a vote.

The following actions took place after the Cloud Working Group adjourned:

• Claude prepared a revised version of the RFI.
• It was presented to the MARS Task Force, which gave it a first new document number.
• The MARS Task Force made a few small recommendations for edits, resulting in a new document number, mars/19-12-22. The earlier document number will not be published to avoid confusion.
• MARS voted to recommend the RFI for issuance.
• During the plenary TC meetings on Friday morning, the PTC voted to issue the RFI.

We reviewed the roadmap, which is described in the main page of this wiki (section 4.1.3).

• There has been no progress yet on the Catalog of Cloud-Related Standards since it was suggested in June. During this meeting, Yong Xue (DISA) asked about our relationship with cloud standards groups. Claude commented that:
  • We routinely mention relevant standards from ISO and others in our various papers. The catalog we’re envisioning would at minimum collect all these references (listing the most up-to-date version) in one place.
  • OMG being a standards development organization, we have the possibility to create new standards, but we should of course not overlap needlessly with what others do.
  • OMG has a liaison mechanism that we can use to formalize our collaboration with other groups. In particular, we raised the possibility of a liaison with the Cloud Security Alliance at the September meeting, but have not acted on it yet.
  • Claude said that he would ask Steve Woodward (who had left the meeting when Yong asked his question) to comment on this, since he is very involved in ISO standards.
• There has been communication between Jyoti Chawla (IBM) and the co-chairs of the Retail Domain Task Force about a Practical Guide to Cloud in Retail, but they have not provided a specific update.
• Karolyn Schalk (IBM) is willing to take the lead on the paper suggested by Alex Tumashov of Schlumberger on Data Governance in the Cloud. While we have a recent paper on Cloud Governance, there is a sense (Mario Panagakis explicitly concurred) that this is a sufficiently distinct topic to merit its own paper. Karolyn had mentioned to Claude a couple of days before the meeting that Neil Catton, Director of Digital, Data and Integration Architecture at British Telecom, is interested in learning more and is encouraging some of his staff to participate. He is being added to the CWG mailing list.
• John Weiler (IT Acquisition Advisory Council) has offered ideas on the scope of a revision to both the Migrating Applications to Public Cloud Services: Roadmap for Success and the Migrating Applications to the Cloud: Assessing Performance and Response Time Requirements papers. In his message, he had listed six topics:
  1. How to assess repair vs. redevelop decisions – cost, value, risk
  2. Open APIs and standards for middleware/containers
  3. Automated code conversion
  4. Application security in the Cloud
  5. Edge computing
  6. Cloud broker and service level management standards

Beniamino said that is way too big of a scope. We should look at those six topics and separate some of them into separate papers or revisions to existing papers. For example, “application security in the cloud” is not just relevant to migration, and if we do not address it well enough in the existing papers, then it should probably be added to a revision of the Practical Guide to Cloud Security. The edge computing topic could be part of an update to Cloud Customer Architecture for IoT. And so on.

Beniamino announced the CCPI cloud workshop to be held in Caserta, Italy, on April 15-17, 2020 in conjunction with IEEE’s 34th International Conference on Advanced Information Networking and Applications (AINA 2020). He invited CWG members to propose talks or to attend.

Claude said that there seems to be enough material to discuss in Reston in March 2020 to extend the meeting to a full day. This is in part because we expect representatives from several U.S. government agencies to be interested, given the proximity to their offices. We had also mentioned a possible “cloud security forum” involving NIST, NTIA, the Cloud Security Alliance, and more. The recent controversy about the JEDI contract may motivate people to hear what we have to say about best practices to select a cloud provider. However, meeting space in Reston is always hard to get, as several groups are already in line to hold a special event then. In the end, the consensus was to have a longer meeting, but not a “special day” -– which we can do later, perhaps in Boston in June.

Initial agenda items for the March meeting:

• An overview of our group and its deliverables for new attendees.
• A review of any responses received to the Cyber Insurance RFI.
• An overview of work in progress or imminent, slanted towards attracting new participants.
• Invite the Cloud Security Alliance to give another talk on their work on Software Defined Perimeter – especially given that we may be on course to establish a liaison agreement with them.
• A talk by John Weiler (IT-AAC) on cloud acquisitions and the needs he sees to define more aspects of migration.
• Frederic de Vaulx (Prometheus Computing) suggests to include the non-profit association ACT-IAC (American Council for Technology and Industry Advisory Council), which has several communities of interest working on cyber security, blockchain and government.
• A talk by NIST, possibly by Robert Bohn, NIST Cloud Computing Program Manager (see www.nist.gov/itl/cloud).
• A panel on cloud standards, if we have the right people present in person.

The meeting will be on March 25 or 26, and the date choice will be constrained by other events, such as an AI Forum that Claude also needs to chair. We need to take into account that we will be on the US East Coast, and cannot start too early if we have interested participants from the West Coast. Claude will work to resolve this.