The Cloud Working Group met on Tuesday, 14 Sep 2019, from mid-morning to mid-afternoon, mostly by teleconference. Claude Baudoin, co-chair, led the meeting in the absence of the other co-chairs (Lisa Schenkewitz of IBM and David Harris of Boeing).

• Claude Baudoin (cébé IT & Knowledge Management, co-chair) in person
• David Harris (Boeing, co-chair) on the phone
• John Glaubitz (Cisco), Leonid Rubakhin (Aptos), and Andy Mattice (Lexmark) representing the OMG Retail Domain Task Force – in person, but not all three at the same time
• Shamun Mahmud, Michael Roza, Matt Gervais and Juanita Koilpillai, representing the Cloud Security Alliance (CSA) – on the phone
• Mick Talley (IT Acquisition Advisory Council) – on the phone
• Helmut Brunner (Vation) – on the phone
• Jyoti Chawla (IBM) – on the phone
• …and a few others whose names were given to OMG staff for recording.

Claude presented the progress to date:

• The Practical Guide to Cloud Service Agreements v3.0, approved in February, was published in March 2019 and presented in a BrightTalk webinar in April.
• The Practical Guide to Cloud Deployment Technologies v1.0, approved at the regular March meeting, was published in April 2019 and presented in a webinar in May.
• The Practical Guide to Cloud Governance v1.0 was approved at the June meeting, published in July, and presented in a webinar in September.
• The discussion paper entitled Cloud Service Agreements: What to Expect and What to Negotiate, v3.0 was just completed, sent out for review four weeks before the start of this meeting, and presented to the MARS Task Force on Monday morning. A vote is scheduled in MARS on Thursday. Assuming it is approved, a webinar will be scheduled in October or November. Claude took the action item to poll the contributors for possible dates and interest in co-presenting.

Shamun Mahmud presented, with Juanita Koilpillai sharing the virtual podium, the current work of the CSA, which is focused on the principle of “Zero Trust” and a proposed Software-Defined Perimeter to enhance protection for cloud applications. His slides are OMG document cwg/19-01-01. Michael Roza said that CSA will soon produce a paper entitled Software Defined Perimeter as a DDOS Prevention Mechanism.

CSA welcomes additional collaborators – we can connect them with the co-authors of the CWG papers on security. Conversely, we should consider revising the CWG paper on the “security 10 steps for success” in 2020, involving co-authors from CSA, and including the Zero Trust and Software Defined Perimeter ideas in the new version. Shamun said that he likes the way the OMG CWG uses the phrase “ten steps to success” in that paper. It is a pragmatic way to explain to people how to safely migrate workloads to the cloud.

CSA has a Health Information Management Working Group. They are interested in talking further with Mick Talley, who is experienced in healthcare IT and in particular in healthcare identity management.

David Harris said that the Boeing person who represented them at the CSA has left the company, and he wanted to be introduced to CSA in order to participate. Claude said he would send a mutual introduction message.

We reviewed the roadmap, which appears on this wiki's main page, Section 4.1.3.

We agreed that the Catalog of Cloud-Related Standards should be a living web page rather than a static document, and that a Wikipedia page would be a good solution – assuming one does not exist yet. This would allow other Wikipedians to add content.

Prasad Siddabathuni (Edifecs) had volunteered to start an effort toward a paper on Cyber Insurance for the Cloud, but has not yet gotten to it.

• It was suggested that a “mini-RFI” to the Cloud WG mailing list and beyond – cloud customers, cloud providers, insurers – might elicit information about what may already exist, and about the risks that users may be willing to insure against, or how they assign a number of the losses.
• Jyoti Chawla (IBM) volunteered to help, David Harris is willing to lead the effort, and he knows Tim Cavanaugh, the CISO at Maiden Global Servicing Company, a reinsurance firm, who is interested in helping.
• On the other hand, Michael Brunner thought that this is a theoretical issue and a paper would be premature, because no one offers insurance yet for the business losses resulting from cloud failures. He also argued that the situation is going to be very different from country to country.

Practical Guide to Cloud in Retail – There has been little progress since we started discussing this with Karen Shunk (no longer with OMG) and Bart McGlothin (no longer with Cisco), but the idea is still current. We discussed this paper both in the morning (with remote people attending) and in the afternoon (with just Claude, Andy and Leonid).

• Jyoti is also interested in participating. Claude will inform Bart, who was no longer in the room when Jyoti made her comment.
• Andy, who is a new RDTF co-chair, is very interested. However, he and Leonid differ significantly about the scope: Andy thinks it would be a short paper, Leonid that it would be quite extensive.
• Mick Talley advised to “not be too prescriptive, as the technology will change.” Claude answered that we are rarely at risk of being too prescriptive, since so far, we are only publishing guides and papers, not standards.
• One of the specific issues in retail is that a store needs to continue to operate if the network goes down. This may mean, among other impacts, that some invalid credit card will be accepted, since real-time verification is impossible; but it is better that having to stop selling.

Alex Tumashov of Schlumberger raised the idea of a paper on Data Governance in the Cloud. We would need to make sure that it does not duplicate too much the Practical Guide on cloud governance we just produced. CSA people would also be interested in participating. Karolyn Schalk of IBM is specifically interested in this.

Claude said that the meeting in Long Beach in December was likely to be held on the morning of December 11 (this has been confirmed since).

Should we try to organize a full-day Cloud Security Forum in Reston in March? We should be able to involve CSA, NIST, the Retail DTF, the Finance DTF, the National Telecommunications and Information Administration (NTIA), and perhaps the Global Blockchain Alliance (GBA). Mick Talley recommended talking to Donna Dodson (Office of Chief Cybersecurity Advisor at NIST) about this.