The Cloud Working Group met on Wednesday morning, December 11, mostly by teleconference. Claude Baudoin, co-chair, led the meeting. David Harris of Boeing, one of the other co-chairs, was on the phone.
Claude provided an update on what has happened since the September meeting. He updated the wiki page last week to reflect this.
Thanks to an initiative by Dave Harris, we obtained from OMG staff the count of downloads of each of our papers between January 1 and mid-October. This has been reflected in a column added to section 4.1.1 of the wiki. There were some comments about this data. We will refresh it with a full-year count when available in January. Claude noted that some older papers with a relatively low count may have been downloaded a lot prior to January 2019.
Claude noted that if we revise the Cloud Customer Architecture for IoT paper, we need to do it in coordination with the Industrial Internet Consortium (IIC). IIC is already struggling with the fact that its Distributed Computing Contribution Group is trying to define terms such as “cloud” or “data center” in a draft position paper, sometimes inconsistently with the IIC's Vocabulary Task Group. Regardless, the apparent disconnect that the Cloud Standards Customer Council (CSCC), predecessor to the CWG, issued a paper related to IoT without IIC participation should be eliminated in the next version, notwithstanding the fact that the IIC is about Industrial IoT only, not consumer-oriented IoT.
David said that we need to achieve better integration between papers in the future, consistent with a trend toward integrated standards and orchestration. This need will come up again in the Roadmap section below.
David Harris, co-chair of this group, created a draft RFI on Cyber Insurance with the help of Tim Cavanaugh from Maiden Global Servicing (a reinsurance company), consistent with the discussions held during the September meeting where we agreed that such an RFI, sent to “the Cloud WG mailing list and beyond – cloud customers, cloud providers, insurers – might elicit information about what may already exist, and about the risks that users may be willing to insure against, or how they value the potential losses.”
The Cyber Insurance (CI) industry is growing at a 30% CAGR. It mostly covers breaches of personally identifiable information (PII), but there is a lack of a methodology to assign a cost to data loss. OMG can provide value by firming up the areas that are too “soft” right now in those agreements. We are trying to get from a broad cross-section of respondents a sense of how sensitive they are to the need to secure financial compensation for losses, and how urgent this is.
Fred Cummins said that some data accidents can put a company out of business, and asked how one can insure for that. Claude replied that there is a whole range of potential impacts; some of them may be too severe to be insurable, but some are a direct financial cost to a surviving company, such as having to provide an identity theft protection service to all customers for a couple of years – a common practice today. Reimbursing a company for lost sales during a cloud outage may be the next type of insurable loss. Besides, it will be up to the cloud service customer to decide how much insurance they want to carry. At that point, the insurance carrier needs to calculate a premium, and today they do not have much guidance to evaluate the level of risk. For example, they may need advice to evaluate the “cybermaturity” of both the cloud customer and the cloud provider.
The working group spent some significant time improving the text of the draft RFI, culminating in a consensus to bring it up to the Middleware and Related Services (MARS) Task Force for a vote.
The following actions took place after the Cloud Working Group adjourned:
We reviewed the roadmap, which is described in the main page of this wiki (section 4.1.3).
Beniamino said that this is way too big a scope. We should look at those six topics and split some of them into separate papers or revisions to existing papers. For example, “application security in the cloud” is not just relevant to migration, and if we do not address it well enough in the existing papers, then it should probably be added to a revision of the Practical Guide to Cloud Security. The edge computing topic could be part of an update to Cloud Customer Architecture for IoT. And so on.
Beniamino announced the CCPI cloud workshop to be held in Caserta, Italy, on April 15-17, 2020 in conjunction with IEEE’s 34th International Conference on Advanced Information Networking and Applications (AINA 2020). He invited CWG members to propose talks or to attend.
Claude said that there seems to be enough material to discuss in Reston in March 2020 to extend the meeting to a full day. This is in part because we expect representatives from several U.S. government agencies to be interested, given the proximity to their offices. We had also mentioned a possible “cloud security forum” involving NIST, NTIA, the Cloud Security Alliance, and more. The recent controversy about the JEDI contract may motivate people to hear what we have to say about best practices to select a cloud provider. However, meeting space in Reston is always hard to get, as several groups are already in line to hold a special event then. In the end, the consensus was to have a longer meeting, but not a “special day” – which we can do later, perhaps in Boston in June.
Initial agenda items for the March meeting:
The meeting will be on March 25 or 26, and the date choice will be constrained by other events, such as an AI Forum that Claude also needs to chair. We need to take into account that we will be on the US East Coast, and cannot start too early if we have interested participants from the West Coast. Claude will work to resolve this.