The Cloud Working Group met on Tuesday, 14 Sep 2019, from mid-morning to mid-afternoon, mostly by teleconference. Claude Baudoin, co-chair, led the meeting in the absence of the other co-chairs (Lisa Schenkewitz of IBM and David Harris of Boeing).
Claude presented the progress to date:
Shamun Mahmud presented, with Juanita Koilpillai sharing the virtual podium, the current work of the CSA (Cloud Security Alliance), which is focused on the principle of “Zero Trust” and on a proposed Software-Defined Perimeter (SDP) to enhance protection for cloud applications. His slides are OMG document cwg/19-01-01. Michael Roza said that CSA will soon publish a paper entitled “Software Defined Perimeter as a DDoS Prevention Mechanism.”
CSA welcomes additional collaborators – we can connect them with the co-authors of the CWG papers on security. Conversely, we should consider revising the CWG “ten steps to success” paper on cloud security in 2020, involving co-authors from CSA and including the Zero Trust and Software-Defined Perimeter ideas in the new version. Shamun said that he likes the way the OMG CWG uses the phrase “ten steps to success” in that paper: it is a pragmatic way to explain to people how to safely migrate workloads to the cloud.
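To make the Software-Defined Perimeter idea discussed above concrete for readers of these minutes, here is an added example (editor's illustration, not CSA's or the CWG's code, and not the exact wire format of the CSA SDP specification). It models the core SDP mechanism as CSA describes it: the gateway is default-deny and only opens the application port to a client that first sends a valid Single-Packet Authorization (SPA) datagram authenticated with a pre-provisioned shared seed. Packets with a bad MAC, a replayed counter, a stale timestamp or an unknown client id are silently dropped, which is why SDP is being proposed as a DDoS prevention mechanism: unauthenticated traffic never reaches the protected service. The packet layout, the `client-A` identity and the seed are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed wire layout for the SPA datagram (an assumption for this example,
# not the CSA SDP specification's exact format):
#   16-byte client id | 8-byte counter | 8-byte unix time | 32-byte HMAC-SHA256
SPA_FMT = ">16sQQ32s"
SPA_LEN = struct.calcsize(SPA_FMT)  # 64 bytes


def _cid(client_id: bytes) -> bytes:
    """Normalise a client id to the fixed 16-byte field."""
    return client_id.ljust(16, b"\0")[:16]


def _mac(seed: bytes, cid: bytes, counter: int, ts: int) -> bytes:
    """HMAC over everything in the packet except the tag itself."""
    return hmac.new(seed, struct.pack(">16sQQ", cid, counter, ts), hashlib.sha256).digest()


def build_spa(client_id: bytes, seed: bytes, counter: int, ts: int) -> bytes:
    """Client side: the single datagram sent before any TCP connection attempt."""
    cid = _cid(client_id)
    return struct.pack(SPA_FMT, cid, counter, ts, _mac(seed, cid, counter, ts))


class SdpGateway:
    """Default-deny SDP gateway: a client may connect only after a valid SPA."""

    def __init__(self, clients: dict, max_skew: int = 30):
        # clients: client id -> shared seed, provisioned out of band by the SDP controller
        self.seeds = {_cid(c): s for c, s in clients.items()}
        self.last_counter = {c: 0 for c in self.seeds}   # replay protection state
        self.max_skew = max_skew                          # seconds of clock drift tolerated
        self.authorized = set()

    def handle_spa(self, packet: bytes, now: int) -> str:
        """Validate one SPA datagram. Every 'drop:*' result sends no reply at all."""
        if len(packet) != SPA_LEN:
            return "drop:malformed"
        cid, counter, ts, tag = struct.unpack(SPA_FMT, packet)
        seed = self.seeds.get(cid)
        if seed is None:
            return "drop:unknown-client"
        # Authenticate first, so freshness checks only run on packets from a seed holder.
        if not hmac.compare_digest(tag, _mac(seed, cid, counter, ts)):
            return "drop:bad-mac"
        if abs(now - ts) > self.max_skew:
            return "drop:stale"
        if counter <= self.last_counter[cid]:
            return "drop:replay"
        self.last_counter[cid] = counter
        self.authorized.add(cid)
        return "accept"

    def allow_connection(self, client_id: bytes) -> bool:
        """Firewall decision for a TCP SYN to the protected application port."""
        return _cid(client_id) in self.authorized


def demo() -> dict:
    """Run the constructed scenario and return each gateway decision."""
    seed = hashlib.sha256(b"provisioned-seed-for-client-A").digest()  # constructed
    gw = SdpGateway({b"client-A": seed})
    now = 1_600_000_000
    r = {}
    r["before_spa"] = gw.allow_connection(b"client-A")               # default deny
    pkt = build_spa(b"client-A", seed, counter=1, ts=now)
    r["valid"] = gw.handle_spa(pkt, now)                             # accept
    r["after_spa"] = gw.allow_connection(b"client-A")                # now allowed
    r["replay"] = gw.handle_spa(pkt, now + 5)                        # same counter again
    r["forged"] = gw.handle_spa(build_spa(b"client-A", b"wrong-seed", 2, now), now)
    r["stale"] = gw.handle_spa(build_spa(b"client-A", seed, 2, now - 600), now)
    r["unknown"] = gw.handle_spa(build_spa(b"mallory", seed, 1, now), now)
    r["stranger"] = gw.allow_connection(b"mallory")                  # never authorised
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>10}: {v}")
```

The order of checks matters: the MAC is verified before the timestamp and counter so that an attacker without the seed learns nothing about the gateway's state from which packets are dropped, and no state is updated until the packet has been authenticated.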
CSA has a Health Information Management Working Group. They are interested in talking further with Mick Talley, who is experienced in healthcare IT and in particular in healthcare identity management.
David Harris said that the Boeing person who represented them at the CSA has left the company, and he wanted to be introduced to CSA in order to participate. Claude said he would send a mutual introduction message.
We reviewed the roadmap, which appears on this wiki's main page, Section 4.1.3.
We agreed that the Catalog of Cloud-Related Standards should be a living web page rather than a static document, and that a Wikipedia page would be a good solution – assuming one does not exist yet. This would allow other Wikipedians to add content.
Prasad Siddabathuni (Edifecs) had volunteered to start an effort toward a paper on Cyber Insurance for the Cloud, but has not yet gotten to it.
Practical Guide to Cloud in Retail – There has been little progress since we started discussing this with Karen Shunk (no longer with OMG) and Bart McGlothin (no longer with Cisco), but the idea is still current. We discussed this paper both in the morning (with remote people attending) and in the afternoon (with just Claude, Andy and Leonid).
Alex Tumashov of Schlumberger raised the idea of a paper on Data Governance in the Cloud. We would need to make sure that it does not overlap too much with the Practical Guide on cloud governance that we just produced. CSA people would also be interested in participating. Karolyn Schalk of IBM is specifically interested in this.
Claude said that the meeting in Long Beach in December was likely to be held on the morning of December 11 (this has been confirmed since).
Should we try to organize a full-day Cloud Security Forum in Reston in March? We should be able to involve CSA, NIST, the Retail DTF, the Finance DTF, the National Telecommunications and Information Administration (NTIA), and perhaps the Global Blockchain Alliance (GBA). Mick Talley recommended talking to Donna Dodson (Office of Chief Cybersecurity Advisor at NIST) about this.