At the risk of upsetting your cart, I think there is a 4th option, which seems to make sense to me: instead of taking the three items in red at the bottom right of Option 2, and moving them to the orange branch on the left, which is what you did to get to Option 3, merge them into the green branch (Secure Development and Delivery).
Thus, in this putative Option 4, you would have, at the bottom right of the mindmap:
- Secure Development and Delivery
- DevSecOps WG
- ERP WG
- Application and Interface security Domain
- Containers and Microservices WG
- Infrastructure and Virtualization Security Domain
- Serverless WG
Another point is, three related technologies (Blockchain, IoT, IA) are listed because there are WGs associated with them. But does this really belong in the Guidance document? Would it make more sense to call out the vertical domains and their specific requirements for security? Healthcare, Finance (which would probably include Blockchain, although of course there are other use cases for DLTs), Industrial Automation (which would include IoT), Power Distribution, Transportation, ...
Feel free to criticize or ignore...
------------------------------
Claude Baudoin
cébé IT Knowledge Management
Co-Chair, OMG Cloud Working Group
https://www.omg.org/cloud
------------------------------
Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals
CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.
The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.