Hello again Paul,
First, I am glad that you found our work interesting -- thanks for the kind words.
In several of our other papers (we've issued about 30), there is more detail about certain aspects such as those you mention. The Practical Guide to Cloud Computing was the first document published by our group in 2011, and all subsequent papers can be seen as deeper dives into certain aspects. There is a paper specifically on migration, for instance. Also one from last year on Cloud Deployment Technologies, to help people choose among the growing list of options (such as serverless, FaaS, CaaS, etc.). We talk about disaster recovery, at least to some extent, in the Practical Guide to Cloud Service Agreements. Etc.
We really welcome input on where is the "white space" that we should try to fill -- either through a new paper, or through revisions of existing ones. Revisions don't have to be big projects -- they can be a version N.1, not N+1, depending on the extent of the changes. We're not ANSI or ISO, so it can take a couple of months, not years, to do this.
For example, penetration testing in the cloud context is obviously a tricky issue that may need to be covered better. CSPs are understandably loath to allow customers to request certain measures (be it audits or pen tests). This is mentioned in some of our papers, but if it doesn't get proper coverage in, say, Practical Guide to Cloud Security: Ten Steps to Success, then I'd be keen to get some help in revising it.
"What I would have in mind," to respond to your concluding question, is a small team of OMG and CSA people (3 to 6, perhaps) working together to create a deliverable. We've actually done this only once -- between the CSCC when it was a separate entity, and OMG, for a paper on the challenges of data residency. But I have a pretty clear idea of what the process would be:
(a) scope what's missing in our work.
(b) have a few people meet and decide on the proper course -- a new paper or a revision of an existing one? Two separately branded versions or a joint publication under both logos?
(c) on OMG's side, get our working group's agreement to agree to (a) and (b), and use this approval process to also enlist any additional co-authors or reviewers.
(d) go through the draft-review-revise cycle once or twice (I am a pretty thorough copy editor, by the way -- no repetition, vagueness or cliché tends to remain untouched by my red pen), typically using a Google Doc to allow shared editing.
(e) get the paper voted on by OMG's Middleware & Related Services Task Force -- CSA would pursue whatever its similar process is.
(f) publish, publicize (press release), educate (webinar -- we have a BrightTalk channel for this).
This can be done for any paper that any of you would suggest we improve. We really welcome those requests, because we can't always see the needs for improvement in our own work.
I have time to chat next week if you want, including during the coming holiday weeks or during the week of Jan. 4.
Claude
------------------------------
Claude Baudoin
cébé IT Knowledge Management
Co-Chair, OMG Cloud Working Group
https://www.omg.org/cloud
------------------------------
Original Message:
Sent: Dec 17, 2020 12:06:53 AM
From: Paul Rich
Subject: where is guidance on general cloud adoption?
Hello Claude,
Thank you for the reference, and for educating me about the existence of OMG and the Cloud Standards Customer Council. I read the paper you suggested and it is really good. It doesn't quite have the level of detail that I had in mind, but it is certainly a great start. I will distribute your email to my co-chair and Working Group members for consideration and discussion of just how far this would get us, specifically in the context of our goal for 2021.
On the broader question of documented guidance for adoption of cloud services, I know that we could do more for the world than what you've covered in the Practical Guide to Cloud Computing, going to an additional level of detail on the actual adoption and integration phases (versus the earlier phases covering education, sponsorship, resourcing, planning, and evaluating). There are common considerations across a range of scenarios that are not the initial "get to know cloud" scenario. Examples can include change management and disaster recovery as well as identity, logging, and penetration testing impacts. I don't yet know precisely how this would all fit together but I'm sure that it is fertile ground to be explored. You indicated an interest in a collaborative effort. I'm game, and so would ask for more details regarding what you have in mind.
------------------------------
Paul Rich
Executive Director
JPMorgan Chase & Co.
Original Message:
Sent: Dec 16, 2020 10:23:32 PM
From: Claude Baudoin
Subject: where is guidance on general cloud adoption?
Paul, I don't know if there is anything done by CSA in particular, but the OMG Cloud Working Group has a Practical Guide to Cloud Computing that you may find useful for this person (and if you don't, then it means we've totally messed up, and I'd like to know why and how :-) )
You'll find it, and a number of other documents, at https://www.omg.org/cloud/published-deliverables.
In case anyone thinks I'm writing an unrelated commercial for another organization, OMG and CSA have a liaison agreement, which was initiated by Shamun Mahmud of CSA and myself, and which was precisely put in place to allow this sort of mutual help and involvement.
And speaking of such collaboration, we'd be quite open to a joint effort on any report CSA people are planning. Some of our other 30 papers surely require an update, and we'd be happy to replace an older version of any of our papers related to security or data protection with a jointly authored version that would serve as a revision for us and a new paper (or a revision) for CSA. We could either have a joint cover page, or separate cover pages with identical contents. No need to do the work twice... Food for thought?
------------------------------
Claude Baudoin
cébé IT & Knowledge Management LLC
Co-Chair, OMG Cloud Working Group
Original Message:
Sent: Dec 15, 2020 05:26:49 PM
From: Paul Rich
Subject: where is guidance on general cloud adoption?
During today's working group meeting for cloud key management we were talking about the document we have just begun working on and a question arose for the broader CSA community. The paper we plan to write and publish for 2021 is guidance for how to think about, plan for, and implement a multi-cloud and hybrid KMS model. There are a huge number of considerations that we could write about and as we started capturing our ideas it became apparent that a large percentage of the considerations have to do with cloud adoption in general, rather than the specifics of key management and encryption. With that in mind, we would like to "outsource" a good deal of our recommendations regarding "stuff you should do" when adopting a cloud service. I went looking through all CSA publications back to 2015 and cannot find a best practice guide for adopting cloud services. Does anyone know if such a document has ever been published by CSA? Any opinions regarding the need to do so?
------------------------------
Paul Rich
Executive Director
JPMorgan Chase
------------------------------