The Inner Circle

  • 1.  where is guidance on general cloud adoption?

    Posted Dec 15, 2020 05:27:00 PM
    During today's working group meeting for cloud key management we were talking about the document we have just begun working on and a question arose for the broader CSA community. The paper we plan to write and publish for 2021 is guidance for how to think about, plan for, and implement a multi-cloud and hybrid KMS model. There are a huge number of considerations that we could write about and as we started capturing our ideas it became apparent that a large percentage of the considerations have to do with cloud adoption in general, rather than the specifics of key management and encryption. With that in mind, we would like to "outsource" a good deal of our recommendations regarding "stuff you should do" when adopting a cloud service. I went looking through all CSA publications back to 2015 and cannot find a best practice guide for adopting cloud services. Does anyone know if such a document has ever been published by CSA? Any opinions regarding the need to do so?

    ------------------------------
    Paul Rich
    Executive Director
    JPMorgan Chase
    ------------------------------


  • 2.  RE: where is guidance on general cloud adoption?

    Posted Dec 16, 2020 08:52:00 AM
    This is something I have addressed with the Enterprise Architecture group in doing come 2021. Because of how the architecture is laid out it acts almost as a gap analysis tool for cloud adoption, as well as providing key areas of responsibility for each component of a business. I think what you have now presented could very well be used with this also. Maybe we could begin that discussion?

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------



  • 3.  RE: where is guidance on general cloud adoption?

    Posted Dec 16, 2020 01:20:00 PM

    Sean, can you please send me the description of what the Enterprise Architecture working group will tackle? I'd like not only to take a look to see if we are actually aligned toward the same goal, but also to consider getting involved with the EA WG.

    Thank you,

    Paul



    ------------------------------
    Paul Rich
    Executive Director
    JPMorgan Chase & Co.
    ------------------------------



  • 4.  RE: where is guidance on general cloud adoption?

    Posted Dec 16, 2020 01:30:00 PM
    Absolutely. Give me some time to gather that and I will get it over to you as quickly as I can.

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------



  • 5.  RE: where is guidance on general cloud adoption?

    Posted Dec 16, 2020 10:24:00 PM
    Edited by Claude Baudoin Dec 16, 2020 10:26:40 PM

    Paul, I don't know if there is anything done by CSA in particular, but the OMG Cloud Working Group has a Practical Guide to Cloud Computing that you may find useful for this purpose (and if you don't, then it means we've totally messed up, and I'd like to know why and how :-) )

    You'll find it, and a number of other documents, at https://www.omg.org/cloud/published-deliverables.

    In case anyone thinks I'm writing an unrelated commercial for another organization, OMG and CSA have a liaison agreement, which was initiated by Shamun Mahmud of CSA and myself, and which was precisely put in place to allow this sort of mutual help and involvement.

    And speaking of such collaboration, we'd be quite open to a joint effort on any report CSA people are planning. Some of our other 30 papers surely require an update, and we'd be happy to replace an older version of any of our papers related to security or data protection with a jointly authored version that would serve as a revision for us and a new paper (or a revision) for CSA. We could either have a joint cover page, or separate cover pages with identical contents. No need to do the work twice... Food for thought?



    ------------------------------
    Claude Baudoin

    cébé IT & Knowledge Management LLC

    Co-Chair, OMG Cloud Working Group
    ------------------------------



  • 6.  RE: where is guidance on general cloud adoption?

    Posted Dec 17, 2020 12:07:00 AM

    Hello Claude,

    Thank you for the reference, and for educating me about the existence of OMG and the Cloud Standards Customer Council. I read the paper you suggested and it is really good. It doesn't quite have the level of detail that I had in mind, but it is certainly a great start. I will distribute your email to my co-chair and Working Group members for consideration and discussion of just how far this would get us, specifically in the context of our goal for 2021.

    On the broader question of documented guidance for adoption of cloud services, I know that we could do more for the world than what you've covered in the Practical Guide to Cloud Computing, going to an additional level of detail on the actual adoption and integration phases (versus the earlier phases covering education, sponsorship, resourcing, planning, and evaluating). There are common considerations across a range of scenarios that are not the initial "get to know cloud" scenario. Examples can include change management and disaster recovery as well as identity, logging, and penetration testing impacts. I don't yet know precisely how this would all fit together but I'm sure that it is fertile ground to be explored. You indicated an interest in a collaborative effort. I'm game, and so would ask for more details regarding what you have in mind.



    ------------------------------
    Paul Rich
    Executive Director
    JPMorgan Chase & Co.
    ------------------------------



  • 7.  RE: where is guidance on general cloud adoption?

    Posted Dec 17, 2020 01:34:00 AM

    Hi,

    Time for me to chime in.

    This is all great stuff that I see fitting into a separate WG if actual adoption scenarios as described by Paul are to be developed and published.

    The areas Paul mentioned plus others can be found in Security Guidance 4.0: https://cloudsecurityalliance.org/artifacts/security-guidance-v4/

    However, even this document is not all-inclusive domain-wise or coverage-wise within domains. Also, this document does not cover actual adoption or integration procedures.

    This is a significant effort that deserves and should have a separately focused and resourced Cloud Adoption / Migration WG.



    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------



  • 8.  RE: where is guidance on general cloud adoption?

    Posted Dec 18, 2020 11:08:00 PM

    Hello again Paul,

    First, I am glad that you found our work interesting -- thanks for the kind words.

    In several of our other papers (we've issued about 30), there is more detail about certain aspects such as those you mention. The Practical Guide to Cloud Computing was the first document published by our group in 2011, and all subsequent papers can be seen as deeper dives into certain aspects. There is a paper specifically on migration, for instance. Also one from last year on Cloud Deployment Technologies, to help people choose among the growing list of options (such as serverless, FaaS, CaaS, etc.). We talk about disaster recovery, at least to some extent, in the Practical Guide to Cloud Service Agreements. Etc.

    We really welcome input on where is the "white space" that we should try to fill -- either through a new paper, or through revisions of existing ones. Revisions don't have to be big projects -- they can be a version N.1, not N+1, depending on the extent of the changes. We're not ANSI or ISO, so it can take a couple of months, not years, to do this.

    For example, penetration testing in the cloud context is obviously a tricky issue that may need to be covered better. CSPs are understandably loath to allow customers to request certain measures (be it audits or pen tests). This is mentioned in some of our papers, but if it doesn't get proper coverage in, say, Practical Guide to Cloud Security: Ten Steps to Success, then I'd be keen to get some help in revising it.

    "What I would have in mind," to respond to your concluding question, is a small team of OMG and CSA people (3 to 6, perhaps) working together to create a deliverable. We've actually done this only once -- between the CSCC when it was a separate entity, and OMG, for a paper on the challenges of data residency. But I have a pretty clear idea of what the process would be:

    (a) scope what's missing in our work.

    (b) have a few people meet and decide on the proper course -- a new paper or a revision of an existing one? Two separately branded versions or a joint publication under both logos?

    (c) on OMG's side, get our working group's agreement to agree to (a) and (b), and use this approval process to also enlist any additional co-authors or reviewers.

    (d) go through the draft-review-revise cycle once or twice (I am a pretty thorough copy editor, by the way -- no repetition, vagueness or cliché tends to remain untouched by my red pen), typically using a Google Doc to allow shared editing.

    (e) get the paper voted on by OMG's Middleware & Related Services Task Force -- CSA would pursue whatever its similar process is.

    (f) publish, publicize (press release), educate (webinar -- we have a BrightTalk channel for this).

    This can be done for any paper that any of you would suggest we improve. We really welcome those requests, because we can't always see the needs for improvement in our own work.

    I have time to chat next week if you want, including during the coming holiday weeks or during the week of Jan. 4.

    Claude



    ------------------------------
    Claude Baudoin
    cébé IT Knowledge Management
    Co-Chair, OMG Cloud Working Group
    https://www.omg.org/cloud
    ------------------------------



  • 9.  RE: where is guidance on general cloud adoption?

    Posted Dec 23, 2020 05:51:00 AM

    Hi Paul.

    I just put a section into an isc2 whitepaper... it can be found here:

    https://www.isc2.org/Landing/Expert-Cloud-Security/Tips-Cloud-Migration

    Has some good stuff around cloud migration, and things to look out for.



    ------------------------------
    Abhishek Vyas
    Security Architect
    Admiral
    ------------------------------