The duo wants consistent cybersecurity, resiliency & compliance controls for financial services clouds and for cloud service providers (CSPs).
Financial services giant Citi and the Fintech Open Source Foundation (FINOS) are launching an open standard project that will formulate “consistent controls” for cloud computing cybersecurity, resiliency, and compliance that cloud service providers (CSPs) can use as the basis for a common set of services.
The “Common Cloud Controls (CCC)” push is intended to bring a new unity to cloud protection in the financial services industry.
FINOS, an independent nonprofit organization “promoting open innovation” for financial services, will also be working with similar prior standards efforts.
“This open standard is expected to expand on existing efforts like NIST’s OSCAL, the MITRE ATT&CK framework, and FINOS’ own Compliant Financial Infrastructure project, to build taxonomies on common cloud services, common threat techniques and associated mitigations, logical control descriptions, as well as cloud service specific data flow diagrams to understand common attack vectors in the service,” according to FINOS.
“By aligning the controls specific to a service-focused threat model, we can consistently implement controls that map to the actual threats we need to mitigate,” says Jon Meadows, head of cloud, application and software supply chain security at Citi, Citi Tech Fellow, and chair of the OpenSSF End User working group, in a prepared statement.
“A cloud control standard is urgently needed to enhance security and governance protocols in the financial services sector, as well as to streamline and universalize access for all institutions to efficiently utilize the public cloud,” according to FINOS. “Cooperating amongst financial services peers and CSPs is crucial to ensure uniformity across various cloud service providers, thereby enabling the industry to implement effective multi-cloud strategies.”
Due to the “intricate nature and economic implications of this task, no single service provider, financial entity, or regulatory body can precisely outline what constitutes a compliant financial cloud deployment. The only viable path is through open engagement among stakeholders,” FINOS officials say. “Moreover, from a security standpoint, by coordinating the measures specific to a service-oriented threat model, we can systematically apply controls that correspond to the actual threats we seek to neutralize.”
The development of a unified taxonomy of common services and associated threats will help “alleviate the systemic risk of cloud concentration, an issue highlighted in recent reports from the U.S. Department of the Treasury, the U.K. HMT, the European Council, and the Monetary Authority of Singapore,” according to the announcement from FINOS, which is part of the Linux Foundation.
The idea for the project began with Citi and won the approval of the FINOS Governing Board, officials say.
The effort “quickly garnered participation from more than 20 FINOS member firms” such as Bank of Montreal (BMO), Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), London Stock Exchange Group (LSEG), NatWest Group, Google Cloud, GitHub, Red Hat, Symphony, Adaptive, Container Solutions, ControlPlane, GitLab, and Scott Logic, officials add.
“It is important to collaborate with our peers to ensure consistency across cloud service providers, ensuring the industry can realize true multi-cloud strategies,” says Jim Adams, chief technology officer (CTO) and head of technology infrastructure at Citi, in a prepared statement.
“The project will begin a formation stage in August and become available under the Community Specification License later this year,” officials say. “Firms interested in joining can apply here: https://bit.ly/3OjObmi.”