Citi CTO spearheads new pan-industry ‘Common Cloud Controls’ project at FINOS
Citi, Goldman, Morgan Stanley, LSEG, Natwest Group, and RBC are all participating amid concerns about the opacity of public cloud security and resilience tests and controls.
Citigroup and the Linux Foundation’s FINOS have launched an open standard project to describe “consistent controls” for public cloud deployments in financial services. The move comes as banking multinationals fret over a range of issues, including their lack of access to the cloud providers’ own resilience and security test results, the kind of evidence that financial regulators in most jurisdictions robustly demand of the banks themselves.
The project, called Common Cloud Controls, will be run by FINOS – a non-profit with a mandate to drive innovation in financial services through open source. It has brought in financial services heavyweights like Bank of Montreal, Citi, Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), London Stock Exchange Group (LSEG), and Natwest.
At the time of publication, Google Cloud was the only large cloud provider participating, alongside software and services companies including Adaptive, Container Solutions, ControlPlane, GitHub, GitLab, Red Hat, Scott Logic, and Symphony.
Others have been invited, and interested organisations can apply to join the project.
FINOS, which has become an increasingly lively forum for open source collaboration in financial services, said that the new project “aims to develop a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers.”
Common Cloud Controls comes amid security concerns
The project is in part a response to a rapidly growing, and not always impeccably documented, set of public cloud services and the controls around them. Earlier this year the US Treasury noted (in a PDF report) that the financial services industry was “considering and implementing a range of alternative approaches to one-to-one audits, like pooled audits, certifications, or real-time updates to customers…” amid industry interest in, and concern about, cloud “(i) internal software dependencies within the public cloud environment; (ii) subcontractor and other supply chain risks; (iii) CSP [cloud service provider] protection against pervasive cyber vulnerabilities; (iv) results of testing resilience and security capabilities; and (v) information regarding operational incidents, including real-time updates and after-action reports.”
FINOS hopes that by developing a unified taxonomy of common services and associated threats, the Common Cloud Controls project will help “alleviate the systemic risk of cloud concentration, an issue highlighted in recent reports from the U.S. Department of the Treasury, the UK HMT, the European Council, and the Monetary Authority of Singapore.”
Jim Adams, CTO and Head of Technology Infrastructure at Citi, the world’s fifth largest bank, said, “There is a need for a Cloud Standard that will improve certain security and control measures across the Financial Services industry, whilst simplifying and democratizing access for all institutions to operate and benefit by leveraging the public cloud.
“It is important to collaborate with our peers to ensure consistency across cloud service providers, ensuring the industry can realize true multi-cloud strategies,” he added in a statement on July 27, 2023.
“Due to the sheer complexity and economic drivers of this challenge, no single vendor, financial institution, or regulator can define what it means for a financial cloud deployment to be compliant,” added Gabriele Columbro, FINOS Executive Director. “The only way forward is open collaboration across constituents, hence why I’m truly excited to see so many FINOS Members quickly rallying around this project, which has the potential to become one of the most valuable and transformational initiatives in our open source community.”
This open standard is expected, said FINOS, to expand on existing efforts like NIST’s OSCAL, the MITRE ATT&CK framework, and FINOS’ own Compliant Financial Infrastructure project, to build taxonomies on common cloud services, common threat techniques and associated mitigations, logical control descriptions, as well as cloud service specific data flow diagrams to understand common attack vectors.
“By aligning the controls specific to a service-focused threat model, we can consistently implement controls that map to the actual threats we need to mitigate,” said Jon Meadows, Citi’s Head of Cloud, Application and OpenSSF end user working group Chair. The project will enter a formation stage in August and become available later this year.
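As an added illustration of the service-focused threat model described above, and not code from FINOS or the Common Cloud Controls project (whose format had not been published at the time of this article), the Python sketch below maps a constructed provider-neutral service taxonomy to real MITRE ATT&CK technique IDs and evaluates two constructed provider-specific deployments against a single control catalogue. The control identifiers (CCC.OBJ.01 and so on), the service names, and the configuration keys are assumptions made for the example; only the ATT&CK technique IDs are real.

```python
"""Toy service-focused threat model: common services -> ATT&CK techniques -> controls.

Added illustration, not code from FINOS or the Common Cloud Controls project.
The service taxonomy, control identifiers and sample deployments below are
constructed; the ATT&CK technique IDs are real Enterprise matrix entries.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed mapping from provider-specific service names to one common
# taxonomy, so a single control catalogue applies regardless of provider.
COMMON_SERVICE = {
    "aws": {"s3": "object-storage", "cloudtrail": "audit-log", "iam": "identity"},
    "gcp": {"gcs": "object-storage", "cloud-audit-logs": "audit-log", "cloud-iam": "identity"},
}


@dataclass(frozen=True)
class Control:
    id: str                          # hypothetical control identifier
    service: str                     # common service the control applies to
    description: str
    mitigates: tuple[str, ...]       # ATT&CK technique IDs the control addresses
    check: Callable[[dict], bool]    # predicate over the normalised service config


# Constructed control catalogue keyed to real ATT&CK techniques:
#   T1530     Data from Cloud Storage
#   T1562.008 Impair Defenses: Disable or Modify Cloud Logs
#   T1078.004 Valid Accounts: Cloud Accounts
CATALOG = (
    Control("CCC.OBJ.01", "object-storage", "public read access blocked",
            ("T1530",), lambda c: not c.get("public_read", False)),
    Control("CCC.OBJ.02", "object-storage", "encrypted at rest with a customer-managed key",
            ("T1530",), lambda c: c.get("encryption") == "cmk"),
    Control("CCC.LOG.01", "audit-log", "retained >= 365 days and protected from deletion",
            ("T1562.008",),
            lambda c: c.get("retention_days", 0) >= 365 and c.get("delete_protected", False)),
    Control("CCC.IAM.01", "identity", "MFA required for every cloud account",
            ("T1078.004",), lambda c: c.get("mfa_required", False)),
    Control("CCC.IAM.02", "identity", "static access keys rotated within 90 days",
            ("T1078.004",), lambda c: c.get("max_key_age_days", float("inf")) <= 90),
)


def normalise(provider: str, deployment: dict) -> dict:
    """Translate a provider-specific {service: config} map onto the common taxonomy."""
    names = COMMON_SERVICE[provider]
    return {names[svc]: cfg for svc, cfg in deployment.items()}


def evaluate(provider: str, deployment: dict) -> dict:
    """Run every applicable control and report residual ATT&CK exposure.

    A technique counts as unmitigated if any control mapped to it fails.
    Controls for services the deployment does not use are skipped as N/A,
    which is itself a modelling choice worth stating explicitly.
    """
    common = normalise(provider, deployment)
    failed, unmitigated = [], set()
    for ctl in CATALOG:
        cfg = common.get(ctl.service)
        if cfg is None:
            continue
        if not ctl.check(cfg):
            failed.append(ctl.id)
            unmitigated.update(ctl.mitigates)
    return {"failed_controls": failed, "unmitigated_techniques": sorted(unmitigated)}


# Constructed sample deployments, one per provider, sharing the catalogue above.
AWS_DEPLOYMENT = {
    "s3": {"public_read": False, "encryption": "cmk"},
    "cloudtrail": {"retention_days": 90, "delete_protected": False},
    "iam": {"mfa_required": True, "max_key_age_days": 400},
}
GCP_DEPLOYMENT = {
    "gcs": {"public_read": True, "encryption": "cmk"},
    "cloud-iam": {"mfa_required": True, "max_key_age_days": 30},
}

if __name__ == "__main__":
    for prov, dep in (("aws", AWS_DEPLOYMENT), ("gcp", GCP_DEPLOYMENT)):
        print(prov, evaluate(prov, dep))
```

The point of the normalisation step is the one Meadows and Adams make: once a provider’s service is mapped to a common name, the same control and the same threat mapping apply to every provider, so a finding reads as “T1562.008 is unmitigated” rather than as a CloudTrail-specific or Cloud Audit Logs-specific setting. In the sample, the AWS deployment fails the log-retention and key-rotation controls, leaving T1078.004 and T1562.008 exposed, while the GCP deployment fails only the public-read control and leaves T1530 exposed.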