The Fintech Open Source Foundation (FINOS) announced the formation of an open standard project based upon an approach developed by Citi to describe consistent controls for compliant public cloud deployments in the financial services sector.
As the pace of cloud adoption accelerates in a highly fragmented global regulatory landscape, this collaborative project aims to develop a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs).
By developing a unified taxonomy of common services and associated threats, the project also sets out to alleviate the systemic risk of cloud concentration, an issue highlighted in recent reports from the US Department of the Treasury, the UK HMT, the European Council, and the Monetary Authority of Singapore.
The project, initiated by Citi and approved in July by the FINOS Governing Board, has quickly garnered participation from more than 20 FINOS Member firms globally, including Bank of Montreal (BMO), Citi, Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), London Stock Exchange Group (LSEG), NatWest Group, cloud service provider Google Cloud, and leading vendors such as GitHub, Red Hat, Symphony, Adaptive, Container Solutions, ControlPlane, GitLab, and Scott Logic.
Jim Adams, CTO and head of Technology Infrastructure at Citi, said in a statement: “There is a need for a Cloud Standard that will improve certain security and control measures across the Financial Services industry, whilst simplifying and democratizing access for all institutions to operate and benefit by leveraging the public cloud. It is important to collaborate with our peers to ensure consistency across cloud service providers, ensuring the industry can realize true multi-cloud strategies.”
“Due to the sheer complexity and economic drivers of this challenge, no single vendor, financial institution, or regulator can define what it means for a financial cloud deployment to be compliant. The only way forward is open collaboration across constituents,” said Gabriele Columbro, FINOS executive director and Linux Foundation Europe’s general manager.
“By aligning the controls specific to a service-focused threat model, we can consistently implement controls that map to the actual threats we need to mitigate,” said Jon Meadows, head of Cloud, Application and Software Supply Chain Security at Citi, Citi Tech Fellow, and chair of the OpenSSF End User working group, in a statement.
This open standard is expected to expand on existing efforts like NIST’s OSCAL, the MITRE ATT&CK framework, and FINOS’ own Compliant Financial Infrastructure project, to build taxonomies on common cloud services, common threat techniques and associated mitigations, logical control descriptions, as well as cloud-service-specific data flow diagrams to understand common attack vectors in the service.