The recent open sourcing of FINOS Common Cloud Controls (FINOS CCC) has presented businesses with a set of open standards that describes consistent controls for compliant cloud deployments in the financial services sector. What does this mean for the corporate world going forwards?
Gabriele Columbro is Executive Director of the Fintech Open Source Foundation (FINOS) and General Manager of the Linux Foundation Europe. Columbro tells Digital Journal about the need for a cloud deployment standard.
Digital Journal: What is FINOS Common Cloud Controls? What’s the story behind this project being open sourced?
Gabriele Columbro: FINOS Common Cloud Controls, or FINOS CCC, is a set of open standards that describes consistent controls for compliant cloud deployments in the financial services sector. It’s an open source, collaborative project which aims to develop a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs).
The project was championed by Citi, a Platinum Member of FINOS, and approved by FINOS’s board in July this year. We then entered our formation phase, where FINOS members could get involved on the ground floor and start to shape the open standard’s roadmap to ensure broad representation of all constituents involved in cloud deployment in financial services. In October, we announced the project is now open sourced and available for public use.
DJ: What are some examples of the organizations involved and the role they have played/are playing in this project?
Columbro: We received astounding feedback and involvement from our community during the formation phase that has formed the basis for FINOS CCC to be a pivotal open source project on our platform. We garnered more than 100 participants from 20+ financial institutions, including Citi, Goldman Sachs, Morgan Stanley, and BMO; Google Cloud, a key cloud service provider representative; technology vendors such as Red Hat, Compliance Cow and Control Plane; industry associations; and public sector organizations, such as NIST. All of these participants and their varying backgrounds play a key part in making FINOS CCC successful, as we are able to understand concerns from all angles and create a set of open standards that truly addresses these concerns.
DJ: What needs does FINOS Common Cloud Controls address?
Columbro: There are many concerns around cloud deployment in financial services that FINOS Common Cloud Controls aims to address. Cloud deployment currently operates in a highly fragmented regulatory landscape. We want to establish open standards for this process in financial services, so there’s an agreed-upon understanding of what that process looks like, and how to do it securely and compliantly. There are also massive cybersecurity and cloud concentration risks associated with the current cloud service provider landscape. Currently, there are a limited number of CSPs offering their services to financial institutions, and if just one of them were to experience a cyber risk, it could shut down the entire financial system – the narrow playing field for cloud deployment in and of itself presents a high cloud service portability and cyber security risk.
DJ: What are the goals of FINOS Common Cloud Controls?
Columbro: As mentioned above, we want to mitigate regulatory, cloud concentration and cybersecurity risks associated with cloud deployment in financial services. Ultimately, we want to establish FINOS Common Cloud Controls as a Rosetta stone of sorts for cloud deployment, for the betterment of the industry and all of its constituents. We also want to continue to foster FINOS’s ecosystem of collaboration in what has been a historically siloed industry in financial services. FINOS CCC has brought many financial institutions, tech vendors, public sector bodies, and more to the same table to tackle industry-wide issues, and that’s what our foundation is all about.
DJ: With the recent White House RFI on Cyber Regulatory Harmonization, does FINOS Common Cloud Controls address these concerns in any way?
Columbro: Regulators are concerned with the financial sector’s growing dependence on a limited number of CSPs. The security implications of this cannot be understated. When you have large portions of the financial services sector all relying on a handful of CSPs, one cloud outage or cyber incident can jeopardize the entire financial ecosystem in an instant. By bringing both banks and CSPs to the same table in the development and implementation of FINOS CCC, we are able to establish a unified taxonomy of common cloud services and threat mitigations. The FINOS CCC project is more than just a response to regulatory concerns, however. This is a proactive step towards shaping the future of cloud deployments in the financial sector. By tackling the complexity of cloud concentration and its associated security concerns, FINOS is setting the foundation for a more resilient and inventive financial environment.
DJ: What’s on the horizon for FINOS Common Cloud Controls? What can we expect to see in terms of updates for this project in 2024?
Columbro: In the year ahead, FINOS Common Cloud Controls will grow to encapsulate further contributions from banks, tech firms, and cloud experts from across the FINOS ecosystem to enable the standard to truly define how common cloud services are provided to the financial services industry. As FINOS CCC scales, the National Institute of Standards and Technology (NIST) will continue to provide expertise and consultation on the use of OSCAL, and MITRE will enable collaboration on the MITRE ATT&CK Framework to ensure FSI cyber security risks are further embedded within the financial services cloud offering. As the FINOS CCC standard is developed, we fully expect to see CSP adoption of the FINOS CCC standard and the first cloud services rolled out to the financial services industry.