FINOS ANNOUNCES FORMATION OF AN OPEN STANDARD PROJECT FOR FINANCIAL SERVICES COMMON CLOUD CONTROLS TO ADDRESS COMPLIANCE AND CLOUD CONCENTRATION RISKS
The Linux Foundation | 27 July 2023
Championed by Citi and joined by over 10 global financial firms, the project welcomes broad industry participation across financial services, technology and cloud service providers.
NEW YORK, July 27, 2023 – The Fintech Open Source Foundation (FINOS), the foundation of open innovation in financial services and part of the Linux Foundation, today announced the formation of an open standard project, based upon an approach developed by FINOS Platinum Member Citi, to describe consistent controls for compliant public cloud deployments in the financial services sector.
As the pace of cloud adoption accelerates in a highly fragmented global regulatory landscape, this collaborative project aims to develop a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs). By developing a unified taxonomy of common services and associated threats, the project also sets out to alleviate the systemic risk of cloud concentration, an issue highlighted in recent reports from the U.S. Department of the Treasury, the UK HMT, the European Council, and the Monetary Authority of Singapore.
The project, initiated by Citi and approved in July by the FINOS Governing Board, has quickly garnered participation from more than 20 FINOS Member firms globally, including Bank of Montreal (BMO), Citi, Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), London Stock Exchange Group (LSEG), Natwest Group, cloud service provider Google Cloud, and leading vendors such as GitHub, Red Hat, Symphony, Adaptive, Container Solutions, ControlPlane, GitLab, and Scott Logic. The project will begin a formation stage in August and become available under the Community Specification License later this year. Firms interested to join can apply here.
Jim Adams, Chief Technology Officer and Head of Technology Infrastructure at Citi, said, “There is a need for a Cloud Standard that will improve certain security and control measures across the Financial Services industry, whilst simplifying and democratizing access for all institutions to operate and benefit by leveraging the public cloud. It is important to collaborate with our peers to ensure consistency across cloud service providers, ensuring the industry can realize true multi-cloud strategies.”
"Due to the sheer complexity and economic drivers of this challenge, no single vendor, financial institution, or regulator can define what it means for a financial cloud deployment to be compliant,” said Gabriele Columbro, FINOS Executive Director and Linux Foundation Europe’s General Manager. “The only way forward is open collaboration across constituents, hence why I’m truly excited to see so many FINOS Members quickly rallying around this project, which has the potential to become one of the most valuable and transformational initiatives in our open source community, and across the industry.”
"By aligning the controls specific to a service-focused threat model, we can consistently implement controls that map to the actual threats we need to mitigate," said Jon Meadows, Head of Cloud, Application and Software Supply Chain Security at Citi, Citi Tech Fellow, and Chair of the OpenSSF End User working group.
This open standard is expected to expand on existing efforts like NIST’s OSCAL, the MITRE ATT&CK framework, and FINOS’ own Compliant Financial Infrastructure project, to build taxonomies on common cloud services, common threat techniques and associated mitigations, logical control descriptions, as well as cloud service specific data flow diagrams to understand common attack vectors in the service.
The project is inviting participation from financial institutions globally, CSPs, fintech and technology vendors, industry associations, and regulators to ensure broad representation of all constituents involved in the shared responsibility model.
For more information or to get involved, please visit https://www.finos.org/common-cloud-controls-project.
About FINOS
The Fintech Open Source Foundation (FINOS) is an independent nonprofit organization focused on promoting open innovation during a period of unprecedented technological transformation within financial services. FINOS believes that organizations that embrace open source software and common standards will be best positioned to capture the growth opportunities presented by this transformation.
About Citi
Citi is a preeminent banking partner for institutions with cross-border needs, a global leader in wealth management and a valued personal bank in its home market of the United States. Citi does business in more than 160 countries and jurisdictions, providing corporations, governments, investors, institutions and individuals with a broad range of financial products and services.
Additional information may be found at www.citigroup.com | Twitter: @Citi | YouTube: www.youtube.com/citi | Blog: http://blog.citigroup.com | Facebook: www.facebook.com/citi | LinkedIn: www.linkedin.com/company/citi
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.