Community Blog

Keynote Session: FINOS CCC and the Need for an Open Regulatory Blueprint for Financial Services cloud cybersecurity, compliance & cloud concentration

December 14, 2023

FINOS Common Cloud Controls (FINOS CCC), a set of open standards that describes consistent controls for compliant cloud deployments in the financial services sector, is now open sourced through FINOS under the Community Specification License. FINOS CCC was prominently showcased at FINOS’s annual event, the Open Source in Finance Forum (OSFF) in New York on November 1, 2023.


Gabriele Columbro introduces this panel on FINOS Common Cloud Controls (FINOS CCC). The panel includes Jim Adams, CTO at Citi; Kim Prado, CIO for US Capital Markets at BMO; and David Homovich from the Office of the CISO at Google Cloud. Matt Ashare from CIO Dive moderates the session. They discuss the importance of the FINOS CCC project in establishing open standards for cloud security in the financial services industry.

Jim Adams emphasizes Citi's multi-cloud strategy to reduce vendor dependencies and addresses the complexity and costs involved in securing services across different cloud providers. He explains the need for an open standard to normalize security controls and threat models across cloud providers. The goal is to create a standard that allows collaboration within the industry and facilitates regulatory alignment.

Kim Prado shares how FINOS CCC is crucial for BMO's multi-cloud environment, enabling the setting of standards and collaboration with cloud providers. She sees it speeding up the development of applications and gaining regulatory approval, emphasizing the potential for FINOS CCC to shape future reg tech solutions.

David Homovich from Google Cloud highlights the shared responsibility model and the shared fate philosophy, emphasizing the importance of collaboration between financial institutions and cloud providers. He sees FINOS CCC providing a consistent blueprint for security across the industry.

The panelists discuss the gray area in the shared responsibility model, emphasizing the need for regulators to have a common understanding. They see FINOS CCC as a way to address regulatory concerns and facilitate collaboration between industry stakeholders.

The discussion ends with the panelists expressing optimism about FINOS CCC's potential impact beyond financial services and the significance of its open-source nature in fostering collaboration, transparency, and industry-wide adoption. They encourage industry professionals to join FINOS and actively participate in shaping the FINOS CCC project.

Full Transcript:

Gabriele Columbro: Now I'm gonna put on my MC hat and welcome our first panel. As I get to it, we're gonna talk about Common Cloud Controls. I want to bring on stage Jim Adams, who is the CTO for Operations and Technology at Citi; Kim Prado, who's on our board and she's the CIO for US Capital Markets;

David Homovich from the Office of the CISO at Google Cloud and moderating the session, Matt Ashare from CIO Dive. Thank you, folks. Welcome.

Matt Ashare: Ah, close together here. Nice. Hello. Thanks to FINOS and the Linux Foundation. My name is Matt Ashare. I'm a reporter at CIO Dive, where cloud and financial services are a primary area of coverage for me. So if you or anybody you know is doing something interesting in that [00:01:00] space, get in touch. I'm at easytofind@ciodive.com.

And we have a great panel here today. I think what I'm going to start is just let each of you introduce yourselves quickly and your sort of relationship with FINOS and the CCC.

Jim Adams: Thank you, Matt. So, Jim Adams. I'm the Chief Technology Officer for Citi. Part of my responsibilities there was developing our multi-cloud strategy, and really from that we distilled out some of the core principles and approaches that we seeded into the FINOS Common Cloud Controls project. So very, very pleased to be here. Very privileged to be, and very pleased to see so many of you here. So thank you.

David Homovich: Good morning. I am David Homovich. I am in the Office of the CISO at Google Cloud. I primarily cover financial service customers. The Office of the CISO at Google Cloud works a lot with our customers on their digital transformation, providing different strategic guidance and advice as they are going on their journey to the cloud. So, this is a very exciting topic for us at Google. [00:02:00] 

Kim Prado: Hi, I'm Kim Prado. I'm the CIO of Capital Markets at BMO and I am passionate about FINOS. I've been part of the organization for over six years and a heavy user of all the contributed projects. And happy to be here. 

Matt Ashare: Great. I think we'll start with you, Jim.

I have a question for you. We've already heard a little bit about Citi's involvement with FINOS and prioritization of open source in financial services. I wonder if you could drill down on that a little bit in terms of the CCC, given that Citi was one of the original members of this project. Tell me a little bit about why you prioritized this.

Jim Adams: So, as I mentioned, we had a multi-cloud strategy from the get-go, and that was for good reasons. We knew that we wanted to reduce any vendor dependencies we might have had. But what we very, very quickly realized was the complexity and costs that were involved when you try to develop secure services across cloud providers.

We purposefully worked with more than one [00:03:00] CSP concurrently, so we really could make sure that we were trying to normalize the best approach. And truly, when you look across the cloud providers, as I'm sure many of you here know, how controls are implemented and the types of controls you have vary greatly from one CSP to the next.

Now, about the same time, we also saw a massive increase in the level of scrutiny that our global regulators were applying to us and asking us to prove to them the efficacy of our cloud programs. Were they truly secure? And again, with that complexity of these very varied approaches by which you go about securing services, that was quickly becoming very, very challenging.

Recognizing it wasn't going to be the CSP's responsibility to give us a secure cloud. This was our responsibility. CSPs give us a secure cloud; we secure the workloads within them. We quickly realized that it was an opportunity perhaps for us to create an open standard that we could all work towards.

As technologists, I think we all recognize abstraction often is the answer to many problems. And when you look at specific implementations of controls, it's very hard to [00:04:00] normalize. So our approach was to elevate the level of scrutiny to the threat models that a specific service had to mitigate.

So what threats does a relational database have to address? And what you find when you do that is actually there's not so much variation when you go across cloud providers. There is some, because there are implementation specific threats you need to overcome. But on the whole, there's a very common set of threats that a relational database may have to protect against.

Securing your data, encryption, exfiltration. And then when we looked at that, we looked at defining a set of logical controls. So not the actual implementations, but logical controls that have a way of validating the efficacy of the control to address that threat. And why that's very powerful is that different CSPs may have very, very different ways of how they would implement a control, but could still evidence against that validation statement.

So our belief was that if we were able to create that, a CSP could [00:05:00] join the party, could tell us how they would configure the service. It doesn't break the shared responsibility model, because they're not actually securing it for us. But it means that they give us that head start.

And when I talk about that cost and complexity, we really did find that often we'd be a long way down securing a service before we'd find that a fairly rudimentary control was absent or insufficient. So, having that head start of the CSPs telling us how we can evidence a logical control to address a threat will be incredibly powerful.

And secondly, if you think about the regulators, the regulators are looking at different programs about controls, and we think if we can elevate their scrutiny to the level of the threats, because let's face it, the regulations exist to address threats, not to tell us how to actually implement the controls, we can get the regulators to somewhat harmonize. Because globally they're very, very fragmented. We're hoping that a standard like FINOS Common Cloud Controls can really bring the regulators [00:06:00] together and have them focus through that lens. And FINOS is, we've spoken about it and just seen the attendance here, it's really important that we collaborate as an industry across all the financial services, because the weight and credibility that will bring to the discussions with the regulators is incredibly important.

Matt Ashare: Yeah. Yeah. And obviously you also have the internal risk management that you have to deal with.

And I'm going to skip over the CSP for a sec here and go to BMO. Kim, if you could tell us, for you, what the advantages of having a project like this are, and what sort of hurdles that allows you to overcome just on a practical level.

Kim Prado: Yeah. Honestly, on a practical level, this is huge for us, because as we started down our cloud journey, we, obviously, like every other financial institution, are multi-cloud, and that's never going to change. I don't see that changing.

And if you've got different rules of the road for each cloud provider, it makes building applications really difficult and it slows down time to market, the [00:07:00] whole bit, but even harder than that is getting the approval to go ahead and build your application.

And so by participating in this, we're able to actually be at the table now to set the standards and actually drive with the individual cloud providers to enable our dev community to actually move faster, and time is money. We're all on tight budgets, and anything we can do once is huge, right?

And then tying in the regulation is the other big one. And I think that's where we have the golden opportunity to actually come together as an industry and drive the regulation, and help the regulators define it, versus being driven.

Matt Ashare: So getting out in front of. 

Kim Prado: Hundred percent. 

Matt Ashare: Yeah, that makes a lot of sense.

Now obviously cloud providers are, you're not regulated in the same way. But whenever I talk to people at Google Cloud or other hyperscalers, they seem to be particularly interested in their customers having success. So [00:08:00] clearly you have a vested interest in this, and we've already mentioned the shared responsibility model this morning.

But also the shared fate model. And I wonder if you could, if you want to get into that and why something like this and the open source nature of this is so important or has become a priority for Google, and your involvement.

David Homovich: Yeah, absolutely. It's funny because what Kim and Jim are saying are things that I talk about with our customers on a regular basis.

Matt Ashare: Right. 

David Homovich: And so Google is completely in support of developing an open source security standard for cloud deployments, particularly in the financial services industry. You mentioned shared fate, so that's really our philosophy at Google to address some of the challenges that we've seen with shared responsibility in the past.

Which is to say, for example, all of the controls in column A would be implemented by a cloud service provider. All of the controls in column B are going to be implemented by our financial services institutions. Sort of the security of the cloud versus security in the cloud. But there's this gray area then that [00:09:00] develops in the middle where there's a lack of collaboration, a lack of communication.

And so what I really love about this project is that it's bringing all of the stakeholders together to promote some transparency here among the financial sector organizations, both large ones and smaller ones as well that may not have huge technology teams or huge cybersecurity teams.

It also provides, I think, a consistent blueprint for financial sector organizations as well when it comes to first line of defense, second line of defense, even audit, to speak the same language. So I think there's a lot of benefit in that, and that really aligns with the shared fate responsibility that we talk about a lot at Google.

So Phil Venables, who's the CISO for Google Cloud, talks about how we're not only responsible for securing our customers' data, but really for securing the public cloud and, by extension, I think, securing part of the planet, really. Because there are so many services now that are coming onto the cloud infrastructure.

So we definitely are supportive of this. I think the call to action is really to get others [00:10:00] involved, to build and nurture the relationships that will make this successful in the long term. And Google is certainly committed to open source. We're committed to a lot of the security initiatives at the Linux Foundation that some of my colleagues are going to talk about later today. Certainly we're a Gold Member of FINOS and we'll continue to support the CCC. So I think there's an awesome opportunity here, and I look forward to working with our colleagues on this.

Matt Ashare: Got it. Yeah. I'm wondering if either Jim or Kim, either one of you, would want to comment on that gray area and how the CCC addresses that or how you're trying to address that, because that I think is an interesting part of this.

Jim Adams: Yeah. I think the key thing there is, the gray area really for us is making sure that the regulators, when they assess the accuracy of what we're doing, are in agreement. It's that simple. So for us, one of the key things that I believe the CCC project will bring is, if you like, a kind of Rosetta Stone that really brings together these very disparate [00:11:00] sets of regulations and gives an anchor point that they can all rally around, a sort of single focal point.

I think the complexity we see is different regulators have different comprehensions of the clouds, different views on what it should and shouldn't do. So again, if we can just move that to something which is a different level of attention, then we'll be able to move forward with them in a more consistent manner.

I will say that one of the things that we did before we even came to FINOS was really seeing all the different regulators and seeing the different types of programs and RFIs that they were establishing. We took a proposal to them and said, "Hey, would you be interested if we were able to get the industry as a whole to rally around this approach?"

Do you think this would go some way to addressing your concerns? To be clear, FINOS CCC doesn't address all security requirements that are necessary to secure a service. It really is the common threats and the common controls; there will always be implementation specifics, and value adds, that a specific CSP can add.

But they were extremely supportive, whether it was them as the OTC [00:12:00] or the ARC; there was a lot of consensus that this was going to help.

Matt Ashare: Got it. Got it. All right. I think I'm going to ask each one of you a version of the same question, which is how you see this potentially improving or changing the relationship between what you do and the regulators.

If you want, do you want us to start with that, Kim? 

Kim Prado: Sure. I see it changing our relationship with the regulators in two ways. One, I think if they come in and they're doing their review and their typical shakedown, at least if you have this implemented, you have a fighting chance.

That's one. And the second is that I think it will also help us on the other end around reg tech in general, right? I feel like every hour of every day we get a new regulation we have to code for. So at least if we have these standards in place, maybe that can also lead us to another project down the road around common controls for how we deliver reg tech solutions too. So that ties in a [00:13:00] little bit with the reg tech working group that's already going on.

Matt Ashare: Yeah, obviously this is going to change. This potentially will help change your relationship with your customers, really, particularly your customers in the financial services space. 

David Homovich: Yeah, I think that's right, as to our customers. And then by extension, I think the regulators, right? And obviously our customers need high assurances on security, privacy, compliance, risk management, resiliency, all of those hot topics that we're talking about.

And this is a great start in us being able to get there using a common lexicon. From a cloud service provider perspective as well, we are also in the bounds of some of these regulations as we think about innovation and how we want to evolve our own cloud technology to make sure that we're still in line with what's out there in the regulatory space as well.

I think one of the other great things about this from a regulatory perspective is that NIST has come on early and is supporting this. And I think having that commitment really indicates that this could be used for oversight purposes in the future. So I think it's great that we're seeing so many folks get involved in this early on.[00:14:00] 

Matt Ashare: Numbers matter. 

David Homovich: Absolutely. 

Matt Ashare: Yeah. I think that we've got sort of a broad outline of this, but anything you want to add to that, Jim?

Jim Adams: No, I think just reinforcing some of what David and Kim said, I think NIST's engagement really shows that what we have with CCC isn't just something for financial services.

Any regulated industry or entity has to address the same kinds of threats. So I really think there's an opportunity for this to be more far-reaching than even just financial services. I'm glad it's starting in financial services, but I think it can have a much broader impact.

Matt Ashare: Got it. Now I covered this when it was first introduced, I think earlier this year, but last week, I think just about exactly a week ago, is when the open source announcement was made, correct?

And we really haven't talked about that too much. So I figured maybe we can finish up by having you dive in a little bit into the importance of it being open source, and I'll let either one of you take the lead on that.

David Homovich: I guess the meritocracy of it all, the fact that it's not pay-to-play, that we can get some of the smaller institutions [00:15:00] involved as well. Providing that transparency across CSPs and financial sector institutions. Providing the transparency to regulators and to public policymakers, I think, is hugely beneficial to this being open source.

Jim Adams: Yeah. And I think, bluntly, if it wasn't open source, it would fail. It's that straightforward. Some of the conversations we had internally when we were discussing this were, "Hey, isn't this Citi IP? Isn't this competitive advantage, what we're doing?" It was really education internally that no, this is something which has to benefit the industry as a whole, and that, yeah, any short-term gains we might have by having a secure cloud platform are going to be atrophied over time.

When we saw how the regulators were going to perhaps start defining, as Kim said, we don't want them telling us how to do it. We want to make sure that we're in control of our destiny. It has to be in the open source. It has to be an open standard. It has to be contributed from all of you.

So please do engage, become part of this project. I truly and firmly believe you'll be shaping a fairly monumental shift in how cloud infrastructure is leveraged by all [00:16:00] regulated firms. 

Kim Prado: I would just add that the FINOS organization is huge, right? Look at us today, right? Who knew? And it's just amazing how far it's come. And we've got agreements in place across the street, like all legal agreements are in place. Everything's there, right? And so the fact that this is with this organization, it's going to work, right? In the past, things like this failed because they weren't part of a broader organization. I think this is gonna be a real change.

Matt Ashare: Great. 

Kim Prado: And join FINOS if you're not a member. 

David Homovich: Yeah, absolutely. This will make all of our lives a lot easier, I think. 

Matt Ashare: Got it. Listen, I think that we are gonna finish up just a little bit under time, which is probably a good thing, since I think we're a little over.

But listen, thanks to all of you, and certainly thanks to the three of you for sharing your insights and your thoughts.

Jim Adams: Thank you very much.[00:17:00] 