- The Fintech Open Source Foundation is developing a unified set of compliance, resilience and security control standards for public cloud deployments in the financial services industry, the nonprofit organization announced Thursday.
- The project, which was initiated by FINOS member Citi, will begin forming in August and an initial framework is expected before the end of the year, FINOS said.
- By rationalizing controls and creating a shared taxonomy of cloud services and associated threats, the project hopes to ease concerns about cloud market consolidation raised by the U.S. Department of the Treasury in a February report, Gabriele Columbro, FINOS executive director and Linux Foundation Europe’s general manager, told CIO Dive.
Banking and financial services, initially cautious adopters, have embraced cloud as security and control measures improved and service providers introduced industry-specific solutions. Unifying standards for common services across major cloud platforms should remove additional roadblocks, paving the way for broader adoption.
Partnerships and joint ventures between specific cloud service providers and individual financial institutions have yet to yield industrywide standards, according to Columbro.
Open collaboration across constituents is the best path forward, Columbro said. The industry is too varied and complex for a single vendor, institution or regulator to define what it means for cloud deployments to be compliant.
The project has garnered support from twenty FINOS members, including Citi, Goldman Sachs and Morgan Stanley. Google Cloud, GitHub and Red Hat are among the vendor participants.
“We’re in a member-only phase of formation where we are giving members a chance to structure the project and define the initial workstream and governance,” Columbro said.
Once the initial phase is complete, which Columbro expects will take roughly two months, the project will become fully open source and invite broader participation, including cloud service providers beyond FINOS member Google Cloud.
“What has the potential of making this effort different from others is that it’s no single vendor or no single bank defining it,” Columbro said. “We will be doing this in the open and through consensus, not through back channels or a single vendor defining what it means to be compliant.”
The goal is to build on existing frameworks, such as NIST’s Open Security Controls Assessment Language, the MITRE Adversarial Tactics, Techniques and Common Knowledge framework and the existing FINOS Compliant Financial Infrastructure project.
“The beauty of open source and open standards is that we don’t have to reinvent the wheel and we don’t have to do everything in our project,” said Columbro. “We can enhance upstream efforts that are already critical to mitigations and regulations.”