Citi’s internal cloud project gets open-sourced

Through Finos, a project that started internally to help Citi get a better handle on its cloud controls now includes the likes of Goldman Sachs, Morgan Stanley, RBC, BMO and LSEG.

In late 2019, executives at Citi took a step back to examine the bank’s cloud strategy. The aim was to make sure its concentration risk was mitigated by being able to operate on multiple cloud infrastructure platforms. Jim Adams, CTO and head of Citi technology infrastructure, tells WatersTechnology that lessons were definitely learned soon after the project started.

“In doing [this examination] and engineering those solutions, we quickly realized there was an awful lot of complexity and cost associated with replicating the controls that we need as a highly regulated firm.”

While many of the large cloud providers offer similar services, their engineering services are what sets them apart from one another. For firms looking to implement multiple providers into their tech stack, this could create gaps, particularly when capital markets firms need security to be top of mind. 

Internally, Citi looked to create a detailed model that would describe the logical controls that would address these threats. Adams says that they began assessing industry standards available at that point but quickly realized that they had a different need. “We recognized there was a need for an industry standard that would really act as an accelerant, a way of helping us understand how to create the necessary controls to secure the services that are running in public cloud,” he says. 


Today, that initiative has set the groundwork for the Fintech Open Source Foundation’s Common Cloud Controls project. In July of this year, Finos announced the formation of an open standard to describe common controls across public cloud providers in the financial services sector. Alongside Citi, initial participants included Goldman Sachs, Morgan Stanley, Bank of Montreal, Royal Bank of Canada, and London Stock Exchange Group, among others. The announcement of the standard comes as more regulators put forward reports about the risks around cloud concentration. The US Department of Treasury, the Monetary Authority of Singapore, and the European Council are among the bodies issuing their findings. 

The project is looking to provide a consistent approach to how the threats that a service has to mitigate are described. “A CSP can then contribute and give us the implementation details of their controls that would match that logical control that would address that threat,” Adams says. One provider might say there is a single control that they can use, while another may have two or three. The expectation is that the providers will be able to map to the standard. 

“By putting this into open source, we get the collective wisdom of the industry,” Adams says. “We can all look and say we agree these are the threats that a relational database has to defend against. And we can all look at the description of the logical controls and say we believe that control would be effective against those threats.”

Finos officially open-sourced the standard in October following three months of formation. Gabriele Columbro, executive director of Finos, says this is an issue that can only be addressed through two aspects: openness and broad participation. 

“The openness aspect is fundamental in providing transparency to the regulators and possibly engaging them early in the process,” he says. In 2020, Finos announced the Open RegTech initiative, which will encompass all the different areas where it looks to engage regulators thoroughly. “We think that through open source, we can not only mutualize the costs of implementation and interpretation of regulations but also have regulators as active participants in introducing machine-readable regulation,” Columbro says.

The second aspect is the idea of shared responsibility, or a shared fate. “While, of course, the buck stops at the financial institutions and the regulated industries, this is not about slapping a new standard on the cloud service providers,” he says. Having them engaged from the beginning and providing technical expertise is fundamental. Google is currently the sole provider involved, but Columbro says there are active conversations with other cloud providers, both large and small.

Building 1.0 

One of the goals of the project is the ability to build on existing industry standards. Particular attention has been paid to the Open Security Controls Assessment Language being developed by the National Institute of Standards and Technology. OSCAL defines XML, JSON and YAML formats that offer machine-readable representations of control catalogs, control baselines, and system security plans, among other things. Adams stresses that it’s not about reinventing the wheel. “It’s really important that we don’t reinvent things, we’re looking just to bring them together in a very cohesive way,” he says.

The project is also looking at the MITRE Adversarial Tactics, Techniques, and Common Knowledge framework, or MITRE ATT&CK, to outline the threats being considered. The framework is commonly used across the private sector to catalog the various cyberattack techniques that can occur and to help recognize them when they are taking place.


Finos CCC references a subset of threat techniques and associated mitigations from the framework to ensure cyber security resilience within the project. Some examples of cloud threats that banks would reference include Data from Cloud Storage, Cloud Administration Command, and Additional Cloud Roles.

By mitigating these threats on the cloud, banks would be able to mitigate adversaries accessing data from cloud storage, abusing cloud management services to execute commands within the cloud environment, and adding additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. 

An example is the Relational Database Service, which is categorized within a common taxonomy of cloud services as stipulated by the Finos CCC standard. Using NIST OSCAL to describe and define the Relational Database Service, the configuration of the service is described and versioned as code for each CSP to implement as a compliant Finos Common Cloud Controls service. Compliance is then tested using a set of validate statements written in Gherkin, which is both machine- and human-readable.
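To make the workflow above concrete (a threat-to-control catalog described as data, a CSP's service configuration as code, and Gherkin-style validate statements run against it), here is an added Python example. It is not code from Finos CCC or from any CSP: the catalog is a constructed JSON document only loosely shaped like an OSCAL control catalog, the CSP configuration values are made up, and the `Then … is …` step grammar is an assumption chosen for this illustration rather than the project's own. The technique IDs are the published MITRE ATT&CK identifiers for the three techniques the article names (T1530 Data from Cloud Storage, T1651 Cloud Administration Command, T1098.003 Additional Cloud Roles).

```python
import json
import re

# Constructed control catalog, loosely modelled on OSCAL's catalog layout
# (controls with id, title, props). Assumed shape; not the real Finos CCC
# catalog or the real OSCAL schema. Each control names the ATT&CK techniques
# it mitigates and carries the Gherkin steps used to test a CSP implementation.
CATALOG_JSON = """
{
  "catalog": {
    "controls": [
      {"id": "rds-01", "title": "Encrypt data at rest",
       "props": [{"name": "mitigates", "value": "T1530"}],
       "validate": [
         "Given a relational database service",
         "When the storage configuration is inspected",
         "Then encryption_at_rest is true"
       ]},
      {"id": "rds-02", "title": "No public network exposure",
       "props": [{"name": "mitigates", "value": "T1530"}],
       "validate": [
         "Given a relational database service",
         "When the network configuration is inspected",
         "Then public_access is false"
       ]},
      {"id": "rds-03", "title": "Restrict management-plane roles",
       "props": [{"name": "mitigates", "value": "T1651"},
                 {"name": "mitigates", "value": "T1098.003"}],
       "validate": [
         "Given a relational database service",
         "When the IAM policy is inspected",
         "Then admin_role_count is at most 2"
       ]}
    ]
  }
}
"""

# Constructed CSP implementation record: the service configuration "as code"
# a provider would submit for compliance testing. Values are made up.
CSP_CONFIG = {
    "encryption_at_rest": True,
    "public_access": False,
    "admin_role_count": 5,
}

# Assumed step grammar: "Then <key> is [at most|at least] <literal>".
THEN_RE = re.compile(r"^Then (\w+) is (at most |at least )?(\S+)$")


def _literal(raw):
    """Turn the step's literal into a Python value (bool, int or str)."""
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def evaluate_then(step, config):
    """Evaluate one Then step against a configuration; missing keys fail closed."""
    match = THEN_RE.match(step)
    if not match:
        raise ValueError(f"unsupported step: {step!r}")
    key, qualifier, raw = match.groups()
    if key not in config:
        return False
    actual, expected = config[key], _literal(raw)
    if qualifier == "at most ":
        return actual <= expected
    if qualifier == "at least ":
        return actual >= expected
    return actual == expected


def run_validations(catalog_json, config):
    """Return {control_id: passed} for every control in the catalog.

    Given/When lines are human-readable context here; only Then lines assert."""
    controls = json.loads(catalog_json)["catalog"]["controls"]
    results = {}
    for control in controls:
        then_steps = [s for s in control["validate"] if s.startswith("Then ")]
        results[control["id"]] = all(evaluate_then(s, config) for s in then_steps)
    return results


def uncovered_threats(catalog_json, results):
    """List ATT&CK techniques for which no passing control exists."""
    controls = json.loads(catalog_json)["catalog"]["controls"]
    covered, all_threats = set(), set()
    for control in controls:
        techniques = {p["value"] for p in control["props"] if p["name"] == "mitigates"}
        all_threats |= techniques
        if results[control["id"]]:
            covered |= techniques
    return sorted(all_threats - covered)


if __name__ == "__main__":
    outcome = run_validations(CATALOG_JSON, CSP_CONFIG)
    print(outcome)
    print("threats left unmitigated:", uncovered_threats(CATALOG_JSON, outcome))
```

With the constructed configuration, the encryption and network controls pass but the role-count control fails, so the report shows that the Cloud Administration Command and Additional Cloud Roles techniques are left without an effective control. Reporting at the threat level, rather than only per control, is what lets a bank compare providers against the same threat list before committing to one.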

Adams views it as a level playing field. “I have a degree of assurance that at least when I get there, that service will be able to provide the same level of controls as I’ve got in the other CSP,” he says. “It really begins to level the playing field somewhat, because we know before we invest any dollars that they can at least meet the common threats that we believe they need to be able to address.”

Columbro says that as open standard development projects tend to be more complex than open-source projects, he anticipates more progress next year. Adams also emphasizes that this will require continued work. 

“The reality is threats change over time. So once we’ve created the baseline of this standard, there will still be ongoing work,” Adams says. “This is something where we’ll get to the 1.0 but there will be ongoing administration oversight from within Finos to make sure it continues to keep pace with both the service development and the threats that need to be addressed.”
