
02/01/2024 Common Cloud Controls - All Hands #119

Closed
5 tasks
crawfordchanel opened this issue Jan 31, 2024 · 13 comments
Labels: Meeting (Denotes a working group or project meeting)

Comments

@crawfordchanel
Contributor

crawfordchanel commented Jan 31, 2024

Date

02/01/2024 - (12:00 PM) ET / (5:00 PM) UK

Untracked attendees

  • Fullname, Affiliation, (optional) GitHub username
  • ...

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

TOPICS:

Steering Committee/Designated Working Group Leads Update

CCC Collaborative Highlights:

#11 - Contribution Request: OSCAL example that points to MITRE and describes tests using Gherkin
#15 - Collaborate to define the initial common cloud services, first common service taxonomy and top level taxonomy
#57 - Taxonomy Working Group to Evaluate FOCUS Synergies with Common Cloud Controls

Maintainers Discussion

#13 The creation of a Common Cloud Controls 30, 60, 90 day plan 
#48 Creation of RDMS Service for Compliant Financial Infrastructure

  • AOB, Q&A & Adjourn (5mins)

Zoom info

Join Zoom Meeting

https://zoom.us/j/93861901920

Meeting ID: 938 6190 1920
Passcode: 284383


Dial by your location

Meeting ID: 982 5461 7376

Find your local number: https://zoom.us/u/acPjHdY2IO

@maoo
Member

maoo commented Feb 1, 2024

@maoo / FINOS 👋

@robmoffat
Member

Rob / FINOS 🎈

@eddie-knight
Contributor

👋 :shipit: Eddie Knight / Sonatype

@jgavronsky

Jane / FINOS

@karlmoll

karlmoll commented Feb 1, 2024

Karl Moll / FINOS

@iMichaela
Contributor

Michaela Iorga/NIST

@rachkim00
Contributor

Rachel Kim / Google

@hennersz
Contributor

hennersz commented Feb 1, 2024

👋 Henry Mortimer / ControlPlane

@eteridvalishvili

Eteri / FINOS

@ojeb2
Contributor

ojeb2 commented Feb 1, 2024

Oli Bage / LSEG

@rgriffiths-scottlogic
Contributor

Rob Griffiths / Scott Logic

@crawfordchanel
Contributor Author

Chanel Crawford - Citi

@crawfordchanel
Contributor Author

crawfordchanel commented Feb 5, 2024

Meeting Minutes:

CC: Okay, we'll go ahead and get started with the meeting notices.

CC: Hello, everyone, and thank you for joining our second. I believe this is our second all-hands meeting of 2024 for the Common Cloud Control Standard Initiative.

CC: I thought it might be good to do some quick introductions, maybe name company area of interest.

CC: I will go ahead and start, My name is Chanel.

CC: I am the PM for CCC, from Citi. I am probably the least technical person on the call. However, I do understand the importance of the work we're doing here with the standard and the effect that it is going to have on the financial services industry in its entirety. So I am happy to be a non-technical contributor.

CC: First, I will give updates on the working lead designation in a steering committee. Update. Second, we will chat about some of the great collaborative efforts we have seen this month. Thank you all for your hard work in advance. We will have the Maintainer give an update on their progress. And then, finally, there are a couple of issues that need some subject matter, expert analysis from the group and we will go into those.

CC: The WG lead: This role is to liaise with other working groups and make sure that we're pushing in the same direction and in tandem with the steering committee roadmap. It is a light touch, coordination role and will not replace the need for existing Maintainers to also lead and coordinate. We should have them in place by our next steering committee meeting.

CC: And speaking of that, our first SteerCo meeting was about 6 weeks ago on December twelfth. It was decided then that we would hold them quarterly, and we would have escalations as required. This is a publicly observable meeting, and is headed by Citi’s own JA, with the understanding that additional leadership will be added at a later date.

There are a couple of names in the hat already, and we are excited about finally picking up some help. There were some concerns raised over the steering committee communications, so we wanted to make sure that it was a Democratic and not top down, and this is mitigated with the meeting being held publicly and observable. And of course we can change the procedures as we see fit.

CC: A couple of the goals that were pointed out during the steerco were to define the working principles of the steering committee and what the Maintainer role was and how they would engage with the project. One of the biggest things was to make decisions on partnerships between mutual beneficial taxonomies

CC: One of the things that Jim noted in the first steering committee meeting was the importance of the validation of the first service. It is paramount, and I believe there has been a lot of work done on issue number 15 and 57.

CC: So it looks like with that Sonali and Vicente. They are leading the work on adapting the markdown and bringing it back to the group. Do you guys have an update for that

VH: No, I do not have an update. I also already take notice that I have to travel next week, so I have been a little busy, but I will. I will get on to it.

CC: Number 11. We needed output from the attack framework in a consumable document. I believe it is Eddie, David and Rowen. Can you guys speak to Number 11?

EK: Oh, was David, were you working on this?

DS: Yes, so we were working to basically define where we want within the MITRE catalog and define some of those attack services. So yes, we have made progress on some of the formatting pieces of that

DS: But we need to synchronize with that, I think Wider and OSCAL, to make sure that we are presenting it inside the OSCAL format correctly. So there has been progress. I would, by next meeting. What I will do is put an example. Up in the chat here of one control that maps across and get feedback from the teams here to make sure that meets the taxonomy and the and what you would expect from that.

CC: Number 88, which was to determine how CDMC could accelerate the CCC taxonomy.

OB: can you hear me? Okay, yes, I can hear you. Did you like to speak on them?

OB: Yes. So we have got a couple of different pieces of activity in the CDMC space on CCC. Now, there's active work going on inside to produce an OSCAL version of the CDMC controls. And we are also working with our internal cloud Governance team to see if we can get permission to open source the Cloud Service catalog that we have developed with Microsoft for Azure.

OB: Strong partnership with Azure and we are quite advanced with that service platform, but I do not know if it is something that we could potentially contribute. So we're working on both this one activity at the moment.

CC: Perfect. Thank you.

CC: Okay, so as you can see there is active work still being done this month. I think the simple fact that we have been able to collaborate and actively work on things shows that we can at least, knock some of these out of the park. Right?

CC: The next one is Number 48, which is the creation of the RDMS Branch infrastructure. And I am mentioning this because it was created all the way in September. And I know, since this is tagged as all working groups. Does anyone oppose us closing this or somehow integrating it into number 15 or 57?

EK: I think that one. that one should be complete. I am going to pull it up right

EK: okay, yeah, I do not think there is anything pending on that. If you do not look, I'm looking right now as well.

EF: It looks like there's an outstanding request to check with you, Chanel on the RDS taxonomy and controls to make sure that Citi can access the material.

CC: And then, after you guys get that dedicated answer, we can close. This out

EF: appears to be the last action for it.

EK: Yes, all the work outlined in the issue itself is complete. So we should be. We should be good as long as any pending comments are eruptive.

CC: Thank you. Okay.

KM: There's a message from Michaela in the chat asking, Where is the OSCAL formatted information developed so she can assist.

EK: Is that targeting? David?

DS: yes, I will get with you on that one. I think I'm asking for some assistance there as well on OSCAL, in the formatting there, and where to put particular items. Within the catalog. But I will give with you, and let's figure that piece up

MI: Michaela here, or with somebody else with you

DS: and with Eddie as well.

MI: The reason I ask is we would like to be able to collaborate, not duplicate, as I promised to the working group members before I started creating a sample example based on the document, the financial service document, the Pdf version and Chanel very kindly copy and paste some information. That was, and one of the issues.

MI: But that doesn't help me.

MI: but generate easily a sample that properly represents the information. So I'm trying to use the tables that are inserted in the Pdf. And other information there. But those tables are images, and me typing every single word again. It's a waste of time.

DS: I would like at least to be able to copy and paste into

DS: yes, and what? And just to be clear, the example that we have is essentially a control example works for a Gcp service. With the regulatory mappings against those as well as the MITRE attack mappings. So, looking for some help on how to then map that into the OSCAL format, appropriately right. And this is where I was struggling with the example that was created, because in OSCAL controls are the ones that are used as assemblies to represent information that is going to be assessed right? So, a threat is not a control, because that's something that you have a mitigation for that threat.

MI: If you want to represent the threats as digital information, we can do that and use mapping, or we can tag the threat inside of the control, saying with prop, saying that those are. This is the threat that was mitigating, and this is very important to understand not only how to represent right now, but to be able to represent the information right now in a way that is, supports the process that is envisioned.

DS: Yes, and not to derail too much, and love to hear feedback from the line. Essentially what I think we should do is just map to the MITRE framework. And then we should then keep the threats that are using that attack vector separate

DS: So that we just have a clear mapping to the MITRE control or MITRE mapping there as well as the NIST and the other controls within that. So, they just have a clear lineage there and then you can maintain the threat actor and what they're using from a MITRE attack framework independent of those.

MI: So, the document that I mentioned has a list of mitigations that frequently check permissions. The first one is good, that's a safeguard. Right? I can represent it as an OSCAL control. And now, there are others that are really not so prescriptive. Consider using multi factor. Well, is that a control?

DS: Absolutely. And I think that's one worked example. And then we can work additional ones just so that we make sure that we have a taxonomy correctly, absolutely.

MI: And if some controls are optional, versus others being, you know, treated as normative, that can be documented. But the language inside of that requirement has to be very clear and consistent.

DS: 100% agree, a hundred percent.

SA: So, I agree, just talking from the LSAC perspective we worked. I think OB mentioned it before. We're using JSON to make that sort of translation from the CDMC to OSCAL, and then planning once we've agreed the format, we've not added any sort of MITRE alignment, or mappings there but once. Once, we've agreed, based off of the quite prescriptive descriptions from the CDM. We will look to batch. generate for the rest of their controls based off of that one control approach.

SA: We won't be able to join the working group next week, because there's an AWS symposium all day. But the following week we're looking to come and present the approach that we've taken. Hopefully, we can sort of marry the 2 up and see how we can integrate

MI: Mapping as well, and if you're building a tool to generate that information, it's very important to be versatile enough to generate properly. OSCAL in JSON format is not just JSON format, and then providing to the user's other formats like XML or YAML. That's easy to do with our command conversion tool.

MI: Run it once and you generate information, but it has to be valid.

SA: OSCAL, otherwise won't convert anything.

MI: It's not sufficient to be JSON, because there are rules in there, in the, in the schema so, and constraints for the values.

MI: So please feel free to reach out even directly. Via email, I can put my email in the chat again

CC: great discussion, any other comments.

CC: Moving on to the last one that I wanted to address since we have Jim on the call, hi Jim. in the beginning, we had the common Cloud control 30-, 60- and 90-Day plan. But we're clearly way beyond that. So, I wanted to know. Ask you, you know, are we going to be working on this at the next steering committee? You think that's something that we could work on?

JA: Yeah, I think we have to. But the reality is certainly speaking from Citi perspective. There's a lot of other pulls on our time at the moment. I'm sure that's been consistent for others. At the end of the year processes and coming through Christmas. So yes, let's discuss it in the next step.

CC: Thank you. And with that being said, those were all of the issues. I wanted to make sure that we highlighted what we've done so far this month. I wanted to make sure that we got a chance to talk about the emails that were exchanged and touch base on the 30-, 60- and 90-Day plan. At that point I'd like to open the floor. For any questions or concerns.

OB: I've got a question, and I don't know if it's too soon to be doing this. But is there a plan around engaging with the Cloud Service providers themselves? I have mentioned this project to AWS into Asha and I know we've got to do the reps on as well. But do we want to start putting that plan together and having them join these engineering phones? Or is that some other great thinking about that?

JA: I think that that depends on their engagement with FINOS itself. I know that I also spoke quite extensively to AWS just before Christmas. I think I disambiguated a few items that they were a little bit confused on, but I'll defer to FINOS to know how proactive they've been in reaching back out and tried to get engaged. But they really need to come through the FINOS channels.

PS: Yeah, actually got a meeting with Azure tomorrow, and they've mentioned Fennel. CCT.

PS: I'll try and understand what they mean by that? They've got a new product they're building called continuous compliance or continuous control, or something like that. And they're really keen that they actually get involved with CCC. To make sure

PS: whatever Cis doing maps to that product.

PS: So, I can happily give feedback on what that conversation's like.

JA: Well, hopefully, if we do this well, there'll be a mapping to the logical control that we state, and you know, so absolutely they should be able to be able to engage.

JA: But we don't want the tail wagging the dog. We don't want the controls from a single CSP driving the standard.

JG: Hi, this is Jane I can add that. Yes, we have been speaking with Microsoft, and actually I was expecting a couple of Microsoft people on this call today.

JG: But I don't know if they joined, but that is definitely something we are orchestrating

RO: I was just saying, Microsoft are members now, aren't they, Jane?

JG: And they are going through the process correctly.

DS: and for what it is worth. I would agree with all the statements above. We have also been talking with our counterparts in the CSP space and encouraging them to join as well. So glad to see Microsoft joining and hopefully, AWS will follow suit here soon.

JG: That is also in the work.

DS: Fantastic.

CC: If there is nothing else, I look forward to working with you all in the next working groups and look forward to the next community meeting and sharing updates with you guys. Then thank you so much.

So, you mentioned it earlier? Where are we with the leads for the working groups? Cause they are going to be. They are the key to getting this like understanding of where we are, what we need to do, how the groups are working together, what the 30, 60, 90 Day Plan, which we are beyond that now. So, where are we with that?

CC: What we are doing is we're trying to make sure that we have the right leadership with the right level of interest and the bandwidth to be able to lead the groups? And we're doing some restructuring right now. So, we've got a selection process to go through.

CC: However, it does not necessarily have to be a Citi representative. So, if anybody else is, you know, wants to put their hand up and lead one of the groups that would be great. It's just a liaison to kind of make sure that everybody is working together

CC: any other questions/comments.

CC: I will give you your time back. Have a great day, and we will see each other soon.

@crawfordchanel crawfordchanel added the Meeting Denotes a working group or project meeting label Mar 12, 2024
@crawfordchanel crawfordchanel self-assigned this Mar 12, 2024