
Creation of RDMS Service for Compliant Financial Infrastructure

Open mcleo-d opened this issue 2 years ago • 11 comments

The FINOS Compliant Financial Infrastructure project wants to create a FINOS Common Cloud Controls version of RDMS that's being led by CFI maintainers @eddie-knight of Sonatype and @AdrianHammond of Red Hat.

The objective is to demonstrate an "end to end" working example of RDMS that is described by FINOS CCC and is created by Compliant Financial Infrastructure for demo at the FINOS Open Source in Finance Forum on 1st November 2023.

Piecing the RDMS Requirements Together

FINOS CCC has created taxonomy and service description examples that could be used to deliver the requirements that Compliant Financial Infrastructure is requesting. For example:

  • The following pull request describes a work in progress Taxonomy that's being created by @mark-rushing and the Taxonomy working group - https://github.com/finos/common-cloud-controls/pull/39

  • The following Object Storage service description is being created by @git-hub-forwork1 and the MITRE working group - https://github.com/finos/common-cloud-controls/issues/11#issuecomment-1729746032

Requirements

Using the examples above, members of the FINOS CCC project should collaborate with @eddie-knight and @AdrianHammond to provide the first MVP description of RDMS in OSCAL that also mitigates x number of threats from the MITRE ATT&CK framework.

Tests described in Gherkin are desirable, in the knowledge the approach has not been fully formed by @git-hub-forwork1 and the MITRE working group.

Please Note

This piece of work is a reference example for FINOS CCC and FINOS CFI and will not be deployed in a banking environment unless hardened and tested over time.

Timelines

Please use the issue comments to discuss the requirements for RDMS work to start on Monday 2nd October 2023.

mcleo-d avatar Sep 27 '23 14:09 mcleo-d

We will be treating portability and hardening as separate validation tasks, and we will be focusing on portability (service taxonomy) validation for the Nov 1st OSFF demo. Including the MITRE mitigations is a nice-to-have, but not a requirement for the OSFF demo.

eddie-knight avatar Sep 27 '23 22:09 eddie-knight

Sounds good. We have the initial document we can seed the group with that includes the RDMS threats, high level architecture diagram, threats, mitigations and initial test cases. I'm just confirming we have PR & legal sign off to send it into the group, then will drop in here. Will check back early next week

jonmuk avatar Oct 01 '23 14:10 jonmuk

> Sounds good. We have the initial document we can seed the group with that includes the RDMS threats, high level architecture diagram, threats, mitigations and initial test cases. I'm just confirming we have PR & legal sign off to send it into the group, then will drop in here. Will check back early next week

Amazing @jonmuk - Keep us posted 👍🏻

mcleo-d avatar Oct 03 '23 08:10 mcleo-d

Hi @nas-hub - I'm copying you into this thread given the latest email and virtual conversations with @eddie-knight from Compliant Financial Infrastructure.

cc @valmihai, @d1gital-f, @davidstonegoogle, @smendis-scottlogic

mcleo-d avatar Oct 04 '23 13:10 mcleo-d

  • @Naseer Mohammad since he spoke with Eddie


valmihai avatar Oct 04 '23 14:10 valmihai

Thank you for tagging me on this thread. It seems like Relational Databases and Cloud Storage are the two categories that got proposed for developing a proof of concept. As next steps we need to define further what this proof of concept looks like, and its dependencies. We can continue to build on the cloud storage exercise we did in one of our working sessions, or we can initiate a similar working session for Relational Databases.

nas-hub avatar Oct 05 '23 13:10 nas-hub

FOCUS has a line item for Database which represents any and all databases provided by a CSP. This grouping addresses billing related use-cases very well. From a Portability Controls point of view I feel we may need to go a level deeper, for which I added name-spaced sub categories as follows: Database: <CSP Native | Managed> <Relational | NoSQL | Graph | Document>. Following this pattern I have added entries into the original Google sheet in this thread (rows 50 to 57) for your review.

nas-hub avatar Oct 11 '23 13:10 nas-hub

Very much interested in adding that next level of detail into FOCUS for billing purposes. For the initial version of FOCUS, we started with the highest level categorization, but the need for the next level was definitely discussed and on the radar. Whether we go out and define it in FOCUS or refer to an external mapping is up for discussion. Is there a desire to maintain both ServiceCategory and whatever the subcategory name is as a part of CCC?

One challenge I can see is that FOCUS intends to go broadly into IT expenditure - e.g. on-premise costs, license, labor etc. in addition to the Cloud and SaaS cost. So it would be hard for us to adopt something external that doesn't capture the categories broadly. Open to ideas.

udam-f2 avatar Oct 11 '23 15:10 udam-f2

AFAIR we had consensus on evaluating FOCUS's taxonomy and leveraging it, if it serves CCC's use-cases. If we can add SubCategories in FOCUS we should be able to directly refer that taxonomy. @eddie-knight your thoughts^^

nas-hub avatar Oct 11 '23 16:10 nas-hub

> AFAIR we had consensus on evaluating FOCUS's taxonomy and leveraging it, if it serves CCC's use-cases. If we can add SubCategories in FOCUS we should be able to directly refer that taxonomy. @eddie-knight your thoughts^^

Thanks for raising the FOCUS evaluation @nas-hub 👍🏻 👍🏻

Please see below ...

  • #57

mcleo-d avatar Oct 11 '23 16:10 mcleo-d

@eddie-knight - quick update from the CCC Maintainers meeting yesterday on the CFI team creating an RDMS service. Chanel Crawford from the CITI team kindly agreed to follow up within CITI to see if we can get access to material on the RDS taxonomy and controls. I will check with Chanel on Monday.

@mcleo-d

AdrianHammond avatar Oct 12 '23 07:10 AdrianHammond

This issue will be closed as stale in 7 days. Please update this issue if it is still needed.

github-actions[bot] avatar Jul 03 '24 22:07 github-actions[bot]

Closed as stale. An update may reopen this issue.

github-actions[bot] avatar Jul 11 '24 22:07 github-actions[bot]