Video by FINOS via YouTube

Maxime Coquerel (Principal Cloud Security Architect at RBC) and Eddie Knight (Founder of Revanite) introduce the Common Cloud Controls (CCC) framework. They break down how global financial institutions are building an openly governed, cloud-agnostic taxonomy of capabilities, threats, and shared controls to eliminate multi-cloud security fragmentation.
Join us in London! Catch the latest on Cloud Security and Compliance at OSFF London on June 25, 2026: https://hubs.ly/Q041YV9Z0 (Use Code: 26YTOSFFLN20C)
Timestamps:
0:00 Welcome and Disclaimers
0:30 Speaker Introductions: RBC & Revanite
1:13 Scope of Cloud Security Teams: Threats vs. Controls
1:55 The Jamara Project: Philosophy of Standardized Compliance
2:33 Layer 2 Activity: Accelerating Policy with Shared Controls
3:18 RBC’s Cloud Security Framework: Step-by-Step Architecture Vetting
4:06 Multi-Cloud Drift: The Challenge of AWS Config vs. Azure Policy
6:18 The Role of CCC: A Level, Agnostic Control Catalog
7:06 Connecting CCC with Architecture Language Models (CALM)
7:46 The Authoring Process: Capabilities, Threats, and Vector Mapping
8:54 Visualizing the Catalog Taxonomy
9:46 Website Tooling and Live Evaluation Ecosystem
10:38 Component Breakdown: Generative AI, Object Storage, and Secret Management
11:23 Differentiating Agnostic Controls from Policy Implementations
12:10 Pre-written Compliance-to-Perform Terraform Modules
12:46 Third-Party Vendor Tooling Integration (Polar)
13:19 How to Start Your Journey with Common Cloud Controls
15:03 Contributing Organizations and Call for Feedback
15:35 Key Takeaway: Cross-Cloud Shared Language
16:50 Navigation of the Dev Website and Git Workflows
17:57 The CCC Open Governance Schema Architecture
18:16 Q&A: Reference Module Strategy and Regulatory Change Tracking
The Problem: The Fragmented Multi-Cloud Policy Trap
Operating in a multi-cloud financial environment forces security teams to write individual, specialized configurations for each provider (e.g., AWS Config vs. Azure Policy). This causes severe operational drift, where an identical security requirement (like forcing TLS encryption in transit) requires completely distinct implementation paths. Without a uniform baseline, structural security gaps emerge between clouds, and regulatory compliance validation becomes immensely tedious.
The Solution: Standardized Agnostic Control Frameworks
The FINOS Common Cloud Controls (CCC) project provides a uniform translation layer across all environments:
* The Layer 2 Compliance Taxonomy: Standardizing cloud services into high-level, vendor-agnostic functional components (e.g., evaluating "Object Storage" as a generic standard rather than uniquely tracking AWS S3 or Azure Blob).
* Threat Matrix Mapping: Correlating native system capabilities directly to known cybersecurity attack vectors (such as MITRE) to proactively highlight cloud-agnostic vulnerabilities.
* Compliance-to-Perform Modules: Standardized, community-maintained Infrastructure-as-Code (Terraform) building blocks that are pre-certified as compliant out-of-the-box.
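The "translation layer" idea above, as an added example that is not code from the video, from FINOS or from the CCC project: one vendor-agnostic control (the TLS-in-transit requirement the description mentions) is evaluated against an AWS-shaped S3 bucket and an Azure-shaped storage account. The control record, its identifier `HYPO-OBJ-001`, the threat reference strings and all sample resources are constructed for illustration and do not follow the real CCC schema; the provider checks rely only on the documented S3 `aws:SecureTransport` deny pattern and the Azure `supportsHttpsTrafficOnly` property.

```python
"""One agnostic control, two provider-specific evaluators (illustrative, not CCC schema)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AgnosticControl:
    control_id: str          # hypothetical ID, not a real CCC identifier
    component: str           # vendor-agnostic component, e.g. "Object Storage"
    objective: str
    threat_refs: List[str]   # placeholder threat references (constructed)


# The shared requirement: the same "force TLS in transit" rule for every cloud.
ENCRYPT_IN_TRANSIT = AgnosticControl(
    control_id="HYPO-OBJ-001",
    component="Object Storage",
    objective="Reject client connections that do not use TLS",
    threat_refs=["placeholder-threat-cleartext-interception"],
)


def aws_s3_enforces_tls(bucket: Dict[str, Any]) -> bool:
    """AWS-shaped check: a bucket policy statement that denies every action
    when the aws:SecureTransport condition key is false."""
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def azure_storage_enforces_tls(account: Dict[str, Any]) -> bool:
    """Azure-shaped check: the storage account's supportsHttpsTrafficOnly flag."""
    return bool(account.get("properties", {}).get("supportsHttpsTrafficOnly", False))


# Translation layer: (agnostic control, provider) -> provider-specific evaluator.
IMPLEMENTATIONS: Dict[Tuple[str, str], Callable[[Dict[str, Any]], bool]] = {
    ("HYPO-OBJ-001", "aws"): aws_s3_enforces_tls,
    ("HYPO-OBJ-001", "azure"): azure_storage_enforces_tls,
}


def evaluate(control: AgnosticControl, provider: str, resource: Dict[str, Any]) -> bool:
    """Evaluate one resource against the agnostic control; a provider with no
    mapped implementation is a catalog coverage gap and is reported, not ignored."""
    try:
        check = IMPLEMENTATIONS[(control.control_id, provider)]
    except KeyError:
        raise ValueError(f"no implementation of {control.control_id} for provider {provider!r}")
    return check(resource)


# Constructed sample estate: two buckets and two storage accounts, one of each compliant.
SAMPLE_ESTATE = [
    ("aws", "logs-bucket", {"policy": {"Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}),
    ("aws", "legacy-bucket", {"policy": {"Statement": []}}),
    ("azure", "stprodlogs", {"properties": {"supportsHttpsTrafficOnly": True}}),
    ("azure", "stlegacy", {"properties": {"supportsHttpsTrafficOnly": False}}),
]


def evaluate_estate(estate=SAMPLE_ESTATE) -> Dict[str, bool]:
    """Return {resource name: compliant?} for the single shared control."""
    return {name: evaluate(ENCRYPT_IN_TRANSIT, provider, resource)
            for provider, name, resource in estate}


if __name__ == "__main__":
    for name, ok in evaluate_estate().items():
        print(f"{ENCRYPT_IN_TRANSIT.control_id} {name}: {'PASS' if ok else 'FAIL'}")
```

The point of the split is that the finding is reported under one control ID regardless of cloud, so a compliance report or a pre-deployment gate only has to reason about `HYPO-OBJ-001`, while the provider-specific knowledge stays confined to the two small evaluator functions.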
Why This Matters for Financial Engineering
* Frictionless Mergers & Acquisitions: Utilizing a shared language ensures that if a financial institution acquires or merges with a company on a different cloud provider, risk postures can be validated instantly without refactoring the entire governance engine.
* Automated Enforcement Pipelines: Integrating CCC schemas with git-based engines (like Flux) guarantees that unvetted, non-compliant configurations are automatically blocked prior to deployment into production environments.
More about FINOS: https://www.finos.org/
Join our newsletter: https://www.finos.org/sign-up
Listen to our Open Source in Finance Podcast: https://www.youtube.com/@FINOS/podcasts
LinkedIn: https://www.linkedin.com/company/finosfoundation
#FINOS #OSFFToronto #RBC #CommonCloudControls #CloudSecurity #MultiCloud #Terraform #DevSecOps #NIST #CyberSecurity