The FSUG has grown via individuals and the Birds of a Feather session at KubeCon. After a few meetings, we should discuss ways to increase awareness and bring in more people and more financial institutions to collaborate.

Based on the conversation from the SIG meeting, most of us work in locked down environments where some common collaboration tools might be blocked like Google Docs, Slack, public Github, etc. It would be useful to capture two things:

1. What tools do most people have access to so we can at least pick tools that most people will be able to use.

2. For those who don't have access to certain tools what have other people done at their companies in order to request and get access to those tools.

Codifying compliance controls with automated tests - Need best practices, codified control implementation and automated test suite to validate the efficacy of regulatory / compliance controls, such as SOC1, PCI, etc.. aiming to open source material, code and test cases in collaboration with others, pending appropriate internal discussion around sensitivity and logistics. A request was raised by another participant to include potential regional differences.

Create initial draft of FSUG Checklist.

Checklist to outline areas of concern in financial services for developers of software and CNCF projects.

Following discussion on 9 November 2021 group decided to change meeting time to:
Weekly, every Tuesday at 11am US/Eastern time.

Best practices to show how to operate efficiently in a multi-cloud environment

A detailed threat model has been created, taking in scenarios from both internal actors and container compromise. This solution provides a detailed set of attack trees and documentation with accompanying test cases.

System to provide hands on training for candidates seeking to gain a detailed understanding of Kubernetes security from both an offensive and defensive perspective. The system will be provided by the end of June with 5 initial exercises, expanding to 25 in the coming months. Additional exercises should be straight forward to create hence looking for assistance in creating additional exercises and functionality to allow multi-player engagement

Reach out to regulators and auditors to provide common set of technical detail and training material.

Multi-tenancy - Best practices and design patterns required for workload isolation, scalability, managing pods and clusters

Hi FUG members,

In CNCF sig-security and also kubernetes policy wg, we will be starting exploring how to provide formal verification for kubernetes or cloud native policies (with folks from RedHat, AWS, OPA, etc..). As I understand this is one of the critical requirement from Financial users to have the ability to provide an automated way of proving compliance.

Would like to share related information during Jun's FUG meeting if anyone is interested :) We will also have discussions during the Policy WG Weekly meeting on Wed PT 4:00pm (which is sort of mid-night in Europe , and morning in east asia)

On of the major problems we are going to face will probably be our divers legal/regulatory grounds.

A common ground that is
(a) sufficiently detailed / comprehensive on the one hand but
(b) agnostic to local or specific legal/regulatory provisions on the other hand
will be crucial to make any progress on common solutions IMO.

Therefore I would like to ask if some member already knows / uses the Cloud Security Alliance Cloud Controls Matrix (CCM) 3.0.1 (latest release date: 11/12/2018) (see: https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview).

The best thing about this matrix is, that a 300 x 300 standardises Q&A catalogue is - via a matrix overview - linked to all relevant international and common security standards (e.g. NIST, NZISM, ISO, or e.g. from a Germany perspective even the requirements by the Federal Office of Information Security, etc.). Relying on this matrix, you can solve/answer a requirement once, but can link the solution to all kinds of standards' requirements, you might be faced with from different auditors.

I would be interested to hear, if you agree with me, that maybe this Matrix could help us to define our common legal/ regulatory ground as an international Financial User Group? Or if someone knows/ uses other tools / sources to solve the mentioned (a) + (b) contradiction.

Problem
The increasing velocity of business requirements as well external requirements like regulations require FinServ to be more agile in its adoption of new technologies and paradigms like cloud native. Financial services traditionally have been slow to adopt certain new technologies because of various enterprise challenges. Financial services organizations have also in the past been unable to collaborate and communicate with the community/industry at large regarding these requirements.

This has led to the following issue:

• Vendors and open source haven't been aware of key FinServ requirements leading to FinServ being unable to adopt their products, projects, approaches and architectures

Proposed solution

A white paper detailing the general challenges that FinServ has in adoption of new technologies. This should also include an explanation of why we have some of the requirements we do and why we can't adopt certain technologies or patterns today without changes to our own approaches or changes to the technologies and patterns.

Creating this issue as a call to action to help out. Looking for additional contributors as well as general feedback on this approach. See the #fsug CNCF slack channel for more info around scheduling and synchronous collaboration on this.

Doc:

https://docs.google.com/document/d/1wBKQtibVlzybVXMASBwE6jGFWf9ea4CmR1bDLPf1DMg/edit

Detail to be provided by group member

I don't know if this is being discussed on slack, I don't have access, but this seems like a pretty big deal.

Is it worthwhile to explore if Zoom is the direction we should go? Zoom's response to the zeroday has been troubling and rather not be using easily exploitable software.

Bring project maintainers into group to discuss specific use cases, focussing on enterprise usage and security

How to move old applications into containers - Requiring single tenant, traditional application hosting in a containerized environment

Best practices from end to end container SDLC to include image scanning, signing and deployment particularly in a hybrid environment covering both on prem and multiple cloud providers.

One participant highlighted significant Artefactory bloat, inability to efficiently scan.