Determine how to use CMDC to accelerate CCC Taxonomy

[ojeb2]

At the FinOS CCC meeting last week (#68 ) we agreed to arrange a follow up with the CCC Taxonomy workstream to see how the CDMC information model and controls have be used to accelerate the data section of CCC.

I have done a bit of work to identify the overlaps in advance of a meeting with the Taxonomy maintainers in the near future. Simon Sanger and Mark Rushing I think volunteered to work on this, with Leroy Abikhui, Shuh Alam and Ben Newton from LSEG's Cloud Controls team. This issue is to track that follow up and come up with a proper plan of action.

Context and example follows:

CCC Taxonomy vs CDMC Capabilities
Looking at https://github.com/finos/common-cloud-controls/blob/main/services/database/relational/taxonomy.md
We have a CDMC controls list that overlaps with the RDMS Taxonomy (and will overlap with others in the future). For example:

Taxonomy ID	Feature	Description	CDMC Capability
CCC-RDMS-1	SQL Support	Properly handle queries in the SQL language.
CCC-RDMS-2	Vertical Scaling	Users may increase or decrease resource allocation.
CCC-RDMS-3	Horizontal Scaling	Read replicas of the primary database can be created.
CCC-RDMS-4	Multi-region	Read replicas can be created in multiple user-specified regions.
CCC-RDMS-5	Automated Backups	Backups can be automatically created and stored according to user specification.	CDMC-6.1.3 Backups and point-in-time recovery are supported
CCC-RDMS-6	Point in Time Recovery	Backups can be restored on demand to a specific point in time.	CDMC-6.1.3 Backups and point-in-time recovery are supported
CCC-RDMS-7	Encryption at Rest	Data is encrypted at rest, and can be encrypted with user private keys.	CDMC-4.1.1 Encryption policies are defined and enforced for data at rest, in motion, and in use
CCC-RDMS-8	Encryption in Transit	Data is encrypted in transit, and can be encrypted with user private keys.	CDMC-4.1.1 Encryption policies are defined and enforced for data at rest, in motion, and in use
CCC-RDMS-9	Role Based Access Control	Users can be assigned roles with specific permissions.	CDMC-3.1 Data entitlements are managed, enforced and tracked
CCC-RDMS-10	Logging	Configurable logs are available for user inspection.
CCC-RDMS-11	Monitoring	Configurable metrics are available for user inspection.
CCC-RDMS-12	Alerting	Configurable alerts can be enabled.

CDMC Definitions
CDMC has a range of existing controls documented in the CDMC Spec

• 14 Key controls some of which overlap with the existing RDMS items
• A full list of Capabilities & Sub-Capabilities that have been implemented by AWS, Azure, GCP and Snowflake
• see What is the plan and direction for the CDMC Technical Spec Working Group? compliant-financial-infrastructure#174 for all the specs
• see https://github.com/edmcouncil/cdmc/tree/main/ontology for the CDMC taxonomy (based on W3C, Atlas, Egeria and other existing standards)

Testing compliance with the Capabilities
Looking at the script in https://github.com/finos/common-cloud-controls/blob/main/services/database/relational/rdms-taxonomy.feature

• CDMC has a test script that was donated by KPMG of how to test each of the above capabilities. (see What is the plan and direction for the CDMC Technical Spec Working Group? compliant-financial-infrastructure#174 for all the specs)
• Example implementation of KMPG’s CDMC test script for Snowflake and Alation: https://github.com/Snowflake-Labs/EDMC-CDMC-v1-14-Control_Mapping
• Codebase implementing CDMC for GCP https://github.com/GoogleCloudPlatform/cdmc

[mcleo-d]

Hey @ojeb2,

Thank you for raising this issue following #68. I have assigned this issue to the maintainers of the FINOS CCC Taxonomy WG to help schedule the call and set the agenda.

• @mark-rushing
• @moematar
• @vicenteherrera
• @AdrianHammond
• @simonzhangbmo

I have also cc'd @eddie-knight who did the RDMS work as part of the CFI project using the existing FINOS CCC output below.

• https://github.com/finos/common-cloud-controls/tree/main/services

Please use the issue template below to schedule the open Zoom call making sure to tag @crawfordchanel, @eteridvalishvili and @mcleo-d. We'll then add to the FINOS Community Calendar.

• FINOS CCC Zoom Meeting Issue Template

The FINOS CCC calls for November and early December are in the GitHub issues to help you avoid any clashes.

I hope this helps.

James.

[ojeb2]

The prep work for this follow up (to prepare example CDMC controls mappings) work is blocked on a data model question. captured in this issue:
#131