Friday, September 29th
Registration + Continental Breakfast Opens
This session will examine modern engineering and enterprise needs in comparison to current industry security practices, process, and strategy. The speaker will provide examples and lessons learned from experience in addressing these challenges and will also discuss more controversial suggestions on where approaches in the security industry need to evolve.
Most organizations, whether commercial or non-profit, public or private, have some form of Information Security (InfoSec) program today; and all need one. In most cases, it is not resourced the way it needs to be, prioritized alongside other objectives, or involved in the business decision-making process. Far too often, the InfoSec program is treated as an ex post facto reactive group, charged with securing what has already been designed, built, deployed, and in many cases, hacked. This talk is about how to build an actual, enterprise-grade security practice. It provides a 50,000-foot overview of where to place the program, the important elements to cover, how to staff it, and the basics of a security strategy.
It has been said that healthcare, as an industry, has been slow to adopt cloud strategies. On one hand, this has resulted in healthcare's inability to capture savings and efficiencies that other industries gained years ago. On the other hand, healthcare has to consider several regulatory and data security issues that need to be addressed before the cloud is a real option. In this presentation, a combination of lessons learned and industry experiences are shared with the intention of a fully interactive conversation with attendees.
Any discussion about cloud services is going to include encryption and catchphrases like "Bring Your Own Key". Security and compliance stakeholders express great interest in encryption and its apparent promises. However, customer expectations are often founded on assumptions that fail under scrutiny. In this session we will examine the top myths of cloud encryption and look at regulatory and legal factors that have contributed to the growing misperceptions that have taken hold within IT organizations, industry press, and the public at large. Don't be fooled! This session will provide effective talking points when dealing with questions or issues related to cloud encryption. Audience members will learn facts and myths about encryption, the importance of legal frameworks, and how to spot encryption snake oil.
The General Data Protection Regulation (GDPR), with enforcement beginning on May 25, 2018, imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze personal data tied to EU residents. The GDPR applies no matter where your organization is located and however you process and store personal data, including using SaaS, IaaS or PaaS options. This session will provide an overall understanding of how you should approach GDPR compliance related to Cloud services.
Cloud service providers (like Amazon) have published details on shared responsibilities for good net-citizen behavior. We will take a look at the complicated case of shared compute and memory allocations to determine how to better attest the integrity of cloud-provisioned resources. This is of particular interest for forensic response activities. Our hope is to push the envelope towards a higher bar of integrity and monitoring that enables a proactive state of cloud security. In this presentation, we'll be discussing various security capabilities within AWS services, as well as the vulnerabilities and misconfigurations which expose users to attack.
Mr. Hamilton will discuss a taxonomy of cloud use cases and their implications for conducting security monitoring. He will provide information on methodologies being explored, and those successfully in use to aggregate security event and packet data, as well as limitations of existing methods.
This presentation will review the history and development of the corporate network and its interaction with the Internet, and how the adoption of SaaS- and PaaS-based solutions has rendered the network irrelevant from a security perspective. We will explore the developments in malware, and how threat actors have taken on a business approach to the creation, distribution, and management of their attack campaigns. We will then take a few steps into the future and explore some possibilities that have the potential to greatly affect corporations and how they protect themselves. Finally, we will explore some of the potential strategies that can be started now to lay the groundwork to ensure a more secure architecture in the future.
While Cloud Service Providers are committed to protecting the integrity of their applications and infrastructure, organizations cannot outsource responsibility for the protection of user credentials, data classification and protection, or documenting compliance with regulations and industry standards. Once an enterprise user leaves the corporate network to access a Cloud service, the enterprise has limited visibility or control of the user's actions or data flow. Cloud Access Security Brokers (CASB) are a foundational security element of a Cloud Program: a gateway between Cloud Service Providers and users of cloud services that provides visibility, data security, threat protection, and compliance. Gartner projects 80% of organizations will implement a CASB within the next 3 years.
This talk will provide a brief introduction to SDN and security, demonstrate ways of compromising and securing a Software Defined Network and will illustrate new ways of using the power of open source SDN coupled with machine learning to create and maintain self-defending networks.
Over 97% of organizations have some of their operations in the cloud. As companies move more and more workloads into places like AWS and Azure, it is inevitable that compliance must move to the cloud as well. However, compliance in the cloud is not the same as on-premises. In some ways, compliance in the cloud is simpler than on-premises. Yet many of the compliance practices in use on-premises do not translate into cloud environments. In this presentation, we will explore the challenges of building compliant cloud environments. We will discuss common mistakes, myths, and misunderstandings. We will also lay out a clear process to make cloud environments compliant. Additionally, we will demonstrate how you can accelerate compliance using cloud services, such as key management and directory services.
Every organization is at risk, regardless of its size, industry or business function. Zero-day exploits will often go unnoticed for months or even years until the vulnerability is detected and made known to the world, hence the term "zero-day", in which the vulnerability has been known for zero days. In this panel, we will discuss the various methods (i.e., people, process and technology) that organizations can use to reduce the time it takes to detect and respond to zero-day exploits.
Unlike traditional local network applications, cloud applications are both more powerful and easier to compromise. Fortunately, many emerging technologies and standards are focused on allowing applications to access only what they need, and only when they need it. This reduces the amount of harm a compromised application can do without reducing its power to help your team get work done. Take home an actionable game plan for the next six months, the next year, and beyond. With great cloudiness comes great responsibility.
The speed and flexibility of the cloud can often magnify an organization's exposure, making Threat Intelligence (TI) an absolutely essential capability. An effective TI model must maintain a stable of defense mechanisms that are in constant motion to anticipate breaches and respond quickly when they occur. This talk will cover Threat Intelligence and the emerging practice in which organizations can leverage the power of cloud in the collection, analysis, integration and production of previously disjointed information for the purpose of extracting holistic, evidence-based insights regarding an organization's unique threat landscape.
Despite much lip service to the “human” dimension of security, the industry has not bridged the gap between experts and the realities of everyday digital work/life. It is one thing to deal in theory and technical solutions, yet quite another to translate that work to fit a diverse audience. When things go sideways, it is too easy to blame users or management that don’t share our worldview. Blame isn’t a helpful response. Our challenge is to translate theory into practices accessible outside of our own echo chamber. Let’s unwind stagnant beliefs and biases to explore why people resist our seemingly helpful guidance. Along the way, we'll sample alternative approaches to obstacles encountered by cloud security architects and security compliance professionals.
As an industry we are making reasonable progress on protection, detection and response. However, when it comes to remediation we are still "crawling", as was evident in recent events like WannaCry and Petya. At Microsoft, we have done some amazing work to create a healthy fusion of a DevOps engineering mindset and operational security to reduce thousands of high-risk attack vectors for Azure in a very short time. This talk is an attempt to share those learnings with the community as we gear up for the next wave of threats at the scale of cloud.
In this presentation, Cloud Security Alliance CEO Jim Reavis discusses how cloud computing's emerging dominance as the primary IT system is transforming information security programs around the world. Jim will also tie these trends into the CSA research roadmap and outline the important knowledge and technologies to track and understand.