Josh Stella, Cofounder & CTO, Fugue
Rob LaMagna-Reiter, CISO, FNTS
Roger Ofarril, Information Security Manager, Federal Reserve Bank of Chicago
Thomas Hillman, Director, Weaver
Ryan Mackie, Principal, Schellman & Company, LLC
This year’s Cloud Security Summit dives deep into the technical aspects of securing your cloud-based data. From the state of security in the cloud, to evaluating your environment to identify vulnerabilities, and developing and delivering a secure multi-cloud ecosystem, this Summit is designed to prepare your organization to defend against the ever-growing threats in the cloud.
With real-life case studies and lessons learned from recent breaches, the Cloud Security Summit focuses on actionable insight you can take back to your office to start enhancing cloud security immediately.
Cloud Security Summit Session Schedule:
9:30 AM - 10:30 AM
CS1 Stranger Things in the Cloud: How Do We Stop Breaches?
Roger Ofarril, Information Security Manager, Federal Reserve Bank of Chicago
The race to the cloud is on full force. As enterprises fast-track their cloud adoption, strange things keep happening that undermine security and put data at risk. This session explores the state of security in the cloud, from the real meaning of “shared responsibility” to the lessons learned from recent breaches. The focus is on actionable content that you can take back to your day job and start enhancing cloud security.
- What are the top cloud security myths
- What does "Shared Responsibility" REALLY mean
- Best practices we need to consider on the cloud
- Controls that you can implement to reduce risk in the cloud
10:30 AM - 11:30 AM
CSS2 Enabling a Cloud Security & Operating Model
Rob LaMagna-Reiter, CISO, FNTS
Organizations have also realized they need to realign their IT skillsets & culture to take advantage of the cloud & automation shift. Learn first-hand how enterprises are taking an active role to adjust their service delivery, as well as leveraging calculated risk to improve the efficiency and effectiveness of the security program.
- Define & understand cloud, common missteps & business drivers
- Standardize & implement, maintain or enhance your cloud security operating model
- Describe common business drivers & expectations of cloud services
- Take the next steps to confidently secure your cloud operations
11:30 AM - 12:30 PM
CS3 A Live Simulation of an Advanced Cloud Misconfiguration Exploit
Josh Stella, Cofounder & CTO, Fugue
The leading cause of data breaches in the cloud isn’t application or OS vulnerabilities; it’s cloud misconfiguration, which is almost always due to customer error. Unfortunately, these mistakes are easy to make and extraordinarily common in enterprise cloud environments. We’ve moved beyond simple “misconfigured S3 bucket” incidents and into more advanced attacks that exploit a series of common cloud misconfiguration vulnerabilities, many of which are often missed or not even categorized as misconfigurations by security teams.
Traditional security approaches and solutions can’t prevent misconfiguration or detect associated data breaches because cloud misconfiguration is a software engineering problem, not a security analysis problem. That’s good news, because with the right cloud security architecture, we can address cloud misconfigurations before hackers can find and exploit them.
The demonstration will utilize a running AWS cloud environment, but the concepts and misconfiguration risks are applicable to any cloud provider, including Microsoft Azure and Google Cloud Platform.
- Common, and dangerous, cloud misconfigurations and how hackers exploit them
- How to evaluate your cloud environment to identify misconfiguration vulnerabilities
- Strategies for eliminating misconfigurations without disrupting applications
- Tips on educating developers and cloud engineers on secure cloud architecture
- Building better collaboration and trust between security and application teams
1:30 PM - 2:30 PM
CS4 Cloud and Container Audit-Compliance Considerations
Trip Hillman, Director, Cybersecurity Services, Weaver
- What is a container
- What is Orchestration
- How is it different
- Why does that matter
- Top 5 considerations for auditing containers
- Top 5 considerations for auditing orchestration
2:45 PM - 3:45 PM
CS5 Internal Controls in the Cloud
Ryan Mackie, Principal, Schellman
Moving to the cloud, whether it is IaaS or SaaS, is nearly inevitable in the current market. As a user of cloud services, it is important to understand the risk and control landscape an organization must navigate. Learn what an organization should know when using cloud providers as a component of their supply chain. Hear about internal control boundaries and who is responsible for what. Explore tools and resources, such as the Cloud Security Alliance and ISO/IEC 27017:2015, that an organization can utilize when determining control boundaries and assessing internal controls. Monitor your cloud provider's controls through SOC examination and understand complementary user entity controls.
3:45 PM - 4:45 PM
CS6 Securing your Cloud and Your SaaS: 6 Practices to Beat Hackers and Satisfy Regulators
Tony Pietrocola, President, Agile1, LLC
Cybercriminals have expanded every company’s attack surface by attacking networks, cloud, SaaS, chips, IoT, mobile devices, applications and APIs. They are relentless. And now the regulators are beginning to pass state-level regulations that will eventually hold all of our feet to the fire. Add all of this up and the future points to the reality that every single company, regardless of size or industry, will need to do much more to protect themselves and their customers. This presentation will show real-life case studies, how the company handled the breach and six practical applications to secure your cloud, your SaaS applications and your mobile surface.
- Priorities in attempting to secure SaaS applications and APIs
- Incorporating cybersecurity into risk management
- Building security features into your entire enterprise attack surface
- Incident response and offensive threat hunting
- Help customers address data privacy by showing them the way