7th SIGS Technology Conference 7th/8th September 2020 – Cloud Security Day 2020

Keynotes

Cloud Security Alliance (CSA), Craig Balding, Enterprise Security Specialist

Craig Balding is a London based, international cyber security adviser and practitioner. As the founder of Resilient Security and a Chartered IT Professional, he enjoys designing and creating practical and resilient solutions to a wide range of cybersecurity challenges facing his clients now and in the future. As an Enterprise Security Specialist for the Cloud Security Alliance, he supports the Financial Services working group and advises enterprise clients on cloud risk and security.

Prior to starting his own business, he was Managing Director within Global Information Security at Barclays PLC. He led 120+ cyber experts across Cyber Architecture, Security Engineering, Security Solutions and Security Assurance. He created a dedicated Cyber Innovation team and an experienced Red Team to "stress test" Barclays' cyber capabilities. Before this promotion, he was MD and Head of Cyber Risk, where he defined global cyber policy/minimum standards, acted as SME for cyberfraud and provided check and challenge of the first line of defense.

He was chair of the British Banking Association Cyber Forum and influenced Bank of England cyber policy. Before Barclays, he held global security roles at GE for 17 years. In his last role, as Red Team Director, he led a cutting edge offense team delivering major security assessments across GE business units covering finance, banking, healthcare, aviation, research and treasury. Craig co-authored "Maximum Security: A Hacker’s Guide to Protecting Your Network". He has spoken at numerous events including the FT Cyber Summit, BlackHat EU, Cloud Security Alliance and RSA Europe. In his spare time he mentors military veterans as they transition to the civilian workforce.

From the Field: Is your Cloud Journey Painful? Practical Tactics for Common Pain Points (without silver bullets)

This talk shares pain points and practical tactics “from the field”. Every organisation is different and faces a different Cloud Journey, but there are some common responses in terms of Risk Management, Policy, Process, People and Tools. Beyond the hype, what are the active cyber threats: which attack tactics does cloud make easier (vs. harder)? How have cyber threat actors shifted tactics (if they have)?

We explore Cloud Security Theory vs. Practice as embodied by cloud related failure modes from the real world; including examples of breaches, accidents and known "near misses”. What can we learn from this emerging experience and what is materially different about the practices that we as security practitioners need to follow now and in the future? How can we “be prepared”, leverage the Shared Responsibility model, Threat Modelling and real-time assurance to keep our organisations within their risk appetite?

Open Compute Project Foundation, John Laban, Reset Catalyst and Board Member at OpenUK

Always a maverick, pushing the boundaries and intuitive mindsets, John is also a Board Member of the non-profit OpenUK organisation and a passionate promoter of open source technologies.

For his efforts in the Data Centre industry John has been voted a top ten mover and shaker in the UK and top fifty in the EMEA region. John is a renowned international keynote speaker and trainer and an innovative and passionate practising Data Centre Architect.

John has a deep fundamental understanding of what really makes us smart: our ability to make sense of things, to weave the knowledge we draw from observation and experience, from living, into a rich and fluid understanding of the world that we can then apply to any task or challenge.

Once open source gets good enough, competing with it would be insane

The title of the presentation shown above is a quote from Larry Ellison (Founder and CTO, Oracle Corporation). John Laban will tell the story of how open source became “good enough” in the last decade. Open source is not just for software any more: since 2011 it has also included open source servers, storage and network hardware, plus highly optimised, low-cost, energy-efficient Data Centres.

John will first provide an overview of the non-profit Open Compute Project Foundation, which started in 2011 and now has a worldwide community of thousands that have created a hidden revolution in Data Centres during the last decade. OCP hardware is now the underlying bill of materials for the world's hyperscale Cloud players (Facebook, Microsoft, Rackspace etc.) that consume millions of OCP servers every year.

Since 2016 OCP vanity-free open source hardware has been adopted by the world's Telecommunications Service Providers to cloudify their infrastructure in support of tomorrow's technologies of 5G, IoT and Smart Cities. This transformation to open source technologies has produced 70% CAPEX reductions and more than 50% OPEX reductions, plus 90% dematerialisation of Central Offices. Once complete, these new open source Telco infrastructures shall support IoT and Smart City applications at zero marginal cost.

OCP servers use 50% less energy than traditional proprietary enterprise servers, and they exceed the new EU energy efficiency legislation for servers which appeared in March 2020.

With open source technologies being fundamentally more secure (many eyes, and everything can be seen) than proprietary technology, John will explain how this has been boosted even further with open source firmware that boots servers in just seventeen seconds and with root-of-trust technology innovations.

This presentation is guaranteed to educate, inform and entertain.

SecureAuth Corporation, Bil Harmer, Chief Evangelist | CISO | Trusted Advisor

Harmer has been in the IT industry for 30 years. He has been at the forefront of the Internet since 1995 and his work in security began in 1998. He has led security for startups, Government and well-established Financial Institutions. In 2007 he pioneered the use of the SAS70 coupled with ISO to create a trusted security audit methodology used by the SaaS industry until the introduction of the SOC2. He has presented on Security and Privacy in Canada, Europe and the US at conferences such as RSA, ISSA, GrrCon and the Cloud Security Alliance. He has been interviewed by and has written for various publications such as Dark Reading, Data Informed, SecureWorld and Security Intelligence. His vision and technical abilities have been used on advisory boards for Adallom, Trust Science, ShieldX, Resolve and Integris. He has served as Chief Security Officer for GoodData, VP Security & Global Privacy Officer for the Cloud Division of SAP, and Zscaler.

The Future of Identity: Bringing Trust to a Zero Trust World

As businesses settle into a hybrid world of on-prem, public cloud and private cloud infrastructure, with security delivered as a service and all of this overlaid with the concept of Zero Trust, what is left?

Companies will have the data they are trying to protect and the identity of the user trying to access something. As life on the Net continues to develop, people are going to have multiple identities that will merge into a single identity with multiple profiles (work, play, family etc.), while businesses continue to push MFA and eventually password-less access. The great question is: how do we manage things between now and then?

Workshops and Roundtables

Bank Julius Baer & Co. Ltd., Martin Morger, IT Security Architect

Martin is an IT Security Architect at Bank Julius Baer. Previously he worked as a Security Consultant and Business Analyst at AdNovum. He holds an M.Sc. in Business Information Systems from the University of Zurich and a MAS in Information Security from the Lucerne University of Applied Sciences and Arts.

How to tailor the cloud to our standards

In this session, Martin would like to discuss the following topics with the participants:

  • Internal applications must comply with many security requirements, such as authentication, access control, or logging and monitoring. How can the security frameworks that Cloud services provide be adapted to the specific internal requirements? Do they actually have to provide the exact same functionality as internally, or can we rather translate the internal requirements to a more generic level?
  • How can we make sure that all the security mechanisms promised by the cloud service are actually in place? Is it feasible to require a right to audit in a contract, or is this only possible for the very large players, while smaller companies have to take it or leave it?
  • How much can we trust the cloud: can we treat it as an equal extension of our own datacenter, or are there certain kinds of data we would never want outside our own premises? Could anonymization be an intermediate solution, or would we lose too much functionality?

Basler Kantonalbank, Stephan Boos, Chief Security Officer / Group Head BKB Security

Stephan Boos has worked at Basler Kantonalbank for 20 years and has been Head of Security for almost 15 years.

Cloud: An Overview (in German)

Cloud offerings exist in every conceivable service and delivery model. From SaaS to IaaS and from private to public cloud, there is a wide range of variants. Depending on the model, there are different legal and regulatory requirements, but also inherent risks and monitoring efforts.

The goal of this roundtable is to discuss the advantages and disadvantages as well as the requirements of the various models, and to exchange experiences.

Check Point Software Technologies, Ltd., Chris Beckett, Cloud Security Architect UK & Ireland

Chris Beckett is a Cloud Security Architect for the UK & Ireland at Check Point. He is a 24-year veteran of the IT industry, starting out as a programmer (not a very good one) and then moving into infrastructure design and implementation across multiple industries including healthcare, financial services, education and consulting. He has been working in the partner channel for 10 years and counts Capgemini among his former employers.

One day, he discovered this new thing called cloud and it was love at first sight! The rapid pace of evolution and the game changing service offerings from the hyper scale providers meant that the industry would never be the same again. Moving to Check Point in 2018 meant specializing in cloud security and working as a trusted advisor to many of Check Point’s customers, both large and small. Check Point is constantly evolving as a cloud security services company, including the acquisition of Dome9 in 2018 and Protego in 2019, meaning the tool chest gets bigger but so do the potential issues of moving to the cloud!

Cloud Security, We’re Still Making The Same Mistakes

Another day, another cloud security breach. We spend so long fortifying our external defenses that we forget about the potential risk that comes from within, such as cloud service misconfiguration and overly permissive roles for administrators.

In this session, we will look at common attack vectors and examine some high-profile case studies of cloud security failures to see what went wrong and how you can avoid it.

Cloud Security Alliance (CSA) CISO Panel

Panelists:

  • ABN AMRO Bank, Jim de Haas, Cloud Security Wizard/Global Security Office
  • Cloud Security Alliance, Linda Strick, Director CSA EMEA
  • Cloud Security Alliance, Neil Thacker, Advisory Board Member
  • European User Group Enterprise, Rolf Becker, Cloud Data Protection Co-Chair
  • Falcon Private Bank, Patrick Schramböck, CISO
  • Swiss Re, Vladimir Lazic, CISO EMEA

CSA CISO Panel: Cloud Governance and Risk Assessment

CISOs from different companies and application domains will share their experience on how to cope with additional regulatory requirements, how to manage risk in their daily work with Cloud Computing, how to manage assurance and demonstrate accountability, and how to manage the procurement of Cloud Service Providers.

Credit Suisse AG, Andy Church, Capability Lead for Cloud Data Governance and Structured Data Security

Andy Church is an experienced IT Security Leader who came up through the ranks fulfilling roles such as security engineer, product manager, solution architect and department head.

He is responsible for the Cloud Data Governance, Crypto Key Management and Structured Data Security capabilities. These capabilities include a framework around implementing proper security controls for cloud solutions, and also a number of the cloud controls, including inline encryption, SaaS DLP, cloud key management, and Shadow IT oversight.

Securing the Internet, making SaaS safer

We are all rushing headlong into transformations to expand SaaS usage. Join this round table to discuss:

  • Ensuring Control Equivalence for Cloud
    • What technological controls exist to help secure Cloud applications
    • Securing Cloud (Outsourcing): More than a technology topic
  • The risks or benefits of SaaS providers that utilize private or public cloud (e.g. 4th Party risks or benefits)
  • Avoid Shadow IT: Educating the business and the ongoing need for trusted technologists

Falcon Private Bank, Patrick Schramböck, Director

Patrick Schramböck is a CISO and has worked for more than 10 years in the information security area. Since 2016 he has specialised in crypto architecture and security, working on different crypto projects to make cryptocurrencies usable for banks. For the last two years his other focus has been cloud security, which is attracting more and more attention in the financial world.

Cloud Security in a regulated world

Nowadays, financial institutions have to meet various regulatory requirements to stay compliant. When using cloud services in particular, an institution has to consider several topics.

This presentation introduces some important aspects that should be addressed and should help you as a security officer or architect to get started with this topic.

Farsight Security, Paul Vixie, CEO and Co-Founder

Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, CEO and cofounder of Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source Internet software including BIND 8, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first commercial anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). In 2018, he cofounded SIE Europe UG, a breakthrough European data sharing collective to fight cybercrime.

Dr. Vixie earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.

Workshop: Threat Hunting Using Passive DNS

Every transaction on the Internet, good or bad, leaves a trail in the Domain Name System (DNS). In this fast-paced, hands-on four-hour workshop, Internet pioneer and Farsight Security CEO Dr. Paul Vixie will teach the fundamental investigative techniques and methodology for using DNS to combat cyberattacks, from phishing to e-crime to nation-state attacks. This is a rare opportunity to take a “masterclass” from the top expert in the field and learn the proven techniques used by threat hunting teams, from banks to government agencies.

Further details and registration (separately) at https://www.sig-switzerland.ch/threat_hunting_dns/

Illumio, Christer Swartz, Principal Technical Engineer

Christer Swartz is the Principal Technical Engineer for Illumio. He has spent many years in the Networking industry, beginning with a small startup called Cisco. He has worked for Swisscom and Nokia as an architect for their Service Provider backbones, and he has worked on Cloud architectures for many years, including working for Netflix on the design of their Internet video-streaming architecture, and for Palo Alto Networks, designing security for Hybrid Cloud fabrics.

He has focused for many years on Security, which has long been an afterthought, or a nuisance, in Networking and Cloud architectures. Scalable Cloud architectures and Security are often perceived as a binary choice. Cloud security can no longer be primarily dependent on underlying Network fabric or hypervisor mechanisms, since the details in each environment are different. Every Cloud and every Data Center implements security and segmentation differently. In the modern world of Cloud magic, Security trust-boundaries need to be implemented at the workload level, largely agnostic to underlying network plumbing, regardless of location, and need to remain consistent across workload migrations. Security needs to be agnostic to how and where any workload is hosted. Free Workload Security from the Network.

How to implement ZeroTrust and "micro-segmentation" across Hybrid Clouds

In this session we will discuss how to implement Zero Trust and "micro-segmentation" Security directly at the workload layer, agnostic to underlying Network dependencies. Security is traditionally dependent on Networking or host hypervisor details and their operational challenges, which limits how granular a Zero Trust model can be. A true Zero Trust architecture needs to enable segmentation directly at the workload, following workloads as they migrate across Hybrid Clouds, and not be limited by underlying Network segmentation capabilities.

Most people agree that segmenting workloads along Security trust-boundaries is important, but it can be complicated, and it can slow down network performance. Many people simply create 2 big trust-boundaries: between the Internet and their Cloud, with everything in the Cloud considered "trusted". This works fine, until a "security event" happens.

There are basically 3 places you can create Security segments in any Network or Cloud:

  1. In the Network fabric (switches & routers), creating a lot of VLANs or subnets
  2. Using an SDN Controller, such as VMware NSX or Cisco ACI
  3. Creating the trust-boundary segments within each workload itself, not in the network

The first two approaches can create operational challenges, due largely to the fact that each network, host, and hypervisor works differently, which creates complexity as a Cloud architecture scales. The goal of any Security architecture should be consistency across any Data Center or Cloud, with one central management plane across all fabrics, and trust-boundaries defined wherever a workload is currently hosted, not specific to the hosting environment.

In this session we will discuss the three different layers in a Cloud in which Security trust-boundaries can be implemented, and how to best design an architecture which can achieve true Zero Trust, and be centrally managed at scale.

Mandiant’s Trainers

Matias Bevilacqua-Brechbühler Trabado, Principal Response Consultant at Mandiant

Tarik Yassem, Incident Response & Forensics Consultant at Mandiant

Workshop: Mandiant's Enterprise Incident Response

This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. The class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them.

Further information and registration (separately) at https://www.sig-switzerland.ch/enterprise_incident_response/

Open Compute Project Foundation, John Laban, Reset Catalyst and Board Member at OpenUK

Follow Up Roundtable: Once open source gets good enough, competing with it would be insane

This roundtable and education workshop will drill down deeper into the topic of the keynote and provide activities to maximise the learning experience as a next step towards the adoption of these open source Cloud infrastructures for supporting tomorrow's applications. No prerequisites are required for these interactive upskilling activities.

Qualys, Marco Rottigni, Chief Technical Security Officer EMEA

Marco is a results-driven professional with nearly 30 years’ experience in IT and 20 years in the security space. He is a natural-born Evangelist and Sales Engineer who loves the technology he deals with.

He has worked for many companies such as Esker, SCO, Stonesoft, McAfee and FireEye, and has managed many European teams and projects. Having joined Qualys in 2018 as Chief Technical Security Officer EMEA, Marco’s responsibility is to deliver the Qualys technical vision and to pitch Qualys' unique advantages and competitive differentiators to strategic customers and partners, while collecting feedback about customers' experience with Qualys solutions across the EMEA region.

Digital Transformation, DevOps and Security: DevSecOoops or DevSecHopes?

The DevOps paradigm is leading the way for business-critical applications to cope with the agility and velocity required by Digital Transformation. Security should not and must not be an afterthought!

In this session we'll examine the concepts of DevOps, assess the most common CI/CD pipelines, and discuss the best practices for having security built in and not bolted on.

Ricoh USA, Inc., David Levine, Vice President Corporate and Information Security, CSO

David Levine is Vice President of Corporate and Information Security & CSO for Ricoh USA, Inc. In this role, he has responsibility for operational security, security strategy, security policy, corporate and physical security, access management, eDiscovery and litigation support and some compliance functions. Levine chairs Ricoh’s Security Advisory Council, leads Ricoh’s Global Virtual Security team and is routinely engaged in customer opportunities to discuss risk and security.

Levine has held a wide and diverse variety of positions during his 24-year tenure with the company, including IT engineering, project management, vendor management, Six Sigma and Technology Infrastructure and End User Services leadership, giving him a great perspective on technology, the business and security.

Levine is a member of Forrester Research’s Security & Risk Leadership Board, the FBI’s InfraGard Program and is an Atlanta Governing Body Co-Chair with EVANTA. Levine is a frequent speaker and writer. He holds a Bachelor of Arts degree in Information Systems with minors in Computer Science and Business from Eckerd College.

I think the train left the station! Playing catch-up with security in cloud deployments

One of the best things about the cloud is that it’s really easy to utilize. One of the worst things about the cloud: it’s really easy to utilize. The business is moving full steam ahead into digital transformation and cloud utilization, and in many cases security, risk and governance teams are struggling to keep up. And that’s for the projects we know about, let alone shadow IT.

In this highly interactive session, we will discuss driving a security-aware culture and your approaches and strategies to “catch up” with the business. Come prepared to talk about your successes and challenges!

Ted Demopoulos, Independent Consultant

Ted Demopoulos’ professional background includes over 30 years of experience in Information Security and Business, including over 25 years as an independent consultant. Ted helped start a successful information security company, was the CTO at a "textbook failure" of a software startup, and has advised several other startups.

He is a frequent speaker at conferences, conventions, and other business events, author of "Infosec Rock Star: How to Accelerate Your Career Because Geek Will Only Get You So Far" and two other books.

Ted conducts Leadership and Information Security Bootcamps for The SANS Institute, and is the principal of Demopoulos Associates, a consulting organization specializing in information security.

When is The Cloud MORE Secure

Years ago, the rush to the cloud began with cost savings as the primary driver. Security was often an afterthought, if a thought at all, and the cost savings, although real, were in many cases not as easily realized.

Many organizations, including those rushing to the cloud, refused to move certain data and operations to the cloud because of security concerns. Yet many of us have moved things to the cloud that we initially claimed we never would.

Certainly, there are significant security concerns in the cloud, hence this event. It is accurate to say that we have “different” security concerns in the cloud, along with many overlapping ones shared by cloud and non-cloud environments.

Our claim is that moving certain operations and/or data to the cloud can sometimes be more secure. The most common example given is the small to medium organization that has little or no in-house security expertise, but there are other examples as well. In this session we will discuss when using the cloud can be more secure.

Transmit Security, Kilian Zantop, System Engineer Global Accounts

Kilian has worked for more than 30 years in the industry, mainly in Cyber Security, bringing new technologies to the market. Kilian was a founding member of two security VARs in Switzerland. He has led the deployment of new technology across complete enterprises in different industries such as Finance, Insurance, Pharma and many others.

Most recently he worked seven years at Palo Alto Networks as a System Engineer taking care of global customers. His current workplace is Transmit Security, which provides a low-code/no-code approach to IAM and fraud prevention. He likes to tackle complex challenges and solve them with reasonable but creative solutions.

IAM and the cloud – your data goes cloud, should your identities too? What should your priorities be and why

Digital transformation has become an imperative for all organizations; small, medium, or large. As more and more businesses adopt hybrid IT environments on their digital transformation journey, many are faced with the challenges that emerge when managing identities and access across multiple applications, clouds, networks, and servers.

Delivering a good digital business experience to your customers, employees, and business partners while managing risk, maximizing efficiency and ensuring compliance with regulatory requirements such as the General Data Protection Regulation (GDPR), requires the use of next generation identity and access management solutions.

Companies are adopting cloud services as well as a wide range of software-as-a-service applications, and the line between the on-premises and cloud IT landscape is rapidly becoming blurred; proper protection of identity and management of access is a key business differentiator for achieving efficiency, compliance, and security.

This round table discussion is an opportunity to share experiences and learn from peers discussing IAM in the cloud world, using real-world examples and best practices: what works and what does not, and what your next best move should be instead.

TX Group (formerly Tamedia), Olivier Martinet, Security Officer

After graduating from EPFL, Olivier spent 10 years doing pure Unix, performance benchmarking and high-availability. He then spent 11 years being Chief Visionary in a Global Innovation Center, both in Geneva and Dubai, making C-Level customers dream about the possibilities of technologies and how that could enable their business.

When he joined TX Group (the holding formerly known as Tamedia) a bit more than 5 years ago, he found a really, really bad security situation, with not a lot of people caring about it. Being the largest private media group in Switzerland, TX Group has a lot of variety and free minds in its portfolio, ranging from industrial to super edgy cloud start-ups.

We completely flipped security to go from nowhere to a very good level nowadays. In doing that, we instilled a creative and agile way to do security in a group where freedom is a keyword. Recently TX Group has been moving very fast toward being a pure cloud company and this has a tremendous impact on how we decided to secure ourselves.

BeyondCorp - What it means to be fully Cloud - what we learned and what we plan

  • Learn how a media group is implementing security when your HR, Finance, Instant Messaging, Mail and Core applications are in the Cloud and your average employee can even be paid to buy a BYOD
  • See how we push developers to implement secure code and introduced security in their daily code
  • Watch how we will empower our board with Agile Risk and our employees with being responsible for their security
  • Freedom CAN be made compatible with good Security
