Cloud Security Alliance Summit 2012

For those of you who were unable to join in this morning at the Cloud Security Alliance Summit 2012, you missed an interesting event. The summit was a mixture of keynotes and panels from folks across the industry. Details can be found here: https://cloudsecurityalliance.org/events/csa-summit-rsa-2012/

"Protecting State Secrets in the Cloud"

Mike McConnell, Vice Chairman, Booz Allen Hamilton and former Director of National Intelligence & former Director, National Security Agency

This interesting presentation included a number of stories about the US Government and how they are investing in cybersecurity protection for their infrastructure. The key component of this was that they realize the economic impact on the country and world if private infrastructure is targeted by foreign interests. The one statement I did find interesting (and this is paraphrased) was a claim that the United States is the country most reliant on digital infrastructure… and has the most to lose if it is compromised. I wonder how the people in the room from around the world view this statement given the adoption of technology elsewhere if frequently faster than the US.

Panel: “National and International Security Standards - The Viability of Cross-Jurisdictional Solutions”

Moderator: Tim Mather, Advisory Director, KPMG
Speaking: Marc S. Crandall, JD, CIPP, Senior Manager of Global Compliance Enterprise, Google
Baber Amin – Senior Director of Product Management, CA Technologies
Chris Wysopal, CTO, Veracode
Ashvin Kamaraju, VP Product Development, Vormetric

I am a huge fan of panels in that we get an opportunity to interact, but keeping them on track is often a tough job. Tim did a great job of managing this panel session, making it in to an interesting discussion on cloud security standards and data exchange across borders and other jurisdictional boundaries. The conversation did go some way to outlining the work being done both in the CSA and elsewhere to do with standards frameworks in this space, but it seems that key point was that we have a long way to go with updating what we have today to meet the challenges of today, let alone those of tomorrow. Interestingly in a recent survey we did here in Trustworthy Computing, 92.5 percent of respondents believe cybercrime laws in their country need updating.

Keynote: “Solving Cloud Access Complexity Through a Broker Model”

Speakers: Girish Juneja, Director of Intel Application Security and Identity Products, Intel
Ron Huddleston Senior, Vice President, ISV Alliances, salesforce.com

This presentation was a product pitch for Intel and Salesforce.com.

Keynote: “Securing an OpenStack Cloud”

Speaker: Chris Kemp Founder and CEO, Nebula Inc., former CTO NASA

Thanks Chris for doing a slightly more technical presentation on an open source software project called OpenStack. This project aims to provide a flexible way to build a cloud fabric. This project has been written in Python and in essence uses the security models of the underlying technologies such as the hypervisors etc to secure the solution. I would encourage people to make up their own minds: https://openstack.org/, but I do understand they have a way to go on the project, especially in terms of security.

Panel: “Cloud Innovation - The Panel's View on the Next Generation of Cloud Security Devices and Services”

Moderator: Philippe Courtot, CEO, Qualys Inc.

Panelists:
Patrick Harding, CTO, Ping Identity
Don Godfrey, Security Consultant, Humana (Representing Zscaler)
David Lingenfelter, Information Security Officer, Fiberlink
Matt Johansen, Threat Research Center Manager, WhiteHat Security

The one message I took away from this session was that it is still very much undecided to owns and is ultimately responsible for security in the mobile world. Much of the discussion was taken up with the follow example.. If you download an application from the app store on a mobile device and it contains malware, who is responsible for helping you, the software vendor, the owner of the app store, the mobile OS vendor, the telecoms company you use, or indeed the phone manufacturer. No real answers here, but a realization that with the rise of smartphones, it is an increasingly big problem that has not easy solution.

"From Datacenter to Device: Security in the Enterprise 2012 and Beyond"

Presenting:Steve Herrod, CTO and SVP of R&D, VMware

I have to confess to not staying for this talk as lunch beckoned.

Overall, an interesting session and most importantly good to see how many people attended. Great that CSA is having such a big splash in the community. Now I await the rest of the conference!