CSA EMEA Congress 2012


CSA EMEA Congress 2012 Overview

Update: For the latest information and to register, please visit http://www.cloudsecuritycongress.com/.

Update: CSA members can benefit from a 10% discount on the delegate price by quoting the registration code 'CSA10'. Your invoice will then be amended to show your 10% discount.

MIS Training Institute and the Cloud Security Alliance invite you to attend the inaugural Cloud Security Alliance EMEA Congress. Building on the success of the 2010, 2011 and upcoming 2012 CSA Congresses, MIS Training Institute and the Cloud Security Alliance have partnered to host the inaugural Cloud Security Alliance EMEA Congress in Amsterdam, September 25-26th, 2012. The Congress is the industry’s premier gathering for IT security professionals and executives who wish to educate themselves on the rapidly evolving subject of cloud security.

In addition to offering best practices and practical solutions for remaining secure in the cloud, the Congress will have a special focus on the legal and policy aspects of cloud computing security, with a specific stream dedicated to these issues.

You will leave with:

  • Up-to-the-minute insight into emerging areas of growth and concern in EMEA cloud security, including EU data privacy challenges, cloud forensics, the impact of mobile and smart devices and incident management
  • Industry-specific end user case studies that will help you learn and leverage best practices used by your peers in moving to the cloud securely
  • Insight into models and architecture, controls and educational resources from leading companies to help your business move securely into the cloud

View the Congress brochure and full speaker line-up

Day 1: Tuesday 25th September

8.00 am Registration and refreshments

8.45 am Cloud Security Alliance welcome address

8.50 am Morning keynote:

Microsoft’s cloud compliance programme

Despite the fact that cloud computing has been discussed and used for a number of years, much of the regulation relating to it is still in flux.

  • A closer look at the evolving cloud computing standard landscape
  • Survey results on customer attitudes to cloud computing security
  • How standards can support policy makers in areas of security and data protection
  • Microsoft’s cloud infrastructure compliance programme as a case study to demonstrate an approach to a comprehensive and flexible compliance programme

Monika Josi
Chief Privacy Adviser, EMEA
Mark Estberg
Senior Director, Online Services and Compliance

9.30 am Cloud security, resilience and critical infrastructures

  • Identifying the key risks and opportunities around cloud
  • Security in SLAs and critical clouds: An update on recent ENISA work
  • Examining the broader EU context: Government clouds, incident reporting, security measures, etc

Thomas Haeberlen
Expert, Network and Information Security
European Network and Information Security Agency (ENISA)

10.00 am Avoid the rain. How to build a strategic cloud assessment programme

  • A cloud state of mind. Learn why traditional security does not work in the cloud and how to rule out cloud vendors who do not understand security
  • Discover how to build a strategic cloud assessment programme for your enterprise.
  • Learn who to bring to the table to effectively assess cloud security and manage enterprise risk.
  • Interviewing techniques to strive for higher transparency with providers that are very careful not to divulge information.

Nikita Reva
Global Security Assessment Specialist
MARS Information Services

10.30 am Morning refreshments

10.50 am How Orange integrates security right into the heart of its cloud computing programme

  • Explaining the tools, processes and methodologies that have been developed and implemented within Orange.
  • How to leverage and mix together the existing standards (ISO20K, ISO27K, CSA CCM, ENISA, ...) and frameworks which affect cloud computing
  • Integrating together network and cloud service providers for secure and seamless access to the cloud

Jean-Francois Audenard
Cloud Security Advisor – CCSK
Orange Business Services

11.20 am The evolving focus of securely using cloud services

  • A look at industry cloud security resources and their focus
  • Result: CSP transparency and maturity – customer’s ability to validate a cloud provider’s controls  
    • Experience: A major financial institution’s perspective of maintaining security and compliance in the cloud
  • Shift in focus: using cloud services in a disciplined and secure way  
    • Example: building a PCI compliant environment in the cloud under the shared security model
    • Experience: the perspective of an EU member state national bank (TBC)
  • Focused guidance: Creating an approach to auditing that works for AWS customers

Chad Woolf
Global Risk and Compliance Leader
Amazon Web Services

11.40 am Why identity is key to the cloud and how we can make it work

  • Cloud identity: Explaining why it is essential and examining the use cases, drivers and trends
  • A bird's-eye view on emerging standards and technologies for identity and access management in the cloud.
  • Understanding what cloud identity means for your business and how it affects your IT strategy

Hans Zandbelt
Senior Security Architect, CTO Office
Ping Identity

12.10 pm A crisis of identity: technical truths and trials on the journey to data-centric security

  • Opening the Pandora's box of Digital Rights Management: what dynamics in the business and technology environment must be considered before strategic and architectural decisions are made on how to move towards a data-centric security model?
  • Fundamental problems and requirements that arise as data moves between an organisation's perimeter and a potential multitude of service suppliers
  • Similarities and differences between asset-based security, identity management and information assurance: what can work, what won't work, what might work and what the future could hold
  • Practical steps that an organisation can take today so that their business is able to take advantage of emerging opportunities for cost reduction

Marco Plas
Chief Jericho Evangelist

12.40 pm Turning your cloud identity strategy into reality

  • Learn how a cloud identity strategy can encompass existing on-premises assets, such as identity management platforms
  • How to securely expose your on-premise enterprise applications for cloud and mobile APIs
  • Pragmatic advice of what standards are being used
  • Considerations for mobile applications

Mark O’Neill
Chief Technology Officer

1.00 pm Lunch break

2.00 pm Afternoon keynote

Case study: Assessing the benefits and challenges of BBVA’s recent move to the Google cloud

  • The business rationale and drivers for a move to the cloud
  • Challenges when moving 110,000 employees worldwide to a cloud environment
  • How the cloud offers a solution by improving efficiency and productivity throughout the company

Jorge Parada Gimeno
Security Innovation Manager, BBVA Innovation Centre

2.40 pm Balancing national level compliance with legislation and the impact on global cloud solutions

  • Assessing the impact on cloud computing of EU citizen access to the US courts
  • When privacy is invaded under the FISAA or Patriot Acts, does an EU citizen have standing under US law to petition for relief?
  • Under EU law, similar country specific laws such as the UK's RIPA Act can be challenged under the EU justice system, but it is not clear that a similar path exists under US law. What does the EU need to negotiate with the US to enable similar relief?
  • How does this impact cloud computing, given that the major cloud providers (Microsoft, Google, and Amazon) are all US based, and subject to US law?

Stewart Room
Field Fisher Waterhouse

3.10 pm The Future of Authentication & the Cloud

  • The growth of cloud & mobile computing depends on our ability to authenticate customers for security and commercial transparency, enabling access to secure information and the completion of complicated transactions, but the current model is broken
  • Over-long, adaptive passwords have proved a security weakness, and the burden they place on the consumer has restricted the growth of online services
  • The current authentication landscape, as it relates to the cloud and mobile experience - considering why it has failed, and industry efforts to find a better way

Phil Dunkelberger
Nok Nok Labs

3.30 pm Afternoon refreshments

Stream 1: Architecture and strategy

Facilitated by Giles Hogben

3.50 pm Assessing when cloud computing will become sufficiently innovative to justify adoption across the wider business

  • Is cloud computing innovative enough in comparison to outsourcing to datacenters and providers?
  • Analysing whether cloud computing can provide the killer breakthrough, enabling the dream of many business managers that ICT will be ‘available like electricity’?
  • What is the real backbone/enforcer/enabler of the new way of doing business?

Eric Ijpelaar
Manager Global Security Competence Centre

4.30 pm Cloud Forensics: Assessing Cloud Computing's Impact on Digital Investigation

  • Comparing on-premise and cloud forensics - control v cost benefits and flexibility
  • The influence of location, encryption and relevant local legislation on forensics

Keyun Ryan
Center for Cybersecurity and Cybercrime Investigation
University College Dublin
Chief Research Officer

5.00 pm Panel discussion:
Build Trust. Architecting security for your cloud service to enhance customer protection

  • Meeting and exceeding customer expectations for security
  • Leveraging industry best practices and reference models to build security
  • Building customer assurance and trust by establishing transparency through APIs and dashboards
  • Understanding the dynamics of data privacy, regulation and compliance in the cloud

Adam Swidler, Senior Manager, Google Apps security, privacy and compliance, Google Enterprise
David Cripps, Chief Information Security Officer, Investec
Nikita Reva, Global Security Assessment Specialist, MARS Information Services
Michael Sutton, VP, Security Research, Zscaler

Facilitated by the chair

5.40 pm Close of day 1

Stream 2: Design and implementation

Facilitated by TBC

3.50 pm Mobile and smart device security and the cloud

  • Identifying the key challenges of securing consumerised devices accessing cloud services
  • How secure are mobile apps from cloud providers or other sources and why do we trust them?
  • Legal and regulatory challenges around BYOD - identifying the data you allow people to access and determining security measures which should be in place to protect it

John van Huijgevoort
National Cyber Security Centre (Netherlands)

4.30 pm Panel discussion:
Securely moving your business into the cloud

  • Security models for evaluating cloud providers - where do the security responsibilities lie?
  • Assessing effective GRC practices inside cloud providers
  • The changing risk profile - which risks can and should be accepted in the move to the cloud?

Taiye Lambo, President, eFortresses
Peter Wood, CEO, First Base Technologies
Richard Hollis, CEO, The Risk Factory
Paul Davies, Director, Solutions Engineering EMEA, Terremark

5.30 pm Close of day 1

Day 2: Wednesday 26th September

8.15 am Registration and refreshments

8.45 am Chair’s welcome back

David Cripps
Chief Information Security Officer

8.50 am Morning keynote:

Certification for the cloud: Optimizing security and increasing transparency using an ISO 27001 ISMS framework

  • How to provide a good grounding in international best practices for integrated information security governance as well as IT governance
  • Explaining the new international standards currently under development which will take aim at cloud services, privacy and vendor management
  • Integrating the ISO 27001 certification with a proven benchmark process analysis and rating system to provide a transparent and consistent continuous monitoring system

John DiMaria
Product & Certification Manager, Information Security
BSI (British Standards Institution) Group Americas

9.30 am Helix Nebula: Securing tomorrow’s innovation with today’s cloud
Exploring the driving factors that brought together a leading group of private companies and international institutions to create the Helix Nebula Consortium for producing a science cloud

  • Managing the networking challenges, ensuring a secure cloud environment and allowing seamless usage/authentication across multiple locations and providers
  • Real-world security lessons from CERN, ESA and EMBL’s public cloud deployments
  • Assessing the security frameworks best suited for such sensitive and potentially life-altering scientific research

Robert Jenkins
Chief Technology Officer

10.00 am Accountability for the Cloud – An overview of multidisciplinary research aimed at making cloud services accountable

  • Create solutions to support users in deciding and tracking how their data is used by cloud service providers
  • Extend accountability across entire cloud service value chains, covering personal and business sensitive information in the cloud
  • Preventing breaches of trust by using audited policy enforcement techniques, assessing the potential impact of policy violations, detecting violations, managing incidents and obtaining redress
  • Develop techniques for improved trustworthiness of cloud ecosystems as prerequisite for accountability
  • Address major perceived barriers to trustworthy cloud‐based services

Dr Siani Pearson
Scientific Coordinator, A4Cloud project
Senior Researcher, Cloud and Security Lab
HP Labs

10.30 am Morning refreshments

11.00 am Terremark - keynote

Simon Mason
Manager, Centre of Security Excellence

11.30 am Panel discussion:

Assessing the impact of data access for law enforcement (i.e. the Patriot Act) on the EMEA cloud market

  • Challenges around privileges & immunities, jurisdiction, confidentiality & data sensitivity
  • Understanding what U.S. law enforcement agencies can, and cannot, request using warrant exceptions
  • How Mutual Legal Assistance Treaties relate to the exchange of information
  • Whether transmitting, storing or accessing data in the cloud affects access by law enforcement

Panellists include:
Hester de Vries, Attorney-at-Law, Kennedy Van der Laan
Jean-Francois Audenard, Cloud Security Advisor, Orange Business Services
David Snead, Attorney-at-law

12.00 noon Case study: How can you perform due diligence on potential cloud vendors that will keep your auditors happy?

  • Convincing internal stakeholders that effective due diligence has been done
  • Can cloud providers help “sell their solutions”?
  • Updating existing assurance models to better reflect the cloud environment
  • How to overcome issues about data ownership and access in the cloud

David Cripps
Chief Information Security Officer

12.30 pm Developing ‘an SLA for privacy’: Case study on Privacy Level Agreements (PLAs)

  • Clear and effective ways for potential customers to communicate to Cloud Service Providers (CSPs) the level of data protection needed
  • Explaining the objectives of PLAs: Providing cloud customers with a tool to assess a CSP’s commitment to addressing personal data protection
  • Providing CSPs with a tool for structured disclosure of its data protection practices

Paolo Balboni, Director, European Privacy Association &
Founding Partner, ICT Legal Consulting
Francoise Gilbert, Managing Director, IT Law Group

1.00 pm Lunch break

2.00 pm Afternoon keynote:

The National Government perspective: Cloud Computing: Evolution, Reliability, Compliance and Security

Ron Roozendaal
Chief Information Officer
Netherlands Ministry of Health, Welfare and Sport

2.30 pm Certifying transparency & assurance of cloud service providers to strengthen existing information security control environments

  • Explaining how CSA’s Cloud Computing Matrix provides a baseline set of criteria for certifying the assurance and transparency of European cloud services
  • The fundamental security principles to guide cloud vendors and assist prospective cloud customers in assessing the overall security risk of a cloud provider
  • What’s new in the upcoming CCM Rev 2

Becky Swain
Project Leader, CCM Rev2
Cloud Security Alliance

Legal and compliance issues

3.00 pm

3.40 pm Afternoon refreshments

4.00 pm An overview of EU data sovereignty and privacy in the cloud

  • The rights of data subjects, roles of controller and processor: is a Safe Harbor certification really safe?
  • US Foreign Intelligence Surveillance Amendment Act 2008: conflicts over political surveillance of EU data?
  • Decryption powers under UK RIPA 2000 Pt.3: the kraken wakes?

Caspar Bowden, independent privacy advocate

4.30 pm Cloud computing and EU data privacy challenges

  • Getting your timing, regulation & processes right
  • Data storage location risks – can the governance and data protection compliance issues be addressed?
  • Privacy level agreements: Model clauses and compliance with the EU Data Protection Directive

Jan Dhont, Partner, Lorenz

5.00 pm Panel discussion:

The new EU Data Protection Regulation: business as usual or the biggest change in two decades?

  • Assessing the impact of the proposed European Data Protection Regulation on cloud
  • How will strengthened national data protection authorities affect data centres located in the EU?
  • Extra-territorial scope and possible enforcement issues

Taiye Lambo, President, eFortresses
Marit Hansen, Deputy Privacy & Information Commissioner, Land Schleswig-Holstein, Germany, and Deputy Chief of the Independent Centre for Privacy Protection (ULD)
Dr Gwendal Le Grand, Head of IT Experts Group, Commission Nationale de l’Informatique et des Libertés (CNIL)

5.50 pm Chair’s summary and close of conference

Keynotes Include:

Ron Roozendaal, Chief Information Officer, Netherlands Ministry of Health, Welfare and Sport
"The National Government perspective: Cloud Computing: Evolution, Reliability, Compliance and Security"

Newly Confirmed Speakers Include:

Chad Woolf, Global Risk and Compliance Leader, Amazon Web Services
"The Evolving Focus of Using Cloud Services Securely"

Visit www.cloudsecuritycongress.com/congress-speakers for the full speaker list


Please register through the CSA EMEA Congress booking page: www.cloudsecuritycongress.com/register-now.

CSA members receive a 10% discount. Please use the registration code CSA10.


Supported By

The Cloud Security Alliance EMEA Congress is a superb opportunity to access the end users of cloud products.

For sponsorship enquiries, please contact Kate Lafferty [email protected], Sponsorship Manager, +44 20 7779 8866