CSA Innovation Conference 2013


Document Download
Keynote: "Real-World Cloud Infrastructure Use Cases - Risks and Rewards"
Carson Sweet, Co-founder and CEO, CloudPassage
Download (pdf)
Standards-Based Secure Single Sign-On For Cloud and Native Mobile Applications
Pamela Dingle, Senior Technical Architect, Ping Identity
Download (pdf)
Physical Security Threats in the Cloud
Oded Horovitz, CEO & Co-Founder, PrivateCore and Steve Weis, Co-Founder, PrivateCore
Download (pdf)
Entropy (or lack thereof) in Cloud Instances
Speaker: Sam Heywood, Vice President of Marketing, Gazzang
Download (pdf)

About the Conference

The CSA Innovation Conference 2013 will be held on Thursday, July 18, 2013 at the Network Meeting Center located at 5201 Great America Parkway, Santa Clara, CA 95054.

  • 10:00am to 11:00am Registration and Coffee
  • 11:00am to 4:00pm Program
  • 4:00pm to 6:00pm Cocktail Reception

In the spirit of the CSA Silicon Valley Chapter's mission to foster education and transparency of emerging and innovative technologies for cloud security, we are announcing the 2nd Annual Innovation Conference in Santa Clara, CA. The Conference will gather IT architects, senior executives, start-ups, and industry leaders to discuss current challenges, best practices, breakthroughs and trends in cloud computing and security. Attendees will get to see working prototypes and the latest releases of cloud-related security offerings, including security as a service, mobility and big data.

Your participation at the Innovation Conference may be eligible for up to 3 Continuing Educational Credits through other certifying bodies. The Innovation Conference program will consist of 3 hours of cloud security subject matter presentations and discussions.

2012 Attendee Breakdown (204 attendees)

  Attendees                  Number    Share
  C Level, President, VP         48    23.5%
  Director                       32    15.7%
  Technical Mgmt/Staff           76    37.3%
  Marketing & Sales              48    23.5%

“Urgent need drives innovation, and cloud security is going to be a crucial area of both great demand and huge advancement over the next decade,” said Jim Reavis, co-founder and executive director of the CSA. “This will be the liveliest and most forward-thinking discussion on cloud security, and we look forward to bringing together innovators with end-users, investors, and thought leaders in the space at this unique event.”

For information about last year's conference please refer to the CSA Innovation Conference 2012 page.

About Cloud Security Alliance, Silicon Valley Chapter:

The CSA Silicon Valley has been an official chapter of the Cloud Security Alliance since May 2011. The chapter's main focus is to foster education and transparency of emerging and innovative technologies supporting best in class solutions for cloud security.


–– 11:10 – 11:40 ––
Keynote: "The Onward Maturity of Cloud Security"
Speaker: Justin Somaini, Vice President and Chief Trust Officer, Box

We are moving forward in a world of highly connected devices, but historically, moving back office functions to the cloud required a deep dependency on other organizations being "secure" on top of "compliant". Today, the role of cloud providers and how they see security has matured, and must continue to mature. This maturity is achieved against a regulatory and threat backdrop that also requires the elevated focus on security seen in legacy enterprise environments. Justin Somaini, Chief Trust Officer at Box, will share his thoughts on where businesses can turn to protect their data and relevant stakeholders.

–– 11:40 – 12:10 ––
Keynote: "Real-World Cloud Infrastructure Use Cases - Risks and Rewards"
Speaker: Carson Sweet, Co-founder and CEO, CloudPassage

Cloud models are transforming how information technology gets delivered. The most recent trend is enterprises evolving virtualized data centers to true private IaaS and adopting hybrid cloud models. This creates very significant security, risk and compliance issues that require new thinking to mitigate.

CloudPassage works on the front lines with the most innovative cloud adopters to secure fully-implemented private and hybrid cloud infrastructures. In this presentation, CEO Carson Sweet will discuss the real-world use cases that are driving private, hybrid and public cloud adoption by large enterprises. Security and compliance challenges will also be discussed, along with approaches to achieving ubiquitous, consistent security by building automated, self-scaling control systems directly into the cloud stack.

Key Takeaways

* Recently emerging use cases for private, hybrid and public cloud
* Business and operational benefits of cloud deployments
* Challenges & solutions around securing large-scale, multi-cloud infrastructures

–– 12:10 – 12:50 ––
Panel: “The Intersection of Innovation & Regulation – Does Regulation Hinder or Drive Innovation?”
Moderator: Jim Reavis, Executive Director, Cloud Security Alliance
Panelists: Vincent A. Campitelli, Vice President, VP, IT Risk Management, McKesson Corporation
Tim J. Sandage, Senior Risk & Compliance Strategist, CISSP, CRISC, CCSK, Amazon Web Services (AWS)
Becky Swain, Cloud Assurance Director, PwC

With the US Federal Risk and Authorization Management Program (FedRAMP) and its mandate for continuous monitoring, or the proposed EU General Data Protection Regulation and its introduction of new consumer data protection rights ("Right to be Forgotten", "Right to Data Portability", etc.), it is not clear how these mandates can be achieved under current technological constraints. Is it possible that there is a "tail wagging the dog" scenario where regulations are actually driving new forms of innovation, or are the regulators simply being unrealistic and these mandates unachievable?

On this esteemed panel, made up of assurance professionals, international standards representatives, legal experts, regulators and innovators, we will debate and hear expert positions on this intriguing conundrum in today's rapid adoption of cloud computing, heavily driven by the business value realized from new technological innovations.

–– 1:50 – 2:10 ––
"Standards-Based Secure Single Sign-On For Cloud and Native Mobile Applications"
Speaker: Pamela Dingle, Senior Technical Architect, Ping Identity

This session will summarize the current reality of native application authentication to cloud applications, present its implications on employee productivity, and introduce the concept of a mobile device authorization agent. It will present an emerging industry-defined OAuth-based model for the interactions between the enterprise, SaaS providers, authorization agent, and native apps on the employee device.

In this session, Pamela Dingle of Ping Identity will:

  • Introduce the concept of an ‘authorization agent’ onto mobile devices and showcase how this provides employees with a seamless and usable authentication experience for native applications
  • Illustrate how an authorization agent removes the burden of having employees individually authorize each native application
  • Show attendees how to generate their own framework for allowing their workforce to use personal mobile devices to safely access enterprise data and cloud applications
  • Examine the ecosystems that have emerged to deliver consumer and enterprise services based on identities
  • Outline the implications for enterprise IT, cloud service providers, employees and consumers

–– 2:10 – 2:30 ––
"Physical Security Threats in the Cloud"
Oded Horovitz, CEO & Co-Founder, PrivateCore and Steve Weis, Co-Founder, PrivateCore

The cloud promises computation as an abstract utility, freed from the complexities of the underlying physical systems. Where and how computation occurs should be no more of a concern than where power is generated. Yet when it comes to security, using cloud infrastructure as a service (IaaS) ultimately cedes control to anyone with physical access to the underlying hardware. This loss of control is a key barrier to cloud adoption.

This talk presents a taxonomy of physical attacks that can completely undermine security in IaaS. We then discuss why addressing these threats is essential to securing computation in the cloud. Key discussion points will cover:

  • The state of physical security for cloud infrastructure as a service
  • Direct memory access attacks
  • Memory extraction attacks
  • Malicious hardware devices
  • Existing countermeasures and their weaknesses
  • Why physical security is essential to cloud security and how to achieve it

–– 2:50 – 3:30 ––
Panel: “Cloud Security Innovation – How to Adopt It?”
Moderator: Dr. Ulrich Lang, CEO, ObjectSecurity
Panelists: Cesare Garlati, Co-Chair Mobile Working Group, CSA
John Howie, CCO, CSA and Visiting Research Professor and Research Associate, University of Arizona
John Mullen, President & CEO, Promia
Dr. Srinivas Mantripragada, Vice President of Technology, Infoblox

Innovation in general is ultimately only useful if it gets adopted. However, adopting any innovation in today's enterprises and government agencies is often not easy, and cloud security innovation is no different in this respect. Can the cloud paradigm pave the way for speedier adoption of cyber security innovation compared to traditional deployments? Or does the consumer's lack of control over, and visibility into, clouds hinder the adoption of cloud security innovation?

This esteemed panel of security professionals from organizations facing these challenges will hold a lively debate and offer expert positions on their approaches, experiences, and challenges in trying to ensure that cloud security keeps up with the rapid pace of evolution and adoption of cloud computing.

–– 3:30 – 3:50 ––
“Entropy (or lack thereof) in Cloud Instances”
Speaker: Sam Heywood, Vice President of Marketing, Gazzang

Are you collecting sensitive data (health records, trade secrets, personally identifiable information or government intelligence) in your NoSQL database? If you store any amount of sensitive information, then compliance must always be top of mind. Fortunately, there is a way to help ensure your sensitive data is compliant without impacting the performance, availability and speed of your environment.

In this session we will look at how to dynamically control and secure data, from ingestion, to transit, to an at-rest state, to exit. Key takeaways include the following:

  • Techniques such as NoSQL automation, encryption, process-based access controls and key management, all of which are essential to meeting data security compliance guidelines
  • How to implement big data security without sacrificing high performance
  • How to minimize the pains of the cloud and key sprawl
  • How to determine which applications and people should have access to the data
  • The strengths and weaknesses of various key management options
  • The latest innovations for managing keys and company secrets


Vince A. Campitelli
Vice President, VP, IT Risk Management, McKesson Corporation

Vince is a Vice President with McKesson Corporation and is responsible for IT risk management for the US Pharmaceuticals division. Prior to joining McKesson, Vince held various leadership roles with major financial service firms within their Internal Audit and Risk Management functions. Vince's career also included over 12 years as a partner at PricewaterhouseCoopers specializing in Technology Risk Advisory Services. Vince is a graduate of Penn State University with a degree in Mechanical Engineering and of the University of Maryland with an MBA in Operations Research. Vince is active with various risk management and security organizations, and is co-chair of the recently formed Healthcare Information Working Group of the Cloud Security Alliance.

Pamela Dingle
Senior Technical Architect, Ping Identity

Pamela Dingle is a Senior Technical Architect within the Office of the CTO at Ping Identity. Pamela has a long history with Identity Management, focusing on implementation, architecture and strategy over 10 years of evolution of systems such as directories, application servers, web access management systems, provisioning, and now federation. Pamela serves on the board of directors of the OpenID Foundation, and has in the past run the Pamela Project, an open source project for RP-enabling Information Card websites.

Cesare Garlati
Co-Chair Mobile Working Group, Cloud Security Alliance

Cesare Garlati is one of the most quoted and sought-after thought leaders in the enterprise mobility space. Former Vice President of Mobile Security at Trend Micro, Cesare currently serves as Co-Chair of the CSA Mobile Working Group – Cloud Security Alliance.

Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro Software and WaveMarket. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.

Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times and CBS News. An accomplished public speaker, Cesare also has delivered presentations and highlighted speeches at many events, including the Mobile World Congress, Gartner Summits and RSA Conferences.

Sam Heywood
Vice President of Marketing, Gazzang

Sam Heywood is responsible for driving Gazzang's global product innovation and delivery, corporate marketing and demand generation programs. He is a seasoned product and marketing executive with leadership experience at several notable technology startups and is well versed in systems management, online CRM platforms, consumer eCommerce and security technologies. Prior to Gazzang, Sam was Senior Director of Products at uShip, leading the company's expansion from a single product in a single market to multiple product lines spanning the consumer retail and commercial freight markets. Sam holds an MBA from the McCombs School of Business at the University of Texas at Austin, where he also received his bachelor's degree in Computer Sciences.

Oded Horovitz
CEO & Co-Founder, PrivateCore

Prior to founding PrivateCore, Oded Horovitz was a senior staff engineer at VMware in the networking and security group, where he worked on the vShield and VMsafe security products. Prior to VMware, Oded spent three years at McAfee leading the HIPS security group after joining through the acquisition of Entercept in 2003. Oded spent five years at Entercept leading engineering and security research from ideas to product.

John Howie
CCO, CSA and Visiting Research Professor and Research Associate, University of Arizona

John Howie is Chief Operating Officer of the Cloud Security Alliance. John has over twenty years of experience working in information and communications technology in a variety of industry sectors including financial, telecommunications, entertainment, education and software manufacturing. Prior to joining the Cloud Security Alliance, John managed the groups responsible for security in the datacenters of a leading cloud provider.

John is a Visiting Professor at Edinburgh Napier University’s School of Computing, a Visiting Research Professor and Research Associate at the University of Arizona, is a member of the editorial advisory board for the Journal of Information Management and Computer Security, is a member of the certification advisory board for certifications of the International Association of Privacy Professionals, and is an advisor to the United Nations Interregional Crime and Justice Research Institute’s Security Governance/Counter-Terrorism Laboratory. John holds many industry certifications including CISSP, CISM, CISA, CIPP and CIPP/IT. John writes regularly for industry magazines, and presents at conferences on a wide range of topics including cloud computing, security and privacy. John graduated from Edinburgh Napier University with a BSc (Hons) in Computing, in June 1991, and was awarded the degree of Doctor of Technology (h.c.) in June 2012 from the same.

Dr. Srinivas Mantripragada
Vice President of Technology, Infoblox

Dr. Srinivas is currently the VP, Technology at Infoblox (NASDAQ:BLOX), driving new technologies and product initiatives in security, infrastructure and automation. Prior to that, Srinivas held numerous CTO/VP roles: at RedShift Networks (leader in the Enterprise SBC category), as VP, Technology at Phoenix Technologies (NASDAQ:PTEC) driving cloud infrastructure efforts, and in CTO-office roles at NetContinuum (leader in the Web Application Firewall category; acquired by Barracuda Networks) and Determina (leader in Host Intrusion Security; acquired by VMware). Before that he held roles at MIPS/SGI and at HP Labs. Srinivas is a frequent speaker at leading conferences, drives standards, and has authored more than 40 technical and product publications and holds 8 patents. He holds a PhD in Computer Science from the University of California, Irvine.

John Mullen
President & CEO, Promia

Mr. Mullen's background includes software systems engineering with a concentration in security, object technology and networking for commercial and government customers. He is the President & CEO of Promia, supporting a global grid of interconnected network appliances for asset state monitoring, security event monitoring, enterprise network mapping and cyber leak defense for the US Navy. His teams have delivered commercial products and global IT systems for military, government and commercial customers in oil, banking, telecommunications and energy.

Jim Reavis
Executive Director, Cloud Security Alliance

Jim Reavis is the Executive Director of the CSA, and was recently named as one of the Top 10 cloud computing leaders by SearchCloudComputing.com. Jim is the President of Reavis Consulting Group, LLC, where he advises security companies, large enterprises and other organizations on the implications of new trends and how to take advantage of them. Jim has previously been an international board member of the ISSA and formerly served as the association’s Executive Director. Jim was a co-founder of the Alliance for Enterprise Security Risk Management, a partnership between the ISSA, ISACA and ASIS, formed to address the enterprise risk issues associated with the convergence of logical and traditional security. Jim currently serves in an advisory capacity for many of the industry’s most successful companies.

Justin Somaini
VP and Chief Trust Officer, Box

Justin Somaini is VP and Chief Trust Officer at Box, where he is responsible for working globally and collaboratively across Box's growing customer base, technical operations, business development teams, and partners to ensure the company is consistently delivering on its information security commitments, investing to meet the rapidly evolving security environment, and building transparent, deeply trusted relationships with its customers.

Previously, Justin created and held the role of Chief Information Security Officer (CISO) at Yahoo!, driving security planning and operations for the company. Prior to Yahoo!, Justin was CISO of Symantec where he developed the company's Information Security Enterprise Risk Management process, worked cross-functionally to manage critical incidents to resolution and drove implementation of controls for both a significant threat environment and regulatory needs. In addition to his roles at Yahoo! and Symantec, Justin was Director of Information Security at Verisign and an advisor to Palo Alto Networks.

He received a Bachelor of Science degree in Management Information Systems from Drexel University.

Tim J. Sandage
Senior Risk & Compliance Strategist, CISSP, CRISC, CCSK, Amazon Web Services (AWS)

Tim is a Senior Risk & Compliance Strategist for Amazon Web Services (AWS). Tim specializes in risk, compliance and security delivery of cloud computing services. Tim's responsibilities include risk, compliance and security management of AWS cloud computing services, as well as continuous monitoring of current compliance efforts and certifications.

Prior to AWS, Tim spent over seventeen years delivering information technology security services, compliance and risk management solutions as a Management Consultant with Deloitte & Touche LLP, as well as in several security management positions within the Healthcare, Technology, Retail and US Federal Government environments. Additionally, Tim is retired from the United States Air Force with over twenty-five years of service in both physical and technical security capacities. Tim has deployed in support of Enduring Freedom, Iraqi Freedom and Operation Jump Start.

Becky Swain
Cloud Assurance Director, PwC

Becky is a globally recognized thought leader and a Founding Member of the Cloud Security Alliance (CSA). She serves as a US Delegate to ISO/IEC JTC 1/SC 27 (SC27) and is a key contributor to the development of international cloud standards as a Project Co-Editor for ISO/IEC 27036 and as the CSA Liaison Officer. She regularly speaks at conferences and is considered a trusted adviser on topics related to cloud trust and assurance, industry best practices and emergent standards.

Prior to joining PwC, Becky was an independent consultant helping Silicon Valley SaaS startups prepare to meet enterprise security expectations and register their cloud solutions with the CSA STAR (Security, Trust & Assurance Registry). Prior to that, Becky built and managed multiple risk and compliance programs to ensure that security and privacy requirements were adhered to and embedded into the organizations' new technology initiatives (IT and BU related) and company acquisitions. Prior to joining Cisco, Becky was a Senior Associate at KPMG LLP focused on SAS 70 audit and data privacy compliance engagements with Fortune 500 companies in the financial services and retail sectors.

Carson Sweet
Co-founder and CEO, CloudPassage

Carson Sweet is Co-founder and CEO of CloudPassage. His information security career has spanned nearly two decades and includes a broad range of entrepreneurial, management and hands-on technology experience.

As a senior information security strategy and technology consultant, Carson has created and implemented groundbreaking security solutions across a range of industries and public sectors. Prior to co-founding CloudPassage he served as RSA's principal solutions architect for the financial services sector, where he specifically focused on virtualization & cloud security, Internet application controls, data protection and anti-fraud. Carson formerly served as founding CSO for GlobalNetXchange (now Agentrics) and CTO for the Investor Responsibility Research Center (now the RiskMetrics Group). He also founded security consulting and managed services lines of business for RPM Consulting (acquired by Computer Horizons Corporation), TimeBridge Technologies (acquired by Dimension Data) and Security Methods.

Prior to his technology career Carson served in the U.S. military as a heavy anti-armor weapons specialist and later as a career firefighter-paramedic. He studied emergency health sciences at the Jefferson College for Health Sciences, pre-medical neuropsychology at Virginia Commonwealth University/Medical College of Virginia and information technology at the University of Massachusetts.

Steve Weis
Co-Founder, PrivateCore

Steve Weis was previously a technical director at AppDirect. Prior to that, Steve was a senior engineer at Google. He led the design of Google's two-step verification and received a Google Founder's Award in 2010. Steve has a PhD from MIT in cryptography, where he was a member of the Cryptography and Information Security group.

Organizers / CSA Silicon Valley Chapter Leadership

Naveen Bisht Co-Founder, AURISS TECHNOLOGIES INC. and Chair, Programs/Board Member, TiE Silicon Valley

James Hunter President, Net Effects Inc.

Srinivas Jaini Executive Director, CSA Silicon Valley Chapter

John Kinsella Founder & CEO, Stratosec

Ulrich Lang Founder & CEO, ObjectSecurity

Tim Mather Advisory Director, KPMG

Becky Swain Founding Member, Cloud Security Alliance


To contact the CSA Innovation Conference event organizers about sponsoring the 2013 event please send inquiries to [email protected].
