CSA Summit at RSA 2014

CSA Summit 2013

Summit Proceedings

Document Download
Cloud Computing Security A European Perspective
Udo Helmbrecht, Executive Director - European Union Network and Information Security Agency
Download PDF
Critical Infrastructure in the Cloud
JD Sherry, Vice President, Technology & Solutions-Trend Micro
Daniel Poole, Cloud Security Architect-Vodafone, UK
Download PDF
Building Secure Global Networks in the Age of Technology Consumerization
Alan Boehme, Chief of Enterprise Architecture for The Coca-Cola Company
Junaid Islam, CTO, Vidder
Download PDF

Software Defined Perimeter Workshop (SDP)

Monday, February 24th, 2:00pm – 3:00pm
Moscone West, Room 2008

The SDP workshop will provide participants a hands-on overview of the SDP protocol as well as detailed view of the SDP Hackathon. Workshop participants will be provided with an introductory overview of server blackening and ephemeral access techniques incorporated into the Software Defined Perimeter concept.

If you wish to attend this free workshop, please contact us at [email protected].

SDP Hackathon

CSA's SDP Hackathon kicks off Feb. 24th at 2:00pm in Moscone West, Room 2008. This contest will allow security professional to play the role of an "inside attacker" where the file server is protected by a Software Defined Perimeter. Just like inside attacks, participants will be provided with the IP address of the target server as well as the SDP components, which are protecting them. Participants will also be provided an overview of the SDP "need-to-know" protocol that is being used to protect the file server. The first participant to access the target server will win a trip to DEF CON® in Las Vegas, compliments of CSA. For contest rules and more information, please visit https://cloudsecurityalliance.org/research/sdp/

CSA Legal Information Center Seminar:

Trust in the Cloud: How are you Protecting Customer Data?

Wednesday, February 26th, 8:14am – 1:00pm
PLI Conference Center 685 Market Street, San Francisco, CA 94103

In the cloud, to deserve the trust of its customers and others, a company must be able to demonstrate that it protects the privacy and security of the data in its custody. It must communicate clearly and specifically the nature and extent of the measures taken to protect data, and show how they meet the existing legal and regulatory requirements, standards, best practices and benchmarks. Customers, on the other end, need tools to evaluate and compare different offerings so that they can decide which one deserves their trust and their business.

This interactive program will provide:

  • Legal and regulatory backgrounds
  • A survey of methods, standards and certifications available to evaluate and measure compliance
  • Examples of frameworks adopted by market leaders

This program is eligible for 3.0 hours of CLE general credit. This program is provided by the IT Law Group, an approved Multiple Activity Provider (#15599) and is eligible for 3.0 hours of MCLE general credit (No ethics, No elimination of bias, No substance abuse). If you have attended this program and signed the Official Record of Attendance for California MCLE your Certificate of Attendance will be available upon request. For CLE information, please email:[email protected].

Seating is limited for this event, please register at:

Registration closes Thursday, February 20th

CSA Booth 2433 (South Hall)

No matter what your role in our industry is, CSA has something for you. Come to our booth to learn, be entertained and win prizes.

  • Learn how CSA STAR is setting the bar for cloud provider assurance and certification
  • Discover how to obtain the CCSK and take your career to the next level
  • Find out how you and your organization can become more involved with CSA
  • Watch the Software Defined Perimeter Hackathon and talk to the project experts

CSA will also be giving away:

  • An Apple TV each day and Free CCSK tokens ~ Sponsored by CSA
  • $100 Total Wine Gift Certificate ~ Sponsored by Perspectsys
  • Beats by Dr. Dre Executive Headphones ~ Sponsored by Netskope

CSA Summit 2014: In Global Clouds We Trust?

CSA Summit Registration has reached capacity, please click here if you wish to attend.

Monday, February 24th. New Location: Moscone Center West, Room 2014

Join us for the 5th CSA Summit, where key policy makers and industry luminaries from the US, Europe and Asia discuss and debate our industry’s seminal issue: can we trust global cloud service providers to protect customers located anywhere in the world? We will also review the latest technologies promising to secure the cloud, big data and mobile in an interactive audience session.

8:00 AM – 9:00 AM
Doors Open/Informative Cloud Security YouTube Videos sponsored by Qualys

9:00 AM – 9:30AM
Keynote : Richard Clarke, Chairman & CEO of Good Harbor, Member of President Obama’s Review Group on Intelligence and Communications Technology

9:30 AM - 9:50AM
Keynote: "Cloud Computing in Europe - the Governmental Clouds Case"

Presenting: Professor Udo Helmbrecht , Executive Director, European Union Agency for Network and Information Security (ENISA)

Public and private sector organisations are switching to Cloud computing. Public bodies are a key player in Cloud computing area as it offers scalability, elasticity, high performance, resilience and security, together with cost efficiency while in the same time it could enable and simplify citizen interaction with government by reducing information processing time, lowering the cost of government services and enhancing citizen data security. The specific security and privacy risks have become a drawback to the uptake of cloud computing by the public sector. However the situation in Europe is quite optimistic as more and more public sector are moving to the Cloud; this presentation will provide an overview of the status of cloud computing in Europe.

9:50 AM – 9:55AM
Cloud Security Alliance Industry Leadership Award

9:55 AM – 10:55AM
Panel: "Bring Your Own Cloud: Targeting your Application Perimeter Security Strategy"

Moderator: Jay Chaudhry, CEO and Founder, Zscaler

Robert (RSnake) Hansen, Director of Product Management, Whitehat Security
Patrick Harding, CTO, Ping Identity
Wolfgang Kandek, CTO, Qualys
Krishna Narayanaswamy, Chief Scientist, Netskope

The network perimeter was long ago shattered by VPN's and a distributed workforce and over the past years we’ve seen a new application perimeter emerge with the introduction and growth of mobile devices and cloud-based applications. Panelists will discuss the scale of threat presented by Bring Your Own Device (BYOD) and cloud applications, the ever-expanding application perimeter, and how security teams should mitigate potential vulnerabilities and protect against data loss caused by weaknesses in critical applications wherever they are hosted or deployed.

10:55AM – 11:05AM

11:05 AM – 11:35 AM
Sponsored Keynote: “Critical Infrastructure Protection in the Cloud”

Presenting: JD Sherry, Vice President, Technology and Solutions, Trend Micro
Daniel Poole, Cloud Security Architect, Vodafone Group, UK

TITLE: Critical Infrastructure Protection in the Cloud

Today’s cyber-attacks have not only grown to an unimaginable volume but also a sophistication and variety that would have been hard to believe a few years back. We are seeing a manifestation of a new cyber world order… They target our mobile devices and social network accounts; they attack new technologies – everything from HTML5 to virtual machines – and they steal our data and identities and turn our machines into botnets. They’re even using public cloud accounts to launch massive brute force attacks and DDoS storms – hitting public and private sector organizations across the globe. There are no boundaries…

The actors behind these attacks, whether state-sponsored groups or financially motivated guns-for-hire, are an increasingly professional bunch, making use of the commoditized exploit kits freely available on many underground forums. What’s more, an ever-greater number are targeting organizations and critical infrastructure with a laser-focus, perhaps sneaking malware in under the radar as logic bombs waiting to strike our national utility systems. Once inside the network, this malware can lie hidden for months or years exfiltrating data out of an organization.

It is estimated that 90% of critical infrastructure is managed by the private sector. Many of these private sector organizations are already leveraging cloud-based infrastructure or are looking to adopt cloud based services. What are the latest threats and areas of concern? How can organizations adopt and integrate elements of the NIST CyberSecurity Framework to protect their cloud based critical infrastructures and mitigate their risk against a catastrophic attack?

11:35 AM – 12:35 PM
Panel: "Managing Cloud Risks and Trusting the Cloud Continuously"

Moderator: Erik Peterson, Director of Product Strategy, Veracode

Sol Cates, Chief Security Officer, Voremetric
John Hawley, VP, Business Unit Strategy, CA Technologies
David Miller, Chief Security Officer, Covisint
Kaushik Narayan, Co-Founder and Chief Architect, Skyhigh

Whether through IT, business units or individual employees, the decision has been made to move to the cloud. How do we make the determination that we can trust any given cloud application? What types of independent verification are needed, and what trust marks and certification are most appropriate? Panelists will discuss state-of-the-art innovations helping enterprises manage risks and monitor activities in realtime. We will also explore governance and compliance initiatives such as CSA STAR that encourage industry transparency and independent certification. This panel will provide enterprises with practical advice to manage risks with their own cloud adoption strategy and protect their sensitive information from all comers.

12:35-1:00 PM
Closing Keynote: “Software Defined Perimeter: Building Secure Global Networks in the Age of Technology Consumerization”

Alan Boehme, Chief of Enterprise Architecture for The Coca-Cola Company
Junaid Islam, Chief Technical Officer and Founder, Vidder
Kevin Walker, Vice President & Assistant Chief Information Security Officer, Walmart

TITLE: Software Defined Perimeter: Building Secure Global Networks in the Age of Technology Consumerization

The massive growth in Internet-connected devices, digital data and cloud are creating ubiquitous computing resources that both aid the enterprise's mission while threatening its ability to protect its digital persona. In this talk, CSA board member, Coca Cola's chief of enterprise architecture and Silicon Valley technology leader Alan Boehme discusses the challenges complex multi-national organizations have in leveraging leading edge technology while maintaining secure and trusted IT capabilities. Mr Boehme will explain why incremental approaches to managing and securing tech consumerization will fail and why more disruptive approaches at enterprise network security are necessary. Finally, Mr Boehme will provide an update to CSA's Software Defined Perimeter, a breakthrough framework to secure multiple clouds, mobile computing and the Internet of Things.


Alan Boehme

Alan Boehme
Chief of Enterprise Architecture for The Coca-Cola Company

Alan Boehme serves as Chief of Enterprise Architecture for The Coca-Cola Company. In this role he is responsible for leading the Global enterprise architecture and emerging technology function. Boehme was previously Sr. VP and Head of IT Architecture for the ING Global Insurance Business as well as serving as chairman of the global cross banking / insurance business (ING Group) enterprise architecture committee reporting into the global CTO office. Prior to his time with ING he served as VP & CIO at Juniper Networks, EVP & CIO Sage Software and the CIO for Emerging Technologies & Shared Services at GE Power Systems.

Sol Cates

Sol Cates
Chief Security Officer, Vormetric

In his role as CSO of Vormetric, Sol Cates is responsible for ensuring Vormetric’s internal security profile remains robust while also understanding how security is perceived and used by IT/IS and how it drives technical decision making and buying behavior at the boardroom level.

The technical depth and understanding of the information security space Cates has developed over the last 17 years is rooted in the intelligence community, financial services industry and other large enterprise organizations. He originally joined Vormetric in 2003, when he spent four years as a systems engineer.

Jay Chaudhry

Jay Chaudhry
CEO and Founder, Zscaler, Inc.

Jay Chaudhry is an accomplished entrepreneur, having founded a series of successful companies, including Zscaler, AirDefense, CipherTrust, CoreHarbor, Air2Web and Secure IT. Chaudhry leverages more than 25 years of security industry expertise, including engineering, sales, marketing and management experience with leading organizations, such as IBM, NCR and Unisys. Prior to founding Zscaler in 2008, Chaudhry founded and led AirDefense, a wireless security pioneer, before its acquisition by Motorola. From 2000 to 2006, Chaudhry founded and led CipherTrust, the industry’s first email security gateway, before its merger with Secure Computing. From 2000 to 2003, Chaudhry founded and led CoreHarbor, a managed ecommerce solution, before it was acquired by USi. In 1996, Chaudhry founded and led his first company, SecureIT, the first pure-play Internet security service, before it was acquired by VeriSign in 1998.

Chaudhry has been honored as an Ernst & Young “Entrepreneur of the Year,” an Information Week “Innovator & Influencer” and SC Magazine “Market Entrepreneur.” Chaudhry earned his MBA and his MS in Computer Engineering and Industrial Engineering from the University of Cincinnati and his B.Tech in Electronics Engineering from IIT BHU Varanasi. Chaudhry has completed the Executive Management Program from Harvard University.

Richard A. Clarke

Richard A. Clarke
Chairman & CEO, Good Harbor and Special Advisor to the President for Cyber Security & National Coordinator for Security and Conterterrorism.

Richard A. Clarke is chairman & CEO of Good Harbor and an internationally recognized expert on cyber security, homeland security, national security, and counterterrorism. He is currently an on-air consultant for ABC News and teaches at Harvard's Kennedy School of Government. He is the author of Cyber War: The Next Threat to National Security and What to Do About It. Mr. Clarke served the last three Presidents as a senior White House Advisor, including as Special Advisor to the President for Cyber Security and National Coordinator for Security and Counterterrorism.

Robert (RSnake) Hansen

Robert (RSnake) Hansen
Director of Product Management, WhiteHat Security

Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better

Patrick Harding

Patrick Harding
Chief Technical Officer, Ping Identity

Patrick Harding is the CTO of Ping Identity, responsible for Ping Identity Labs, emerging technologies, architecture and standards, and developing Ping's technology strategy. Previously, Harding was a VP and the Security Architect at Fidelity Investments. Mr. Harding has a Bachelor of Science Degree in Computer Science from the University of New South Wales in Sydney, Australia.

John Hawley

John Hawley
VP, Business Unit Strategy, CA Technologies

John is currently Vice President of Strategy for Security solutions at CA Technologies. He coordinates the definition of the CA Security vision and evaluation of new portfolio growth opportunities. John has been working in the security space for 15 years and is a frequent conference speaker, focusing on how enterprises embrace new trends to secure the business but also align security to the discussion in the boardroom.

John has been working with CA Technologies for 9 years, holding previous roles in Product Management and Technical Sales. Prior to CA, John founded and managed a venture funded SaaS company providing performance monitoring for cloud applications. Earlier, John managed a Solutions Engineering and Security teams at Internet services provider UUNET/WorldCom and consulting firm Ernst & Young, LLC.

John holds an MBA from the KATZ School of Business at University of Pittsburgh and a BS in Information Systems from Virginia Tech.

Professor Udo Helmbrecht

Professor Udo Helmbrecht
Executive Director, ENISA

Prof. Udo Helmbrecht is the Executive Director of ENISA since the 16th of October 2009. Prior to this, he was the President of the German Federal Office for Information Security, BSI, for six years, between 2003-2009.

Procedure. Prof. Helmbrecht was nominated by ENISA’s Management Board, from a list of candidates proposed by the European Commission, after a presentation of his visions. He was appointed after making a statement to the European Parliament and replying to MEPs’ questions on 16 April, 2009.

In end of 2010, he was bestowed with the title of Honorary Professor at the Bundeswehr University in Munich.Prof. Helmbrecht is assisted by a Permanent Stakeholders' Group and ad hoc Working Groups on scientific and technical matters.

Junaid Islam

Junaid Islam
Chief Technical Officer and Founder, Vidder

Junaid Islam is the founder and CTO of Vidder and has over 25 years of product development experience in the security and networking industry. Prior to founding Vidder, Junaid founded Bivio Networks, which invented the first programmable Gigabit speed Deep Packet Inspection device for security and surveillance applications. During the 90's, as an architect at StrataCom & Cisco, Junaid played a leading role in the development and standardization of Frame Relay, ATM & MPLS. Junaid is the Co-chair of the Software Defined Perimeter research group for the CSA.

Wolfgang Kandek

Wolfgang Kandek
Chief Technical Officer, Qualys

As the CTO for Qualys, Wolfgang is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the Online Music streaming company myplay.com and at iSyndicate, an Internet media syndication company. Earlier in his career, Wolfgang held a variety of technical positions at EDS, MCI and IBM. Wolfgang earned master's and bachelor's degrees in computer science from the Technical University of Darmstadt, Germany.

Wolfgang is a frequent speaker at security events and forums including Black Hat, RSA Conference, InfoSecurity UK and The Open Group. Wolfgang is the main contributor to the Laws of Vulnerabilities blog.

David Miller

David Miller
Chief Security Officer, Covisint

Mr. Miller directs the identity management offering at Covisint, which currently secures access for automotive, healthcare, energy and government customers. Mr. Miller has spoken at numerous conferences in various industries and has also testified before the U.S. Senate regarding e-prescribing of controlled substances (testimony which helped shape new laws). Mr. Miller has been with Covisint since its inception, architecting its federation solutions and implementing the first true identity network for the auto industry. A visionary in FIAM, Mr. Miller has built Covisint’s INFOSEC organization, developed policies and procedures for information security and helped design secure solutions for product offerings.

Mr. Miller has more than 20 years experience in the information technology and automotive industries. Prior to Covisint, he served as Director of Operations for GM TradeXchange, managing the implementation and architecture of GM’s automotive exchange. Previously, Mr. Miller was Chief Architect for Secureway, an IBM division that provided security to e-business initiatives. His GM experience also includes being Director of Technology for Dascom (later purchased by IBM) and his many years as an Enterprise Architect at EDS in Detroit, where he supported GM business systems. He chaired the HIPAA Compliance Work Group and is a member of the Executive Security Action Forum.

Krishna Narayanaswamy

Krishna Narayanaswamy
Chief Scientist, Netskope

A highly-regarded expert in security, deep packet inspection and behavioral anomaly detection, Krishna Narayanaswamy focuses on data science and security technologies as chief scientist at Netskope. Krishna brings over 24 years of experience, including founding Top Layer Networks and serving as a distinguished engineer at Juniper Networks. He has delivered multiple generations of successful security products to the market. He has been awarded 20 patents covering a broad set of technologies and has a dozen more pending patent applications. He has been an active participant in standards groups and industry consortiums.

Kaushik Narayan

Kaushik Narayan
Co-Founder and Chief Architect, Skyhigh Networks

Kaushik Narayan is a Co-Founder and Chief Architect at Skyhigh Networks, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class products.

Kaushik has been working in the network security and management space for sixteen years and large part of that at Cisco systems where his last stint was as the Principal Engineer responsible for the Identity Services Engine product, which won Cisco Pioneer Technology award. Kaushik helped drive key technology initiatives within Cisco in the areas of Policy Management, Cloud Centric Networking and Network Automation, he has filed several patents and also been active member at the IETF responsible for multiple RFCs.

Kaushik holds a Bachelor of Science in Electrical Engineering from Pune University and an MS in management Systems from BITS Pilani.

Erik Peterson

Erik Peterson
Director of Technology Strategy, Veracode

Erik Peterson is the Director of Technology Strategy for Veracode with 17 years of security industry experience, including senior leadership and technology roles for HP, SPI Dynamics, GuardedNet and Sanctum.

Erik has also held InfoSec roles at Moody’s and SunTrust Bank and IT roles for the U.S. Embassy in Vienna, Austria and the UN IAEA. Erik has spoken at numerous events including Security BSides, OWASP, ISSA, InfraGard, ISACA and the Cloud Security Alliance

JD Sherry

JD Sherry
Vice President Technology and Solutions, Trend Micro

Mr. Sherry is responsible for providing guidance and awareness regarding Trend Micro’s entire security portfolio aimed at protecting both commercial and government cloud ecosystems. Well-versed in enterprise and data center architecture, Mr. Sherry has successfully implemented large-scale public, private and hybrid clouds leveraging the latest in virtualization technologies. Over the last eight years, he has established himself as a trusted senior advisor and cloud security specialist for the protection of Payment Card Industry (PCI), Health Information Privacy Act (HIPAA) and Personally Identifiable Information (PII) data. Mr. Sherry also has an extensive background in developing and bringing to market mobility platforms and applications. JD has spent the last 12 years in senior IT leadership roles.

Kevin Walker

Kevin Walker
Vice President & Assistant Chief Information Security Officer, Walmart

Kevin brings over 25 years’ experience in computer science and information technology to his role at Walmart. Previously he was a senior security leader at Intuit, Cisco, Symantec and VERITAS Software. A long-time Silicon Valley veteran, he has been a founder of several successful technology start-ups. Kevin built one of the first managed security services providers supporting numerous Fortune 100 companies. He was also an engineer and researcher for Digital Equipment Corporation, EDS, SAIC, SRI International and the University of California at Berkeley.

Platinum Sponsor

Gold Sponsors

Silver Sponsors

Bronze Sponsors