
Archived: Securing Cloud-as-Infrastructure
Earn up to 6.5 CPE credits by attending this virtual event
Securing cloud-as-infrastructure must be a shared responsibility between IT/security professionals; DevOps teams; and cloud-based SaaS, PaaS and IaaS providers. As part of this effort, stakeholders must take steps to deter cloud leaks and misconfigurations, avoid careless API mismanagement, and ensure that cloud services clients and providers have clearly communicated security expectations to each other.
Join SC Media on May 17-18 as we convene industry-leading practitioners and experts to learn how to secure cloud infrastructure, with topics including:
- Results from CyberRisk Alliance's Cloud Security Research Survey
- Developing a user-centered model for safely storing content in the cloud
- Assessing cloud services providers, and how to enter a shared responsibility agreement
- Tips for secure cloud-based app development
- The cloud’s lingering privacy and data sovereignty issues
Agenda
DAY 1 | May 17
10:45 AM ET
Program Opens
11:00 AM ET
Opening Keynote – A user-centric approach to securing content in the cloud
Dan Meacham: VP, Global Security and Operations & CSO/CISO, Legendary Entertainment
In April 2022, the Motion Picture Association reportedly revealed an expanded industry effort to secure creative content that’s developed and stored in the cloud. The initiative is a high-priority one, considering that insecure cloud access and misconfigurations can result in damaging leaks, piracy and even extortion if the content falls into the wrong hands. In this session, Dan Meacham, CISO at Legendary Entertainment, will discuss these latest developments in the media and entertainment space and how they are relevant to other industries that also must safeguard their highly sensitive assets and materials. Dan will also reveal how he developed a user-centric cloud architecture that has allowed Legendary to secure the remote editing of entertainment projects anywhere in the world.
11:30 AM ET
Managing cloud security risks…IYKYK.
Maristelle Bagis Hosaka: Director, Product Marketing – Cloud Security, Fortinet
Digital transformation has been a critical enabler for the rapid acceleration in cloud adoption. Despite the benefits, rapid adoption has also outpaced many organizations’ cloud security expertise, preventing them from properly securing their cloud environments and leaving them exposed to potential threats. With over 80% of organizations adopting the cloud, security risk often accumulates faster than it is resolved and mitigated. Understanding the risks in the cloud and how to best work as a team is essential for effectively mitigating risk and choosing the right tools. This session will highlight some of the most common cloud risks and explore the ways to mitigate them.
12:00 PM ET
AppSec best practices for securing cloud-based web apps and APIs
Sonali Shah: Chief Product Officer, Invicti Security
Web apps and APIs present a major risk for organizations of all sizes. According to the Verizon DBIR, about two of every five breaches originate in a web app – and the problem is only growing. And in most organizations, innovation pressures still outweigh security priorities. So, what can AppSec professionals do to reduce their web attack surface? In this presentation, Invicti Security Chief Product Officer Sonali Shah dives into the top five AppSec risks that every organization should be aware of and provides best practices for securing cloud-based web apps and APIs.
12:30 PM ET
Penetrating the cloud: uncovering unknown vulns
Seth Art: Principal Security Consultant, Bishop Fox
Nate Robb: Senior Operator with Bishop Fox
For an increasing number of organizations, the explosion in attack surfaces has reached unmanageable levels amid the widespread adoption of cloud services. In fact, 79% of companies have experienced at least one cloud data breach in the last 18 months, often due to unknown vulnerabilities.
One of the key challenges in the unprecedented growth in cloud infrastructure is understanding which vulnerabilities and misconfigurations are the most exploitable and impactful. While many organizations spend a lot of time fixing the issues they can easily identify with tools, tools have limitations and often do not operate in the same vein as a hacker. Uniquely, an offensive security approach offers the ability to identify the type of attack paths that a malicious attacker will actually take and, therefore, better prepare against.
1:00 PM ET
BREAK | Visit Solutions Center
1:15 PM ET
Research Session: Cloud security: findings from a CRA business intelligence research study
Matt Alderman: EVP, Foresight, CyberRisk Alliance
Bill Brenner: VP, Custom Content, CyberRisk Alliance
What are the main challenges security teams face when it comes to securing their cloud implementations? In this session, CyberRisk Alliance Business Intelligence’s Matt Alderman and Bill Brenner review the findings of a research study Business Intelligence conducted last month among 303 IT cybersecurity decision makers. They will focus on the specific challenges organizations face, and how to overcome those challenges.
2:00 PM ET
10 Steps to cloud security success in 2022.
Richard Beckett: Senior Product Manager, Sophos Public Cloud Security Team
With busy IT teams, how do you make sure you’re making the right cloud security decisions in 2022? Join Sophos as we discuss how to operationalize your cloud security approach, adding the right security tools and expertise to help you reduce security risk, increase cloud security posture, and improve the efficiency of your security program and internal teams.
2:30 PM ET
Planning and building a strategy for comprehensive cloud infrastructure security
Lior Zatlavi: Sr. Cloud Security Architect, Ermetic
With so many different variables to consider when designing and implementing a security strategy for your AWS, Azure or GCP environment, it is difficult to organize everything or take the first step. You need a guide to help set priorities and build a plan of action.
Outlining best practices and compliance standards is a good place to start. But these alone don’t enable you to actually assess the maturity of your current cloud security practices and build a roadmap for continuous improvement.
To this end, we created the Cloud Security Maturity Model, a lightweight and easy to understand framework that defines the key guidelines for a comprehensive cloud security strategy. It serves as a guide for prioritizing and implementing security controls and procedures.
3:00 PM ET
Enabling trust in cloud-as-infrastructure
Seema Kathuria: Senior Product Marketing Manager, Cisco/Duo
While there are numerous benefits of adopting cloud-as-infrastructure including cost savings, access and availability of compute resources and services, scalability, and resource optimization, security is not inherent and cannot be taken lightly. Organizations must plan and prepare for mitigating security risks to protect the business and assets hosted in a cloud environment.
In this session, we will discuss security implications of adopting cloud-as-infrastructure and best practices organizations should consider for risk management and enhancing trust in the cloud.
3:30 PM ET
Closing Keynote – Burning questions to ask when developing a shared responsibility agreement
Jim Reavis: Co-founder & CEO, Cloud Security Alliance
Cloud service providers and their clients must enter into a shared responsibility model, whereby the two parties divvy up control of all security-related matters and decide who is accountable when an incident occurs. To reach this understanding, organizations must first assess the security capabilities and histories of prospective cloud services providers. Then they must ask the right questions to these third-party providers to determine if they are the right fit, and to ensure that any shared responsibility model is mutually beneficial. This session will review the most important metrics to assess the efficacy of cloud services providers and the key questions you must ask as you negotiate a shared responsibility contract.
DAY 2 | May 18
10:45 AM ET
Program Opens
11:00 AM ET
Opening Keynote – Privacy Shield reborn? The cloud’s lingering privacy and data sovereignty issues
Sujit Raman: Partner, Sidley Austin LLP + former Associate Deputy Attorney General, DOJ
Privacy and data sovereignty concerns continue to swirl around companies that manage their assets in the cloud – especially whenever data crosses international boundaries. Just this past March, it was reported that the U.S. and European Union were close to finalizing a new data-sharing pact that would replace the old Privacy Shield agreement that was nullified in 2020 by the EU Court of Justice’s “Schrems II” decision. In this session, Sujit Raman, who coordinated the DOJ’s response to the EU court’s decision while serving as an associate deputy attorney general, will share his views on these latest developments, including what needs to be in the latest data-sharing agreement for it to pass muster with the EU courts and privacy advocates. He will also weigh in on other lingering data privacy and jurisdiction concerns that must still be resolved.
11:30 AM ET
Survivorship bias, growing attack surface and finding your weakest links when moving to the cloud
Fredrik Nordberg Almroth: security researcher and Detectify co-founder
With more organizations moving to the cloud, new systems being exposed online and a growing number of moving parts, security risks continue to change, leading to increased complexity. Alongside this, the lack of transparency leads to an expanding attack surface that is hard to defend from attackers. Companies, irrespective of sector, must address the issue of increasing web-facing attack surfaces, and in this session Fredrik will talk about why it is the most pressing issue facing CISOs today.
12:00 PM ET
Developer-focused security from code to cloud, and back to code
Jim Armstrong: Senior Director, Product Marketing, Snyk
Cloud and DevOps practices blur the boundary between application development and the production cloud environment. Solutions that satisfy the needs of only the development team -or- the security & operations teams, in isolation, don’t help where organizations need it the most: reducing security risk while ALSO increasing the speed of application delivery.
12:30 PM ET
Silver linings: Self-learning AI for cloud and SaaS
Maria Fung: Technical Manager, Darktrace Holdings
Cloud and SaaS platforms have created digital environments where businesses can innovate, collaborate, and share more than ever before. However, this is often at the cost of visibility and control. In this session, Maria Fung, Darktrace’s Technical Manager, will discuss the challenges of securing cloud and SaaS applications. Discover why Self-Learning AI is best-in-class in protecting organizations’ dynamic workforces and constantly changing digital infrastructure.
1:00 PM ET
Break
1:15 PM ET
Thought leadership panel: API apprehension: improving API security amidst rampant cloud-based services adoption
Jack Hart: Vice President, Information Security Architect, City National Bank
Sonya Moisset: Security Advisory Board Member & Ambassador, OpenUK
Omar Shabir Peerzada: Cyber Security Architect, Neiman Marcus
As APIs grow exponentially in number across web and mobile app ecosystems, businesses are increasingly challenged to achieve the visibility, governance and standardization they need in order to prevent and detect code vulnerabilities that open the door to threat activity. Factors contributing to API sprawl include increased adoption of cloud-based services and microservices architectures, version control issues stemming from continuous software development, complex integration challenges, and siloed product and dev teams working on their own separate projects. This panel will examine why API sprawl has created a fertile breeding ground for cyber threats, and what developers and security professionals must do to institute more responsible API policies and practices.
2:00 PM ET
Security blind spots in the era of cloud communication & collaboration: are you protected?
Shlomi Levin: Security Researcher & Co-Founder, Perception Point
The need to communicate, collaborate and do business on a global level has created a proliferation of cloud-based applications and services. Email. Cloud Storage. Messaging platforms. CRM. Digital Apps and Services. Organizations continue to add new cloud channels to support their business needs. But with new channels come new security blind spots that must be addressed.
2:30 PM ET
Hidden risks of using open source software
Maciej Mensfeld: Director of Product, White Source Software
With each passing year, open source software use increases. But this trend does not come without a price. Modern software’s heavy reliance on open source components has created space for exploitation by malicious actors. New threats are challenging to detect and to protect against. This session should arm you with knowledge about the risks and practical countermeasures you can take to avoid becoming a victim.
3:00 PM ET
Injection vulnerability: What do developers actually know?
Amy Baker: Chief Marketing Officer, HackedEDU
In this session, we will discuss the application security landscape and what role secure development training plays in it. We will highlight data from over 100,000 training sessions on our Secure Coding Platform, focused on one of the most common vulnerabilities, injection. We will highlight what developers know today about injection and how you can use that data to build a plan for secure coding training inside your organization.
3:30 PM ET
Closing Keynote: The most common visibility and compliance lapses in your cloud vendors' environments.
Kayne McGladrey: Senior Member, IEEE & Cybersecurity Strategist, Ascent Solutions
Whenever a key business function is hosted by a cloud-based vendor, your organization cedes a certain amount of control to the service provider. And that sometimes means that your security team lacks visibility into how this third party handles sensitive data and to what degree it successfully meets regulatory compliance standards around privacy and data security. This session will identify some of the most common gaps in visibility and compliance to develop between companies and their SaaS, PaaS and IaaS providers, and explain the root causes behind these lapses so that your own company hopefully can avoid some of these pitfalls.