The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Tuesday, January 30 • 3:00pm - 3:50pm
Seeing Through the Fog - Navigating the Security Landscape of a Cloud-First World

Abstract:
The prospect of the cloud is extremely attractive to many enterprises, so it’s no surprise that several industries are in an all-out sprint to get there. Cloud has become so popular that many CIOs have simply been given the directive “get to the cloud,” and thus are moving forward at a staggering rate with little regard for cost or security. This is putting security teams on their heels, in large part because many haven’t had the chance to truly grasp the shared responsibility model that most cloud providers operate under.

There is a common misconception in the industry that, when you buy space with a cloud provider, the cloud provider is also responsible for securing your data. This simply isn’t the case. The agreement is much more like leasing an apartment: the landlord maintains the roof, walls and windows, but if you leave the door unlocked, that’s on you. That said, determining who has responsibility for the protection of applications, services, and data once cloud has become part of an enterprise stack is a lot harder than locking a door. If it weren’t, we wouldn’t be constantly reading about huge troves of sensitive data stored on unsecured AWS servers. So, figuring out this shared model has become one of the major challenges of navigating this new and only vaguely defined landscape.

The first thing we all need to understand is that cloud providers are not managing data so much as providing a platform or infrastructure, so the protection of the data is still up to the enterprises. While the cloud offers more availability and uptime, it can also make data more vulnerable to attack. Every copy of data is a potential liability, so while availability is convenient, it comes with elevated risk. Cloud providers can certainly make it easier for enterprises to set up their servers correctly, but enterprises need to own the responsibility of securing their data and make sure they are maintaining access control lists properly, performing quality assurance on configurations and policies, and auditing who has access to what.

In this session we will explore how security professionals can own security for their organization as they migrate to the cloud, and detail the steps they can take to make sure the cloud stays secure for their enterprise, thus ensuring that they don’t end up making headlines for all the wrong reasons.

Ben Johnson

CTO, Obsidian Security
Ben Johnson is a prominent voice in cybersecurity, having co-founded and been CTO of both Obsidian Security and Carbon Black. Additionally, Ben sits on several cyber start-up boards and spent 7 years at the NSA. Ben has spoken to over 600 organizations and given thought-leadership...

Tuesday January 30, 2018 3:00pm - 3:50pm PST
Sand and Sea Room