
[Music]

Bow Valley College aims to uphold the intention of the numbered friendship treaties from the perspective of Indigenous peoples. We also remain collectively accountable to respect Indigenous peoples' legal and inherited rights, recognizing we are all treaty peoples. There are words interactions. Bow Valley College honors the traditional lands of the Blackfoot Confederacy, which includes the Siksika, the Kainai, the Piikani and the Amskapi Piikani First Nations, as well as the Chiniki, Wesley and Bearspaw First Nations. We also recognize the connection and autonomy of the Métis Nation Region III within the historical Northwest Métis Homeland. You join all nations in celebrating the unique histories, traditions and cultures of Indigenous peoples as we continue our journey on the road towards reconciliation together.

Exactly right. Good morning, everyone. Hey, for those who don't know me, my name is Steve Porter. I'm with the BSides organizing committee, and, um, welcome to BSides Calgary 2022.
It's our first in-person one in a couple years now, and first of all, can everybody hear me okay? I'm... nope? Okay, you want me to beef it up a bit? Gotcha. I'm a little soft-spoken, I'm sorry. Nope? All right. Um, so I got a few notes here. Just want to say welcome on behalf of the committee. Uh, just to remind everybody, this conference is for you. I hope that everybody enjoys it, and we've got a great lineup of speakers and presenters throughout the next couple of days. I think we have 35-plus presenters; I think that's a bit of a record for BSides here. Oh, there we go. Um, we've got all kinds of different challenges and workshops over the next couple of days as well. Uh, we have an IoT lab downstairs and the CTFs, we have some Wi-Fi hacking, uh, even have a Tesla outside if anybody wants to try to unlock that and drive it off the lot. Um, I'm not kidding: if you hack the Tesla, you win a Tesla. How about that? I mean, it's a 1:18 scale model of the one outside, but it looks just like it. I mean, kind of count for something. All right, I'm getting laughs at nine o'clock in the morning, this is good.

So I wanted to give a little bit of background. Uh, first of all, how many of you, how many people are, this is your first year for BSides Calgary? Wow, that's great. Um, thank you for coming, and I really know you're going to have a great time here. Make sure that, you know, make the conference about you. Do the things you want to do, attend the sessions you want to see, do the challenges you want to do. Even if you're not a Wi-Fi hacking expert, go downstairs, learn it, see how it's done, have some fun. This is a safe place for doing all of these things and not going to jail. That's what our careers are about. Let's finish it. I'm going way off script here, but that's kind of me. Um, I have a bad habit of doing that. Maybe that's what James asked me to do this in the first place. Uh, but yeah, so BSides Calgary, a little bit of background: we actually started this back in 2016.
So we did our first two events up at SAIT, and, uh, you know what, the first year we actually planned, organized, lined up all the presenters, got all the swag and sponsors and everything together in four months. Um, it was kind of crazy. It was definitely stupid. Um, but we did it, and it turned out to be a great event, and the number one feedback we got from it was, how come it took so long for us to do this, and are we doing it again? So we ended up doing it again the next year, and we intended on this being an annual event, and, well, life got in the way, work got in the way, people got busy. So we took a little hiatus there for a couple years, and that's when we, uh, we approached James Cairns, our lead organizer now, and Bow Valley College and said, what about if you guys took it over? And that's when it started up again in 2020. So big hand, a big shout out for James, um, our lead organizer, who's back here hiding behind the post from me, and, uh, and everything that he's done to bring this event to you again for the past three years now. We did have a little hiccup, of course. You know, we were supposed to be an in-person event back in 2020.
Yeah, these lockdown things really kind of sucked, right? So in a matter of, I don't know, how James was at three months, we had to go from being a planned in-person event to online, and again we pulled it out. Um, you know, none of us are professional event planners, let me just say that, okay? We do our best, we manage to get things done, and, um, then we thought maybe we'll be physical next year, and nope, again that didn't happen. So here we are today, though, and we've got this together. We have a great turnout. Uh, we've, we've sold 550 tickets, I believe. Yeah, okay. Um, that's all we had accounted for; we, we couldn't sell any more. So I'm really, really excited about that. Thank you all for attending.

Um, just out of curiosity, who was at the 2016 event? [Music] Okay, we got a couple. 2017? Anybody attended all five of them? One, okay, two. That's all right. We got a lot of swag from the old events, and if you want, you can give a donation and you could try to win a raffle or pick up a grab bag. You can feel like you were there. A lot of the presentations are also online, so that's the other thing I should mention, is that everything we're doing here is being recorded. Sorry, not in any kind of weird way. It'll all be online later, it will. So if you do miss one of the talks or one of the tracks, you can go online in a few weeks, it'll be there and you can watch it, and, um, and, you know, again, get all the sessions that you really want. I know what kind of a rabbit hole it is to go and start playing in the CTF, next thing look at your watch and go, whoops, the day is over. So, um, it'll all be there if you need it. The recordings from last year are up there now if you want to watch anything from there, and, uh, I think a lot of the other ones are on YouTube from the first two years.

So with that, um, I'm just going to kind of hand it back to James and to our keynotes here. We have a great keynote for today from the Cloud Security Alliance, and I'm looking forward to it myself, and hopefully, um, you said everything goes well and everyone
has fun. If you do have any questions, please feel free to tag one of us with the red, red lanyards. We're volunteers here, we can help you out if anything is not working right or if you're looking for where you need to go for the next talks, and, um, thank you again for showing up for BSides Calgary.

[Applause] Thank you.

Thanks, Steven. Thanks, everyone, for being here. You know, it wouldn't be a tech conference without some tech gremlins. You know, as you can see, we're up here trying to do things and pulling cables and doing that. We've been doing that for about, oh, well, since, since about four o'clock yesterday, make sure we got it right, and probably still don't, and we notice the camera's starting to go off and do its own thing, so we'll figure it out as we go. Uh, just ask that, you know, realize this is the grassroots conference, really. We're not a big 15, 20,000 member, you know, conference, so we're trying to do things. A lot of these people love the goodness of their heart, their time and effort to do this. I got a huge, huge set of volunteers here today, and as well as also been here before yesterday, as well as before this exciting this thing this up.

I wanted to say just a quick welcome here on behalf of both Bow Valley College and the BSides committee as well. Um, I get the distinct opportunity of being able to help plan and work with among, uh, amazing set of people, um, to get this event running and to deal with all the issues that come up with it, that we just don't want to make sure that we get this, this out for the community, by the community. Um, so just one, just want to make sure also to say thank you to our, our sponsors. Um, of course Bow Valley College here as a platinum sponsor; they allow me to be able to take some of my time to be able to organize and contact you and see what's, how to get, get people registered and everything like that. I also want to give thank you to our gold sponsors and the zombie networks Microsoft Security net Solutions, our silver sponsors Trellix, TechDemocracy,
Forcepoint, CrowdStrike, Phosphorus, Cisco Secure, CGI, and our bronze sponsor MNP Digital, as well as iON United to further sponsorship of the IoT Village. It's pretty amazing to have a village that was at DEF CON this year to be actually at this event here, first of all, a small group like us. Um, Steve, you already took wind out of my sails. Was amazing to see we had over 550 people that have registered. We've got about 10 of our people that are at the event are actually online, so if you're online, hi, too bad you're not here, but we're glad that you're joining in with us. Everything that we try to do here is, yeah, we're trying to make sure that everything goes through here as well as Hopin, so if you, even if you can't make it to one of the rooms here, you can pull it up on your browser outside one of our rooms. One of the big places that's an overflow area is just to the outside here of N231. There's a lot of room that people want, you know, not sit in really hard chairs, it's kind of more comfy; that's the place to, to be able to just kick back a little bit too.

Um, other than that, one thing that we didn't have on the, the agenda before that came up is we do have our RF workshop at the CTF Village, um, running on both, 11:25 to 12:15 on both days. So that's something, if you are interested in that, there is some seats there. It's limited seating, so make sure you get there ahead of time, I'm sure you can make sure, make sure you have that spot. Other than that, I am going to quit talking because I'm not a good public speaker, and hand it over to the professionals. Elena and Sean, it's up to you now. Thank you very much.

Hi, how are you? I'm, I have a big mouth, so this might, I might have to stand back a little bit here. Um, but I also need to see this screen, so, um, let me see how I can, how do I move my slides forward on this? I'm going to do enter. Ah, there we go. Um, so we're back. Uh, Cloud Security Alliance has been back doing physical events all year. We've been completely stoked about it. Um, and we did go to RSA for the
first time. Uh, each year at RSA Conference we hold a summit on the Monday of that event, and it turned out great. Of course we saw a fewer people at the event, but hey. You're missing the Zoolander gifts off already. Okay, all right, if you look over there. Um, so yeah, so why don't I just continue until we figure out what, what's happening. But we, um, we're back, and we're all about just meeting and greeting with new people, getting together with some of our members, etc.

Um, to tell you a little bit about the Cloud Security Alliance: we are a 500 corporate member strong non-profit organization, vendor neutral, uh, and, um, along with that we also have about 150,000 individual members across the globe who are typically part of our chapters. For our chapters, we have, um, a little over 100 or so global chapters, so you could, uh, certainly look to participate in some of those as well. Um, College. Thanks, James. I don't want to mess up anything. Oh good, because I would. And that's not the one I want to share.

But, but the reason that we were established 14 or so years ago is really to work with the industry, public and private entities, to establish best practices, standards that would enable organizations to understand, uh, how to secure their cloud environments. And back in the day, um, back in the day, of course, 14 years ago, for, for those of you who have been in the industry for a while like me, um, there were a ton of skeptics about, uh, cloud, right? But now here we are, and, um, no, no, no, uh, and we're just, uh, the cloud has become foundational to everything we do, and we see that through the investments that are being made and some of the unicorn companies. Uh, certainly, uh, some of those organizations are getting much more, um, VC funding than what you would typically see in the traditional cyber security, um, and even hybrid organizations. Um, and so it's a booming, a booming industry, um, where it's a multi-billion dollar, uh, market. Um, there we go. Is it, are we good? Oh, there it is, okay. Um, and, uh, and, uh, we've been, throughout that
14-year span, we definitely have been creating a number of controls frameworks. Uh, we've been working with the likes of NIST and other organizations to ensure that we're getting, you know, those security mappings together that organizations, uh, can use, teams can use, to deal with their ever-growing, um, uh, cloud, uh, environments. And on top of that too, we did launch with training curriculum, so we have our Certificate of Cloud Security Knowledge as well as our Certificate of Cloud Auditing Knowledge. That one we just launched about a year ago in partnership with ISACA, but that enables individuals to really validate their knowledge about cloud, which is extremely needed, and I'll get into that a little bit. And then we have another sort of validation, if you will, through our STAR program, and I'll talk about that in a bit more detail as well, but it's our Security, Trust, Assurance and Risk registry, uh, and there are all kinds of components that sort of support that registry. You can check out to see if a service is meeting certain security controls that you would want to see them offer when you're working with them.

So I just talked a little bit about this. I mean, organizations like Gartner, and certainly us through our research, we found that this is just a crazy business. Certainly COVID helped to accelerate the journeys of a number of, um, companies' workloads to the cloud, um, and that's, that even is for those large, large organizations, which was a little bit surprising to me. I thought they would have been a bit ahead of the game. Talk about this: fact of the matter is, cloud is foundational to everything we do, um, and so there's really no business strategy without a cloud strategy at this point. But organizations, whether they like it or not, um, have to have it, and most are opting for a multi-cloud environment. Now, over the course of my one and a half years of being with, um, Cloud Security Alliance in this particular position, I have come across one organization that is all about one hyperscaler and
that's it. So, but most are definitely going multi-cloud for the many reasons that you see here, and that brings with it a number of concerns. Skills: I don't think there's one CxO with whom I have spoken over the last year and a half who is, um, not having trouble securing people for open positions. So they're definitely looking to upskill. They're coming to us; we're seeing a number of organizations come to us not only to train their security teams or IT teams; some want to also make sure that their HR departments are educated about the cloud and cloud security issues, procurement, etc. More and more of that is happening, but again, individuals can take the training too. So a multitude of concerns with that, and then on top of that multi-cloud strategy, where organizations might be opting to work with, let's say, three hyperscalers, you also have the number of cloud, disparate cloud services through SaaS, microservices, etc. that organizations also are using, and there are some, uh, CxOs who might not necessarily know what's in place.

Hence that, well, I think it's over, maybe more than, investments are in tools and service, training, security violations, cyber insurance. I'd be keen to find out if that still holds true. I just read an article that, um, insurers are looking to up the cost by 174 and also increase the number of exclusions, so we'll see what happens. But all of this is an amalgamation of the day in the life of a CxO, where you have moments of euphoria and then maybe some sadness and anger and fear, especially if there's a regulator or an auditor of coming at you. So CSA can help out. We're looking not only to work with you to help with today's pain points, but we want to make sure that we're addressing those in the future, and we do that through our research team (Sean is going to talk a little bit more about that), the education and certification that we offer, certainly a number of different events and focus groups, and working with different constituents who are supporting particular initiatives,
and then of course just networking. But let me hand it over to Sean. He's going to talk to you about some of the more recent research we've done and give you some practical tools that can help arm your teams to deal with cloud threats.

Awesome, thanks. Yeah, hi everyone, I really appreciate you having me here. So my name is Sean Heide. I am the technical research director for Cloud Security Alliance. So essentially we have a research portfolio that I help lead that encompasses things like enterprise architecture, so the adoption of cloud and controls when you're moving to a cloud environment. I also help lead, as you can see up on the screen, our Top Threats to Cloud Computing, which is one of our annual surveys that we help companies kind of focus on mitigations and techniques. I also helped lead our CSO, our CxO Trust, which is our CSO an executive working group to kind of help enterprises better understand at the CISO level how they need to be interacting with the business, how to approach the business, and what security means to an entire enterprise space. So this is one of, you know, honestly, maybe I'm a bit biased, one of our best, uh, releases we usually have annually. Uh, this specific one, the Top Threats to Cloud Computing, uh, the Pandemic 11.
This was our sixth installment of this. We've been doing this survey for quite some time, so year to year, what we actually do is we will compile a list of what the industry sees with the working group on the top threats, the risk that we're seeing, any breaches that have happened, and, uh, what was the factor behind that. So we compile a list of about 40 or 50 items, and then we scale that down for surveys. So what we do is we push a survey out, and the whole purpose behind the survey is to give you, the general community, a voice, and actually being able to say, yes, I agree that these should be ranked in this specific order. All of that culminates into this actually being created into a top threats document that businesses can utilize to find mitigations, techniques, business impacts, which I will actually show you on one of the next slides.

This is an expert-driven series. Our members and volunteers in this working group are some of the best minds in the business. They work at Fortune 500s, they're dealing with risks day to day. So when you take a look at this Top Threats to Cloud Computing, I suggest everyone download this from the CSA website. It's something that you can take a look at from a novice perspective all the way to an expert, because there's going to be a little bit of something for everyone in this release. Now, these results are often the result of shared, on-demand nature of cloud, so everything that we report in here as far as a threat or a risk is something that has been seen in a cloud instance over the last, I would say, two years. So we do this annually, but we've backed it to about two years. This specific one covered all of the pandemic. It was crazy times. We saw such a massive shift to cloud that we had some new findings, which I'll show you on the next slide.

So as you can see, these were the 11 that we came up with. Like I said, you start with 40 on the survey. We had 11 that were so narrowly gapped in percentages, that's, that's where the cutoff is. A lot of people ask me, well, how do
you find 11? It's been 11 the last two times, uh, it's been 12 on one of them. What we do is we find the deviation for that percentage. So 11 to 12, that was a massive gap, that we said, well, okay, so people probably aren't identifying with number 12 and on, so we'll just keep that tightly knit group to the 11. Um, and funny enough, the number one, uh, so identity and access management, basically privileged accounts, that is the number one top threat or risk that enterprises have seen over the last two years during the pandemic. Now, funny enough, pre-pandemic that was actually number four on the list. Not many people