The document summarizes the highlights of the CSA conference held in Orlando in November 2010. It includes the agenda with presentations on topics like CCSK certification, the Technology Showcase Wiki, security management in the cloud, and OWASP top 10 security risks. It also provides information about the Cloud Security Alliance (CSA) such as its objectives to promote research and awareness. The conference had hundreds of participants from around the world and insightful keynotes. There was significant interest from vendors, clients, and regulators in cloud security. Quantum Datum presented an information-centric approach to cloud security based on quantum mechanics principles.

1. Highlights of the CSA Conference
Orlando, Nov. 2010
Guy
Alfassi
Alfa
Consul.ng

2. Agenda
• 14:00 Registration, networking and general chaos
• 14:20 Highlights of the CSA event in Orlando - Guy Alfassi, General Manager,
Alfa Consulting
• 14:40 CCSK - Ariel Litvin, Technology Innovation Leader, PWC
• 14:50 The Technology Showcase Wiki - Iftach Amit, VP Business
Development, Security Art
• 15:00 Security management to, for, and from the cloud - Oded Tsur, Senior
Solution Strategist, CA
• 15:30 Short break
• 15:50 OWASP Israel & Introduction to OWASP Top 10- Ofer Maor, CTO -
Hacktics & Chairman - OWASP Israel
• 16:20 Practical Enterprise use cases of data protection in the cloud - Guy
Bejerano, Chief Security Officer, LivePerson
• 16:50 Virtual Private SaaS - the solution to data privacy and data compliance
issues in SaaS - Dr. David Movshovitz, CTO, Navajo Systems

3. About CSA
Formed in 2008 as a non-profit organization.
Objectives:
• Promote a common level of understanding
• Promote research
• Awareness
• Create consensus lists and guidance.

4. CSA Members

5. CSA Research
• Cloud Control Matrix
• Top threats to Cloud Computing
• Guidance for Identity and Access Management
• Application Security Whitepaper

6. How to get there
http://cloudsecurityalliance.org/
Managed through a LinkedIn group:
Cloud Security Alliance
http://www.linkedin.com/groups?
mostPopular=&gid=1864210

7. CSA Israel
• An Israeli chapter of the CSA, formalized in June 2010.
• Our focus:
– Cloud Security technology innovations
– localization of Cloud Security best practices
– LinkedIn group:
http://www.linkedin.com/groups?
mostPopular=&gid=3050440
Join CSA at
http://cloudsecurityalliance.org/Membership.html ,
And then request to join our chapter.

8. About the conference
First independent global event for CSA
2 days, 4 tracks , 32 presentations, 4 keynotes
Hundreds of participants from all over the world

9. About the conference
Keynotes were very insightful
and surprisingly not
own-company-oriented.

10. About the conference
• General impression: Vendors, clients and
regulators are highly interested in cloud
security.
• Some might actually try it sometime.

11. FedRAMP
• Federal Risk and Authorization
Management Program
• Providing a standard approach to Assessing
and Authorizing (A&A) cloud computing
services and products.

12. FedRAMP – Applicability to Israel
• The standard itself does not apply here.
• The need for such a standard exists.
• A call to action to government / the private
sector :
Let’s do our own version / adopt FedRamp !

13. Quantum Datum
Information Centric Security for Cloud
Computing
Rich Mogull, Securossis

14. Quantum Datum
• An analogy between quantum mechanics
and cloud computing
• Quantum: The minimum unit of a physical
entity.
• Datum: the singular form of Data. A single
piece of information.

15. Quantum Mechanics
• Quantum mechanics looks at the particle,
and tries to explain its behavior.
• Wave- Particle duality
• The uncertainty principle: Heisenberg
principle

16. Why is this relevant?
• The perimeter shrinks to the size of a datum.
• Datum can be in multiple places at the same
time, and have different security levels.
• A breach for one instance of the datum affects
other instances.
• Leakage can occur even when the probability is
low.

17. What can we do?
• Use data labeling.
• Use data encryption according to security
needs.
• Implement DLP and DRM in our
architecture.