2017 CSA Summit

The fourth Cloud Security Alliance (CSA) Summit was held Monday, November 13, 2017 at the MTCC in Toronto as part of SecTor’s pre-conference activities.

Set to unravel the issues defining the future of cloud computing in Canada while discussing the changing face of global compliance regulations, the CSA Summit is an invaluable opportunity for cloud security professionals to network with peers and engage with and learn from industry leaders.

Built on a training platform like SecTor, The 2017 Summit featured keynote speakers, panel discussions and sponsored sessions. Lunch and light refreshments were provided. A successful onsite Networking Reception followed the event.

The Details

Date: Monday November 13, 2017.

Price: $60 ($35 with the purchase of a SecTor 2017 full conference pass).

Registration: To register for the 2017 CSA Summit visit sector.ca/register and add CSA Summit to your SecTor full conference or expo only conference registration.

SecTor 2017: Conference Sessions take place on Tuesday November 14 and Wednesday November 15, 2017. The full conference schedule will be released after the second-round speaker announcement in September.

Venue: SecTor and the CSA Summit will be held on Levels 700 and 800 in the South Building of the Metro Toronto Convention Center (MTCC) in downtown Toronto for. More information on how to get there is available at sector.ca/travel.



10:00 – 10:15 Welcome: Eric Swenson
10:15 – 11:00 Keynote #1: John DiMaria, “Evolution of privacy requirements: a global update”
11:00 – 11:45 Panel #1: “Shared Responsibility – what does it actually mean”
11:45 – 12:15 CSA Update: John Yeoh
12:15 – 13:15 Lunch and networking
13:15 – 14:00 Keynote #2: Rich Mogull, “Five-Ish Ways to Kick Traditional Security’s Ass with Cloud and DevOps”
14:00 – 14:30 Sponsor session: Scalar, Rene Heroux, “Automating Cloud Security”
14:30 – 15:00 Sponsor session: Centrify, Wade Tongen, “Privileged Access Security for Hybrid Cloud: Secure Amazon, Azure and Google Environments”
15:00 – 15:15 Afternoon Break
15:15 – 16:00 Panel #2: “Security response in a cloud world – where do I start?”
16:00 – 16:45 Keynote #3: Anil Karmel, “Best Practices to Secure Application Containers and Microservices”
16:45 – 17:00 Wrap-Up: Bruce Cowper
17:00 – 19:00 Networking Reception sponsored by Global Knowledge

Who is the Cloud Security Alliance?

The Cloud Security Alliance is a global member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing. Go to cloudsecurityalliance.org to find out more.


Speakers, Sessions, Bios

Below is the schedule for the 2017 CSA Summit. Expand each one to watch the session or click here for the full library of 2015, 2016 and 2017 CSA Summit sessions.

Whether you noticed or not, Privacy is very much back on the agenda globally. From the European General Data Protection Regulation (GDPR), to Qatar’s new personal data privacy law, and everything in between, when doing business globally, privacy is an increasingly important consideration. During this keynote, we will take you through the major changes around the world, delve in to GDPR and how it may impact you, and provide some predictions of upcoming trends. Closer to home, we will discuss the current privacy landscape in Canada and why PIPEDA’s “adequacy” remains the overwhelmingly relevant question, and what the Trump administration has recently changed.

John DiMariaJohn DiMaria – Global Product Champion for Information Security and Business Continuity, BSI Group

John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, is the Global Product Champion for Information Security and Business Continuity for BSI Group, a Cloud Security Alliance (CSA) Research Fellow, AMBCI and Certified Enterprise Resilience Practitioner. He has 30 years of successful experience in Standards and Management System Development, including Information Systems, ISMS, Business Continuity and Quality Assurance. John was one of the key innovators of CSA STAR Security Certification for cloud providers, a contributing author of the American Bar Association’s Cybersecurity Handbook and a working group member and key contributor to the NIST Cybersecurity Framework. He currently serves on international standards and industry committees that influence legislation and drive international harmonization.

John is an author and keynote speaker internationally, and featured in many publications concerning various topics regarding security, quality and business continuity. He is a Business Continuity Institute award winner and BSI Innovation award winner.


Most vendors talk about security in the cloud world as a “shared responsibility”, but what does it actually mean? Cloud providers all ask you to trust them, but how far… In this panel discussion we will look at where the cloud vendor’s security responsibility starts and ends, and how to get the assurances you need.

Dave MillierDave Millier (moderator) – CEO, UZADO

Dave Millier is a serial entrepreneur, off-road motorcycle rider and food lover. Dave has been involved in cybersecurity for almost 20 years. He founded the InfoSec company Sentry Metrics, one of Canada’s most successful MSSPs. After the sale of Sentry Metrics, Dave’s lifelong passion for reading led him to finally sit down and write his first book, Breached! In late 2014, Dave launched Uzado (http://www.uzado.com), a cloud-based InfoSec company focused on helping companies simplify cybersecurity by answering the questions “what now?” or “what next?” Dave is also the CSO of Quick Intelligence (https://www.quickintel.com), a boutique VAR and cybersecurity consulting company, and is the CEO of MIDAC Solutions (https://www.midac.ca), a Managed IT services provider focused on small to mid-size clients.


Mark GaudetMark Gaudet – Product and Business Develpment Manager, CIRA
Mark Gaudet is a product and business development manager at the Canadian Internet Registration Authority (CIRA). In this role, he leads CIRA’s DNS and domain name security product offerings that are complementary to its core .CA registration service. Mark holds a B.Sc. in Engineering Physics from Queens University and a Master of Business Administration from the University of Ottawa. Mark’s extensive experience in DNS management began as one of the founders of a start-up that developed NetID, one of the first enterprise DNS, DHCP and IP address management products. He also sits on the board of directors for the Halifax IXP.


Krishna NarayanaswamyKrishna Narayanaswamy – Co-Founder and Chief Scientist, Netskope
Krishna has over 25 years of experience in the areas of security and data networking and is an expert in deep packet inspection and behavioral anomaly detection technologies. Prior to Netskope, Krishna was a Distinguished Engineer in the Security business unit at Juniper Networks leading the NGFW architecture. Before that, he was a co-founder and system architect at Top Layer Networks where he was instrumental in delivering multiple products in the areas of security and load balancing to the market. He has also held senior engineering roles at FORE Systems and Digital Equipment Corporation. He has been awarded 20 patents covering a broad set of technologies and has a dozen more pending patent applications.


Peter CresswellPeter Cresswell – Trend Micro
Peter Cresswell has been working in IT and Security for over 25 years, joining Trend Micro seven years ago. Peter works with Trend Micro’s largest customers to help design and deliver reliable, secure infrastructure in support of their business goals. The past few years have seen a focus on taking advantage of virtual and abstracted (cloud) environments to achieve security objectives in new and dynamic ways. With Trend this has especially focused on the Canadian built Deep Security solution. Peter holds several security certifications including CISSP, ISSAP, CISA and CISM.


In this session John Yeoh will provide an update on the Cloud Security Alliance and their activities in Canada and across the globe.

John_YeohJohn Yeoh – CSA Global

With over 15 years of experience in research and technology, John provides executive-level leadership, relationship management, and strategy development. He is a published author, technologist, and researcher with areas of expertise in cybersecurity, cloud computing, information security, and next generation technology (IoT, Big Data, SecaaS, Quantum). John specializes in risk management, third party assessment, GRC, data protection, incident response, and business development within multiple industry sectors, including government. His thought leadership has been presented in SC Magazine, USA today, Information Week, and others.

John’s contributions continue with involvement in professional organizations such as CSA, IAPP, ISSA, ISC2, and ISACA. John sits on numerous technology committees in government and industry with the FCC, NIST, ISO, CSA, IEEE, and CIS.


Think cloud is less secure? Think DevOps is less compliant? Come to see yourself proven wrong. In this demo-laden session we will detail 5 (or more) specific examples where cloud and DevOps beat out traditional security approaches. We’ll microsegregate with accounts and SDN, build immutable infrastructure, upend patching and updating, automated security testing, manage with code, and more.

Rich MogullRich Mogull – Analyst & CEO, Securosis

Rich has twenty years experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he’s happy to speak for free – assuming travel is covered).

Prior to his technology career, Rich also worked as a security director for major events such as football games and concerts. He was a bouncer at the age of 19, weighing about 135 lbs (wet). Rich has worked or volunteered as a paramedic, firefighter, and ski patroller at a major resort (on a snowboard); and spent over a decade with Rocky Mountain Rescue. He currently serves as a responder on a federal disaster medicine and terrorism response team, where he mostly drives a truck and lifts heavy objects. He has a black belt, but does not play golf. Rich can be reached at rmogull (at) securosis (dot) com.


Join Rene Heroux, Chief Technology Officer – Cloud at Scalar Decisions, for a keynote discussing the importance of automating your cloud security architecture. As organizations migrate or deploy greenfield applications to public and private cloud environments, the need to properly secure these applications becomes more paramount than ever.

Rene HerouxRene Heroux – CTO, Scalar Decisions

As the Chief Technology Officer, Cloud at Scalar Decisions, Rene focuses on building Scalar’s Cloud practice to be the best in the industry. With 15+ years experience, he leads a team of highly skilled and respected Cloud SAs and DevOps Engineers at Scalar, all working to make sure Scalar’s customers are choosing the correct technologies and products in the Cloud space that will help them achieve their business goals and differentiate them in their prospective markets.


Organizations are increasingly moving workloads to hosted Infrastructure-as-a-Service (IaaS) environments. In many cases, they are extending their data centers across one or more IaaS providers, creating hybrid cloud environments. This session will explore best practices for extending data centers to hosted environments, and review how to secure privileged access to hosted infrastructure and virtual machines distributed across Amazon, Microsoft Azure and Google data centers.

Wade TongenWade Tongen – Regional Vice President, Systems Engineering, Centrify
I work with enterprise accounts in the western US, LATAM and in Canada to help them move to the next generation of identity. I do this with the help of a team of 10 dedicated system engineers to make this a reality for our customers. The new reality of our customers are that people need to work where they are and not at a specific location. Centrify helps our customers embrace the new world of identity as the new perimeter to resources. No matter if that resource is a device (Windows, Mac, IOS, or Android), or a SaaS application (O365, Google Apps, Salesforce, or SAML), internal applications (SAP or Apache), or providing least privileged access to Windows or *NIX servers in a datacenter Centrify provides the necessary access and controls. Centrify allows our customers to use a single identity to be granted just enough privilege to the device, application, or server to accomplish their job, but no more with accountability for the actions they have taken and the ability to require multi-factor authentication based on where they are when they need to get their job done.


The last thing you need in a crisis is uncertainty. However, when it comes to the cloud, how do you differentiate between an outage and a DDoS attack? When the brown smelly stuff hits the whirly thing, who do you call, and when? In this panel discussion, our experts will be providing tips and tricks on gaining insights in to the status of your cloud services, response best practices and planning techniques.

brian_bourneBrian Bourne (moderator) – Director and Co-Founder, Black Arts Illuminated
Brian has a passion for security and has been an active member of the IT security community for over 20 years. Being part of the IT community has always been important to Brian and his entrepreneurial spirit and industry experiences are what helped establish TASK and SecTor as part of Black Arts Illuminated.

When he’s not running conferences and events, Brian maintains his technical edge as Executive Vice President, Products, New Signature, a Microsoft National Solution Provider headquartered in Washington DC. In June 2015, New Signature acquired Microsoft technology consultancy CMS Consulting and cloud management service Infrastructure Guardian, two businesses Brian founded.

Brian also holds certifications including CISSP, MCITP, MCT and MVP status. When he’s not around a computer, you’ll find him out burning gasoline in a motorized vehicle, running a marathon or participating in a triathlon.

Kevin BellKen Bell – Deputy CISO, Forcepoint
Ken Bell is the Deputy Chief Information Security Officer for Forcepoint and is responsible for securing the company and sharing our key learning with customers. Ken has more than 24 years of information security and law enforcement experience. Ken specializes in computer and network forensics and has conducted hundreds of computer and network forensic investigations. Ken holds a Bachelor’s degree in Criminal Justice and Computer Information Systems, and a Master’s Degree in Information Assurance from Norwich University. In addition, Ken holds several indu
stry recognized certifications to include, CISM, CEH, and CFCE.


Sean SweeneySean Sweeney – Chief Security Advisor, Microsoft

Sean Sweeney serves as a Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group. Sean is both an experienced Chief Information Security Officer and Chief Information Officer, adept at managing enterprise cyber risk using people, process, and technology. Sean works with customers on cybersecurity strategy, how Microsoft sees the threat landscape, how we are investing in the future of security at Microsoft, and how organizations can take advantage Microsoft’s security solutions to help improve their security posture and reduce costs.

Sean joined Microsoft from the University of Pittsburgh where he was the Chief Information Security Officer. Prior to that, he was a CIO and co-founder of a Pittsburgh-based eDiscovery startup. He was the Director of Technology for a national law firm based in Pittsburgh, and Applications Manager and Trainer for the U.S. Department of Justice in Washington, D.C.


Jonathon PolingJonathon Poling – Principal Consultant, Incident Response & Forensics, SecureWorks

Jonathon Poling has over a decade of experience in Network Security Monitoring, Digital Forensics, and Incident Response. Serving in a variety of roles within the government, contractor, and private sectors, he has built and honed his DFIR expertise in all the major operating systems, most recently focusing on AWS. He is most at home on the *nix command line, performing the large majority of DFIR using solely FOSS tools.


Containers such as Docker and CoreOS Rkt deliver incredible capabilities to developers and operators and are powering the DevOps revolution in application development and deployment. Docker in particular has taken industry by storm, resulting in over 8 billion downloads and 500,000+ containerized applications in this open source platform. With all this new-found power comes significant challenges and concerns. Come learn how application containers and micro-services work via the definition published in the NIST publication SP 800-180, understand the security challenges leveraging this new approach, and best practices to address the same as documented in future NIST publications.

Anil KarmelAnil Karmel – Founder and CEO at C2 Labs, Inc.

Anil Karmel is the co-founder and CEO of C2 Labs, a company that partners with organizations on their journey, from designing and implementing IT Strategic Plans to allow IT to take back control leveraging our forward-leaning products and services to a deep specialization in Application Rationalization and Transformation (ART), leveraging Secure Development Operations (SecDevOps), cutting edge application architecture methodologies and a secure application container management platform in C2’s Intermodal Operations Navigator (ION). Formerly, Anil served as the National Nuclear Security Administration’s (NNSA) Deputy Chief Technology Officer. Within NNSA, Karmel served as the RightPath Chief Architect and Management and Operations (M&O) Implementation Lead for a range of enterprise information technology (IT) solutions including cloud computing, enterprise mobility, unified communications and enterprise wireless.

Karmel has been in the IT Industry for over fifteen years, working with various Fortune 500 companies and government in the areas of cloud, cybersecurity and collaboration. He and his team garnered industry and government accolades, including the SANS National Cyber Security Innovators Award for Cloud Security, InformationWeek 500 Top Government IT Innovators, ACT/IAC Excellence.gov Award and the DOE Secretary’s Achievement Award. His team at Los Alamos National Laboratory was named an ACT/IAC Excellence.gov Finalist two years running. Karmel is a internationally recognized speaker and has been featured at numerous IT conferences and webinars.

Anil serves as the co-chair of the National Institute of Standards and Technology (NIST) Cloud Security Working Group, currently leading the security working group to document best practices for application container and microservices security. He authored the NIST Definition of Application Containers and Microservices, SP 800-180 and co-chairs the Cloud Security Alliance’s (CSA) Application Container and Microservices Working Group documenting best practices for application containers and microservices.


2017 CSA Summit Sponsors











Global Knowledge

Sponsorship opportunities for the 2017 CSA Summit are now available. If you’re interested in becoming a sponsor, please email sponsorship@sector.ca.