1st Security Practitioners Conference
February 4-5 2009, San Diego, CA

Objective of Meeting

This inaugural event featured plenary presentations and a focus track session presented by industry experts. The theme for Day 1 was Securing Services in the Cloud, while Day 2 included a number of presentations on hot topics in the information security world, all of which have associated activities underway in our Open Group Security Program. The SPC was preceded by a one-day special conference on Enterprise Cloud Computing, which provided a good introduction to the "cloud" theme of our Wednesday SPC, on a variety of security topics including security architecture, secure software development, and audit and logging.

A distinguishing feature of our Security Practitioners Conferences is "focus sessions" in which we explore key topics in information security in-depth. These sessions utilize a use-case format to explore security issues at a deeper level. Attendees have plenty of opportunity to provide input, and requirements are expected to be developed that can help shape the future of information security.

In San Diego, attendees participated in a focus session exploring Cloud Computing Security.

Summary

Day 1 began with a keynote presentation on the Jericho Forum's new direction - "securing enterprise collaboration in the cloud". This was followed by presentations from experienced security practitioners on securing services and storage in the cloud, and business inhibitors to adoption of cloud computing. The "focus session" which followed addressed how major cloud services suppliers provide secure services today, and how their security measures are continuing to evolve to meet the high expectations of their rapidly increasing numbers of customers. This focus session concluded with a panel session in which the services suppliers answered challenging questions and comments from the audience, in a refreshingly welcome open spirit.

Day 2 provided presentations on hot topics in the information security world, including identity management, risk management, secure coding, securing Web 2.0 for the enterprise, audit & logging, compliance and how it can be automated, and securing SOA. All of these topics have associated activities underway in our Open Group Security program.

The presentations can be accessed from the links below under separate daily headings:

• Wednesday February 4 2009
• Thursday February 5 2009

The presentations referenced below are freely available only to members of The Open Group and conference attendees.

Wednesday February 4 2009

Plenary: Security Practitioners Conference

• Introduction
  Allen Brown, President & CEO, The Open Group
• Keynote
  Steve Whitlock, Jericho Forum Board of Management
• Securing Services in Clouds
  Steve Hanna, Distinguished Engineer, Juniper Networks
• Securing Stored Data in Clouds
  Cyril Guyot, Senior Engineer, Hitachi Global Storage Technologies
• Security Issues Inhibiting Adoption of Cloud Services in the Enterprise
  Kristin Lovejoy, Executive, Corporate Governance, Risk, Compliance, & Security Strategies, IBM

Focus Session: Securing Services in Clouds

• Cloud Computing Security Issues
  Chenxi Wang, Senior Analyst, Forrester Research
• Securing Services in the Cloud
  Peter Coffee, Salesforce.com
• Ensuring Security for an Enterprise Cloud-based Managed Security Service
  Wolfgang Kandek, Chief Technical Officer, Qualys
• Cloud Security Processes and Practices
  Jinesh Varia, Amazon Web Services
• PANEL DISCUSSION: Cloud Security Issues
  Moderated by Eric Maiwald, VP & Research Director, Security & Risk Management Strategies, Burton Group

Thursday February 5 2009

Plenary: Security Practitioners Conference

• Identity Management in Clouds
  Darren Platt, Chief Technical Officer, Symplified
• Security and Virtualization
  Michael Williams, Information Systems Architect, HP
• Visualization of Risk
  Alexander Ernst, Technische Universität München
• Secure Coding Standards
  Robert Seacord, Senior Vulnerability Analyst, CERT

Conference Sessions

• Web 2.0 Security
  David Lavenda, Worklight
• Automated Compliance Expert Standard
  Shawn Mullen, IBM
• Common Event Reporting Standard
  David Corlette, GRC Solution Architect, Novell
• Stop Wasting Money on Regulatory Compliance
  Jeromie Jackson, Comsec Inc.
• Understanding the Role of Security in SOA and Cloud Computing
  Nikhil Kumar, Applied Technology Solutions, Inc.

Outputs

The presentations and panel sessions were delivered by security professional practitioners from both vendor and customer organizations, and provided experience-based insights into the approaches and methods that are currently in use and under development in the information security industry.

The presentations, tutorials, and workshops at the meeting, and the associated discussions and panel sessions, all provided participants with a wealth of experience-based insight into current best practice in security, from leading experts and practitioners around the world.

Next Steps

The next Security Practitioners' Conference will be held in London, April 27-29, 2009, where the theme will be "Identity Management in the Cloud".

If you are interested in presenting at a future conference, then please submit a Presentation Proposal.

Links

• More about The Open Group Security Forum