Cloud INsecurity Summit

Avoiding the Top 10 Mistakes in Designing AWS Infrastructure and Applications

Cloud-based services are becoming increasingly attractive to organizations because they offer cost savings, flexibility, and increased operational efficiency. However, protecting systems, applications, and data in the cloud presents a new set of challenges for organizations to overcome. If done well, a cloud environment can be, in a very practical sense, more secure than its counterpart in a physical data center. If done poorly, the risks associated with this approach can often outweigh the benefits.

This Summit will bring together a unique combination of real-world user experiences and case studies with practical, technical training focused on specific approaches and skills for building a secure AWS-based environment, all in a single-day format.

Five Reasons you Can't Miss the Cloud INsecurity Summit

  1. Discover the ten most damaging mistakes large cloud users make (without knowing they are making mistakes) and approaches to fixing them. This is the only program where the 10 are being delineated.
  2. Hear real-world, first-person stories of errors and corrections from three of the nation's most experienced cloud architects.
  3. Learn from practitioners, rather than consultants or vendors trying to pitch services and software.
  4. Attend half-day courses as integral parts of the Summit, for more depth on key problem solving.
  5. Be part of the inaugural Cloud INsecurity Summit and participate in launching a SANS program destined to be as important to the security field as the SANS ICS Security Summits.

Cloud INsecurity Summit Speakers

Sessions will feature practitioners providing examples and case studies from their real-world experience of building out and scaling secure architectures at a diverse set of organizations.

Will Bengtson (@_muscles), Senior Security Engineer, Netflix

Will Bengtson is a senior security engineer at Netflix focused on securing the cloud as a member of the security operations and tooling team. He loves tackling hard problems that have high impact from both a success and failure standpoint. Prior to Netflix, Will led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years at a Department of Defense contractor. Will is highly active in the security community and is on the BSidesSF and Bay Area OWASP leadership teams. When not working, Will can be found working out, appreciating fine whiskey, or doing research/side projects.

Ben Hagen (@benhagen), Security Leader, Global Social Media Outlet

Ben Hagen is likely the only security professional in the world who has won both a presidential election and an Emmy. He loves security and both building and breaking things. Ben is currently the head of Corporate Information Security at Facebook and has been a Vice President/Principal Infrastructure Security Architect at Salesforce and led the Cloud Security Tools and Operations team at Netflix. During the 2012 US Presidential Election he was in charge of security for the Obama re-election campaign's technology program. Prior to this role, he was a Security Consultant with Neohapsis and Motorola, where he had to break into, and then help fix, the computer networks of lots of organizations. He has built lots of fun tools and systems, has held many impressive-sounding certifications, and enjoys pizza and cats.

Mark Hillick (@markofu), Head of Player Security, Riot Games

Mark leads Player Security at Riot Games, makers of League of Legends. Prior to moving to the US, Mark built and led Riot's InfoSec team in Europe. At Riot, he has done everything from building a team from scratch, engineering cool solutions, levelling up the security program, dealing with DDoS attacks and providing a secure cloud for Riot's developers. Before Riot, Mark worked in the financial industry, Citrix and MongoDB, architecting secure solutions and first coming across the cloud in early 2010. He has done numerous SANS courses and has held the GIAC GSE for several years. In his spare time, now that he lives somewhere with sun, Mark can usually be found in the water, on the slopes or struggling to keep up with his kids.

Thomas Vachon (@TomVachon), Principal Cloud Architect, Harvard University

Tom Vachon is a self-described "Cloud Gray Beard" who has been consuming and advocating the use of Public Cloud since 2008. He has a passion for both the technical as well as the cultural challenges resulting from enterprise use of the Cloud. Tom is currently the Principal Cloud Architect at Harvard University and has previously worked at SessionM, KAYAK.com, and other mid-sized enterprises. In his previous roles, he has architected numerous high-security, financially significant systems both on-premises and in the Cloud. Currently his focus is architecting multi-cloud solutions to provide equivalent controls and availability regardless of the workload's location. When he isn't working in the Cloud, he is flying near the clouds through his hobby of drone photography.

Stephen Woodrow, Security Engineering Manager, Lyft

Stephen works on infrastructure security engineering at Lyft. As Lyft's first security hire, he built out and led Lyft's security engineering team and program, and is now focused on supporting Lyft's growth with safe and scalable engineering practices. Prior to joining Lyft, Stephen was an early engineer at Stripe, where he worked on fraud and infrastructure and later co-founded Stripe's security team. He also spent time building research infrastructure for measuring Internet performance at Georgia Tech.

Limited seating for each Summit location. Register now as seats are filling up fast!

June 8th | Washington DC

June 11th | Austin, TX

Alumni of SANS cloud security courses and summits will save $700 off their Summit fee. Use discount code CloudAlumni at registration.

Summit Chair

Ben Hagen, Security Leader, Facebook

Summit Agenda

9:00 am
Keynote: AWS Lessons from the Field
Ben Hagen

9:30 am - 12:00 pm
Case Studies & Panel Discussions

12:00 - 1:00 pm

1:00 - 5:00 pm
Securing AWS Training Session

Note: Laptop required for the afternoon training session

Learn how to avoid the Top 10 AWS Security Risks

  1. Insecure use of developer credentials
  2. Publicly accessible S3 buckets
  3. Improper use of default configurations
    • Improper configurations
  4. Access controls do not follow principles of least privilege
    • Lack of MFA
    • Lack of conditions
  5. Misconfigured network constructs
    • Default behavior to allow all egress on an instance
  6. Lack of appropriate logging and monitoring
  7. Lack of inventory management
  8. Domain hijacking
  9. Lack of a disaster recovery plan
  10. Manual account configuration

Who Should Attend

  • Security personnel who are tasked with designing, implementing and supporting applications in an AWS environment
  • Network and systems administrators who need to understand how to architect, secure and maintain these same applications
  • Technical auditors and consultants who need to gain a deeper understanding of cloud computing and security concerns within AWS
  • Security and IT leaders who need to understand the risks of cloud computing in AWS and advise business management of the risks and various approaches involved