Summit Sessions

Summit Sessions are moderated sets of sessions within the conference where a select group of experts engage in open forums, brief presentations and debates on a variety of "hot button" topics—diversity of opinion guaranteed.

You'll come away with a fuller understanding of the issues and how they affect your organization, allowing you to draw your own conclusions and action plan.

Monday

Virtualization:

While virtualization's greatest security benefit is how it enables resource isolation (i.e. putting each egg in its own basket), virtualization's greatest security risk is how it enables resource consolidation (i.e. putting too many eggs in one basket). While virtualization saves money on hardware and operational costs, a virtual environment could cost more to secure. Discover and discuss the truth about: the costs of running and securing a virtual environment; the risks of VM sprawl, VMotioning, and virtualization-based malware; the need for optimized security tools; and the ways to use virtualization as a security tool.

Identity 2.0:

Does adding an "identity metasystem" to the Internet create a framework for accountability that deters online crime? If that seems possible, then which of the several "user-centric" options (things like OpenID, InfoCards, and Higgins) is the roadmap? Even if Microsoft's version of InfoCards (CardSpace) becomes the de facto Internet identity management tool, should enterprise network architects reject it and its notion of connecting to the broader world? In short: learn how to tie your enterprise identity management system to other organizations and, if warranted, how to interoperate with next-generation identity management schemes.

Data Security:

To prevent one's organization from experiencing the next disastrous, high-profile data breach, security professionals must strategize the entire data lifecycle: monitoring, limiting and logging when, how, by whom, and on what device data is created, stored, accessed, copied, transmitted, outsourced and destroyed. This series of sessions will discuss whether or not an off-the-shelf Data Loss Prevention (DLP) solution is the right answer. Learn more about how best to monitor a document's chain of custody. Learn how to develop a successful encryption strategy and discuss whether that strategy can be strengthened by new developments in key management and identity-based encryption methods.

SIEM:

It's hard to find anything objectionable in the idea of SIEM. Who wouldn't want a console that could aggregate and correlate the vast quantities of intrusion detection and other data generated by network security devices? But granted that it sounds good, what does it ultimately gain for you? In theory, it allows for more sophisticated correlation across multiple monitors, showing you stealth attacks and alerting managers to unfamiliar traffic patterns. How much are these systems capable of today and how much smarter can they become over the next few years?

Tuesday

Government:

Once again the government as a whole received a mediocre grade on information security, and several agencies failed for the third straight year. How much of the problem is with the agencies' security practices and how much of the problem is with the way the Federal Information Security Management Act (FISMA) measures and rates agencies' security? Do further standards and regulations (FDCC, HSPD-12, DoDAF) make the situation better or worse? We'll discuss how to balance compliance efforts and security efforts, and how to address now the emerging threats/technologies (like electronic voting, cyber terrorism and public municipal Wi-Fi networks) that may redefine government agencies' information security in the future.

Web 2.0:

Adopting Web 2.0 as the new, user-centric, service-oriented platform offers both irresistible business opportunities and undeniable security threats. Learn more about the security risks of Web 2.0 (including social networking, SaaS, Google Apps, cloud computing, etc.) and how to measure the security of your Web applications. Discuss how to embrace Web 2.0 now as securely as is currently possible, and how to effectively work with Web developers now to head off the Web security problems of the future.

Trusted Computing Summit

The purest vision of endpoint control begins with an embedded hardware TPM. But a clash of industry titans has erupted over the race to avoid using a TPM by using NAC, NAP, TCN, or whatever flavor you happen to fancy. Meanwhile, current generation computers have TPM chips onboard and this is the perfect venue where you can decide whether this matters to you. If a hardware TPM is where you're headed, what's the roadmap? If it's not, how good does endpoint management need to be to provide reasonable security? We expect some of the sharpest divergences of opinion to occur in this summit series.

Fate of the OS:

Windows Vista is arguably the most secure operating system ever, in part because it embraces now some of the more promising security tools of the future like Identity 2.0 and trusted computing. Yet Vista sales are dismal and XP users are rebelling against migration. Will enterprises that use Windows XP eventually migrate to Vista whether they like it or not? Will they wait until the following Windows OS? Or will they change over to Mac or Linux, making a non-Windows OS the new standard? Compare the next-gen operating systems (security, user-friendliness, scalability), debate the options and ask: what does the future hold for OS security?

Wednesday

Secure Design:

Much has been made of the need for programming practices that include security as a primary concern. But Secure Design encompasses more than just the programming (though that's certainly the source of an enormous number of vulnerabilities). It's equally important to think through the lifecycle of user identities, the recasting of core Internet protocols (such as DNS) in hardened versions, and tricky overlaps in user roles that create inadvertent escalations of privilege. How do we retune decision and design processes to make better security inherent?

Green IT:

How does an organization reduce its carbon footprint and go green? Travel less by swapping in-person meetings for social networking tools; reduce waste and pollution by reusing and recycling hardware; reduce energy consumption by consolidating data centers using virtualization technology. While social networking, virtualization, and hardware recycling are excellent methods for going green, they're also inherently, seriously insecure. In this summit both security professionals and green IT practitioners weigh in, and discuss how organizations can go green without scrapping security.

Control Systems:

Security professionals often polarize around the topic of control systems (SCADA)—the information systems that control physical systems like power grids and water treatment facilities. Are these systems truly the weakest link in the security of our critical infrastructure; or is that sort of talk merely fear-mongering? How do we best secure these systems? Hear from people on both sides about the "real" security threats facing control systems and decide for yourself.

Join the Mailing List

Sign up to keep updated on the latest news about CSI 2008.
