
fwd:cloudsec is back once more, visiting sunny Anaheim for practitioner-led discussions about The Cloud, what it all means in 2023, and how to operate it safely.
Our main theme for this year is “Blurring Lines” - alongside the usual practical, in-depth discussions about wrangling the technology cloud providers give us, we’re especially interested in talks that show how we’re navigating the changing boundaries in our cloud environments - and the evolution in “shared responsibility” as a result. Are we getting better at telling what’s inside & outside “our” systems? How are we navigating our responsibilities toward “infrastructure,” “platform” and higher X-as-a-services? Are there new security boundaries we need to consider? Impedance mismatches between cloud providers? Concepts that used to be simple but which now have hidden depth? Changes in the role of “cloud security” and “cloud engineering” that we need to adapt to?
As a side conference, and one specifically focused on the needs of the independent cloud practitioner community, we’re particularly interested in presentations that don’t fit neatly into the main tracks of other cloud conferences.
We’re looking for talks from any practitioner who is responsible for securing a cloud service or service provider. The definition of “practitioner” here is deliberately vague - and definitely encompasses more than just “engineer”. The program committee specifically encourages new speakers, or those who’ve never spoken at a national conference before, to submit: some of our most memorable hallway conversations come from bringing together speakers of different backgrounds and experience levels, so we reserve time during reviews to provide feedback, develop and highlight the work of others. For more, see details below.
To help encourage participation, fwd:cloudsec has set aside several hotel rooms for speakers who will be covering their own travel. These rooms will be available from Sunday night through Wednesday night to speakers whose employers are not covering their travel.
We keep fwd:cloudsec small and approachable to encourage attendees to interact in real-time. We have a strong preference for talks that can be presented live in Anaheim. In either case, we’re looking for talks that inspire others to ask questions and build together. As in previous years, we will be live-streaming the sessions and hosts will be soliciting questions from the in-person audience, Cloud Security Forum Slack and social media in real-time.
This year, we’re looking for contributions loosely grouped into the following themes:
We want to see your tools, war stories and hands-on techniques for dealing with the blurred lines between “inside and outside” our environment.
Share your unexpected IAM edge cases and architecture diagrams for defining network edges in a world of shared subnets and vendor-defined wormholes. Show us surprising TTPs & IoCs; stories of pulled vulnerability threads that unraveled security boundaries you thought were strong; and asset management and discovery practices your organization has put in place to define and secure “your stuff” in actionable ways.
In 2023 it’s rare to find a cloud team that relies only on raw networking, storage and compute abstractions. We’ve had 15 years to get to understand those primitives - but now we all rely on a raft of higher-order services to build products: cross-cloud infrastructure abstractions and development kits; edge compute services that package new types of containers into bespoke “workers”; CI/CD tools that have broad access to infrastructure being used as generic job runners; or platform-as-a-service tools that (surprise!) expose a hidden control plane.
CloudNativeCon may have your Kubernetes content covered - but we want you to share the rest of the story: your experience working with development teams - who want to pick the tools that best map to their project domain - to secure systems that don’t fit neatly into the “infrastructure” vs “appsec” boundaries of the past; practical guidance for creating visibility and clarity across broad, heterogeneous environments.
The “CSPM” category protects the control plane; the “DLP” category protects data wherever it’s stored. Network protection technologies are used for cloud & on-premise. That should be enough, right (they said, sarcastically)?
Share stories of new focus points you’ve found - ways to guardrail or break the environment at a point in the stack not always covered by cloud infrastructure teams. Maybe you gave them fun names, like “mesh” or “gateway” (in the services layer), “vault” (for special sauce or secrets), or “policy framework” (for OSI Layer 8 protections).
Some of the best conversations at fwd:cloudsec aren’t entirely technical in nature: they include commercial considerations, organizational politics and off-the-record collaboration that helps amplify messages we want to send to cloud providers.
Suggest ideas for these kinds of topics, and we’ll be reserving space for them during the event - as we’ve done the past few years, we want you to run these sessions off-camera/off-stream and “Chatham House rule” style. Submitters are expected to facilitate the discussion with a few talking points and maybe a short five-minute presentation, but encouraging everyone in the room to speak up with the understanding that any opinions or notes shared will not be attached to the name (or organization) that shared them.
Your talk doesn’t have to fit strictly into one of the above tracks. We’re seeking innovative ideas along with new topics and tools - these themes are there to help spark ideas and guide us toward the reviewers most passionate about different kinds of problems.
Defensive and offensive talks are welcome - even better if they’re a blend of both; noting that we’re supporters of responsible disclosure - if you’re looking for a place to announce an interesting vulnerability result, the fwd:cloudsec attendees would love to hear it provided you’ve brought it to the attention of the group that built the product first. If the submission describes, or otherwise takes advantage of, newly identified vulnerabilities, the authors should disclose these vulnerabilities to the vendors/maintainers of affected software or hardware systems prior to the CFP deadline. When disclosure is necessary, authors should include a statement within their submission or final paper about steps taken to fulfill the goal of the disclosure.
All experience levels are welcome, but fwd:cloudsec attendees will typically have a fair amount of hands-on experience with cloud engineering and security. Introductory-level talks on broadly-deployed technologies, vendor presentations, or purely theoretical architecture talks will not be accepted and may not even be referred to the whole team for review.
As a smaller conference, we’re particularly looking for talks that spark discussion, challenges and hallway exchanges — not just lectures expected to be taken as gospel.
Speakers and reviewers are expected to disclose conflicts of interest - if research was paid for by a particular vendor, that’s not disqualifying but the chairs would like to know to ensure we stay neutral.
We want you to be selective in what you submit, so we are putting a few restrictions in place this year:
We especially encourage first-time speakers, women, and members of other groups less represented at security conferences to present at fwd:cloudsec - first pass reviews by our committee members are performed blind (without author information attached), though as we approach final selections we strive to build a balanced program and are proud to have a review committee comprised of many different backgrounds.
If you’ve never spoken at a national conference before (something where most attendees do not live within a day’s drive), we’re especially interested in hearing from you and want to help you find the best fit talks. If you submit by March 24th, we’ll share review committee feedback in depth and provide you a point of contact on the review committee who can offer suggestions to hone your talk for the fwd:cloudsec audience.
Most talks are expected to be 20-minute lightning talks on a single topic. There are a limited number of 40-minute slots available, so when proposing a 40-minute talk, please be sure to include an agenda that explains how you will use the additional time.
Submissions must include:
Proposals can be submitted via PreTalx.