fwd:cloudsec Europe 2024
Call for Participation (CFP)
Overview
fwd:cloudsec is making its first foray into Europe, in Brussels on 17th September 2024. We’ll be taking the same approach and ethos as the fwd:cloudsec North America events - an independent, practitioner-focused event covering the realities on the ground. We want to hear the results of novel research, new problems on the bleeding edge, new angles on unsolved problems, and experience gained the hard way trying to wrangle the sharp edges of cloud security. For this event, we’ll consider security-focused content on both public cloud infrastructure providers, such as AWS, Azure, Google Cloud etc, and cloud native technologies such as Kubernetes.
Topics and Themes
This year for fwd:cloudsec Europe, we’re running a defenders & breakers theme, to cover both the defensive and offensive sides of the security coin. We’re also interested in more European-focused topics. This could include things like the effect EU-specific regulations are having on cloud security in the European technology sphere, or the challenges of managing the varying adoption rates and maturity levels across the nations of Europe.
Defending the Cloud
The cloud providers and the software stacks offer a wide variety of tools and controls for organizations to use to ensure the security of their cloud workloads. These are often far from straightforward in practice, and even where they are, wrangling them at scale in a large, complex organization brings all kinds of challenges. That’s before we introduce the complexities of defending a large cloud estate against modern, sophisticated attackers. While much of this has been discussed at length in the Well Architected Frameworks and various other standards, we’re looking for fresh perspectives, new approaches, and lessons learned out in the real world. In this category, we’re interested in talks on topics such as:
- Real-world experiences and hard-learned lessons of architecting and engineering securely in fast-moving cloud environments
- Novel, engineering-focused and business-enabling approaches to governance and risk management for organizations moving at speed in the cloud
- Practical advice from real-world experience on defining and implementing Identity and Access Management, just-in-time administrative access and other identity-related topics
- Up-to-date threat intelligence focused on cloud and cloud-native workloads, or approaches to gathering, working with/using and sharing such threat intelligence
- Lessons from the trenches on security monitoring, threat hunting and attack detection on cloud-native workloads
- Case studies on incident response in the cloud, and new techniques and novel approaches
Breaking the Cloud
As much as the cloud providers do their best to build hardened and secure platforms and systems for us to operate within, there are a lot of sharp edges, both in how engineers implement on their systems and in the underlying provider tech itself. In this category, we’re looking for new research and hard-won experience covering what can go wrong, the hidden edge cases, and the ways an attacker might use and abuse cloud systems to effect an attack against an organization. This includes content on topics such as:
- Vulnerability research into cloud and cloud-native systems
- Cloud security control bypasses and “insecure-by-default” discoveries
- Cloud and cloud-native logging and monitoring failures, bypasses and detection avoidance techniques
- Cloud attack surface mapping and reconnaissance, identifying and exploiting publicly exposed resources in novel ways and so on
- Penetration testing and red teaming approaches, lessons learned and war stories focused on modern, fast-moving cloud and cloud-native estates
… And the Rest
If you’ve got interesting cloud security content that you don’t feel fits either track particularly well, don’t worry - put it in anyway, and pick whichever track tickles your fancy. The review board will consider it on its merits just as any other submission.
We’re also open to birds-of-a-feather style discussion sessions, as the US conference has previously hosted. As has been done in previous years in the US, we want you to run these sessions off-camera/off-stream and “Chatham House rule” style. For these, submitters are expected to facilitate the discussion with a few talking points and maybe a short five-minute presentation, while encouraging everyone in the room to speak up with the understanding that any opinions or notes shared will not be attached to the name (or organization) that shared them.
Who Should Submit
As a conference specifically focused on the independent cloud practitioner community, we’re particularly interested in presentations that don’t fit neatly into the main tracks of other cloud conferences.
We’re looking for talks from any practitioner who is responsible for securing a cloud service or service provider. The definition of “practitioner” here is deliberately vague - and definitely encompasses more than just “engineer” or “security consultant”. If you’re involved in cloud security, at any level from deep in the technical trenches up to cloud security grand strategy, we’re interested in what you have to say. The program committee specifically encourages new speakers, or those who’ve never spoken at a significant conference before, to submit; some of our most memorable hallway conversations come from bringing together speakers of different backgrounds and experience levels. As a result, we reserve time during reviews to provide feedback, and to develop and highlight the work of others.
Conference Format
Most talks are expected to be 20-minute talks on a single topic. It has been our experience that 20 minutes is enough time to deliver a focused talk to other experienced practitioners on most topics. There are a very limited number of 40-minute slots available for more in-depth discussions. If you’d like to propose a 40-minute talk, please be sure to include a clear justification of what would merit the additional time.
We keep fwd:cloudsec small and approachable to encourage attendees to interact in real-time. We’re looking for talks that inspire others to ask questions and build together. We expect that presenters will be able to attend the conference to deliver their content in-person. As with fwd:cloudsec North America, we will be live-streaming the sessions and hosts will be soliciting questions from the in-person audience, Cloud Security Forum Slack and social media in real-time.
What Not to Submit
All experience levels are welcome, but fwd:cloudsec attendees will typically have a fair amount of hands-on experience with cloud engineering and security. Introductory-level talks on broadly-deployed technologies, vendor presentations, or purely theoretical architecture talks will not be accepted and may not even be referred to the whole team for review.
Content that is not focused on the security of public cloud or cloud native workloads will also not be accepted. This includes general content on the use and operation of the various cloud providers or Kubernetes, or security content focused on other topics, such as web application or API security.
As a smaller conference, we’re particularly looking for talks that spark discussion, challenges and hallway exchanges — not just lectures expected to be taken as gospel.
Speakers and reviewers are expected to disclose conflicts of interest - if research was paid for by a particular vendor, that’s not disqualifying but the chairs would like to know to ensure we stay neutral.
We want you to be selective in what you submit, so we are putting a few restrictions in place:
- Any author may only submit up to two talks. If you submit more than two talks, all of them will be rejected. Where multiple authors are speaking together, an author may be listed on only two talks or all of their talks may be rejected. If you want community feedback on half-formed ideas before submitting: many prior year attendees, speakers and review team members are still active in the #fwdcloudsec channel in the Cloud Security Forum Slack.
- Talks must be submitted by the author / speaker, and not by PR agencies or marketing teams on the speaker’s behalf.
Diverse and First-Time Speakers
We especially encourage first-time speakers and those who are part of under-represented minorities in the security industry (by gender, race, background or other circumstance) to present at fwd:cloudsec. First pass reviews by our committee members are performed blind (without author information attached), though as we approach final selections we strive to build a balanced program and are proud to have a review committee comprised of many different backgrounds.
If you’re new to the industry and/or a novice speaker, and have never spoken at a major conference before, we’re especially interested in hearing from you and want to help you find the best fit talks. If you submit by the 3rd of May, we’ll share review committee feedback in depth and provide you a point of contact on the review committee who can offer suggestions to hone your talk for the fwd:cloudsec audience. Please do not select this box if you’re an industry veteran with years of experience - we appreciate that everyone would like feedback on their submissions, and we’d love to provide it, but the review board is time limited and we’d like to focus our feedback efforts where it’s most needed.
While all talks are to be presented in English, we are aware that not everyone is a native speaker. The review board will do their best to take that into consideration when we assess submissions.
Disclosure Policy
We support responsible disclosure. As an independent conference, that does not mean giving vendors a veto over all possible presentation topics. Submitters should inform vendors of any discovered vulnerability as early as possible to give them a chance to patch the issue, and we won’t accept any talks that have not made good-faith efforts to work through their vulnerability disclosure processes.
Beyond that - we admire the work Project Zero has done here: 90 days from notification is generally a reasonable time to patch an issue, plus 30 days to coordinate disclosure. After that time has elapsed, it may be more important to let the public know than to continue to keep the issue under wraps. If you still have disagreements as to whether a vulnerability should be presented, let’s talk through options.
How to Submit
Most talks are expected to be 20-minute lightning talks on a single topic. There are a limited number of 40-minute slots available, so when proposing a 40-minute talk, please be sure to include an agenda that explains how you will use the additional time.
Submissions must include:
- Speaker name(s) and contact information
- Presentation title
- Preferred talk length - 20-minute or 40-minute
- Abstract (will be shown on the schedule); please do not include identifying information
- Speaker bio(s), limited to 100 words
- A detailed description of the talk: explain what you are presenting, and how you intend to cover the topic. Do you intend to include a demo or release code? Here is a good place to include that information.
- How can the audience benefit from watching your talk live? Will there be Q&A, live demos, etc.?
- Other venues where this talk has been presented or submitted
- Any special presentation facilities that may be required (aside from power, projector, sound and Internet connectivity)
- Any objections to having your talk recorded for future open access
- If your topic relates to a tool or code you’ve written, is that tool or code open-source, or will it be made open-source by the end of the conference?
Timeline
- April 1st - Call for Participants opens.
- May 5th - ROUND ONE SUBMISSIONS CLOSE at 23:59 Central European Summer Time (GMT+2)
- May 17th - Participants who submit by the Round One deadline will hear back from the program committee. First time speakers who requested feedback and meet the submission criteria will receive feedback on how to improve during the second round.
- June 28th - FINAL ROUND SUBMISSIONS CLOSE at 23:59 Central European Summer Time (GMT+2)
- July 12th - Final acceptance, alternate and rejection notices are sent out
- July 19th - Speakers must confirm attendance and hotel benefits (if applicable) by this date
- July 26th - Schedule published to https://fwdcloudsec.org/
- September 17th - fwd:cloudsec Europe 2024 held in Brussels, Belgium and virtually
Submit your proposal
Proposals can be submitted via Pretalx.