Ethan Troy
Principal @ Fortreum | Cloud Security Compliance and Automation
Orlando, Florida, United States
Ethan Troy is a Principal at Fortreum, where he bridges the gap between security compliance and engineering. He specializes in automating FedRAMP, NIST, and cloud-native controls across AWS, GCP, and Azure. Ethan’s work focuses on making audits less painful and compliance more scalable.
https://github.com/ethanolivertroy
Bootable Containers for Secure and Compliant 'Appliance' Operating Systems
Bootable containers (bootc), a CNCF Sandbox project, allow teams to define and ship entire operating systems as container images. The model extends ostree-style atomic updates with the familiar Containerfile build construct, which makes it compelling for security appliances and edge devices that benefit from atomic, transactional updates.
However, making appliance operating systems easy to build is only half the problem. For security-sensitive systems, how do you ensure they cannot jump off their defined release train? This requires hardening the build, release, and update cycle.
This talk demonstrates a hardening strategy for bootc-based Fedora appliances: CI that builds the image, hardens it against CIS benchmarks, and signs it with Sigstore cosign. On deployed systems, policy enforcement, SELinux lockdown, and enforced kernel arguments close attack surfaces — even against root. Attendees will learn to build and enforce a complete OS image trust chain using container tooling.
Developer-native compliance with OSCAL Compass and Backstage
No developer likes writing compliance documentation. Worse still is hand-collecting evidence with screenshots from production environments. This applies just as much to auditors as it does to developers! The dream is full compliance automation hidden from developers, but achieving this means enforcing a rigid development environment — one developers run away from.
Internal developer portals like Backstage template the "standard" approach so that good security posture becomes the path of least resistance, while allowing flexibility where justified. OSCAL Compass, a CNCF Sandbox project, extends this to compliance by providing machine-readable artifacts using the OSCAL standard.
This talk demonstrates how combining these two CNCF projects lets developers produce correct compliance artifacts without leaving their ecosystem. The speakers bring two perspectives: an automation-friendly compliance auditor, and a developer who wants to write less documentation.
GRC Engineering: Build Your Own Trust Center for Continuous Assurance
The traditional GRC model relies on "Point-in-Time" artifacts—static PDFs and annual audit reports that are obsolete the moment they are exported. In a cloud-native world, trust shouldn't have an expiration date.
This session dives into the discipline of GRC Engineering to show you how to Build Your Own Trust Center. We move beyond static documentation to explore how to build "Evidence Pipelines" that treat security claims as code. By pulling real-time signals from your infrastructure (IAM, encryption status, CI/CD gates), you can transform your security posture from a "snapshot" into a continuous stream of verifiable truth.
Attendees will learn:
The GRC Engineering Framework: Shifting from manual data collection to automated evidence pipelines.
Architecture of a Trust Center: How to map live technical signals to high-level compliance controls (SOC 2, ISO 27001, etc.).
Continuous vs. Point-in-Time: Methods for detecting "compliance drift" before your next audit cycle.
DIY Build Plan: A 90-day roadmap to move from static folders to a "Continuously True" trust model using your existing tech stack.
Attendees will leave with a practical blueprint for building a high-integrity Trust Center that reduces the "prove it" burden on engineering teams and provides a transparent, real-time view of business security impact.
GRC Engineering in the Cloud
A practical look at GRC Engineering through the lens of automation. Learn how to build and scale compliance checks across AWS, Azure, and GCP using open source tools, APIs, and scripting. Walk away with real examples you can use to modernize your cloud GRC workflows.
BSides Orlando 2025 Sessionize Event