My name is Eric Smith and we're here to talk about Cloud Data Security. This is the second course in the University of Minnesota's four-part Cloud security specialization. We strongly recommend you take the first course, Cloud Security Basics before you start this one. Our security focuses on network services hosted by a company. In this course, company might be a private enterprise a non-profit association or a government bureau. These organizations, enterprises and so forth, all rely on distributed authority, responsibility, and ownership. Even a sole proprietor running their own company will outsource many tasks. Outsourcing is delegation, which distributes the owner's responsibilities to others. We are not looking directly at company applications, we're looking at the applications, underlying services. These enable the app to list products, collect them into an order for you and so on. Even when the company deals in physical products it stores no physical products on the Cloud. We represent them with data and implement them with data services. The company's Cloud services generally provide an application programming interface to use these services. A typical Cloud service provides flexible resources to quickly respond to customer needs. Let's look for a ball to purchase. The Cloud service contains data items to represent the vendors merchandise, including balls. The service search system was the product data in order to find all ball products and list them. To actually buy and receive a ball, the buyer creates a data item called an order. Modern delivery systems track packages, usually by scanning them every time they move from one place to another. Each scan creates a data item that is tied to its parcel. The buyer tracks the data on the balls delivery by retrieving those data items. Modern security consists of two interrelated parts. First, there's complying with standards and regulations. Then there's awareness of emerging threats so you can protect against them. Both of these place requirements on our security systems. Here are some external laws and regulations that we might need to comply with. We saw these briefly earlier in the specialization. When we talk about different kinds of data, we'll look closer at different laws and regulations. After we comply with our industry standards and legislative mandates, we have a lot of security measures deployed. Are we done yet? We often comply with standards by using a checklist. The checklist is created by a team of experts working for standards organizations. They assess cybersecurity risks and publish a list of defensive steps to take. What could possibly go wrong? Everything in technology gets old, even standards. We can't afford to replace standards every few months. The experts writing them try to anticipate evolving risks. But security risks arise organically and unpredictably. People who write standards can't magically predict the future. Every business decision depends on business objectives. Companies want to save money. If your strategy is to meet minimum standards, you might avoid liability for carelessness of a security measure fails. But the savings won't matter if the failure seriously damages your company. It can take years for the public to forget about a major data breach. Compliance measures fail when a new attack emerges, often from newly-found software flaws. Depending upon the industry, compliance measures might not address denial-of-service attacks, and these can seriously disrupt organizations. To keep ahead of security risks, we take these steps. First, we watch the security news for reports of recent attacks. Most attacks repeat earlier ones. Second, we looked at attack risks and identify the ones that might particularly hit our organization. If an attack is likely or if it's unlikely but catastrophic, we want to guard against it. In general terms, our data falls into four categories. The first two focus on the company's information assets, data whose damage or disclosure might injure the company itself. The second two involve information about the others we involve in our work. Sometimes they're companies and sometimes it's people. If we're careless with their information, it might not directly injure our company, but that might injure them. Modern privacy regulations affect how we manage this data. The rest of the course, we'll examine data and data protection in these terms. The classic way of protecting data is to physically lock it up. We put it somewhere that blocks access by untrustworthy people. In the computer world, software applies access controlled to regions of data storage. Cryptography lets us protect data when we can't rely on physical protection or software protection. Like other online courses, learners will watch instructional videos, read some materials, and answer quizzes. There are also research tasks that are graded using peer review. To receive a certificate for this course, you must earn at least 80 percent on the graded assessments. There are two types of graded assessments, the online quizzes and the peer review documents. Unlike peer reviewing in many courses, the documents you need to review and assess will often be solving different problems from yours. The peer review should also be a learning experience. If you miss the mark on a quiz, you may always take it over. To repeat a peer review assignment, you must register for the next session of the course. Coursera will automatically transfer assessments you've successfully completed and allow you to retake the ones you need. Welcome to Cloud data security.
