My name is Rick Smith, and we are here to talk about Cloud Security. This is the first course in the University of Minnesota's four-part Cloud Security specialization.
To get started, let's see what cybersecurity is about. First of all, we're proactive. We try to stop problems before they occur. Effective security controls balance efficiency with safety. They block attacks, and ideally, they don't get in the way of real work. We also plan for trouble. We know security controls will fail. Some organizations try to combine their compliance and security operations. While it's true that they have overlapping requirements, they pursue different goals. It's easy to be compliant without being secure, and vice versa.
Twenty-five years ago, I was hired to build security software for the US Department of Defense. Some of us thought we could build a truly secure computer. We were wrong. But I've been working in cybersecurity ever since. It's fascinating if complicated. I've written three books to help understand it. While we can't make our security 100 percent foolproof, we can make the bad guys work harder for less benefit.
Sometimes we have to stop people like Ron Joyce. Ron used to be the top hacker at the National Security Agency. Let him explain why the NSA can break into your network. "If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. So why are we successful? We put the time in to know that network. We put the time in to know it better than the people who designed it, and the people who are securing it."
Does that sound easy? It shouldn't. In a connected country, a typical employee owns three Internet-capable devices. They all end up on the company network. What if there are 16 employees? A lot of devices end up on the network. The problem goes beyond portable devices.
Employees can buy their very own routers and switches at the local electronics store, and it's easy to install such things on your network, which makes it really hard to know your own network. Neither the NSA nor the CIA are safe from hackers.
We start this course with a deceptively simple insecure web service, addressing the problems arising as we improve it. The improvements take us through a series of architectural steps. Each step makes strategic choices that both improve functionality and open security vulnerabilities. In response, each step introduces essential security measures. As we work through these scenarios, we look at relevant security scenarios, the vulnerabilities behind them, and how we assess the properties of those vulnerabilities. Fortunately, there are a lot of incidents to choose from.
This course has four overall learning objectives: design and secure a simple Cloud service, establish roles for a service, assess the risks embodied in recent vulnerabilities, and apply basic security techniques.
In addition to the inevitable multiple-choice quizzes, you'll construct three types of cloud-related documents. The service outline describes an online service in terms of what it does, who uses it, who provides it, and the impact of security failures. In the vulnerability assessment, you assign a standard set of characteristics to a chosen vulnerability and justify your choices. In the basic security plan, you create a high-level design of a Cloud Service and describe the security measures it requires.
To receive a certificate for this course, you must earn at least 80 percent on the measured assessments. There are two types of assessments, the online quizzes and the peer review documents. Unlike peer reviewing in many courses, the documents you need to review and assess will be solving different problems from yours. The peer review should be a learning experience. If you miss the mark on a quiz, you may always take it over.
To repeat a peer review assignment, you need to register for the next session. Coursera will automatically save and transfer all the grades you've made so far and all of the assessments you've successfully completed, and you only need to retake the ones that you'd need to.
This course is the first one in the Cloud Security specialization. The remaining three classes challenge you to solve problems using vendor-specific Cloud service documents. Welcome to Cloud Security Basics.