With 60% of all corporate data now being stored in the cloud, companies face unique challenges that are amplified by insufficient cloud security expertise. To address industry needs in this critical area while also supporting students, UC Irvine’s Cybersecurity Policy & Research Institute (CPRI) and the Donald Bren School of Information and Computer Sciences (ICS) partnered with Southern California industry leaders to create a new course offering. A cloud security course was piloted last spring as part of UCI’s Master of Software Engineering (MSWE) program, providing highly employable skills to MSWE students.
“This course was two years in the making, and it was a real group effort between some of us at UCI and some industry colleagues who care about educating the next generation of software engineers,” says Chancellor’s Professor of Informatics Crista Lopes, who serves as MSWE director in ICS. “It has added a much-needed cloud security angle to MSWE’s curriculum, something that every software engineer needs to know.”
Computer Science Professor Ian Harris taught the course in spring 2023, focusing on fundamental cloud design and security principles. As Harris explains, the curriculum was motivated by discussions with Bryan Cunningham, executive director of CPRI. “He knows a lot of people from industry in security through the CPRI Advisory Committee, and one thing they said was, ‘look, we need to hire, and you’re a university … can you help us?’” The answer was yes, and the result is “SWE 267P: Cloud and Security Foundations.”
Supporting Industry Needs
“It’s not a secret that there’s something like 700,000 unfilled cybersecurity jobs right now,” says Cunningham, noting that one of CPRI’s original goals was to develop more curricula around cybersecurity. “The idea was to figure out, from an industry perspective, what would be the most important set of skills to teach students.”
Cunningham started having discussions with Shabnam Jalakian, senior vice president of security at First American Financial; Ryan Permeh of SYN Ventures (who was with BlackBerry at the time); and Allen Allison, senior delivery practice manager of ProServe Security at AWS.
“Students come in ill-prepared to hit the ground running,” says Jalakian, a UCI alumna who has been in the field of cybersecurity for more than a decade. “Bridging the gap requires providing some relevant domain knowledge that helps [students] immediately apply what they have learned. … The missing piece is marrying the real-life application of what they learn to the academic rigor that comes with a program.”
The group decided that focusing on the cloud could help close the gap. “We decided on this idea of cloud security architecture as a way to get a lot of the fundamental cybersecurity principles taught,” says Cunningham. After talking with Harris and Lopes, they settled on incorporating the course into the MSWE professional program as an elective (complementing the more general Software Security and Dependability course already offered).
Cloud and Security Foundations
SWE 267P: Cloud and Security Foundations covers topics such as cloud concepts and architectures, cloud security, data protection, privacy compliance and governance, and security by design. Interest was very strong, with 46 students enrolling in the new course (nearly 100% of the MSWE cohort). “The students liked it a lot,” says Harris. “This class was very hands on, with four big projects.” The first project involved password hacking, helping students better understand what they’re defending against.
“The password hacking assignment made so much sense because of its link to my work,” says MSWE student Paula Yamashita de Moura, a full stack developer at Rockley Photonics. “I was training my team on how to properly set passwords and why you shouldn’t share them, but I never realized how easy it is to crack passwords until I did the assignment.” Passing along her first-hand hacking experience boosted the legitimacy of the training she was providing to her team.
The academic-industry tie-in occurred for the second project as well, which focused on risk assessment. “I just kept seeing these everyday examples walking around my office,” says Moura. “I was talking to people, saying ‘I think we should do a risk assessment,’ because each assignment provided this knowledge and awareness.”
The third project was a more specific assessment of UCI cloud assets, while the final project involved attacking a web application, highlighting how an incorrect cloud services configuration can compromise data privacy. Grading was based on conversations with each student after each assignment. “We would talk one-on-one with them to ask about the work to make sure they had a solid understanding,” says Harris, noting that this was a time-consuming process for him and the teaching assistants.
“But this was a fun class to teach,” he says. “It was hard because it was the first time through, but I got a lot of enjoyment from the students’ enthusiasm. Especially when it’s part of the professional master’s program, they see the relevance of what they’re learning.”
For the offering next spring, Harris plans to regularly bring in guest speakers from industry to further enhance the curriculum’s real-world relevance.
“I can come in and I can talk about what large enterprises are looking to do to secure their environments, regardless of the underlying platform,” says Allen, a UCI alumnus with 25 years of security experience in both industry and government. “Being a part of the world’s largest cloud provider, I have a vested interest in ensuring that we get more of these skills out there.” Yet he also truly enjoys mentoring students. “I’m at that time in my career that I would love to spend more time helping others, especially younger security professionals.”
Allen adds that he could also talk about soft skills and provide insight into how the industry has evolved. “It doesn’t matter if it’s healthcare, retail, banking and finance, aerospace — you name it,” he says of the industry today. “There’s a significant component of cybersecurity in there.”
He further stresses the potential for new research projects for faculty. “I would love to see more research in cloud security,” he says. “If you think about the advancements that we’ve seen over the last 20–25 years in cryptography and key management and things along those lines, most of that advancement has really come from research in academia.”
The course is still in its infancy, but the wide variety of benefits is clear. “When people think of security, they think, ‘Oh God, hackers and blinking lights,’ whereas today it’s akin to locking your front door,” says Jalakian. “It’s better preparing people to not think about security as such a foreign concept.” Students completing the Cloud and Security Foundations course will be well-versed in cloud security and ready to hit the ground running.
— Shani Murray