Proactive Data Security Practices to Build Cyber Resilience and Manage AI Risk
In the past few years, cybercrime and ransomware attacks have surged to unprecedented heights. Enhancing cyber resilience and tackling data security challenges have naturally become top priorities for organizations.
Since AI took the world over by storm, priorities have shifted— business and technology leaders are now racing to lay out their AI strategy and chart how AI will propel their business forward.
But as with any new technology, and perhaps more than anything we’ve ever seen before, there is a legitimate concern on how AI can create new threat vectors. Data security concerns remain paramount as ever before, coupled with growing apprehension about the availability and integrity of data used in AI models.
AI Opens Up New Security Risks
AI systems, particularly those using Gen AI raise significant security and privacy concerns due to their extensive data collection and processing capabilities, namely:
- What data is used in the model-- personal data, such as names and addresses to financial or health records, can make AI technology function more effectively. But the use of such data can certainly feel like an invasion of privacy and is likely to violate numerous global data privacy laws and regulations.
- Data persistency— the data used for computation must be readily accessible and available. The concern here is where/how the data is stored-- this data depot is now an attractive and lucrative target for hackers. Moreover, sensitive or personal data persisting indefinitely in databases or across clouds is, again, in violation with data privacy laws.
- Data repurposing— some data is used over and over again, not necessarily in accordance with the original intent. Large datasets are often used to train and refine algorithms, so data repurposing is inevitable. As you retrain the model, is sensitive data perpetually exposed?
- Data leakage—unlike data repurposing, where data is intentionally repurposed without much thought or consideration, data leaks are unintended and accidental. It can be as simple as sharing data through applications or across workflows or the supply chain.
Gartner® has published a report titled Top Strategic Technology Trends for 2024 that talks about two Technology trends, i.e., AI trust, risk and security management (AI TRiSM) which “supports AI model governance, trustworthiness, fairness, reliability, robustness, transparency and data protection” and Continuous Threat Exposure Management which “is a pragmatic and systemic approach to continuously adjust cybersecurity optimization priorities and use technology.
Intersection of data security with TRISM and CTEM
Fundamentally, the goal of both frameworks is to push organizations to rethink how they protect their data and to identify the loopholes that can allow bad actors to breach their systems. While neither of these frameworks is explicitly about data security, the fact that data is the target of most cybersecurity attacks begs the question of the role of data security in these two frameworks.
Protecting Data in AI
Data at rest should always be encrypted, with the latest NIST-recommended algorithms. That's just the basics. To secure data used in GenAI, consider obfuscating sensitive data. When sending data into the AI pipeline, ensure that any PII data is masked.
Tokenizing data through Format Preserving Encryption keeps the format of the dataset, so there is no additional work needed, yet it makes the data portable, private and compliant. This scenario applies when you will not need any AI work on the sensitive data.
And with all this mandatory encryption, don’t forget to properly manage the encryption keys. Effective key lifecycle management, granular access controls, and secure storage of encryption keys are all critical factors that require thorough consideration as well.
Increasing Threat from Bad Actors Requires Continuous Threat Exposure Management (CTEM)
Whether associated with AI, or more traditional technology, organizations are also at increased risk due to the ever-expanding threats from bad actors. This is what’s behind Gartner’s Continuous Threat Exposure Management (CTEM) framework. And just like with TRISM, data security plays a key role in CTEM.
The goal of CTEM is to help organizations improve their security posture by identifying and addressing areas of concern before attackers can exploit their vulnerabilities. While many organizations have adopted and are proactively using solutions to identify vulnerabilities, exposed PII data, or scan for threats, they are not doing much to assess them cryptographic security posture.
With data that lives everywhere and being protected by siloed teams and point solutions, security teams lack visibility into what is and isn’t being secured, where and how encryption keys are stored, who can access them, and are key management best practices being followed.
Fortanix – Data-First Security
At Fortanix, we take a data-first approach to cyber security, pioneered Confidential Computing, and prioritize data exposure management, as traditional perimeter-defense measures leave data vulnerable to malicious threats in hybrid multicloud environments.
We believe that data security is the last line of defense against the increasing sophistication of cyber threats and reduces the impact of data breaches. In the realm of AI, securing data and ensuring its privacy and integrity when used in GenAI is the only way to safeguard AI pipelines and drive compliance with global data protection regulations.
The Fortanix unified platform helps organizations to:
Assess Risk-- remove blind spots with consolidated insights about data security risks.
Security teams can now assess security posture through centralized dashboards and heatmaps that quickly pinpoint data security risks, gaps, and priorities against established policies, regulations, and industry standards. In turn, it becomes very easy to remediate quickly, eliminate vulnerabilities, and achieve crypto agility at scale for continuous improvements over time.
Encrypt Data-- secure data across its full lifecycle—at-rest, in-transit, and in-use.
From full disk to file system to database encryption, organizations can secure data with NIST-recommended and quantum-ready algorithms to know data cannot be extorted or tampered with. For teams looking to unlock data’s full potential, Fortanix Tokenization applies Format Preserving Encryption to safely feed private data across applications, analytics, and AI.
Manage Keys-- centrally manage the lifecycle of all keys across all environments.
A single, policy-based, easy to use SaaS solution enables teams to create, rotate, and delete keys for data across data centers, clouds, and applications. Security teams now can enforce data security policies with a simple click across all environments at once and ensure that no data is left begins. Bring Your Own Key (BYOK) allows them to keep keys under their control and have them securely stored in FIPS 140-2 level 3-certified HSM, available as SaaS. As a result, with Fortanix, they gain operational efficiency and can know and prove that they have applied consistent security.