Data Security

Data Security Working Group Meeting - 11/07/24

  • 1.  Data Security Working Group Meeting - 11/07/24

    Posted Nov 08, 2024 03:30:00 PM

    Publications in Development:

    Proposed:

    Meeting Summary:

    The meeting covered upcoming events, publications, and ongoing research projects related to zero trust, AI, and data security. Discussions focused on refining the group's approach to data lifecycle management, exploring ethical considerations in data usage, and addressing challenges in data resiliency and compliance. The team emphasized the importance of responsible data practices, clear ownership, and the need for standardized definitions in their work.

    Upcoming Events and Publications Discussed:

    • Alex convened a meeting to discuss upcoming events and publications. He highlighted the Zero Trust Summit as the CSA November event, encouraging attendees to sign up and participate. He also mentioned the AI Summit, which took place in the previous month, and encouraged attendees to access the content from past events. 

    Zero Trust Guidance and AI Responsibilities:

    Refining Data Security Publications Approach:

    • Alex discussed the progress of their data security publications, highlighting the variety of their papers and the need to refine their focus. Rocco shared his thoughts on the data lifecycle paper, suggesting it could be simplified and potentially split into separate papers. The group agreed on the need to refine their approach and to share their work more seriously with others. They also discussed the possibility of merging all the content into one paper, but no final decision was made.

    Data Lifecycle Stages and Definitions:

    Data Ownership and Security Responsibilities:

    • Rocco and Alex discussed the importance of data ownership and responsibility in the context of data lifecycle management. Rocco emphasized the need for clear ownership when data is transferred or when new ownership is defined, as this becomes a critical point in the data lifecycle. They also touched on the issue of data security and compliance, particularly in relation to GDPR requests and the potential for new regulations. Alex agreed with Rocco's points and suggested that their discussion could be used to clarify the stages of the data lifecycle, including the planning stages of assuring and describing data. The conversation ended with a recognition of the growing awareness of data security requirements and the need for clear ownership and responsibility in data management.

    Data Resiliency and Compliance Challenges:

    • Rocco, Adeeb, and Alex discuss data resiliency and the challenges of maintaining data recoverability while complying with regulations around data deletion. Adeeb raises data resiliency as a key issue, specifically the ability to reproduce data and the required time for recovery. Rocco agrees it is a significant topic deserving further exploration, potentially as a dedicated paper. Alex notes the group previously worked on a cyber resiliency survey report that touched on data resiliency. The discussion highlights concerns around data duplication, storage, and the risks of unencrypted backups leading to data breaches.

    Data Ethics in AI Decision-Making:

    • Adeeb and Rocco discuss the ethical considerations around data usage, particularly in the context of AI and decision-making. Adeeb raises the importance of data ethics throughout the data lifecycle, including ethical data collection, usage, modeling, and decision-making. Rocco acknowledges the difficulty in determining ethical boundaries, questioning who has the authority to define ethical standards. He highlights the potential conflict between business interests and ethical practices, using a hypothetical scenario where employees propose using sensitive data for AI models against ethical guidelines. Ultimately, they agree that the data owner holds the right to grant or revoke access, but the ethical responsibilities of custodians and users remain ambiguous.

    Data Collection and Healthcare Ethics:

    • The discussion focuses on the ethical considerations around data collection and usage, particularly in the healthcare industry. Rocco highlights the common practice of companies collecting excessive personal data without a clear purpose or need, posing privacy risks. He emphasizes the importance of conducting data use analyses to determine the necessity and intended use of collected data. Alex acknowledges the significance of this issue and suggests incorporating these ethical perspectives into their research on AI in medical applications. The conversation underscores the need for responsible data practices, minimizing unnecessary data collection, and aligning with privacy regulations to protect individual rights.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------