Data Security Working Group Meeting - 1/16/25

    Posted Jan 17, 2025 02:40:00 PM
    Edited by Alex Kaluza Jan 17, 2025 02:40:28 PM

    Publications in Development:

    Proposed (2025):

    Meeting Summary:

    The team discussed the upcoming Virtual AI Summit 2025 and future summits, as well as the progress of the Cybersecurity and the Data Lifecycle paper. They also discussed Data Security within an AI Environment, the potential shutdown of TikTok in the US, and a recent issue with AI bots on Facebook and Meta in the EU. The conversation ended with a focus on DORA and the AI Controls Matrix, with plans to bridge the gap between current data security requirements and the AI Controls Matrix.

    Upcoming Summits and Research Updates:

    • Alex announced the upcoming Virtual AI Summit, scheduled for the 29th and 30th of the month, and encouraged everyone to sign up. He also mentioned future summits, including the Virtual Fin Cloud Security Summit in February and the Cloud Threats and Vulnerabilities in April. Alex highlighted the latest research on context-based access control for Zero Trust and the availability of the CCM video series on demand. He also noted the open peer review for the AI Controls Matrix and the State of SaaS Security 2025 survey. Mahesh, a new member, introduced himself as an independent consultant working in financial services and expressed interest in participating in the working groups.

    Data Security Paper Progress and Edits:

    • In the meeting, Alex and Rocco discussed the progress of their data security and lifecycle paper. Rocco mentioned that they were close to the end of the document and were considering branching off certain topics into their own papers. They also discussed the need to keep the document within scope and avoid adding too many charts and diagrams. Alex thanked everyone for their contributions and suggested that they should continue to make recommendations or edits until a deadline was reached. Mahesh asked about the process of adding comments or making inline edits, to which Rocco responded that they should add comments and he would update or add as necessary.

    Focusing on Data Security in AI:

    • Alex, Rocco, and Mahesh discussed the state of security within an AI environment. Rocco suggested that they should focus on the data aspects of the control matrix, as it would provide a framework for outlining data risks. Mahesh asked if there were any training videos or related topics already in progress. Alex agreed with Rocco's suggestion, noting that the control matrix would outline all components and define them, allowing them to outline the data risks of those components. The team decided to pull out information related to data security from the control matrix, as it was not concerned with other network components.

    Aligning Data Security With AI Controls:

    • Alex, Rocco, and Mahesh discussed the progress of a document related to data security within an AI environment. They agreed to link this document with the AI Controls Matrix to align with the Cloud Controls Matrix and the whole industry. They also discussed the need for peer buy-in and potential contributions from the CCM group. The team decided to reorganize the document into a template style, possibly including contributors' certifications, and to finalize the layout and technical aspects.

    Creating Consumable Documents and AI:

    • Alex and Rocco discussed the process of creating consumable documents, including the use of AI systems and the importance of data protection. They agreed that the documents should be approachable for all levels of understanding and should include charts, diagrams, and images. Rocco suggested proposing another paper focusing on the risks and threats to data, which could be a subset of the AI paper. Alex agreed and suggested combining some of the topics into a single paper. Onyeka suggested prioritizing the topics based on the quarter, and Alex agreed that this could be a good approach. They also discussed the possibility of having four papers for the year.

    TikTok Shutdown and Data Security:

    • The team discussed the potential shutdown of TikTok in the US, which they considered a landmark case for privacy and data security. They speculated on the possible mechanisms for the shutdown, including IP blocking and DNS restrictions. The team also discussed the shift of users to other platforms, such as Chinese-based video sharing apps, and the potential for these platforms to become sales platforms. They acknowledged the financial implications of such a shutdown and the potential for it to set a precedent for other countries. The team also touched on the issue of data security and privacy, with Rocco suggesting that the private sector is already taking steps to block at the national level. The conversation ended with the team expressing curiosity about the future of TikTok and the potential for other platforms to fill the gap.

    AI Bots and Phishing Email Issues:

    • The team discussed a recent issue with AI bots on Facebook and Meta, where the bots were turned on and then off due to complaints and a dev data mix-up. They also discussed a phishing email from ISACA, which was a result of mixing production and dev data. The team agreed to focus on the DORA piece and the AI Controls Matrix, with Onyeka offering to help with the latter. They also discussed the need to bridge the gap between their current environment and the desired environment as per the controls matrix.

    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------