Data Security Working Group Meeting - 12/19/24

    Posted Jan 03, 2025 03:16:00 PM

    Publications in Development:

    Proposed:

    Meeting Summary:

    Working group members discussed the refinement and editing of a document on data security and risk management, Cybersecurity and the Data Lifecycle, which focuses on the data lifecycle and the importance of securing data at each stage. The paper remains in public peer review until January 5th, which may be extended if necessary. Members also discussed the concept of "cross-cutting" in the context of cybersecurity and risk management, and the need to simplify and focus the data lifecycle document. Lastly, they discussed the progress of the working group, the potential for further paper suggestions, and the importance of focusing on data-centric security. The next meeting is scheduled for January 16th at 11:00 AM PT: https://cloudsecurityalliance.zoom.us/j/89226145898?pwd=eHYwNlBGLzNjMmp1N3ZkSzcrdlI1QT09

    Editing Document and Collaboration Process:

    • Alex and Rocco discussed the process of editing a document. They agreed to accept all the changes suggested by others, with the understanding that some parts might be redundant or unnecessary. They decided to leave certain sections intact, such as the chart that outlines the stages of data minimization, as they were deemed relevant. They also discussed the inclusion of statistics and the placement of certain sections. Rocco suggested that the document should not be used as a definitive source of information, but rather as a guide for understanding the topic. They agreed to continue editing the document, with the aim of improving its readability and flow.

    Refining Document and Security Measures:

    • Alex and Rocco discussed the process of refining a document, focusing on the use of file transfer protocols and the importance of security. They agreed to leave certain sections as they were, but made changes to others, including the addition of a paragraph and the removal of unrelated content for clarity. They also discussed the need for a separate section for encryption and confidential computing. 

    Exploring Cross-Cutting in Cyber Security:

    • Rocco and Alex discussed the concept of "cross-cutting" in the context of cybersecurity and risk management. They struggled to define and apply the term, with Rocco suggesting it originates in the risk-management world. They agreed that it could refer to issues that affect multiple areas or conditions at once, but found it challenging to apply in practice. They also discussed the idea of a multi-layered defense and the challenges of making exceptions to security measures.

    Refining Document Structure and Gartner References:

    • Alex, Rocco, and Ammar discussed the progress of a document, which was initially a brain dump but has been refined. They agreed on the document's structure, including the table of contents, phases, security, risks, conclusions, recommendations, and references. They also discussed the need for further editing and the addition of more specific Gartner references. Ammar, a new member of the group, introduced himself and expressed his interest in contributing to the document. The team agreed to continue refining the document and encouraged Ammar to provide feedback.

    Simplifying Data Lifecycle Document:

    • Rocco and Alex discussed the need to simplify and focus their data lifecycle document. They agreed to remove a detailed chart that listed various risks and threats, as it was deemed unnecessary and too extensive for the document's purpose. Instead, they decided to maintain a higher-level comment on the risks and address them in a different section. They also decided to define the data lifecycle and ensure everyone is on the same page regarding its steps. The conversation concluded with the understanding that security is a primary focus, but specific types of attacks or threats should not be detailed in the document.

    Risk Analysis Chart and Data Discussion:

    • Alex and Rocco discussed removing a detailed chart on risk analysis from the paper, as it provided too much detail. They decided to strike through the chart and leave a comment suggesting the information could potentially be used elsewhere. Regarding a comment on data minimization, Rocco agreed it should be included and suggested finding a suitable place to insert that information in the document. They also confirmed that Ammar's suggestion on data labeling and classification had been incorporated.

    Data Classification and Document Flow:

    • Alex and Rocco discussed the classification and labeling of data in their project. They agreed to include the classification in the data creation and acquisition section. They also decided to remove a section that didn't fit and to include statistics. They discussed the flow of the document, with security coming after the definition piece. They also addressed the title of the document, deciding to change it to better fit the content. They agreed to give people a chance to review the changes before accepting them.

    Data Security Document Restructuring:

    • Alex, Rocco, and Ammar discussed the restructuring of a document related to data security. They agreed on changes such as using "through" instead of "throughout" and "key principles of securing data lifecycle" instead of "securing data throughout its life cycle". They also considered the placement of a chart and the potential for further additions to the document. The team decided to let the design team handle the formatting and layout of the document.

    Enhancing Data Lifecycle Paper Presentation:

    • Alex, Rocco, and Ammar discussed the progress of their data lifecycle paper. Alex shared that the paper is nearing completion and suggested adding graphics or images to enhance its visual appeal. Rocco agreed, emphasizing the need to avoid excessive use of Excel spreadsheets. Alex also mentioned the recently published Cyber Resiliency in the Financial Industry 2024 Survey Report, which he and Rocco had contributed to earlier in the year. The team also discussed the possibility of incorporating more references into their paper, similar to AI in Medical Research: Applications & Considerations, a medical research paper Alex had shared. Rocco agreed to look for suitable images and graphics to include in their paper. 

    Confidential Computing, Security, and TP-Link:

    • and the potential for a second project. They also discussed the importance of focusing on data-centric security and the challenges of transitioning to Zero Trust. Rocco highlighted the risks associated with data in motion when transferring data for confidential computing and the need for encryption in use. They also touched on side-channel attacks and the potential for exploits against confidential computing, as with the recent BadRAM exploit. Lastly, they discussed a potential ban on TP-Link routers due to security concerns.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------