Data Security Working Group Meeting - 3/13/25
Data Security Publications:
Development:
- Data security within an AI Environment - Q2 2025
- Continued development of remaining sections; use AI to find content gaps in the paper and to assist with the data controls context of the Data Security and Privacy Lifecycle Management controls (DSP01-24) from the AI Controls Matrix, including the subtopics on privacy-enhancing technologies, confidential/sensitive data, and PII in LLMs.
Proposed:
Meeting Summary:
The team discussed the upcoming Cloud Threats and Vulnerability Summit, the RSA event, and past events, as well as the release of a Shadow Access and AI paper from the Identity and Access Management subgroup. They also explored the use of AI systems in their research process, the importance of transparency in using AI tools, and the potential risks of AI systems accessing confidential data. The team also discussed the issue of data protection, emphasizing the need for encryption in use to prevent breaches.
Cloud Threats and Vulnerability Summit:
Organizing Subtopics Under Data Security:
- Alex and Rocco discussed the organization of subtopics under data security within an AI environment. They agreed to place these subtopics as sub-bullets under data security. Rocco suggested that this might spur better titles for the topics. Alex also mentioned the potential for a Data Loss Prevention paper, which Daniel offered to help with. The team agreed to refine and evolve the content as they progress.
Project Progress and Content Discussion:
- Alex, Daniel, Rocco, and Vashti discussed the progress of their project. Alex mentioned that he would add sections and make formatting adjustments. Daniel added content to the project, including prompt guardrails and ethical considerations. Vashti agreed that the current content was sufficient to start a cleanup run. Rocco suggested trimming down the sections to make the paper easier to digest, despite the current 24 pages.
Exploring AI for Paper Analysis:
- Alex, Rocco, and Vashti discussed the potential use of AI systems to analyze and extract information from a paper. They considered feeding the entire paper into an AI system to identify gaps and areas for improvement. The team also discussed the importance of transparency in using AI tools, with Rocco suggesting that the use of AI should be mentioned in the final product. Alex proposed a task for the team to run different AI systems on the paper and compare the results. The team agreed to explore this idea further and potentially present their findings in the next meeting.
AI Usage in Research Transparency:
- Alex, Rocco, and Vashti discussed the use of AI tools in their research process. They agreed to use AI as a tool, not a source of direct content, and to disclose its use in their papers. They also discussed the importance of transparency and leading by example in their AI usage. The team decided to focus on their current projects, including data loss and door security, and to continue contributing to their document.
AI Assisted Document Review Process:
- The team discussed their approach to reviewing and editing a document using AI assistance. They agreed to individually use AI to process the document, record their prompts, and compare results at the next meeting. Rocco suggested using AI to cross-reference the document with the controls matrix as a final step. Alex mentioned he will clean up the formatting before they proceed. The group decided that the document remains open for edits in the meantime, and they plan to review any recent security breaches or headlines at their next meeting.
Protecting Confidential Data With AI:
- Alex, Rocco, and Daniel discussed the increasing concern about privacy and the potential risks of AI systems accessing confidential data. Rocco mentioned that hundreds of thousands of records containing personal information (PII) have been found in AI systems, which is a cause for concern. Daniel suggested that sensitivity labels and Microsoft Copilot can be used to protect against this issue by putting guardrails around the AI system, preventing it from accessing or providing confidential data. However, this requires the data to be labeled first, which can be a challenge with unstructured data.
Microsoft's Confidential Data Storage Security:
- The team discussed the storage and security of confidential data in Microsoft's ecosystem. They questioned how the database storing this data is secured, with Rocco suggesting it might be a plain text Microsoft SQL database. Daniel and Alex agreed that it's likely not fully encrypted, and Rocco emphasized the need for proper protection to prevent hacking. They also discussed the potential risks of labeling data as confidential, making it a target for hackers. The team concluded that the data should be encrypted in use, rather than at rest, but it's unclear if this is being implemented.
Data Protection in Use Encryption:
- Rocco discussed the issue of data protection, emphasizing the need for encryption in use to prevent breaches. He highlighted that current solutions only protect data at rest and in transit, leaving it vulnerable when in use. Alex agreed with Rocco's perspective and suggested using the AI Controls Matrix to address this issue. The team also discussed the importance of visibility and the need for a roadmap to implement these solutions.
------------------------------
Alex Kaluza
Research Analyst
Cloud Security Alliance
------------------------------