Data Security

 View Only
Back to discussions
Expand all | Collapse all

Data Security Working Group Meeting - 5/8/25

  • 1.  Data Security Working Group Meeting - 5/8/25

    Posted May 09, 2025 12:53:00 PM

    Data Security Working Group Meeting - 5/8/25

    Data Security Publications:

    Development:

    • Data security within an AI Environment - June 2025
      • Development continues on the AI data security paper, with focus on refining gaps across DSP01–DSP24 controls in the AI Controls Matrix. Recent discussions emphasized integrating AI into DLP systems, secure transmission methods, and privacy-enhancing technologies for PHI/PII protection. The working group is exploring content updates on regulatory frameworks, SMPC, and confidential computing. Contributions are being considered for future AICM versions. The goal is to complete revisions and have ready for peer review later this month.

    Proposed:

    Meeting Summary:

    • Alex and Rocco discussed the challenges of continuous auditing, the transition of the Star Level 3 to the Compliance Automation Revolution, and the upcoming virtual Cloud Trust Summit. They also reviewed their recent work on mapping and reviewing content related to AI controls, and discussed the progress of a paper they were working on. The team also discussed the integration of AI into Data Loss Prevention (DLP) systems, the challenges of email and SMS transmission, and the potential inclusion of information from the FHA group and the topic of secure multi-party computation in their paper.

    Continuous Auditing and Automation Transition:

    • Alex and Rocco discussed the challenges of continuous auditing and the transition of the Star Level 3 to the Compliance Automation Revolution. Rocco mentioned that they had previously tried to get involved but faced difficulties due to a transition in personnel. Alex clarified that the issue was resolved and that Rocco should now be able to proceed. They also discussed the shift in the company's security posture towards continuous automation.

    Cloud Trust Summit and Security Incidents:

    • Alex discussed the upcoming virtual Cloud Trust Summit, scheduled for June 11th and 12th, which will focus on trust and star-related topics and continuous automation. He also mentioned a recent publication on top threats to cloud computing, which includes case studies of security incidents. Additionally, he mentioned a presentation he worked on and a data security AI environment paper in progress. He also mentioned two peer reviews and an open survey on AI trends.

    AI Controls Matrix Expansion Discussion:

    • Alex presents his recent work on mapping and reviewing content related to AI controls. He proposes four additional data-related controls that are not currently covered in the existing AI controls matrix. Rocco suggests sharing these findings with the AI group, as they may consider adding these controls to their documentation. The team discusses the potential impact of their work, including the possibility of influencing future versions of the AI controls paper through the peer review process. They see this as an opportunity to contribute to the field and create synergy between their work and the existing AI controls framework.

    Paper Progress and Future Focus:

    • Alex and Rocco discussed the progress of a paper they were working on. Alex mentioned that the paper was looking good and had a well thought out content. He also mentioned that he had added an intro to the paper. Vashti agreed that the paper was shaping up well. Rocco mentioned that the paper would lead perfectly into another focus, which was the DLP side of things.

    Data Breaches and Privacy Laws:

    • Rocco discussed the issue of data breaches and privacy laws, highlighting that DLP companies have been creating a larger threat landscape by investing millions of dollars in solutions that have not been effective. He noted that the industry is now focusing on data-centric questions and shifting the focus from the perimeter to the data inside out to find threat actors. Rocco also mentioned the importance of protecting data in databases, which is often in plain text, and the need for technologies like database row encryption, column encryption, and secure computing environments to address this issue.

    AI Integration in DLP Systems:

    • The discussion focuses on the integration of AI into Data Loss Prevention (DLP) systems and its impact on the software industry. Rocco explains that many companies are adding AI components to their existing DLP solutions, often as a marketing strategy to justify price increases and remain competitive. Alex and Rocco agree that this trend is widespread in the industry, with companies rushing to adopt AI capabilities regardless of their effectiveness. They also discuss the importance of human oversight in AI systems and the potential for future developments in DLP technology, particularly in the healthcare sector.

    Email and SMS Security Challenges:

    • Rocco discussed the challenges of email and SMS transmission, noting that it's no longer feasible for companies to manage these services themselves. He highlighted the need for third-party services, especially for companies using Office 365 or Google, as these platforms are vulnerable to threat actors. Rocco also emphasized the importance of proper identity management and the role of phones as identity verification tools. The team agreed on the necessity of secure authentication methods, such as pass keys, to protect against identity theft.

    AI and Regulatory Frameworks Discussion:

    • Alex presents a chart breaking down categories, which Rocco finds helpful but suggests enlarging the font for better readability. They discuss removing some redundant content, particularly where bullet points are already represented in the chart. The team considers adding lessons learned from recent incidents, though they struggle to recall specific examples. They review sections on AI-specific requirements and regulatory frameworks, noting that some content needs reorganization and expansion. Rocco mentions the potential inclusion of information from the FHA group and briefly touches on the complex topic of secure multi-party computation, drawing parallels to blockchain technology and its potential applications in AI.

    Paper Progress and Future Directions:

    • Alex and Rocco discussed the progress of their paper, focusing on the need for additional content in various sections. They agreed to remove the case study section for now, as it lacked relevant information. They also discussed the potential inclusion of DORA and GDPR in the paper. Alex mentioned the need to clean up the paper and eventually push it to peer view for further refinement. They also touched on the topic of confidential computing in healthcare, which Alex suggested could be a valuable addition to the paper.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------