As organizations continue to invest in AI and AI-powered software, “Data Security” is also entering the conversation. Data security, as defined by NIST, is “the process of maintaining the confidentiality, integrity, and availability of an organization’s data,” which most organizations’ cybersecurity programs strive to do. What makes this conversation around AI different than standard cybersecurity-related programs, is that risks and challenges around data security are different because of the nature of AI itself.
AI, for all its current magical capabilities, is still in its early stages. When organizations add AI to their systems, they effectively add a new user with access, but not reason. AI has the ability to consume data but has limited context to understand how to use it and handle it. A poor example, but accurate, is viewing AI the same as an intern. They have a lot of knowledge and enthusiasm but none of the wisdom, discretion, and strategic thinking of more seasoned employees.
How does a data security mindset approach this? At its core, data security is focused on whether the appropriate access controls are in place. Data that can only be accessed by those with appropriate access is “secure.” Ensuring that AI, or the intern, can only access the correct data is a good first step.
There is more to this, however, as, unlike an intern, AI is part of a multiple-terabyte software program that doesn’t sleep and can be in thousands of accounts and devices at the same time, consuming and processing data. Further, AI currently cannot limit their knowledge so far as if they know something, they know it forever and across all thought streams. The only limitation is their connection with other large language model programs. For example, if you use an enterprise version of Open AI, knowledge shared with it is limited to your instance. However, anyone with access to that instance is able to access that data. Thus, limiting the exposure of AI to only the data it should have access to is required.
But how do you truly understand what data to limit access to and why? Security teams cannot revert to being the department of “NO” when it comes to AI, no matter how tempting it may be.
Enter data security’s parent: data governance. Data governance is the structure that identifies, manages, and ultimately “governs” the data, and is required to implement AI properly. Data governance helps organizations understand where their data resides, its purpose, and what protections are needed, to name a few focuses. Data security can then look to the guidance of the data governance to identify who to give access to, how it can be accessed, and what can be done with that access.
Why is this the best path?
We have a similar example to reference in the previous move to the cloud, when network management failed to listen to its parent, IT governance. When the cloud was first introduced, the “Lift and Shift” model led to dozens of exposed organizations. This strategy was network management acting without considering the finer points of IT governance (and security). Networks that were secure on-prem, behind dedicated firewalls, and limited by physical architecture were no longer secure when put on the cloud with open ports and misconfigurations. These configuration gaps and strategic misalignments would have been avoided if IT governance had been adequately implemented - the same with AI. Organizations putting AI into their systems without good data governance run the same risk as those that joined the cloud with poor network design.
The future of data security is not in choosing the right controls but in choosing the right data governance. Master the data, who owns it, how it should be protected, etc., and you will master your security risks, AI-powered or otherwise.
Subscribe
Stay up to date with cyber security trends and more