The Double Edged Sword of Gen AI in Data Security
The advent of generative AI (Gen AI) has ushered in a new era for businesses, offering both unprecedented opportunities and formidable challenges.
The surge in cyberattacks, and the growing sophistication of them due to AI augmentation, is one example of why the industry is in a position where it has to fight fire with fire. Thus, implementing AI as a way to enhance protection is gaining steam.
A 2024 report co-authored by Google Cloud and the Cloud Security Alliance revealed 55% of organisations plan to adopt Gen AI solutions within the year.
And it’s no wonder why: Gen AI's capabilities to detect anomalies with unparalleled precision, fortify access controls, and strengthen encryption protocols has the potential to significantly enhance such defences against malicious actors, keeping their data safe.
Its ability to reduce false positives also frees up cybersecurity professionals to pursue other endeavours, like implementing proactive security measures rather than just constantly mitigating attacks.
Moreover, its capacity to reinforce access controls by learning and adapting to evolving user behaviour patterns can lead to a staggering 40% decrease in successful unauthorised access attempts.
With so much good on offer, it may be hard to see what the, if any, downsides are. While not a drawback if addressed, two issues that could grow to become a concern: a novel risk that demands careful consideration and mitigation strategies when it comes to data.
“We can divide the challenges of AI integration into two camps: general data concerns and specific concerns,” says Colin Selfridge, Director Consulting Expert, Cyber Security, CGI UK & Australia. “General data concerns typically include data misuse and data loss (or theft), while specific concerns surround issues with the accuracy of AI tools.”
Distributing data
Public clouds are the most common type of cloud computing deployment, according to Microsoft. This is because they are a cheaper way to access the processing, flexibility and scalability offered by cloud computing.
This, therefore, makes them an attractive way to utilise the benefits of Gen AI, without the price tag of having to implement your own software and hardware. A 2023 study by software engineering company Binmile revealed 24% of Small and Medium Business (SMBs) were fully committed to a single public cloud platform for their business operations.
Here lies the beginning of the problems: “Adopting cloud technology and Gen AI has significantly reduced visibility into where data is stored, who can access it, and how it is protected,” says Martin Borrett Technical Director, IBM Security. “While Gen AI offers substantial value, it also introduces a new attack surface that requires protection.”
Utilising Gen AI models, organisations are distributing and decentralising their data across multiple systems and environments, which, especially if using a public AI model that learns from input data, make it harder to follow regulatory requirements and even keep it safe.
“Injecting hostile content into large Language models used by AI is a well-documented example. Indeed, with large language models, redundant code could present a possible future vulnerability, or result in a data leak,” Colin explains.
Plus, by using these third-party services, it creates new potential openings for data breaches, which you do not have full control over, expanding a given organisation’s attack surface.
“It’s worth considering hosting options, can it be installed on-premise or within company-controlled environments, rather than vendor multi-tenant hosting spaces?,” says Colin. “With the AI ‘writing home’ to ensure an efficient learning mechanism – does this represent an egress path for sensitive information?”
Some mitigations for things like data control can involve the use of a hybrid cloud, which utilises the public cloud for less security-dependent data, and a private, on-site cloud for secure data.
Plus enterprise Gen AI models, like OpenAI’s, which states it does not learn anything from such uses and does not store data. Yet, even with ChatGPT Enterprise encrypting data in transit and at rest, it is still another entity that is now handling an organisation’s data.
This distributed nature makes it challenging to maintain a centralised view of where all the data resides, who has access privileges, and what security controls are in place, essential in the age of regulations.
“GDPR still applies to data used in training AI models, meaning businesses need to ensure they adhere to the guidelines outlined within Article 5, and ensure any data use is transparent,” explains Colin. “Additionally, recent developments within the EU AI Act mean organisations need to be aware of the risk AI tools can pose, especially when looking at open-source and public solutions.”
Understanding the AI data pathway
As data becomes evermore distributed in the age of AI, where one business hosts the data of another, which is fed into a platform of another to produce solutions for said business, it is clear that cooperation by the different parties is becoming increasingly important.
“Collaborations can play a crucial role in securing data security as organisations adopt Gen AI tools,” explains Martin. “By partnering with AI and data security experts, businesses can leverage their knowledge and resources to develop robust security measures and best practices tailored to their specific needs.”
By keeping collaboration open, stakeholders can communicate their needs, alongside their regulatory obligations, to each other and find ways in which they can minimise issues.
“Expert data security consultants can be helpful when establishing and implementing security frameworks that are designed with Gen AI in mind,” concludes Colin. “Creating guidelines, standards and building protocols for data access controls, encryption, and sharing mechanisms.”
Although some issues may remain in terms of attack surface, Martin argues how data security and integrity can be kept in case of a breach when working with cloud and Gen AI.
Responsible usage, that organisations should only use Gen AI tools for legitimate purposes; data minimisation, that organisations should only feed it the essentials; secure data handling to ensure things like encrypted sending of the information, and regular audits and monitoring of these cloud and Gen AI services to ensure data integrity within them.
Gen AI undoubtedly offers powerful cybersecurity benefits, but its adoption comes at a cost - potential loss of data control. As organisations embrace public clouds and third-party AI platforms, proprietary data becomes scattered across external systems beyond their purview.
With such large amounts of data needed, organisations should not be swept up in the race for AI in an implementations at all cost approach.
“AI relies on large volumes of high-quality data to function effectively. Businesses should prioritise data governance to ensure that their data is accurate, secure, and accessible to the right people and systems,” explains Colin.
Yet, this decentralisation of data need not be an insurmountable hurdle. Through strategic collaborations with security experts and AI providers, businesses can develop robust frameworks to maintain data sovereignty whilst still utilising the benefits Gen AI can bring.
******
Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Cyber Magazine is a BizClik brand