Security is one of the top concerns surrounding AI implementation. And it’s warranted; a recent survey of IT decision-makers revealed that 72% have experienced hacking attempts. With so many teams hung up on the challenges of moving AI out of the lab into production, security concerns are often lost in the shuffle when they need to be front and center. Adopting three mindsets of DevSecOps—confidentiality, integrity and availability—will help you focus on security and close the gap between the security our industry needs and the security your organization has.
More Cyberattacks are Coming
We can count on seeing more cyberattacks and there are two reasons for that. First, as AI becomes more ubiquitous and embedded in our everyday lives, it presents yet another threat surface hackers will seek to exploit to wreak havoc at scale. More AI, more attacks.
Second, the Silicon Valley “move fast and break things” model has meant that historically teams have pushed a lot of code into production without putting security guard rails in place. The same thing is now happening with AI. We’re so focused on getting novel capabilities into production—that we prioritize first-to-market movements over security, leaving the door open for exploitation.
Based upon predictions of the AI-addressable market for the next 10 years, and the amount of money being allocated for these projects, there’s an almost single-minded focus on getting AI launched. Even if a small percentage of those initiatives aren’t secure, then the sheer scale of vulnerable AI will lead to more attacks. I believe, however that it’s not just a small percentage of AI models that are at risk; it’s a huge number.
Putting Security Ahead of AI Implementation
The answer to AI security woes sounds simple: security needs to be built in from the start. To analyze where things stand for you, and therefore which solutions you need, consider your C-I-A, the guiding tenets of information security: confidentiality, integrity, and availability.
I don't want to give the impression that there’s a checklist that follows and if you do everything on it, you'll never have to worry about security again. There is no silver bullet, no panacea. Instead, I advocate that our industry needs to adopt philosophies and mindsets that lead to better security, beginning with this: it’s better to start with security—and start simple—than to have to go back and fix broken things.
Confidentiality
Confidentiality is the first consideration. It’s a principle that governs who has access to information or systems. You must protect your secrets, and that starts by simply controlling access to them.
Confidentiality has three facets: WHAT needs to be protected, WHERE you need protection, and WHO needs access. These are questions that require deliberate thought and purposeful action. As well as CI/CD tools with various levels of access.