Happy Monday, and welcome to CIO Upside.
Today: The Microsoft SharePoint attacks underscore that no data is totally safe, whether it’s stored in the cloud or on-premise. Plus: Potential pitfalls in the White House’s AI Action Plan; and Google wants to keep its AI training data hygienic.
Let’s take a look.
Microsoft SharePoint Attacks Show Weaknesses of On-Prem Storage vs. Cloud

Is your data safe anywhere?
In the past week, more victims have emerged from the attack on Microsoft’s SharePoint servers in which a Chinese hacking group called Storm-2603 exploited a vulnerability to deploy ransomware on clients running SharePoint from on-premise networks, rather than those hosted by the tech giant.
While many companies maintain on-premise networks and servers, believing that they are more secure than the cloud, increasingly sophisticated cyberattacks such as the SharePoint breach have introduced fresh doubts. The reality isn’t comforting: “No environment is safe. Not the cloud, nor on-prem, nor hybrid,” said Trevor Morgan, COO of OpenDrives.
“Given enough of an attack surface – and SharePoint has a massive attack surface – it is going to be attacked,” said Morgan.
Often, decisions around cloud and data storage strategies are made “too rapidly,” Morgan said, without considering the real needs of a business. Cloud and on-premise data and system storage strategies each have their risks and benefits, he added. “Neither one is a safer option.”
- Cloud comes with scalability, ubiquity and ease of use that make it a popular option, said Morgan. Cloud can be costly, however, especially when considering data egress fees. Additionally, Morgan noted, “cloud is very porous.” One misconfiguration is all a hacker needs to expose your whole business to vulnerability.
- On-premise strategies, meanwhile, offer enterprises more control over what goes where. They are expensive in their own right, however, requiring expertise, cash and resources, and the buck always stops with the enterprise, said Morgan. “The problem with on-premise is that it convinces people that the physical points of security take care of it.”
While a hybrid approach strikes a balance between the two, finding the best of both worlds still won’t offer your enterprise complete protection, said Morgan.
Hybrid solutions tend to involve the consistent movement of data from one place to another, which in and of itself can be “scary,” he said. “What’s protecting data in motion? It’s crossing switches and routers and all sorts of threat points. Sure, there’s encryption, but encryption can be cracked.”
In reality, the problem with any of the options usually isn’t the tech, he said. It’s an enterprise’s culture around security. A business is only as strong as its weakest link, he said, and that link tends to be human. It’s why adopting zero-trust strategies, or the idea that no one entity is innately trustworthy, is the best way to prevent pitfalls, he said.
“Why does everybody need to have access to (all) data?” Morgan said. “Zero trust is this notion that at every single stop along the way, the accessing person or group needs to be challenged. Hybrid needs to be coupled with some sort of philosophy … where we don’t just give blanket permissions.”
White House Deregulation of AI Creates Fresh Pitfalls for Businesses

The White House’s stated goal was to smooth the path of progress.
Its AI Action Plan, a sweeping strategy document unveiled last week, includes more than 90 policy actions aimed at cutting regulations and red tape surrounding AI.
Along with simplifying federal rules governing data center development and chip exports, the plan seeks to limit AI regulation inside states by cutting federal funding to those with “burdensome AI regulations.” It also orders the National Institute of Standards and Technology to excise any references to diversity, equity and inclusion, misinformation and climate change from its AI risk framework.
Additionally, the administration announced an executive order meant to prevent “woke AI” in the federal government. The order states that the government is obligated “not to procure models that sacrifice truthfulness and accuracy to ideological agendas.”
Targeting diversity, equity and inclusion, the order states that LLMs should be “truthful” in responding to user prompts, and developers “shall not intentionally encode partisan or ideological judgments into an LLM’s outputs unless those judgments are prompted by or otherwise readily accessible to the end user.”
While the executive order applies only to AI used in the federal government, plans like these can create more regulatory confusion for enterprises, both those creating AI and those using it, said Brenda Leong, director of the AI division at law firm ZwillGen. “Part of the challenge is that they fundamentally misunderstand how the technology works,” said Leong:
- There is no way to guarantee that a model will be completely accurate, she said, as models always run the risk of hallucination.
- “Even when you put some of the controls around them … They are still predicting. They’re just predicting within narrower confines,” she said. “There is no way ever to make one of these systems truthful, because there’s no step in the process that checks for some kind of verification or validation.”
For companies building AI, the policies may create a compliance headache, giving them different sets of laws in different countries that are “almost diametrically opposed,” she said. One option is that AI developers could create different versions of models, such as one that’s US government-compliant and another that’s European Union-compliant.
But even within such boundaries, there are potential pitfalls. Companies that want to consider diversity, equity and inclusion for reputational purposes may have to take self-governance further into consideration, she said. “It’s going to be harder for them to know if a system is creating those imbalances,” said Leong, and “to actually rely on these and to integrate them in the same way that they have been, or maybe they were intending to.”
Google Patent Straightens Out AI Training Data

Google is developing tools to keep its data straight.
The tech giant has applied to patent a system for “managing artificial intelligence and machine learning datasets in cloud storage” that properly organizes datasets for AI training.
Google’s patent essentially tackles data hygiene, or the concept of arranging data efficiently to avoid wasted storage space, security concerns and access-control problems.
“Copying data to a separate storage for each training iteration can cause increased latency, and redundant data duplication,” Google said in the filing. It also “increases privacy issues, which is especially troublesome when the dataset contains sensitive, personally identifiable information.”
Google’s remedy relies on “bookmarks,” or references linking to different pieces of data. Instead of copying and pasting data from one place to another, which can create a bunch of messy duplicates, the bookmarks create virtual groupings that reference the data used in training.
The bookmarking system allows datasets to be grouped, shared and managed for machine learning training without putting the underlying data itself at risk.
Cloud computing and AI are massive parts of Google’s business: In the most recent quarter, the company brought in $13 billion in cloud revenue, up 32% from the previous year’s quarter, beating Wall Street’s expectations. And earlier this month, OpenAI announced a partnership to use Google Cloud to host ChatGPT.
With the growing reliance on cloud platforms to build and develop AI, finding ways to properly manage the flow of data is critical. As Google continues to fight for cloud relevance with other hyperscalers like Amazon Web Services and Microsoft Azure, patents like this could help instill trust.
Extra Upside
- Superintelligence Spree: Meta has hired Shengjia Zhao, co-creator of ChatGPT, as chief scientist of Meta Superintelligence Labs.
- Spin Off: Intel is planning to spin off its Network and Edge group, its unit responsible for building chips for the telecom industry.
CIO Upside is written by Nat Rubio-Licht. You can find them on X @natrubio__.
CIO Upside is a publication of The Daily Upside. For any questions or comments, feel free to contact us at team@cio.thedailyupside.com.