Artificial Intelligence (AI) and Cloud Security: New Challenges
Power to the DevOps
Thanks to the availability of cloud computing and especially Platform as a Service (Paas), it’s now easier than ever to set up and run applications taking advantage of AI. PaaS has democratized the infrastructure and made it accessible to the masses. Industrialization has reduced the learning curve for the installation, maintenance, and customization. Today, we are witnessing the industrialization of "AI cloud" services, such as AWS SageMaker for machine learning, Amazon Lex for chatbots, TensorFlow and Cloud Machine Learning Engine at Google Cloud or Azure Machine Learning Studio.
The AI race is feverish between the tech giants with huge investments. Each day, new services are becoming more powerful and easier to set up and use. Take the growth of Serverless architecture and FaaS (Function as a Service) such as AWS Lambda, Azure Functions, or Google Cloud Functions are helping companies to use powerful functions on demand, without investing in new infrastructure. Another example is AWS EMR (Elastic Map Reduce), a big data service that allows companies to process large amounts of data for AI tools (notably "machine-learning") without having to deploy a complex solution such as Hadoop.
Bots are coming to rescue security
Skill shortage is a well-known fact in the security industry. It is difficult to hire and find experienced security professionals, with 51 percent of organizations claiming they had a problematic shortage of cybersecurity skills in 2018. The mass of information, alerts and new technologies continue to increase, putting additional workload and pressure on security teams to learn and secure new technologies. A concrete example is the number of new vulnerabilities (CVEs) discovered in 2017, which more than doubled from 2016. Now in 2018, we are already seeing an increase of more than 47 new vulnerabilities per day.
The hunger to embrace AI by overwhelmed security professionals is understandable. By entirely or partially delegating the first level of anaysis to the ‘bots’, security teams will be better equipped with actionable insights and focus on solving critical security problems, hence improve the efficiency for threat identification and remediation:
- Sort alerts
- Identify the most important issues;
- Prioritize tasks according to the risk;
- Monitor attacks and techniques through Threat Intelligence;
- Detect malicious behavior.
Data security issues and solutions
Beyond the AI hype, the next challenge for companies is to understand what the security best practices are for each new AI service. As with any new technology, it comes with attack surfaces (and vulnerabilities) that hackers can exploit to recover data:
- The infrastructure: many companies are using AWS, Azure or GCP, but even if we trust our cloud providers, this does not exclude the need to control and apply best practices for cloud security posture management.
- Shadow Cloud: in infrastructures, it is essential to keep track of all assets, such as servers, networks, storage, containers (continuously updating inventories). You cannot protect what you don’t know without having full visibility
- Application, API and workloads security: often the most visible and accessible part that can be exploited with simple web attacks. They can even be publicly accessible!
- Communications security: the transmission of data must follow confidentiality and integrity policies.
- Storage: data stored must be protected with access control, confidentiality, integrity, and availability.
- Data protection during the execution: a subject more complex than the others, with recent advances in the area of homomorphic encryption.
Encryption is a solution for surfaces D and E. For example, we can keep control of access keys and use HSM (Hardware Security Modules) even if we are using a cloud provider. All cloud providers offer encryption mechanisms, so we can put in place adequate protections while keeping control of the keys. For attack surface F, new research in homomorphic encryptions by allowing complex data processing to be performed in encrypted data without compromising the encryption are expected to play an important role in cloud data services.
For the application, APIs, and workloads security part (surface C), this is a known domain with a variety of solutions that can be used during operations’ development and deployment for static (SAST), dynamic (DAST), interactive application security testing (IAST), and runtime analysis (RASP).
Unlike traditional infrastructures, any employee with a corporate credit card can spin up a new cloud services; one of the ways to regain control of shadow IT (B) is finance and budget audits. Even if the detection is sometimes delayed because it intervenes on the date of the invoice, the payment on demand helps discover new provisions and allows more accurate control of the assets used. A better practice of using the cloud would be set up more regular monitoring, even continuous, of the assets’ consumption. This makes it possible to detect anomalies and be more rigorous with the expenses. Again, this control is made possible by APIs that give us consumption information (and billing) automatically.
For the surface A, good starting points are the CIS Benchmarks. There is one for AWS and another for Azure with best security practices to implement. The "benchmarks" cover operational and automated controls. They can be complemented with more advanced controls like those drawn by the Cloud Security Alliance.