Meticulous use of Generative AI
Many enterprises and their employees are already using ChatGPT,
Google Bard, PaLM, Copilot, and other Generative AI (GenAI) or Large Language Models(LLMs) for streamlining communication, writing code, generating images, audio, and video, enhancing customer service, composing documents and producing initial research, and improving any number of other day-to- day activities.
However, as with any technology, the use of GenAI also poses a range of security risks, threats, and impacts that organizations must consider carefully. This article will provide information on risks and the related best practices that can be leveraged to use GenAI securely.
Enterprise Risks Associated with GenAI :-
Data Privacy and confidentiality :- Enterprise use of GenAI may result in access and processing of sensitive information, intellectual property, source code, trade secrets, and other data, through direct user input or the API, including customer or private information and confidential information. Sending confidential and private data outside of the organization’s own servers, much the same as with the cloud, can trigger legal and compliance exposure.
Enterprise, SaaS, and Third-party Security :- Today GenAI is widely adopted and is integrated with various third parties. This has led to raising concerns over data sharing as data would be shared with third parties at a much higher frequency than in the past. In this scenario, if the GenAI platform’s own systems and infrastructure are not secure, potential data breaches may occur and lead to the exposure of sensitive information such as customer data, financial information, and proprietary business information. Also, at present there are a limited number of available GenAI platforms and are effectively in use by the tech industry, they represent a high-value target for threat actors.
AI Behavioral Vulnerabilities :- AI behavior can be bypassed to perform unexpected jobs by using maliciously crafted inputs.This is sometimes known as “jailbreaking” and might be possible to perform in GenAI systems to adversely impact other organizations and stakeholders to encounter and receive maliciously crafted results without their knowledge. One common attack currently seen associated with this risk is where a customer support chatbot is targeted with injection attacks, and unauthorized access to enterprise systems could potentially be achieved by an attacker.
Insecure Code Generation : — Code generated by GenAI could potentially be used and deployed without a proper security audit or code review to find vulnerable or malicious components. Further, this can cause widespread deployment of vulnerable code as it is used in other organization systems and as “ground truth” in future model learning.
Legal and Regulatory Risk :- Using GenAI as part of enterprise processing of PII must be compliant with data privacy regulations such as GDPR (Europe), PIPEDA (Canada), or CCPA (California). For instance : — Italy’s data protection agency has now temporarily banned the use of ChatGPT specifically (not affecting other GenAI technologies, nor private instances of ChatGPT such as with Microsoft Office 365), due to similar concerns, and Germany is now considering the matter.
Copyright and Ownership :- GenAI models are trained on diverse data, which may include an unknown quantity of copyrighted and proprietary material, raising ownership and licensing questions between the enterprise, and other parties whose information was used to train the model. Using the output of GenAI could risk potential claims of copyright infringement, due to the training of some GenAI models on copyrighted content, without sufficient permission from dataset owners.
Safety Measures while using GenAI
1. Enterprises can take proactive measures to minimize the potential negative impact of GenAI usage and ensure that they are leveraging this powerful tool in a secure, compliant, and responsible manner.For example, organizations could decide that while data is being sent to a third-party GenAI SaaS platform, opting out of the user prompt information being used to train future models, and accepting the data retention policy of 30 days (as is in the case of OpenAI, for both), is secure enough for their needs and meets their risk appetite.
2. Selecting to opt-out of user prompt information being used to train future models, as it is currently an option under OpenAI’s policy.
3. Restricting the use of GenAI generated code to be limited to open source and software packages with permitting licenses.
4. Encouraging developers to carefully vet libraries by checking factors such as creation date, download count, comments and attached notes. Remaining cautious and skeptical of suspicious packages is also crucial in maintaining software security.
5. Reviewing all images and graphics that were generated from GenAI queries for copyright and trademark infringement.
6. Raising awareness among teams that incorporate external GenAI capabilities into their own software and performing threat modeling. Keeping oneself updated with any changes to the security measures or privacy policies for the GenAI that is currently in use and thus adjusting practices accordingly to ensure data privacy and security.
Reference:
