How trusted is your trusted source?

By Alan Hewitt

I worked for IBM for 30 years, and in that time I got used to the phrase “Trusted Source” when it applied to systems where there was a core repository of data which was then replicated more locally to the user to improve performance. When there was an issue or you wanted to verify the data you always went back to the central and core “Trusted Source” to make sure that you were working with the authentic version.

It got me thinking that we use many systems where we treat the contents as a “Trusted Source”, where we have confidence that the information there should be trusted. At Praxonomy we pride ourselves that our Boardlogic product holds our clients’ information/data securely, such that its users can rest assured that what they access there can be trusted and is protected, and we have chosen a data centre that conforms to that principle.

Increasingly, though, data is being held in a “Cloud” which is run/operated by a few very large cloud service providers. This brought to mind two quite recent developments where data was being held in very large cloud-based systems, raising two questions:

  1. Just how secure is my data, and how can I guarantee that it hasn’t been hacked (accessed by others) and, more importantly, changed in any way?
  2. As we are starting to hear that these large cloud-based service providers are accessing our/your data to prime/train their LLM (Large Language Model) AI systems, should we be concerned?
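The first question, whether data held elsewhere has been changed, is one you can actually check rather than take on trust, using exactly the “go back to the Trusted Source” idea from the opening. The following is an added example, not code from the original post or from Praxonomy: the trusted source publishes a manifest of SHA-256 digests for each record, bound together with an HMAC under a key shared out of band, and the verifier compares any replica (for instance a cloud copy) against it. The key, record names and contents are constructed for the demonstration.

```python
# Added example (not from the original post): detecting unauthorised modification
# of data replicated from a trusted source.
# Trusted-source side: publish a manifest of per-record SHA-256 digests plus an
# HMAC over the manifest, keyed with a secret only the source and verifier hold.
# Verifier side: refuse an inauthentic manifest, then report every record in the
# replica that is modified, missing or unexpected. All names/data are constructed.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: shared out of band between trusted source and verifier (demo value).
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def digest(record: bytes) -> str:
    return hashlib.sha256(record).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Canonical serialisation so source and verifier HMAC the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Trusted source: digest every record and bind the set with an HMAC."""
    entries = {name: digest(data) for name, data in sorted(records.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def manifest_is_authentic(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    """Verifier: the manifest itself is only trusted if its HMAC checks out."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_replica(manifest: dict, replica: Dict[str, bytes],
                   key: bytes = MANIFEST_KEY) -> Tuple[bool, List[str]]:
    """Compare a replica against the trusted manifest. Returns (ok, findings)."""
    if not manifest_is_authentic(manifest, key):
        return False, ["manifest HMAC check failed: manifest may have been tampered with"]
    findings: List[str] = []
    for name, expected in manifest["entries"].items():
        if name not in replica:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(expected, digest(replica[name])):
            findings.append(f"modified: {name}")
    for name in replica:
        if name not in manifest["entries"]:
            findings.append(f"unexpected: {name}")
    return (not findings), findings


# Constructed sample records held by the trusted source.
TRUSTED: Dict[str, bytes] = {
    "board-minutes-2024-03.txt": b"Minutes of the March board meeting ...",
    "risk-register.csv": b"id,risk,owner\n1,supplier outage,CFO\n",
}
MANIFEST = build_manifest(TRUSTED)


def demo() -> List[str]:
    """A replica where one record was silently altered and one file was added."""
    replica = dict(TRUSTED)
    replica["risk-register.csv"] = b"id,risk,owner\n1,supplier outage,CEO\n"
    replica["notes.tmp"] = b"scratch"
    _ok, findings = verify_replica(MANIFEST, replica)
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The HMAC over the manifest matters as much as the per-record digests: without it, whoever can alter a record in the replica could just as easily alter its published digest. Keeping the key with the verifier, not with the storage provider, is what makes the check independent of the party being checked.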

I found the following article from Secureworld which highlighted a recent data breach (I would strongly recommend that you read the article in full as it gives a lot of very useful information and recommendations): https://www.secureworld.io/industry-news/hackers-leak-leidos-documents

In this case the supplier involved was Leidos Holdings Inc.:

“Although we don’t have details about the root cause of the breach of the service provider, we have seen a lot of failure to implement MFA and strong authentication recently,” said Jason Soroko, Senior Vice President of Product at Sectigo. “Anyone implementing an online service must ensure they are using the strongest authentication possible, and this is especially true in supply chain scenarios.”

The piece goes on to say:

Chad Graham, Manager of Cyber Incident Response Team (CIRT) at Critical Start, offered this comprehensive take on the incident.

“The breach of Leidos Holdings Inc. through Diligent Corp.’s system raises significant concerns due to the highly sensitive nature of the data potentially exposed,” Graham said. “Leidos handles critical national security and defense information, including classified documents, project plans, and communication records. The exposure of such information could have severe consequences, such as jeopardizing national security operations; revealing strategic defense plans; and exposing confidential government communications.”

The article also refers to microsegmentation, an approach to security that involves dividing a network into segments and applying security controls to each segment based on that segment’s requirements. This refers to how large-scale cloud storage providers can segment their service to minimise the risk of unauthorised access. At Praxonomy we have chosen not to use a third party to hold our clients’ data securely, as we have built our own system, which has been developed to the highest levels of security and has been hack tested and verified by a third party.

On the second question above, I have recently seen adverts in the media and on TV from companies looking to put together a class action suit against the major cloud service providers, where it would appear that they are using client/customer data to train their LLM AI systems.

This article by Computer Weekly outlines the actions that one law firm is taking against Microsoft and Google: https://www.computerweekly.com/news/366616407/Barings-Law-plans-to-sue-Microsoft-and-Google-over-AI-training-data

An extract from the article says:

A Manchester law firm has started on-boarding clients for a probable class action against Microsoft and Google, which it believes to be unlawfully collecting and using people’s personal data to train their artificial intelligence (AI) models.

Following a two-year-long investigation into the data practices of the tech giants, Barings Law believes the extensive information being collected about users – including voice data, demographic data, app usage information, metadata, payment details and a range of other personal details – is potentially being shared for the training and development of various AI large language models (LLMs).

Barings claims this is all happening without proper authorisation or consent from users, as while they may understand data is being collected, they may be unaware of the role this data plays in the training of AI LLMs.

If proven, this is a worrying trend: that your data, held in the cloud, could be accessed and used to train these companies’ AI systems and then, I assume, sold back to you in the form of AI-based services.

So, back to my opening comments on “Trusted Source”: how certain can you be, when purchasing cloud-based services from various suppliers that will hold your most critical and sensitive information? As a board portal supplier we recognise that we are entrusted with our clients’ most sensitive information, and we ensure that only our clients can access and see that data, and that it is kept in a highly secure environment where we take protecting that information extremely seriously.

As we go forward, with the above in mind, maybe we should all be asking our suppliers, both current and future, how they will adequately keep our data/information secure and “Trusted”, and for confirmation that it won’t be used for any AI training purposes without our explicit permission.

Interesting times.
