AI Breaks Your Biggest Security Control
TL;DR: For decades, "friction" was our most effective (if unintentional) security control. As Cloud and GenAI eliminate that friction in the name of revenue and speed, security teams must stop relying on "slowing things down" for risk mitigation and start solving the data-identity problem at its root.
I’ve been around the block a few times when it comes to security and technology. Early in my career I installed 66 blocks (anyone still know what those are?). This took time: running wires, punching them down, running down failed punches. So, I’ve seen a few changes in the landscape and technology stack over the years. I’ve seen it through the lens of a consultant, of an employee in a startup, and of a cog in the wheel of large corporations.
The Era of Physical Guardrails
Something I’ve seen over and over is that one of the biggest security and technology controls in place is friction. This was apparent when ‘cloud’ became a big topic, and I’m seeing it again as AI starts to make its way into the stack. Back in the day, the only way to deploy a server was to patch ports to the server rack, rack a new server, and wait while a few CDs (or floppy disks if you want to go back further) installed the OS. Obviously, that matured to USB drives and then network-based installs, but the point is the same: it took a few hours at best to set up a new server. Then came virtual servers, and depending upon your permissions, deployment was much faster. But there were still approvals that usually needed to happen and some network configs, and while a lot of this was scripted, we were still talking hours at best. Take this to a large organization, where it takes half a dozen teams after a couple of weeks of change control, and it realistically was 2-4 weeks for a standard server request.
Cloud and the Death of Friction
In came cloud - now the biggest factor (friction) that mitigated the risk of someone publishing a server directly to the internet is gone. A DevOps engineer who is managing their stack end to end has the ability to deploy a server in seconds and make it available to anyone they weren’t explicitly restricted from exposing it to, and friction is no longer the fallback control. Until this point, no matter how many security tools or technologies were deployed, the fallback was always time to catch a control failure.
So how did most organizations fix this? They introduced their old friend back into the mix: bureaucratic friction. Change requests, pull request approvals, code scanning, static code analysis, etc. They introduced steps to slow down the speed of development.
GenAI and Instantaneous Discovery
Now let’s introduce GenAI. The landscape shifts a little because we’re mostly talking about data and discovery capabilities now rather than infrastructure and code. In the past, if you wanted access to something, you first had to figure out where it was stored, then you had to request access that went through several approvals, and then your permissions had to be deployed. You had to have the right tech to access it, and in many cases, that may have required additional access approvals. Ultimately, friction was the primary control that prevented unnecessary data access. You never knew that there was actually a copy of it in another location that you already had access to, or that someone in another department had downloaded copies to a file share everyone had access to. You didn’t have a single place to search that had already indexed all the copies, whether you were supposed to have access or not.
The Cost of Speed
Now you do. If there are copies in the wrong places, if there is a lack of restriction on certain storage locations, if someone has made copies that weren’t supposed to exist, the primary means to prevent unauthorized access is now gone. In the end, most security and technology controls boil down to friction. As technology matures and approaches equilibrium with the factor that is actually driving it forward (revenue generation), we find that speed is necessary, speed is desired, and speed is what keeps businesses alive. How should security and technology teams respond when their primary control, friction, fails?
The capability of our programs is more at stake now. If we keep attaching new capabilities to existing paradigms, then we are going to continue to feel the pain. If we don't solve the identity and data-location problem now, GenAI will solve it for us more painfully. What I mean is that we need to properly answer these questions: “Where is the data?”, “Who should have access to it?”, and “How should it be protected?” before rolling out the discovery capabilities of GenAI.