Stopping attacks on systems is only one area of security. Data privacy is an arena where governments are becoming more and more involved in legislating. In addition, standards organizations have created data privacy and security rules companies can follow in order to let partners and customers know that data is being protected. Compliance policies to manage complex security and data issues are, no surprise, also complex. Just as we’ve discussed how network security can be aided by machine learning (ML), so too can the higher level issues of compliance management.
Security involves more than using software to detect and stop internet attacks. While the software is important, and more often being enhanced with artificial intelligence (AI), that is only a small component – even in the security of software systems. There’s an old joke that the biggest mechanical problem in an automobile is “a loose nut behind the wheel.” That’s true with many other risks, including in technology. It’s easier to hack into a system when somebody’s password is “ABC1234”. It’s easier to access an application if an employee’s device isn’t properly protected. Organizations need to plan for robust security, and that’s where standards arise.
There’s another old saying that standards are so important that everyone wants their own. HIPAA, SOC 2, and ISO 27001 are just the start of the choices in standards. What is important in all of them is that they contain a number of key features:
· Specifications of software security.
· Requirements to define formal business processes.
· Definitions for reporting requirements.
While many in the tech sector focus almost exclusively on the first, the other two are also important. So how can ML help?
We’ve already mentioned, and multiple articles have discussed in detail, how AI is used to enhance software security. A primary method of defending against network attacks, both direct intrusions and fraud, is using deep learning to identify anomalies. Rule-based systems enhance security because known attacks can have specified and automatic responses.
What about the business processes? They can be very complex, and so they are often where compliance standards go to die. This is an area that can move out of pure AI into the fuzzier area of ML. Rules can live either in procedural code or in the more flexible but largely ignored area of expert systems. Their heyday was the 1980s, but they had serious performance limitations, both because of the hardware of the time and because of the need to make every rule explicit. The growth of deep learning in this century has meant an almost total focus on those methods as the only form of inference that should be used, but rule-based systems are still far more efficient for known areas where, and this shouldn’t be a surprise, we understand the rules.
Using rule systems to codify what needs to be done to achieve compliance with security and privacy standards can significantly help people keep their content organized. This is an area where the misnamed robotic process automation (RPA) can be leveraged. In the same way, proving a company is compliant involves more than creating an internal plan; it includes reporting to the government that you are HIPAA compliant, or proving to ISO that you have met the 27001 requirements and should be certified.
“There are many components required to build a system that can help with regulatory compliance,” said Chris Ford, VP Product, Threat Stack. “In the Threat Stack system, we’re combining core components of AI, machine learning, rules systems, and, most importantly, a clear understanding of what both compliance officers and regulators need to document, see, and know, into a solution that addresses cloud infrastructure compliance and security in all its facets.”
Organizations such as Threat Stack are working on security solutions within the area of compliance. Other firms are working on network management and performance, while still other companies are working on using ML to manage data centers. While it is still a few years off, what I see is companies beginning to combine all three and move past a focus on pure security and regulatory compliance into using ML techniques to manage service level agreements (SLAs). Showing cloud users that they have security and the performance they demand will both strengthen relations and add detail to SLAs that can only be met through AI.
Machine learning and artificial intelligence are still moving up the food chain. It’s good to see that the industry is moving past an important but still narrow focus on pure system security. Linking the tactics to compliance strategies is the next step in a more mature use of machine learning.