We have a new white paper on AI shadow data and a new blog on PCIv4 data security requirements.
View in browser
architecting-privacy-gremlins

Greetings,

 

Our point of view has been honed from years of defending infrastructure using (and building) perimeter defense technologies -- web application firewalls, intrusion prevention systems, etc.  But these technologies are deeply flawed.  They can stop common attacks from common tools, but they can be easily evaded.  And if it's easy for an admin to peek at data, then it's easy for someone who tricks or compromises that admin to peek at it, too.

 

This is how I came to be an advocate for application-layer encryption.  We can design and build systems that are resilient in the face of common problems and first-level breaches.  Without application-layer encryption, those first-level breaches are often game-over for the data.

 

We've been gratified over the past few years as application-layer encryption has become more mainstream and started to move into standards.  I wrote recently about PCIv4 and how it uses application-layer encryption as well as improves the security of account holder data including names.  There are additional requirements just for SaaS providers in there, too.

 

At the same time, while we're helping to drive better data protection, organizations have instead been duplicating it all over the place. It's like the movie Gremlins where any little thing you do causes them to duplicate and turn evil.  AI data are like Gremlins except instead of contacting water or eating after midnight, anything that AI touches reproduces into less protected environments.  We've talked about this before, but we have a new white paper focusing just on the "shadow data" problems with AI.  Please check it out.

 

That's it for this month, watch out for the AI gremlins...

Patrick Walsh CEO IronCore Labs

Patrick Walsh
CEO, IronCore 

Upcoming events:

  • Rocky Mountain Info Security Conf
    • May 28, 2025 in Denver, Colorado
    • Title: Illuminating the Dark Corners of AI: Exploiting Shadow Data in AI Models and Embeddings 
    • Abstract: A demonstration of how to extract confidential data and personally identifiable information from fine-tuned LLMs and vector embeddings. Shows how confidential data finds its way into your AI systems and presents attacks for identifying and extracting that sensitive data. This will highlight the problem of AI shadow data in RAG workflows and chat bots.  The data may be monitored and protected in its primary store but is vulnerable and overlooked in the corresponding AI systems.
ai-shadow-data-paper-newsletter

AI Shadow Data White Paper Download

 

There are three major areas of untracked and unprotected shadow data in AI systems where copies of sensitive data accrue. Learn about the areas of AI shadow data and how to manage them.

 

> Download the PDF

pci-v4-blog-newsletter

 

PCI v4 Now Mandates Application-layer Encryption

Understanding the Data Security Changes Since v3 

 

What's new in PCI v4 and what it means for protecting account holder data. Dives into the specific requirements and suggestions as well as the extra requirements directed at multi-tenant SaaS companies.

 

> Read the full blog

interview-arm-12-questions-newsletter

 

Important Questions to Ask Your Software Vendor

About the Security of their AI Features 

 

Before trusting your vendor's new AI feature, ask these 12 critical security questions to protect your data, prevent breaches, and ensure compliance.

 

> Read the full blog

LinkedIn
X
GitHub
Mastadon
YouTube

IronCore Labs, 1750 30th Street #500, Boulder, CO 80301, United States, 3032615067

Unsubscribe Manage preferences