May 18 2025

Why GenAI SaaS is insecure and how to secure it

Category: AI,Cloud computingdisc7 @ 8:54 am

Many believe that Generative AI Software-as-a-Service (SaaS) tools, such as ChatGPT, are insecure because they train on user inputs and can retain data indefinitely. While these concerns are valid, there are ways to mitigate the risks, such as opting out, using enterprise versions, or implementing zero data retention (ZDR) policies. Self-hosting models also has its own challenges, such as cloud misconfigurations that can lead to data breaches.

The key to addressing AI security concerns is to adopt a balanced, risk-based approach that considers security, compliance, privacy, and business needs. It is crucial to avoid overcompensating for SaaS risks by inadvertently turning your organization into a data center company.

Another common myth is that organizations should start their AI program with security tools. While tools can be helpful, they should be implemented after establishing a solid foundation, such as maintaining an asset inventory, classifying data, and managing vendors.

Some organizations believe that once they have an AI governance committee, their work is done. However, this is a misconception. Committees can be helpful if structured correctly, with clear decision authority, an established risk appetite, and hard limits on response times.

If an AI governance committee turns into a debating club and cannot make decisions, it can hinder innovation. To avoid this, consider assigning AI risk management (but not ownership) to a single business unit before establishing a committee.

It is essential to re-evaluate your beliefs about AI governance if they are not serving your organization effectively. Common mistakes companies make in this area will be discussed further in the future.

GenAI is insecure because it trains on user inputs and can retain data indefinitely, posing risks to data privacy and security. To secure GenAI, organizations should adopt a balanced, risk-based approach that incorporates security, compliance, privacy, and business needs (AIMS). This can be achieved through measures such as opting out of data retention, using enterprise versions with enhanced security features, implementing zero data retention policies, or self-hosting models with proper cloud security configurations.

Generative AI Security: Theories and Practices

Step-by-Step: Build an Agent on AWS Bedrock

From Oversight to Override: Enforcing AI Safety Through Infrastructure

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: GenAI, Generative AI Security, InsecureGenAI, saas


Nov 05 2024

How can ISO 27001 help SaaS companies?

Category: Information Security,ISO 27kdisc7 @ 12:13 pm

ISO 27001 certification is essential for SaaS companies to ensure data protection and strengthen customer trust by securing their cloud environments. As SaaS providers often handle sensitive customer data, ISO 27001 offers a structured approach to manage security risks, covering areas such as access control, encryption, and operational security. This certification not only boosts credibility but also aligns with regulatory standards, enhancing competitive advantage.

The implementation process involves defining an Information Security Management System (ISMS) tailored to the company’s operations, identifying risks, and applying suitable security controls. Although achieving certification can be challenging, particularly for smaller businesses, ISO 27001’s framework helps SaaS companies standardize security practices and demonstrate compliance.

To maintain certification, SaaS providers must continuously monitor, audit, and update their ISMS to address emerging threats. Regular internal and external audits assess compliance and ensure the ISMS’s effectiveness in a constantly evolving security landscape. By following ISO 27001’s guidance, SaaS companies gain a proactive approach to security and data privacy, making them more resilient against breaches and other cybersecurity risks.

Moreover, ISO 27001 certification can be a decisive factor for clients evaluating SaaS providers, as it shows commitment to security and regulatory compliance. For many SaaS businesses, certification can streamline client acquisition and retention by addressing data privacy concerns proactively.

Ultimately, ISO 27001 provides SaaS companies with a competitive edge, instilling confidence in clients and partners. This certification reflects a company’s dedication to safeguarding customer data, thereby contributing to long-term growth and stability in the competitive SaaS market. For more information, you can visit the full article here.

Need expert guidance? Book a free 30-minute consultation with a ISO27k expert.

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: iso 27001, saas


Apr 02 2009

Cloud computing and security

Category: Cloud computingDISC @ 5:55 pm
File:Cloud comp architettura.png

https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

“Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

Three categories of cloud computing technologies:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Possible risks involved in cloud computing
Complete data segregation
Complete mediation
Separation of duties
Regulatory compliance (SOX, HIPAA, NIST, PCI)
User Access
Physical Location of data
Availability of data
Recovery of data
Investigative & forensic support
Viability and longevity of the provider
Economy of mechanism

Continue reading “Cloud computing and security”




Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services