Why The Legacy Tool Landscape Falls Short For GenAI

Secure adoption of AI tools is an imperative. The legacy landscape is unfortunately not well suited for the challenge. In Part II of our AI Series, we break down the legacy options for protecting data and discuss their strengths and weaknesses.

Jackson Harrower
Chief of Staff at Riscosity
Published on 2/21/2025. 5 min read.

For our introduction to the challenge, please see Part I.

DSPM

Examples: Cyera, CrowdStrike, Rubrik, Proofpoint

Strengths: Data Security Posture Management (DSPM) providers are excellent for classifying and tagging data at rest in cloud environments, including identifying different categories of PII.

Weakness: DSPM solutions fall short when data is actually put to work. They cannot identify or govern data in motion, for example, data being shared with ChatGPT or data being fed to an internal model. While a handful of tools with native integrations may be able to leverage the tags provided by DSPM, most cannot use this information.

CASB/SASE

Examples: Zscaler, Netskope, McAfee

Strengths: Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE) providers are powerful tools for managing network access and monitoring data leaving endpoints like laptops.

Weakness: CASB/SASE providers lack the ability to effectively protect data going to AI tools via cloud environments. Their agent-based solutions are poorly suited to environments where servers are constantly being spun up and spun down. They also lack context about which data each application should or should not be able to access, which limits their ability to implement effective data governance even at the endpoint.

APIsec

Examples: Traceable, Salt, Akamai

Strengths: API Security (APIsec) tools are important for the protection of first-party APIs, which can be vulnerable to attacks like DDoS and code injection.

Weakness: APIsec tools are not built to monitor or protect the data being shared with third parties via API connections. In the case of almost all GenAI tools, the organization will be sharing data with a third-party API. API security tools will also not be able to monitor any outbound traffic via other protocols like FTP/SFTP.

AppSec

Examples: Snyk, Veracode, Semgrep

Strengths: Application Security (AppSec) tools are highly useful for checking code for vulnerabilities. For example, they will point out if outdated or insecure libraries are being used.

Weakness: AppSec tools are not built to protect data at runtime. They do not have the ability to monitor (let alone protect) the data being shared with AI tools.

GRC

Examples: OneTrust, Archer, AuditBoard

Strengths: GRC (Governance, Risk and Compliance) tools are useful for managing documents and agreements. They also provide strong questionnaire management capabilities.

Weakness: GRC tools do not have the ability to monitor (or protect) what is actually being shared with AI tools or other third parties. They only provide a system for logging and organizing what third parties claim to be accessing and their associated policies.

The legacy tool landscape, while important, is not built to handle data in the age of GenAI. Stay tuned for Part III of our AI Series, in which we will explain how modern Data Flow Posture Management (DFPM) platforms provide the necessary security and governance for data in motion without slowing down AI adoption.