“Big Model” has a proven track record in security business


Recently, OWASP, an organization focused on web application security, released a Top 10 list of security risks for large language models, including prompt injection, training data poisoning, supply chain vulnerabilities, sensitive information disclosure, insecure plug-in design, and excessive permissions. Security risks such as these deserve the vigilance of every AI user.

At the start of the AI wave represented by ChatGPT, there were endless discussions about AI being a double-edged sword: AI "can help both good people and bad people." While it brings benefits such as higher efficiency and a better user experience, it also introduces more security risks. How to use AI and large models safely, compliantly, and responsibly has therefore become a key issue. It was also the key topic at the recently concluded Amazon Cloud Technology re:Inforce 2023 China station, held under the theme "AI Era, Leading Intelligent Cloud Security".

In the era of large models, security must still come first

IDC's survey shows that cybersecurity is the greatest concern of enterprise organizations during digital transformation. Security is the biggest obstacle facing C-suite digital initiatives around the world, and is therefore also a key item in top management's technology investment. In particular, the rapid development of the cloud computing market worldwide has greatly increased customer demand for IT security software and services.

[Photo: Dai Wen, Director of the Solution Architecture Department, Amazon Cloud Technology Greater China]

As a responsible cloud service provider, Amazon Cloud Technology hopes to continuously improve its security and compliance capabilities and standards, based on high-standard security concepts. Dai Wen, director of the solution architecture department of Amazon Cloud Technology Greater China, said: "From the initial construction of AI applications, we must make security a core link in the development of enterprise AI strategies. But where to start? What kind of system should we rely on? What about the security framework? This requires us not just to focus on the AI application itself, but to rationally and comprehensively examine the security specifications, technical strategies and platform tools of applications, models, data, infrastructure, etc. from a full-stack perspective."

Generative AI applications are like the tip of an iceberg exposed above the sea; if companies want to safely harness this new technology in their business, they must pay attention to the iceberg beneath the surface. For generative AI, we must pay attention to the security of data and models, because they are the key to building AI applications; at the same time, we must ensure application security, because it is the basis and prerequisite for realizing the value of AI; and although global compliance is a well-worn topic, it is also an indispensable part of AI applications.

Ensure data security throughout the life cycle

Data runs through the entire life cycle of generative AI. Data protection should therefore also be a closed loop with all-round, full coverage. Amazon Cloud Technology provides data governance across the entire cycle of generative AI: from the acquisition of data sources, to the storage and querying of data, to the transmission of data to the AI platform for model training, tuning, and inference, as well as comprehensive data classification and governance. Throughout this cycle, Amazon Cloud Technology provides a complete set of solutions, product services, and best practices, aiming to provide high-quality, highly reliable, and trustworthy data support for generative AI.

The first is data security in storage. Amazon Cloud Technology protects data at rest by implementing security key management, encrypting data at rest, enforcing access control, and using mechanisms to restrict data access. To ensure high data quality, Amazon Cloud Technology focuses on two aspects: preventing data leakage, and preventing data from being tampered with. To this end, Amazon Cloud Technology has launched a sensitive data protection solution that automates the discovery of corporate sensitive data and manages data assets on a unified platform. The solution lets customers create data catalogs, define sensitive data types using built-in or customized data identification rules, and automatically identify sensitive data using machine learning, pattern matching, and similar techniques; it also provides visualization panels to help users protect and manage sensitive data more easily.
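To make the "identification rules plus pattern matching" part of that description concrete, here is an added example written for this page; it is not Amazon Cloud Technology's sensitive data protection solution, and the rule names, patterns, and sample records are all constructed. It scans string fields of a small data set with a few identification rules, uses a Luhn check to avoid flagging arbitrary digit runs as card numbers, masks every hit before storing it, and summarizes the findings per rule the way a data catalog would.

```python
"""Rule-based sensitive-data discovery over constructed sample records.

Added example; this is not Amazon Cloud Technology's sensitive data
protection solution, only an illustration of the "identification rules plus
pattern matching" approach the article describes. The rule names, patterns
and records below are all constructed for this example.
"""
import re

# Constructed identification rules: rule name -> compiled pattern.
RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-16 digits, optionally separated by spaces or dashes; a match is only
    # reported if the digits also pass the Luhn check (see classify()).
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    # Mainland China mobile number shape: 11 digits starting with 13-19.
    "cn_mobile": re.compile(r"\b1[3-9]\d{9}\b"),
}

# Constructed sample data set; record 3 is a 13-digit order reference that
# looks like a card number but fails Luhn, so it must not be flagged.
RECORDS = [
    {"id": 1, "note": "Contact alice@example.com about the renewal"},
    {"id": 2, "note": "Card on file: 4111 1111 1111 1111"},
    {"id": 3, "note": "Order ref 1234567890123 shipped"},
    {"id": 4, "note": "Callback 13800138000 after 5pm"},
    {"id": 5, "note": "Nothing sensitive here"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be stored safely."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def classify(records: list[dict]) -> list[dict]:
    """Run every rule over every string field; return masked findings."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for rule, pattern in RULES.items():
                for m in pattern.finditer(value):
                    hit = m.group(0)
                    if rule == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", hit)):
                        continue  # card-like digit run with an invalid checksum
                    findings.append({"record": rec["id"], "field": field,
                                     "rule": rule, "value": mask(hit)})
    return findings


def build_catalog(records: list[dict]) -> dict[str, int]:
    """Summarise findings per rule, the kind of view a data catalog would show."""
    catalog: dict[str, int] = {}
    for f in classify(records):
        catalog[f["rule"]] = catalog.get(f["rule"], 0) + 1
    return catalog


if __name__ == "__main__":
    for f in classify(RECORDS):
        print(f)
    print(build_catalog(RECORDS))
```

Running the script lists one masked finding each for records 1, 2 and 4 and an empty result for records 3 and 5; the Luhn step is what keeps the order reference in record 3 out of the catalog. Real deployments would add rules per data type and feed the findings into access-control decisions rather than just printing them.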

Dai Wen specifically mentioned Amazon KMS, a foundational service already widely used by enterprise customers. It is based on a centralized key management strategy, is integrated with more than 140 services on the cloud, and uses different encryption algorithms in different countries and regions to ensure compliance.

The second is data security during transmission. Amazon Cloud Technology protects data in transit at multiple levels, including security key and certificate management, encryption in transit, automatic detection of unexpected data access, and authentication of network communications. According to Dai Wen, Amazon Cloud Technology has implemented application-layer encryption and transport protection across its entire infrastructure, covering data transmission between regions, transmission within and between VPCs, and the process of migrating to the cloud, using TLS 1.2+ with AES-256.

Finally, there is data security in use. Amazon Cloud Technology provides comprehensive protection for data in use through four aspects: identity authentication, isolation environment, multi-party collaboration, and data sharing.

Amazon Nitro, the foundational computing platform of Amazon Cloud Technology, must be mentioned here: its security features are deeply embedded in the entire virtualization platform. Amazon Nitro provides full support for encrypting local instance storage, down to bare-metal instances, and for encrypted transfers between instances. It is also a microcosm of the industry's success over the past decade in using hardware virtualization to improve both performance and security. Today, the security and performance of Amazon Nitro extend across all Amazon Cloud Technology services.

Forging large models requires hard work

With the emergence of all kinds of large models, the security protection of models entering the production environment after training has become more important. Just a few months ago, Amazon Cloud Technology launched Amazon Bedrock and a variety of generative AI services and functions for large models, with the goal of helping customers build and expand their own generative AI applications.

Amazon Bedrock connects to foundation models and provides an API so that users can build generative AI applications on large models without having to manage the underlying infrastructure. Amazon Bedrock also cooperates responsibly with selected partners such as AI21 Labs, Anthropic, and Stability AI. In addition, Cohere has appeared on Amazon Bedrock's latest partner list, making it easier for customers to find the most suitable and most capable foundation model more quickly.

"Use the organization's internal data to train the large model, and at the same time make a private copy of the large model. It is provided only to that customer and will not be shared with any other large model. Moreover, the training data exists only in the customer's account. Amazon Bedrock will not use any user's data to enhance our own models." Dai Wen said, "These measures ensure that enterprises no longer have to worry about data sovereignty and data protection when adopting large models."

In addition, Amazon Bedrock can make full use of the security functions provided by Amazon Cloud Technology, including Amazon KMS and Amazon IAM, which integrate with Amazon Bedrock. Once integrated, encryption, permission control, and logging of all actions can be managed properly. Amazon Bedrock itself also provides the Amazon Titan large models. Amazon Titan includes two foundation models: Titan Text, which performs text-based tasks, and Titan Embeddings, which can be used for personalized recommendation tasks.

Use AI responsibly

Application security is an important guarantee for realizing the value of AI. It has two main links: security in the development process, and security in operation.

Let's first look at security in the development process (DevSecOps). Drawing on its own experience, Amazon Cloud Technology applies AI protection across the entire software development life cycle, making development both more convenient and safer. To this end, Amazon Cloud Technology continues to enhance its AI development security capabilities and has launched the Amazon CodeWhisperer service, an AI programming assistant that uses embedded foundation models to generate code suggestions in real time from developer instructions. Through its built-in code security scanning, it can help developers find hard-to-detect vulnerabilities and make remediation recommendations. Another new service is Amazon CodeGuru Security, which scans code for vulnerabilities, can automatically detect vulnerabilities in CI/CD pipelines, and uses artificial intelligence and machine learning to reduce the false positive rate.

Next, let's look at operational security. Today, the zero trust model is widely accepted by users. Users need to manage permissions for the applications that access the large model, so that only applications with the specific permissions required can access or call the large model's APIs. So how does Amazon Cloud Technology help customers build their own zero trust environment?

First, establish a trustworthy network channel. Amazon Verified Access can build a network access verification system that does not require a VPN, using Amazon IAM or the customer's own user authentication system to complete authentication. Beyond user authentication, Amazon Verified Access also lets customers define their own access rules. In addition, Amazon Cloud Technology's latest service, Amazon Verified Permissions, provides fine-grained authorization and permission management for customer-built applications; customers can use it to manage role- and attribute-based access control for their applications.

Second, better network control must be achieved. Zero trust and network control are not an either/or choice; only the combination of the two achieves end-to-end application security, especially in the era of large models. For example, in network protection, Amazon Shield defends against DDoS attacks, Amazon WAF provides web application firewall support, and Amazon Firewall Manager makes it easy to manage firewall policies. In threat identification, Amazon GuardDuty uses artificial intelligence and machine learning to reduce the false positive rate of security incidents by 50%. It also provides initial detection and continuous analysis, uses machine learning to detect all threats, and gives intelligent recommendations for action.
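The "only applications with the specific permissions required can call the large model's APIs" point above is a least-privilege requirement that can be checked mechanically. The following is an added example written for this page, not code from Amazon Cloud Technology or from the article: a small linter that reads an IAM policy document and reports wildcard actions, wildcard resources, actions beyond model invocation, and resources outside the foundation-model ARN namespace. It assumes the AWS IAM conventions for Amazon Bedrock (the `bedrock:InvokeModel` action and the `arn:aws:bedrock:<region>::foundation-model/<model-id>` resource shape); both sample policies, including the model identifier, are constructed for illustration.

```python
"""Least-privilege check for an IAM policy attached to an application that
calls a hosted large-model API.

Added example; not code from Amazon Cloud Technology or from the article.
Assumptions: the action names and ARN shape follow the AWS IAM conventions
for Amazon Bedrock (``bedrock:InvokeModel``,
``arn:aws:bedrock:<region>::foundation-model/<model-id>``); both sample
policies below, including the model identifier, are constructed.
"""
import fnmatch
import json

# Actions an application that only *calls* a model should need. Anything
# else (model customisation, deletion, wildcards) is reported.
ALLOWED_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}

# Resource shape for a foundation model; anything outside it is reported.
MODEL_ARN_PATTERN = "arn:aws:bedrock:*::foundation-model/*"

# Constructed sample: the over-broad policy a team might write to "make it work".
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}],
})

# Constructed sample: one invocation action on one named model.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel"],
        "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-express-v1",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json: str) -> list[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} not needed to call a model")
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res:
                findings.append(f"statement {idx}: wildcard resource {res!r}")
            elif not fnmatch.fnmatchcase(res, MODEL_ARN_PATTERN):
                findings.append(f"statement {idx}: resource {res!r} is not a foundation-model ARN")
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the policy grants nothing beyond invoking named models."""
    return not policy_findings(policy_json)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(policy) or "OK")
```

Run as a script, the broad policy yields two findings (wildcard action and wildcard resource) while the scoped one passes. The same check fits naturally into a CI/CD step before a policy is deployed, which is where the DevSecOps and zero trust pieces of the article meet.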

"The emergence of large language models has accelerated the implementation of zero trust in enterprises." Dai Wen said, "Amazon Cloud Technology's zero trust system includes identity authentication, trusted networks, fine-grained permission management and auditing. Zero trust and network control are equally important, and in practice the two should be organically combined to ensure end-to-end application security for enterprises."

"We have always advocated the responsible use of AI." Dai Wen said, "Amazon Cloud Technology is committed to developing fair and accurate artificial intelligence and machine learning services, and to providing enterprise customers with the tools and guidance they need to build artificial intelligence and machine learning applications responsibly. We remain committed to the responsible use of AI."

"Compliance" prevails all over the world

With the widespread adoption of cloud computing, secure and compliant operation has become a basic prerequisite. According to incomplete statistics, more than 130 countries and regions have formulated and promulgated laws and regulations on data protection and privacy. With the rise of large models, the security challenges facing enterprise businesses have become more severe. Under such circumstances, it is even more important to hold the line on secure and compliant operation without relaxing it.

Amazon Cloud Technology has always attached great importance to compliance. It has obtained more than 140 security standards and compliance certifications around the world, and has applied AI technology to its security and compliance services: it can apply security controls to large-scale batch reviews, use AI to provide consistency judgments, and use AI/ML to automate reviews, comprehensively improving compliance efficiency. Statistics show that by using AI technology in more than 500 of its own compliance audit control items, Amazon Cloud Technology has saved 53% of audit time.

Amazon Cloud Technology is not only strict with itself, but also builds security synergy with its partners. For example, the Amazon Cloud Technology APN Partner Network provides hundreds of industry-leading security solutions that protect customer applications and data at multiple levels. Specifically, on the technology side, Amazon Cloud Technology provides network security, host security, application security, identity authentication, threat detection and event analysis, data governance, and secure automated operations and maintenance; on the consulting side, it provides solution recommendations, compliance advice, and comprehensive security consulting and compliance services.

Sow and you will reap. In the "2023 China Public Cloud Hosting Security Service Capability Report" released by IDC, Amazon Cloud Technology is one of the vendors that received the most perfect scores, and it is the only vendor that received full scores in the "ecological construction" evaluation dimension.

There is no doubt that the implementation of large models requires a more secure and compliant environment. "Security has always been Amazon Cloud Technology's top priority, and it is also our top priority." Dai Wen said, "We are willing to join hands with partners and customers to build a safe and intelligent future."


Origin blog.csdn.net/Bmo40mqfG249H/article/details/132867298