Secure Managed File Transfer Helps Strike a Balance Between AI Use and Data Protection

By Bryan Clark

The proliferation of artificial intelligence (AI) in enterprise IT environments has created a security conundrum for many organizations, putting proprietary and regulated data at risk of exposure as some programs gain access to sensitive data stores used for training models. One recent example involves the data contractor Mercor, which suffered a data breach that could have compromised trade secrets for Meta.

According to the technology journal Wired, “An attacker known as TeamPCP appears to have recently compromised two versions of the AI API tool LiteLLM. The breach exposed companies and services that incorporate LiteLLM and installed the tainted updates. There could be thousands of victims, including other major AI companies, but the breach at Mercor illustrates the sensitivity of the compromised data.”

LLMs and Information Supply Chain Security

LiteLLM is an open-source tool that enables users to access large language models (LLMs) from providers such as OpenAI and Anthropic. Those LLMs contain vast amounts of data used to train algorithms to perform certain tasks. Specialized algorithms may require specialized data sets, and sometimes that data may include sensitive information. A data breach in an AI information supply chain could affect both the integrity of the data and the reliability of an algorithm’s output.

As these risks become evident through the exploitation of emerging vulnerabilities, some organizations are considering going back to the future and joining the move toward protecting information through data repatriation. That means moving their most sensitive data and applications out of the cloud and into on-premises resources where they can only be accessed internally, and where such access is tightly controlled. We are seeing this happen with organizations that operate in industry segments like government, defense, financial services, and critical infrastructure where national security is at risk, but industries like healthcare and manufacturing are joining the movement to protect patient safety and privacy, and to safeguard intellectual property.

MFT Goes Back to the Future for AI Data Protection

I say this is a move back to the future because, in the era before hyperconnectivity, it was not unusual for organizations to operate under the Purdue Enterprise Reference Architecture (PERA) security model, commonly known simply as the Purdue Model. This approach allows front-office or administrative systems to be connected to the public internet while isolating (air-gapping) critical operations, such as a networked manufacturing line, from any direct connection to endpoints outside the firewall.

The Purdue Model fell out of favor because of the cost and productivity gains achieved by automating processes such as operational analytics, inventory control, supply chain distribution, and maintenance. But as cyberattacks like ransomware became more sophisticated and widespread, the value of those efficiency gains diminished. Now organizations are seeking ways to strike a balance, and they are finding that a good managed file transfer platform can be part of that solution.

When organizations reconfigure their networks to isolate data from public-facing assets, they require the means to securely and efficiently move data between resources. Diplomat MFT Enterprise is already being used for this purpose by several of our customers, who deploy Diplomat MFT on one side of the gap in tandem with the Diplomat Remote Agent on the other side to transfer files between resources. Because Diplomat MFT can be configured to follow strict rules, including conditions that can trigger workflows, files can move efficiently between resources in compliance with the organization’s security policies.

The Problem with Shadow AI in Healthcare and Critical Infrastructure

Healthcare organizations, already struggling with managing security across complex information supply chains, are among those trying to strike a balance between AI integration and security. A recent Healthtech Security article outlined the challenges associated with the rising use of “shadow AI” in healthcare as autonomous AI-assisted tools grow in use, accessing protected health information (PHI) without proper governance. One security executive described a typical scenario where “employees may deploy open-source LLMs within enterprise cloud environments, use AI code assistants without oversight or upload confidential patient data to public generative AI platforms. These actions not only bypass security controls but also expose organizations to data leakage, model misuse and regulatory violations.”

As enterprises in healthcare, defense, financial services, and critical infrastructure wrestle with the urge to maximize the value of their data to spark innovation and improve outcomes, they are finding that an approach like the Purdue Model that still allows for accessing and training algorithms on sensitive data in a safe environment is possible without suffering prohibitive complexity. Diplomat MFT can do this because of its security-first architecture. In the same manner that data is transferred securely between the enterprise and its information supply chain partners, data can move securely between front-office resources and those isolated via the Purdue Model. The principles are the same, and our track record of rock-solid security—more than twenty years of breach-free operations—speaks for itself.

MFT and the Purdue Model for Security and Innovation

At a time when enterprises are seeking ways to explore the value of AI as a tool for achieving greater innovation, efficiency, and productivity, the Purdue Model is gaining popularity. Organizations that want to maximize the value of their proprietary data stores for training AI algorithms based on data that is unique to their operation without violating customer confidentiality, personal privacy, or other associated regulations must take care to keep that data separate from resources accessible via the public internet. Informed by incidents such as the Mercor breach, these organizations are moving their high-value data sets from the cloud and other public-facing resources into on-premises data centers and data warehouses where the AI algorithms can be accessed for training internally.

Managed file transfer solutions can play a role in making that data accessible while maintaining its integrity. Diplomat MFT is gaining traction for such applications because of the rich set of security, usability, and reporting features it boasts, including:

  • Automated PGP encryption management
  • Custom permissions synchronized via LDAP integration
  • MFT process data capture for compliance audit reporting and troubleshooting
  • Automated data capture and one-click reporting
  • Data flow mapping and one-click reporting
  • Authorized recipient/destination confirmation
  • Workflow testing validation in dry run mode prior to launch
  • Threat intelligence
  • Robust scheduler with virtually unlimited concurrent job capacity
  • Notifications to communication channels of choice (email, text, Slack, Teams, etc.)
  • No-code OneDrive, SharePoint, and other cloud service transfer automation
  • U.S. based customer and technical support from MFT experts
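The following script is an added illustration of the pattern described above (a transfer agent sitting on the boundary between an isolated zone and front-office resources, releasing files only when a policy rule permits it) and of the destination confirmation, dry-run validation, and audit data capture listed among the features. It is not Diplomat MFT code and does not use any Diplomat API; the zone names, the rules, and the sample files are constructed for the example, and the default is to deny any zone pair without an explicit rule.

```python
"""Policy gate for moving files across a Purdue-style zone boundary.

Added illustration, not Diplomat MFT code. Zone names, rules, and file
contents are constructed for this example.
"""
import hashlib
import json
import shutil
from dataclasses import dataclass
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed zone map: a lower level means deeper inside the isolated perimeter.
ZONE_LEVEL = {"isolated-core": 0, "training-enclave": 1, "front-office": 4}


@dataclass(frozen=True)
class TransferRule:
    source_zone: str
    dest_zone: str
    allowed_suffixes: frozenset
    max_bytes: int


# Constructed policy: raw exports may flow inward into the enclave; only JSON
# summaries may leave it. No rule exists for the core, so nothing reaches it.
RULES = (
    TransferRule("front-office", "training-enclave",
                 frozenset({".csv", ".parquet"}), 512 * 1024 * 1024),
    TransferRule("training-enclave", "front-office",
                 frozenset({".json"}), 64 * 1024 * 1024),
)


def find_rule(source_zone, dest_zone):
    """Return the rule for this zone pair, or None (default deny)."""
    for rule in RULES:
        if rule.source_zone == source_zone and rule.dest_zone == dest_zone:
            return rule
    return None


def sha256_of(path):
    """Hash the payload in chunks so the audit record proves what moved."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate_transfer(path, source_zone, dest_zone, dry_run=False):
    """Build an audit record; the decision is 'allow' only if every check passes."""
    reasons = []
    if source_zone not in ZONE_LEVEL or dest_zone not in ZONE_LEVEL:
        reasons.append("unknown zone")
    rule = find_rule(source_zone, dest_zone)
    if rule is None:
        reasons.append(f"no rule permits {source_zone} -> {dest_zone}")
    else:
        if path.suffix.lower() not in rule.allowed_suffixes:
            reasons.append(f"suffix {path.suffix!r} not allowed on this path")
        size = path.stat().st_size
        if size > rule.max_bytes:
            reasons.append(f"size {size} exceeds limit {rule.max_bytes}")
    direction = "unknown"
    if source_zone in ZONE_LEVEL and dest_zone in ZONE_LEVEL:
        # Outbound means moving toward the public-facing side of the boundary.
        direction = "outbound" if ZONE_LEVEL[dest_zone] > ZONE_LEVEL[source_zone] else "inbound"
    return {
        "file": path.name,
        "sha256": sha256_of(path),
        "source_zone": source_zone,
        "dest_zone": dest_zone,
        "direction": direction,
        "dry_run": dry_run,
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
    }


def release(path, source_zone, dest_zone, dest_dir, dry_run=False):
    """Evaluate the request, then copy only on a real (non-dry-run) allow."""
    record = evaluate_transfer(path, source_zone, dest_zone, dry_run)
    if record["decision"] == "allow" and not dry_run:
        dest_dir.mkdir(parents=True, exist_ok=True)
        target = dest_dir / path.name
        shutil.copy2(path, target)
        record["delivered_to"] = str(target)
    return record


def demo():
    """Run four constructed requests and return their audit records."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "outbox"
        src.mkdir()
        (src / "claims.csv").write_text("id,amount\n1,42\n")          # constructed
        (src / "weights.bin").write_bytes(b"\x00" * 1024)             # constructed
        (src / "summary.json").write_text(json.dumps({"rows": 2}))   # constructed
        dest = root / "inbox"
        return [
            release(src / "claims.csv", "front-office", "training-enclave", dest),
            release(src / "weights.bin", "training-enclave", "front-office", dest),
            release(src / "summary.json", "training-enclave", "isolated-core", dest),
            release(src / "summary.json", "training-enclave", "front-office", dest, dry_run=True),
        ]


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Every request produces an audit record with the payload hash, direction, and the reasons for a denial, whether or not anything moved, which is the data a compliance reviewer needs when reconstructing what crossed the boundary. The dry-run path exercises the same checks as a live transfer but never copies, so a new rule set can be validated against real file names before it goes into production.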

Closing AI Training Security Gaps with Managed File Transfer

If you’re currently using AI in your information supply chain, exploring ways to adopt artificial intelligence, and have concerns about closing security gaps like data leakage and keeping proprietary training data secure, you should talk to one of our managed file transfer experts. They can discuss how other customers are approaching challenges like data repatriation in tandem with the Purdue Enterprise Reference Architecture and explore whether this might be the approach you are looking for and how a secure managed file transfer solution can move your data securely and reliably between resources.

We believe Diplomat MFT from Coviant Software is an ideal choice in that role and encourage you to contact us with your questions, or to arrange a demonstration.
