Written by Ian Swanson for Forbes
The adoption of DevSecOps has reshaped cybersecurity, but DevSecOps isn’t enough to keep all software safe. The addition of artificial intelligence (AI) and machine learning (ML), for example, has heaped new pressures on developers and enterprise cybersecurity teams.
Machine learning introduces new code, new data structures and different development practices than conventional software. The differences in the ML development lifecycle, coupled with the vast supply chain of foundational models and open-source ML components, introduce novel risks.
Building a safer AI-powered world starts with the acknowledgment that organizations must have complete visibility and auditability of their AI/ML to better secure it against threats.
By extending protections to MLOps practices, an enterprise can build better internal safeguards—and push these protections out to the supply chain. They can also better manage supply chain vulnerability assessments, ML system access controls, data usage and privacy, model security, model robustness testing and other critical tasks.
Indeed, MLSecOps combines the important aspects of DevSecOps and MLOps, and it also introduces ways to embed collaboration and control into the framework. To succeed with MLSecOps, it's crucial to connect AppSec with ML teams, establish consistent methodologies and policies with enforcement and support continuous integration and delivery across processes and workflows.
While it’s safe to say that MLSecOps is a cousin of DevSecOps, it also differs in important ways. MLSecOps application is inclusive of code, data, model artifacts and ML systems and tools. The goal is to inject security throughout the entire ML development lifecycle.
MLSecOps is comprised of five core domains, which together establish a highly effective risk framework.
AI applications rely on machine learning models, which are a new type of asset within your infrastructure. Much like a laptop, these models comprise distinct data, code and other file assets, each subject to specific policies and permissions for both the device and the user. This amalgamation of elements is commonly known as the model's "supply chain."
Similar to supply chains for regular software, AI applications can be susceptible to various exploits. These include data poisoning, extracting customers' personally identifiable information, executing malicious code and launching denial-of-service attacks on the infrastructure.
To bolster security, it is crucial to deploy model scanners, AI/ML threat feeds and purpose-built AI/ML security tools as part of your MLSecOps practices.
Transparency, accountability and trustworthiness aren’t buzzwords. The ability to identify the contents of a model, view its entire history and understand any and all changes—from development and deployment to public use—is essential.
A key piece of the puzzle is a Machine Learning Bill of Materials (MLBOM), which lists all materials and components residing in the system. An inability to identify the exact nature of a problem and fix it promptly could result in reputational damage, financial losses, fines and other penalties issued by regulators.
Data, algorithms and other ML content can wind up scattered across containers, clouds and other systems—without an organization realizing there’s a problem.
If any of the input used for an AI model involves personal data, the AI model and its applications are probably already directly subject to various government regulations like GDPR and the California Consumer Privacy Act. Therefore, it’s vital to ensure that the right data resides in the right place at the right time.
Furthermore, the EU AI Security Act, the Canadian AI and Data Act and, most recently, the White House Executive Order for AI safety, security and trustworthiness, mean there is an imminent and urgent need to manage regulatory risk in an organization's AI. It must evolve beyond a focus on conventional data management and establish methods for monitoring, testing and evaluating algorithms and entire ML models.
MLSecOps aids in spotting altered code and components, along with situations where the underlying integrity and compliance of an AI framework may come into question.
AI models should not operate as a black box. As responsible AI takes shape, systems must make equitable decisions without regard to race, gender, age and other personal characteristics. Models must also steer clear of ethical conflicts.
An MLBOM can help with this task. By knowing exactly what resides in a machine learning model, it’s possible to make AI explainable. MLSecOps can also ratchet up trust and transparency by linking various pieces of the ML framework: standards, training, security best practices and controls.
Understanding and defending against malicious attacks on machine learning models is also vital. These attacks can take many forms, such as manipulating input data to cause a model to make incorrect predictions or manipulating the model itself to reduce its accuracy or cause it to behave in unexpected ways.
Part of an MLSecOps framework is adversarial ML. The goal of adversarial ML is to develop techniques and strategies to detect and defend against these attacks and to improve the robustness and security of machine learning models and systems.
An organization that uses this approach can detect, mitigate and disarm attacks in real time. It can also tap generative models to create synthetic training data, incorporate adversarial examples in the training process and develop robust classifiers that handle noisy inputs.
As ML and AI gain momentum and emerge as must-have enterprise resources, MLSecOps is poised to reshape the way organizations approach the space. Like its predecessor, DevSecOps, it’s an incredibly powerful practice that enables enterprises to see, know and manage AI risk.