I had a chance to chat with Francis de Souza, COO of Google Cloud, at an event in Los Angeles. He shared some valuable insights about navigating security in the age of AI. He mentioned there is a transition phase ahead, leading us to a better future.
De Souza emphasized a crucial point: companies can’t treat security as an afterthought. As they dive into AI, they need to think about security from the start. “Security isn’t something you can just add later,” he stated. He also pointed out the issue of “shadow AI.” This happens when employees use consumer tools without proper oversight. Organizations must demand security, governance, and auditability from the beginning. “There’s no AI strategy without a data and security strategy,” he added.
Interestingly, he didn’t just focus on Google Cloud. He discussed the importance of a multicloud strategy. Many companies believe they are using a single cloud, but in reality, they often rely on various services and partners operating in different clouds. De Souza stressed the need for consistent security across these platforms.
The threat landscape has shifted dramatically. Research shows that the time between an initial breach and the next move in an attack has dropped from eight hours to just 22 seconds. Businesses must protect new elements like data pipelines and AI models. De Souza noted that old security measures can’t keep up. As AI agents navigate internal systems, they can uncover forgotten data repositories. “Organizations need to be vigilant about outdated server access that hasn’t been reviewed in years,” he warned.
To respond to these challenges, he proposes using AI-driven defense systems. Rather than relying solely on human-led security, organizations can now implement agents that oversee defense mechanisms. But this also means it’s a leadership issue, not just a tech problem—it requires board-level attention.
Unfortunately, there’s a skills gap in cybersecurity. Experts are in short supply, and the vulnerabilities AI brings are growing faster than teams can manage them. Lea Kissner, Chief Information Security Officer at LinkedIn, mentioned that we may not fully grasp AI security for years.
A few weeks ago, reports emerged about Google Cloud developers receiving unexpected, hefty bills due to unauthorized API use. Some developers were charged thousands of dollars after their API keys were compromised. Google temporarily refunded these charges but maintained its policy of automatic tier upgrades, prioritizing service over user-set budgets. This raises questions about user security and trust.
In a related finding, researchers discovered that even deleted API keys could still be used for up to 23 minutes after deletion. During this time, attackers can steal sensitive data. Google has newer credential formats that revoke more quickly, suggesting that this delay could be addressed.
While de Souza’s advice is sound, it’s important to recognize the gap between current security practices and the rapid evolution of threats and technologies. Businesses need to stay ahead of these changes to secure their operations effectively.