At Cybersixgill, our highest priority is to protect the privacy and security of our customers' assets. Keeping our clients' sensitive data safe is one reason why we never share customer asset information with anyone, including OpenAI. Any generative AI processes that involve external services, such as OpenAI's GPT/ChatGPT, use various methods to protect the confidentiality of our customers. These methods include masking sensitive data and local processing, ensuring that your data is secure with us.
As we enter the new age of AI, we continue to implement our solutions with a security-first approach. We take legal and ethical implications seriously and are taking measures to ensure the privacy and security of our customers and their data are upheld.
How Cybersixgill leverages generative AI without compromising customer safety
Generative AI is a promising field with exciting potential for cybersecurity. However, it is still an emerging technology, and we have already seen some risks involved with relying on third-party vendors like OpenAI to handle sensitive customer information. Cybersixgill our customers’ data security, safety, and privacy top of mind, and we have implemented many measures to ensure your data security and privacy:
Most importantly, we do not share your assets with anyone, including OpenAI. IQ allows you to ask questions about threats to your organization, taking into account your assets, but all this is done using local processing and without being sent to external services. It's critical to emphasize that Cybersixgill does not send your private data, such as assets, to openAI/ChatGPT.
To enable AI-driven chat with organizational context while ensuring customer data safety, we have developed a mechanism that separates the prompt sent to openAI from the internal analysis of the organization's context. First, IQ queries OpenAI for a general answer to the question (e.g., "What are the MoveIT CVEs?") without including customer context (assets). Then, we run an internal Cybersixgill service on our servers to analyze and match IQ’s response with your assets (e.g. whether you have any of the MoveIT CVEs in your assets). All of this occurs within our local environment, maintaining the highest security standards.
We have further taken the following protective measures:
We have signed a Data Processing Addendum (DPA) with OpenAI to safeguard our data and intellectual property (IP).
Minimizing Data Transfer: As a principle, we only transfer the bare minimum of data needed. By employing efficient data reduction strategies and smartly using local resources, we ensure that only the most essential, non-sensitive information is shared.
Masking Sensitive Data: We use a data masking process before sharing data with OpenAI or any other third party. Utilizing this approach, we replace the actual data with randomized characters or other data ‘noise’ to ensure that the structure of the data remains intact for analysis. At the same time, the sensitive information in the data set is well-secured.
Sending Metadata Only: In some scenarios, we only send metadata to OpenAI. Metadata is the 'data about the data' – it doesn't include the actual content but contains details about it. An excellent example of this is our leaked credentials module: The module's data is stored in a “table”, and instead of sending all the data, we only send the column names (metadata) to OpenAI. We then receive code from OpenAI, which is run locally on our machines. This way, we can extract the necessary information without exposing sensitive credential information to the external party.
Using Differential Privacy: This is a technique where we publicly share information about a dataset by describing group patterns within the dataset while withholding individual-specific information. This way, individual privacy risk is mathematically bounded, even amidst external information.
Local Processing: We always prioritize local data processing to limit the amount of data transferred over the Internet. We may have to extract features from the data, convert it into lower-dimensional representations, or use local models to anonymize it before it's sent to OpenAI.
Developing Our Proprietary Models: To further tighten our data security measures, we build our own proprietary machine learning models. These models train on our sensitive data, but they do so on our secure servers. Using our own servers guarantees that we maintain control and ownership of the data and the insights we derive from it.
The protection of sensitive customer data is a paramount objective at Cybersixgill. The measures we've put in place not only safeguard the privacy and security of our data but also ensure the responsible and efficient use of AI technology.
Last Updated: October, 2023