ml-secpol-platform-security-guidelines.md
Security Guidelines for Platform Requirements of ML Security Policy

For context, please refer to the earlier page before proceeding with this content.

| ID | Technique | Guidelines |
|----|-----------|------------|
| PS1 | Vulnerability scanning | 1. Regular Scanning: Schedule regular vulnerability scans of the entire AI/ML infrastructure using tools like Nessus, OpenVAS, or commercial solutions. Scan for vulnerabilities in operating systems, applications, and network configurations.<br>2. Penetration Testing: Conduct periodic penetration testing to simulate real-world attacks and identify security weaknesses. Engage third-party security experts to perform thorough assessments.<br>3. Remediation: Prioritize and address identified vulnerabilities based on their severity. Develop and implement a remediation plan to mitigate risks promptly.<br>4. Reporting: Maintain detailed reports of all scans and tests, documenting findings, remediation actions, and verification of fixes. Use these reports to improve the security posture continuously. |
| PS2 | Patch management | 1. Inventory Management: Maintain an inventory of all software and firmware components within the AI/ML infrastructure, including dependencies and third-party libraries.<br>2. Patch Identification: Subscribe to security bulletins and vulnerability databases (e.g., CVE, NVD) to stay informed about new patches and updates.<br>3. Patch Deployment: Establish a process for testing and deploying patches promptly. Use automated tools like WSUS, SCCM, or cloud-native services to streamline patch management.<br>4. Verification: After applying patches, verify that they were applied successfully and that systems operate as expected without introducing new issues. |
| PS3 | Access controls | 1. User Authentication: Implement strong user authentication mechanisms, such as password policies, multi-factor authentication (MFA), and single sign-on (SSO) solutions.<br>2. Role-Based Access Control (RBAC): Define and enforce RBAC policies so that users have access only to the resources their roles require. Use IAM tools to manage roles and permissions.<br>3. Least Privilege Principle: Apply the principle of least privilege to minimize access rights for users and processes. Regularly review and update access permissions.<br>4. Access Monitoring: Continuously monitor and log access to the infrastructure. Use a SIEM (Security Information and Event Management) system to detect and respond to unauthorized access attempts. |
| PS4 | Encryption | 1. Encryption in Transit: Use TLS to encrypt data transmitted over networks. Ensure all communication channels, including APIs, web interfaces, and internal services, use secure protocols.<br>2. Encryption at Rest: Implement full-disk encryption for storage devices and databases. Use encryption tools and libraries that comply with industry standards (e.g., AES-256).<br>3. Key Management: Use robust key management solutions to handle encryption keys securely. Implement key rotation policies and protect keys using hardware security modules (HSMs) or cloud key management services.<br>Reference: OWASP ASVS V9 Communication |
| PS5 | Network hardening | 1. Firewalls: Deploy firewalls to filter incoming and outgoing traffic based on predefined security rules. Use both perimeter and host-based firewalls to protect the infrastructure.<br>2. Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS to detect and prevent malicious activity. Regularly update IDS/IPS signatures and monitor alerts.<br>3. Network Segmentation: Segment the network to isolate critical components and limit the lateral movement of attackers. Use VLANs, subnets, and access control lists (ACLs) to enforce segmentation.<br>4. Regular Audits: Conduct regular network security audits to ensure that security configurations are effective and up to date. |
| PS6 | Hardware security | 1. Physical Security: Implement physical security measures such as secure access controls to data centers, surveillance systems, and tamper-evident seals on hardware.<br>2. Firmware Security: Ensure that firmware on hardware components, such as GPUs and TPUs, is up to date and sourced from trusted vendors. Apply firmware updates promptly to mitigate vulnerabilities.<br>3. Hardware Attestation: Use hardware attestation techniques to verify the integrity of hardware components. Leverage Trusted Platform Modules (TPMs) to enhance security.<br>4. Regular Inspections: Conduct regular inspections and audits of hardware to detect and respond to signs of tampering or physical attacks. |
| PS7 | Secure configuration | 1. Configuration Management: Use configuration management tools like Ansible, Puppet, or Chef to enforce secure configurations consistently across all systems.<br>2. Hardening Guides: Follow industry best practices and guidelines for system hardening, such as CIS benchmarks and NIST guidelines, to configure networks, systems, and applications securely.<br>3. Cloud Security: For cloud deployments, use cloud provider security services and follow best practices for secure configuration. Regularly review and update security groups, IAM policies, and other cloud security settings.<br>4. Continuous Compliance: Implement continuous compliance monitoring to ensure that systems remain securely configured. Use automated tools to detect and remediate configuration drift. |
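As an added example that is not part of this guideline page, the following script shows how the RBAC/least-privilege review of PS3 and the configuration-drift detection of PS7 can be automated: it compares the permissions actually bound to each user against a per-role baseline and produces the list of grants to revoke. The role names, permission strings, MFA rule and sample bindings are all constructed assumptions, not values from any real IAM system.

```python
from dataclasses import dataclass

# Constructed baseline (assumption): the maximum permission set each platform role may hold.
BASELINE = {
    "ml-engineer": {"model:read", "model:train", "dataset:read"},
    "ml-ops": {"model:read", "model:deploy", "cluster:read"},
    "auditor": {"model:read", "logs:read"},
}
MFA_REQUIRED_ROLES = {"ml-ops"}  # roles that can change production serving, so MFA is mandatory


@dataclass(frozen=True)
class Binding:
    user: str
    role: str
    permissions: frozenset  # permissions actually granted in the IAM system
    mfa_enabled: bool


def review_bindings(bindings):
    """Return one finding per deviation from the least-privilege baseline."""
    findings = []
    for b in bindings:
        allowed = BASELINE.get(b.role)
        if allowed is None:  # a role with no baseline cannot be reviewed: flag it
            findings.append({"user": b.user, "issue": "unknown-role", "detail": b.role})
            continue
        excess = sorted(b.permissions - allowed)  # granted, but not allowed for this role
        if excess:
            findings.append({"user": b.user, "issue": "excess-permission", "detail": excess})
        if b.role in MFA_REQUIRED_ROLES and not b.mfa_enabled:
            findings.append({"user": b.user, "issue": "mfa-missing", "detail": b.role})
    return findings


def remediation_plan(findings):
    """Map each user to the permissions that must be revoked to return to baseline."""
    plan = {}
    for f in findings:
        if f["issue"] == "excess-permission":
            plan.setdefault(f["user"], []).extend(f["detail"])
    return plan


# Constructed sample of current IAM bindings (what an export from the IAM system might contain).
SAMPLE_BINDINGS = [
    Binding("alice", "ml-engineer", frozenset({"model:read", "model:train", "dataset:read"}), True),
    Binding("bob", "ml-ops", frozenset({"model:read", "model:deploy", "cluster:read", "cluster:admin"}), False),
    Binding("carol", "contractor", frozenset({"model:read"}), True),
]
```

Running `review_bindings(SAMPLE_BINDINGS)` flags bob's extra `cluster:admin` grant and missing MFA, and carol's role that has no baseline; `remediation_plan` turns the excess grants into the revocation list a ticket or automation job would act on.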

Use ML security tools as applicable.
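The access-monitoring step of PS3 (detect and respond to unauthorized access attempts) is illustrated by the following added example, which is not part of this guideline page. It runs two SIEM-style rules over access logs of a model-serving API: repeated 401/403 responses from one user and source address inside a time window, and a successful request to a management endpoint by an identity that is not expected to use it. The log line format, endpoint paths, allow-list, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): one line per request to the model-serving API.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
ADMIN_PREFIX = "/v1/admin/"         # management endpoints (assumed path layout)
ADMIN_ALLOWLIST = {"ml-ops-admin"}  # identities expected to succeed on them
DENIED_THRESHOLD = 3                # this many 401/403 from one user+source ...
WINDOW = timedelta(minutes=5)       # ... within this window raises an alert

def parse_line(line):
    """Return an event dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev

def detect(lines):
    """Run both rules over the log lines in order and return the alerts raised."""
    alerts = []
    denied = defaultdict(list)  # (user, src) -> timestamps of recent 401/403 responses
    for ev in filter(None, map(parse_line, lines)):
        if ev["status"] in (401, 403):
            key = (ev["user"], ev["src"])
            recent = [t for t in denied[key] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
            denied[key] = recent  # drop denials that fell out of the window
            if len(recent) == DENIED_THRESHOLD:  # alert once, when the threshold is reached
                alerts.append({"rule": "repeated-denied", "user": ev["user"], "src": ev["src"]})
        elif (ev["status"] == 200 and ev["path"].startswith(ADMIN_PREFIX)
              and ev["user"] not in ADMIN_ALLOWLIST):
            alerts.append({"rule": "unexpected-admin-success", "user": ev["user"], "path": ev["path"]})
    return alerts

# Constructed sample log lines (not real traffic); the fourth line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice src=10.0.1.7 method=POST path=/v1/models/fraud:predict status=200
2024-05-01T10:00:05Z user=bob src=10.0.2.5 method=GET path=/v1/models/fraud/weights status=403
2024-05-01T10:01:10Z user=bob src=10.0.2.5 method=GET path=/v1/models/churn/weights status=403
this line is malformed and must be ignored
2024-05-01T10:02:30Z user=bob src=10.0.2.5 method=GET path=/v1/admin/models status=401
2024-05-01T10:03:00Z user=ml-ops-admin src=10.0.3.2 method=POST path=/v1/admin/models/reload status=200
2024-05-01T10:03:40Z user=svc-batch src=10.0.4.9 method=DELETE path=/v1/admin/models/fraud status=200
""".splitlines()
```

`detect(SAMPLE_LOG)` raises exactly two alerts: one for bob's third denial within five minutes and one for the service account that succeeded on an admin endpoint; alice's normal inference call and the allow-listed admin reload produce nothing.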