How to Secure AI Infrastructure & Data in JD Edwards – Complete Guide

Transcript:
[...0.2s]A lot of people overlook you. We talked about data retention. [...1.2s] If you've got really old data, this out there, whatever it is, [...0.5s] and [...1.1s] it it become, it can become a liability, [...0.8s] um, to your enterprise.So [...0.6s] if you don't need to have it, it's great to archive, find a solution to archive. You can keep it in your real time, but you don't need it as, as part of your life data set. Are you concerned about how securely your sensitive data is managed, especially when leveraging AI?Wondering if your business is truly protected against vulnerabilities and cyber threats [...0.5s] in today's critical episode. I'm joined by Brian Connor from ERP Suites, so outline essential strategies for encryption, security assessments and protecting your AI infrastructure against malicious attacks.Tune in. This episode will equip you with practical security measures to safeguard your business effectively. [...4.8s]Welcome to not your Grandpa's JD Edwards, the podcast dedicated to empowering your business with innovation and security in the digital age. I'm Nate Bushfield and today we're diving into the critical topic of securing sensitive data and protecting your AI infrastructure.Joining us is Brian Connor, [...0.6s] director of JDN Security [...1.1s] ERP Suites. How you doing, Brian? I am absolutely fantastic today, absolutely beautiful day out and [...0.9s] us to the weekend.Yeah, I know we got blast with this. It was raining all week and [...0.5s] luckily it's finally clear skies. I know myself I'm gonna get out and golf a little bit, [...0.7s] just a hobby of mine, maybe an expensive hobby some said, but [...0.6s] we'll get there.But can you tell our listeners a little bit about your background and what LED you into data security?Absolutely. So my background is in JD Edwards. I've been working with the [...0.8s] enterprise one, one world product for just about 30 years now the last 15 years of that I've been focused on the security and compliance side of it and that naturally leads into data security and compliance with cloud base security.So [...1.3s] going from the technical side into security and then it just a natural transition into cloud and data security with that [...0.9s] awesome, actually been in this space longer than I've been alive. So that's a great stat to start off of it, [...0.5s] right?Well, you know, you say not your grandpa's GDE, but, you know, [...0.9s] you have a lot of grandpa's on the podcast, so [...1.9s] it's a great way to look at it really.Yep, but all right, [...0.6s] enough joking around, let's get into it why everyone's here. So let's start off with why should businesses be concerned about data security when using AI? [...1.1s] Um, well, Nate, honestly, data is a life flood of your company.Without data, you don't have anything to sell or you don't have anybody to sell to. It's the primary target for cybercriminals, um, and their attempt to steal or encrypt or keep you from using it.So [...0.7s] really data security is one of your primary focuses or should be your primary focus [...0.6s] not just in the cloud and AI but with everything in your enterprise. [...1.7s]Yeah I mean, it's one of the funniest things that like when you're talking about a company, it all comes down to the data. It doesn't matter if they're, uh, retail shop, if they're an actual technology, technology shop, or if somewhere in between.It comes down to the data. How reliable is that? What can they make from there? But what risk are they potentially exposed to without a robust security measure?I think all the standard concerns are there, although they're somewhat lessened strictly speaking from a data perspective when you're using OCI [...1.2s] as your platform, because with OCI, what Oracle's done is data encryption is on by default. You can't turn it off.So that's a [...0.5s] wonderful thing [...1.3s] to have. That being said, if the criminals can't get your data, they'll go after identities and policies and try to compromise you that way.So [...2.3s] everything around your cloud environment needs to be secured [...1.1s] in order to make sure that you can stay in business and protect your reputation.Yeah, exactly. If, obviously, if you're looking at a company and their data is out there in the world, you might question, all right, is that safe for me to share my data with, or [...0.7s] are we gonna have issues down the road [...0.9s] by somewhat, like yeah, and at the end of the day, [...0.8s] normal person like me or even a company working with a company that [...0.5s] doesn't have reliable security.There's so many questions that come into place there of, can I trust you is the No.1 thing, and without trust in this business, what do you really have? Um, but [...1.0s] talking about those organizations, how can organizations recognize vulnerabilities or even security gaps in their current data in AI practices? [...1.1s] Um, I think there's always a concern for companies.You think you've done everything right, and then you find out too late that there were gaps.So to your, to your point, Nate, is how do you find them? Well, to avoid being caught out, you really wanna have continuous or regular security assessments being performed on your environments. You also need to set up guardrails, uh, around your implementation.This helps make sure that what you configured as security begin your AI journey is still secure six months or, or two years down the road. So [...0.5s] it it, it's a two pronged approach, which is [...0.7s] assess what you have, look for those gaps.The, the threat actors are constantly evolving, so you wanna make sure you understand what any potential vulnerabilities are, but you also wanna make sure that you're not shooting yourself in the foot by changing something inadvertently. [...1.5s]Very true, and I know we are peacefully, we have a security assessment that honestly, I've heard nothing but good reviews about. And [...0.5s] it's something as simple as that, as having maybe someone on the outside, maybe someone on the inside look at your data.Make sure that you know where your gaps are and where your most vulnerable. And then you can actually set up infrastructure to make sure you either fix those vulnerabilities or you can have someone to watch it [...0.6s] both ways.I mean yeah, that's the main thing, that's all you can really do, [...0.5s] but what are some of the implications for a company if like sensitive data is compromised? [...1.9s] You kind of touched on that earlier.Great question. We can, we can look at some of the high profile cases from the last few years. Target, [...0.6s] United Healthcare. You brought up the issue of trust if [...0.5s] data gets out encrypted, released out into the wild, out on the dark web, [...0.6s] do you trust that particular vendor, uh, with your information?Are you going to, you know, from the point of target, maybe you're not gonna do any more online shopping with them because you can't trust that your credit card information is secure with United Healthcare. Is your [...0.8s] medical information secure?Um you know, you have the immediate implications or the cost of remediation, recovery, reputational damage, longer term. You have client or patient data that's been exposed and can be used to compromise them directly or you through them.So lot of implications, uh, for sensitive data getting out there in the wild, [...0.6s] exactly.And it really does come down to the trust, and if your consumers aren't trusting you, they're probably not gonna stay with you. They might buy once, but it's a, [...0.5s] it's a great to quote, [...1.0s] to quote the great J Cole, fool me once, shame on you, fool me twice, can't put the blame on you.So most people, they don't, they don't get fooled twice. [...1.1s] So anyways, [...0.6s] anyways, enough, enough quoting J Cole, I don't even know if you know who J Cole is, but [...1.2s] I don't, and the quote a little different from what I remember, but it's the ideas, the same, the ideas [...0.6s] very much is [...0.5s] I'll send you, I'll send you what song I'm talking about later.But, [...0.8s] but anyways, [...0.5s] once vulnerabilities are identified, what are the first steps organizations should take to protect their AI infrastructure and even their sensitive data? [...1.2s] Um, I'm not sure who this quote is from, but, you know, the best defense is a good offense.So you wanna automate your detection and response of your vulnerabilities along with notifications to your security staff so they can follow up on it.Who we mentioned earlier, some of the assessments, [...0.6s] you've got logs in your cloud environment. You need to look at them, or you need to have the alerts and notification set up for some of those critical items to come directly to your security staff.But even more important than that is automating the response, having those, uh, detector recipes.Like OCI has to [...0.9s] automate some of those critical things [...0.6s] at the, at the speed of the machine versus waiting for an alert to be set to some staff that they can read it, recognize what it is, and figure out what to do. It's already been fixed, you know, within milliseconds of it happening. So, um, a good offense is, is the best way to, to keep yourself protected. [...1.1s]Yeah, and, I mean, I think it, I'm not sure he was the first one to say it, but Mike Didka will definitely comes to mind.Big Bears coach back in the day, and the only time they've ever really been good is when they have a good defense spoken from a true Bears fan over here. I can definitely understand why that would be very important.They [...1.0s] are my language, but they, they have a, I saw a tweet the other day of they [...0.5s] got a pope before they had a QB throw over 4,000 yards in the season.So well, I I, I don't think not to offend anybody from Chicago. I spent three years living in the Chicago area. [...1.1s] Don't hold your breath, wait for that 4,000 yard season. [...1.4s] Ouch, hey, Caleb Williams, he's got something. I don't know what it is, but he has something.Yeah uh, but [...1.3s] could you break down the rules and responsibilities between vendors and customers in maintaining effective data encryption?Absolutely, um, really, what it comes down to is the vendors are responsible for the encryption of the data, so making sure that that, that it's not readable, uh, in transit or rest were responsible for your secure communications.So all of that TLS 1, dot 2 or higher communication between endpoints within [...0.6s] the cloud environment and making sure that [...0.5s] the key management is done securely. Customers are responsible for data classification. So what is the data, what sensitive, what's not sensitive?Your data retention policies, [...0.5s] uh, various industries and various jurisdictions have different regulations around how long you have to keep your data, [...0.5s] um, your data compliance, so GDPR, Hippo or anything like that, you're responsible for making sure you comply with that information. Uh, also your audits and reviews of the data itself. [...1.1s]Yeah, and, yeah, obviously, like when you're talking about customers, when you're talking about the actual people that are going to be handling this data or set up the security or anything like that, it comes down to the one principle of [...1.4s] where's your infrastructure, are you set up for this? Are you ready for this? And you have to do your due diligence.If it is going through, then adhering to what the government is saying in terms of certain laws, certain practices that you should have in place.Or if it's just industry standard of [...0.5s] you should have this in place, you should have this, and [...0.6s] end of the day, [...0.5s] you have to protect your data, especially if it's sensitive.That's the main thing that we want everyone to get out of this. You got, and I think a lot of people overlook you. We talked about data retention. [...1.2s] If you've got really old data, this out there, whatever it is, [...0.5s] and [...1.1s] it it become, it can become a liability, [...0.5s] um, to your enterprise.So [...0.6s] if you don't need to have it, it's great to archive a, find a solution to archive. You can keep it in your real time, but you don't need it as, as part of your life data set.So, [...0.6s] yeah, but there's a lot outside of the encryption and Protection of the data that clients need to make sure they stay on top of and have [...0.7s] procedures and policies in place to control that. [...1.1s]Yeah, definitely. So [...0.5s] stick on the train a little bit. Why is boundary Protection and malicious code Protection critical for businesses leveraging AI technologies? [...1.5s] Um, [...0.8s] well, you know, back in the day [...0.7s] boundary Protection was a lot easier. You were on prem, you had a data center located in your building, you had firewalls.Everything came in through a single [...0.6s] point, um, into the building and then was distributed there. Nowadays, your boundary is very fluid.It's not necessarily, uh, contained within your building. You've got people [...0.5s] out there using cloud resources, uh, cloud based AI, all sorts of other things that are out there.So [...0.7s] it's becoming a lot more difficult to prove to one, to define the boundaries and to, to protect the boundaries to with a shift to new technology [...0.6s] and even with, you know, shadow I t, you know, there may be folks in your company that are using cloud based AI services or, or something that it doesn't know anything about. So your boundary kind of tends to shift a little bit with that. So obviously protecting that boundary becomes very critical.So how do you do that if you don't know where the boundary is? So [...0.6s] you really, you have to define the policies and the controls around how you access some of these things. So your identity and access management, your [...0.7s] security list, network security groups, those types of things.So it really doesn't matter [...0.9s] where [...0.7s] the users are trying to go. You've already set the policies and restrictions in place to make sure that they aren't able to do things that they shouldn't.But on the flip side, you're making sure that they can do what they need to do and do it efficiently and, and at speed. Yeah, and we actually had stew on to one of these podcasts a little bit ago, and we were talking about different cloud practices and what would be the best choice.Well, not really the best choice, but [...0.7s] given a little bit of examples of private versus public and maybe even a hybrid situation, and you're right, it really has changed [...1.1s] your thing and it's only gonna keep changing [...0.6s] even more and more as [...0.9s] the needs of the businesses change.Your people have ideas and they want implement them yesterday, so the cloud providers are working to [...0.6s] facilitate that and it teams, well, we have to keep up.Yeah, and it's a, it is a race, let me tell you, it's, it's a very interesting idea of how far the cloud has really come since even 10 years ago.I mean, the cloud practices weren't what they were at this point, and there's so many options and opportunities, [...0.5s] um, just gotta find the right one. That's really gonna keep your data protected. [...1.2s] But okay, let's talk a little bit more of examples, real world, uh, that type of thing.So can you share practical examples of how businesses have successfully implemented robust encryption and infrastructure security for AI, [...1.4s] ah, apps?Absolutely, so, [...0.9s] and again I, I, kind of lean more, more heavily towards OCI. We're an Oracle partner, so, uh, we work a lot with OCI, [...0.6s] um, and with that, it's actually pretty easy.So any instance of OCI [...0.5s] that has data, as we said at the beginning of podcast, the date is already encrypted, and you can't unencrypt it. So by default, [...0.7s] everything's already protected from your threat actors.When we implement AI for customers, we use concept that, that [...0.5s] is relatively common out there.Different vendors have different names for it be called landings of, so these are [...0.8s] pre defined [...0.5s] CIS certified secure deployments of the entire OCI Insta. So we basically, it's push button that we can create an instance in OCI that has everything you need for your JDE AI deployment.Um, [...1.0s] and we've already gotten to the granular level everywhere that is needed with the identity and access management with the Virtual Cloud network, with the network security groups, with the Cloud Guard, all of those things [...0.7s] are pre defined out of the box certified as being secure.So [...0.6s] how do you, how do you successfully implement, uh, encryption and infrastructure? Well, landing zones and, and using a vendor that has practice with doing that for customers? [...1.3s]Yeah, exactly. Um, but [...0.7s] how do, [...1.7s] let me think how I wanna phrase this. How, how do vulnerability scans and security assessments contribute to the ongoing Protection of an organization's data? [...1.9s] Well, vulnerabilities are changing every day, um, as we've mentioned in the AI Week.Yo, you look at what's known form of vulnerability or malware perspective and what you know today is not gonna be the same six hours from now, let alone tomorrow or next week. So [...0.6s] you want to have vulnerability scanning not just on, you know, [...0.8s] virus signature, but on [...0.6s] activity.So we do that on a continuous basis within the OCI instance, looking for any anomalous behavior, anomalous activity, [...0.6s] things that shouldn't be happening, uh, that may be trying to happen, uh, privilege escalation, any of those types of things.So that's the vulnerability scanning that's on a day to day [...0.5s] constant, uh, presence, always looking for something that shouldn't be there.And then your security assessments and the logging that goes with it to [...1.0s] look at, at any attempts that, that have happened and trying to identify, uh, patterns that you can then work through other configuration options to prevent from happening in the future. So [...0.9s] vulnerability is that constant day in, day out.And then the regular security assessments as we had mentioned, to look at [...1.2s] anything else that's going on and identify any risks [...0.7s] and make sure you mitigate them [...0.5s] exactly.And, [...0.8s] you know, sometimes there are businesses out there that people are a little bit too close to the data. Maybe [...1.0s] they don't under not that they don't understand, but maybe they're a little bit blinded by the fact that they do have some vulnerabilities here and there.That's where a security assessment can really step in from an outside source. They will look at it with a completely different point of view than somebody that's working with the data every single day. So it's definitely important to have, it's definitely important to have, I mean, why not?You know, day is very important. And as you said earlier today or earlier in this meeting, [...0.5s] and it's not just the data, it's the entire thing. You know, we talked about during AI Week, um, the denial service.So if they can't get to your data, they're gonna try to find some other way to leverage technology to get you to pay or pay money to them to release access to your system.So, [...0.8s] yeah, it's not just that theft of data, it's theft of reputation and theft of access to all of that for not just you but for your customers as well. Exactly can be very expensive not only on the bottom line, but in terms of [...0.7s] perception and your space in your industry.But could you elaborate on identity and Access Management Essentials and how they secure AI access, access, [...0.6s] you bet, so everything that we've talked about up to this point [...0.6s] depends on a very strong identity and access management implementation.So it's the foundation for everything in your cloud environment. If you get this wrong, you're just making ease, potentially making easier for the bad guys to compromise your instance.So you wanna use things like federated access control, so you're automatically [...0.7s] creating those accounts based on your Active Directory, whether it's Microsoft Active Directory Enter or some other solution for that. So you're not manually creating.So if somebody gets access to the instance, they're not gonna be able to manually create an identity in there to gain access to [...0.7s] things that they wanna have access to.You have granular security list, you have the policies, you have the network security groups everything around that, [...0.6s] that segregates the level of access. So as a security person, I would never have access to [...0.7s] the virtual cloud network. I can't do anything with that.I don't have access to create compute instances. I don't have access to create buckets or change of configuration of the buckets. Infrastructure team doesn't have access to come in and change policies on [...0.6s] who can do what in the identity [...0.7s] space within the instance as well.So [...0.5s] identity and access management really is foundational. And having that segregated with different profiles and different policies [...1.2s] is going to help keep you secure and help ensure that what you've defined as your controls stay your controls, [...0.9s] exactly. And obviously you want to be in control when it comes to your data.See bottom line. I know it is kind of funny to say because who doesn't want to be in control of their data, but it's something that maybe we take for granted in this new day and age of [...0.5s] like specifically for myself, do I worry about every single day where my data is?No, I don't. But I'm glad that I'm with companies that protect my data. And if they do use it, they haven't told me yet.So we'll find out. You'll find out. But once you find out if there's been a compromise, [...0.6s] I think the natural tendency isn't to reevaluate as you talked about earlier. Do I want my data to be there?Can I purge my data from their systems easily or is it become a very difficult [...0.5s] endeavor to go and remove my data from those services? So, you know, that comes down to data classification, everything associated with that. And, [...0.7s] yeah, we trust that our vendors are doing the right thing up front.Um, and if we find out that they aren't, you know, there's a lot of reevaluation that will go on. And, and some customers may stick with you, but you're likely going to have customers move on if [...1.3s] you don't treat them, um, the way they need to be treated with regards to their data and access [...0.7s] exactly.All right, if today's discussion has raised your awareness and your eager to strengthen your organization's security posture, reach out to ERP Suites.Connect with Brian Connor to schedule a security assessment and begin safeguarding your sensitive data effectively. Visit ERP suites. Com to learn more and take the first steps towards robust Protection. [...1.1s] But that's all for today's critical episode of not your Grandpa JD Edwards.A huge shout out to you, Brian. Thank you for sharing your insights. It's been incredible to have you on, especially since [...0.7s] for myself, I don't think about security every day, but it's always great to sit down with you and think a little bit more into that bind of yours.But if you found this episode valuable, please subscribe, leave us a review, share with your colleagues who are serious about protecting their sensitive data. But until next time, stay secure, stay vigilant, and keep improving. Catch you later. [...4.0s]