In this episode of the *AI Cybersecurity Podcast*, Caleb and Ashish sat down with Vijay Bolina, Chief Information Security Officer at Google DeepMind, to explore the evolving world of AI security. Vijay shared his unique perspective on the intersection of machine learning and cybersecurity, explaining how organizations like Google DeepMind are building robust, secure AI systems. We dive into critical topics such as AI native security, the privacy risks posed by foundation models, and the complex challenges of protecting sensitive user data in the era of generative AI. Vijay also sheds light on the importance of embedding trust and safety measures directly into AI models, and how enterprises can safeguard their AI systems.
Questions asked:
00:00 Introduction
01:39 A bit about Vijay
03:32 DeepMind and Gemini
04:38 Training data for models
06:27 Who can build an AI Foundation Model?
08:14 What is AI Native Security?
12:09 Does the response time change for AI Security?
17:03 What should enterprise security teams be thinking about?
20:54 Shared fate with Cloud Service Providers for AI
25:53 Final Thoughts and Predictions
Caleb Sima: [00:00:00] I just love how the people who work on this thing are like I've never heard of that, but this is what I think of. Yeah. And now it's gonna be a thing, right?
Vijay Bolina: I think the complexity in that question is, what is the foundation model? And I think, depending on who you ask, that may be a different answer.
Ashish Rajan: We're still doing the same security that we were doing before, but we don't have the, how relaxed we were about data in the past, and how relaxed we have been about data all these years. People have data classification models, but never applied it. You can't do that with AI
Caleb Sima: functional model. My prediction is that will still not change.
Ashish Rajan: Do you know a company named Google DeepMind? They have been working on building functional models on which Google Gemini and all the other products that are being created in Google for AI, a lot of them are created on the functional models that are being created by DeepMind. We had Vijay Bolina from DeepMind who came and spoke about the security challenges, what they do in the product side, how they support the product side, what can enterprise look at when they're trying to secure their own functional models, or things that they're building themselves, because we are at that stage where a lot of organizations in the private sector have also started [00:01:00] considering making their own functional model.
If you're also thinking, what is AI Native Security, then you may find your answer in this episode as well. All that, and a lot more in this episode with Vijay Bolina on the AI Cybersecurity Podcast. If you know any enterprise that's working on functional model or wants to know the security around functional model for AI.
This is definitely the episode with them. Please do share this with them as well. And if you're here for the second or third time, I would really appreciate if you're watching this on YouTube and LinkedIn, definitely give a subscribe and follow, but if you are listening to some iTunes or Spotify, please give us a five star rating.
It definitely helps spread the word that AI Cybersecurity Podcast is here providing value to other cybersecurity leaders and CISOs on how to tackle cybersecurity in this AI world. I hope you enjoyed this episode with Vijay and I'll talk to you soon. Peace. Welcome to AI Cybersecurity Podcast.
Maybe to start off with, if you can tell us a bit about yourself, what your current role is, and we can start from there.
Vijay Bolina: I am the Chief Information Security Officer at Google DeepMind which is a bit of a misnomer. Internally, my title is the Director of AI Security and Head of Cybersecurity Research.
The role is interesting. It's not like your traditional CISO role. I partner very closely with the broader Google [00:02:00] security team which is very capable across more traditional aspects of enterprise security platform and infrastructure security and these types of things. And so the nuance about this role is that everything that we do is on Google technical infrastructure and in Google data centers.
And so I get the luxury of benefiting for world class security in many ways. And so what I spend a lot of my time doing is optimizing for security and privacy aspects of the machine learning systems that we are building at Google DeepMind. And so a lot of research that is specific to the limitations that these models may have and then reasoning about the types of mitigations and controls that we should be building to ensure that they're quite robust and the many deployment settings that we see these models getting deployed across the organization.
On the cybersecurity part, I also spent quite a bit of time working with some of the world's best experts in security across Google to figure out how we can [00:03:00] leverage the state of the art technology that we're building to help solve hard problems in cybersecurity. So that's pretty exciting. Everybody's trying to do this right now.
And Google historically actually has been investing in machine learning and has been applying machine learning methods across various security problems for the last 10 plus years, actually, with this new class of technology generative AI, there's a lot of interest on what these models can do natively.
And maybe the types of things that we could expect them to do in the near future as we develop certain capabilities on top of what we have right now.
Caleb Sima: How closely associated is DeepMind with Gemini and all of the things that we see as consumers?
Vijay Bolina: DeepMind is the group that is building the Gemini class for family and models.
Caleb Sima: Yeah.
Vijay Bolina: So we have a very large group that is focused explicitly on developing AI models. And so we wrap that under the banner of Gemini.
Caleb Sima: I've always wondered obviously the way, at least my understanding of these models are is, you're [00:04:00] creating this, One large model or, even some sort of mixture of experts, kinds of models.
But generally speaking, you have some base set of training data that gets created with these models. But you guys have like a pretty interesting challenge, which is you've got massive amounts of personal data that as consumers or customers, even enterprises, we want to be able to use with things like Gemini.
So then how do you do this effectively in a way that works? Do you have to train models specifically for each enterprise or each account? Is it just using things like vector database? How does that sort of work for the customer?
Vijay Bolina: You're right. Google is a very diverse business.
There's an assortment of product areas as we call them that are all seeking to leverage Gemini or already are. Google DeepMind focuses on building the foundation models while the downstream PAs are reasoning about the types of data that they may want to fine tune on as example to optimize for [00:05:00] their specific domain.
So whether it's maps or search or chat, or YouTube and an assortment of these things, what data makes sense for that specific domain varies, right? And the appropriate data mixture that is required to be optimal for any one of those product areas varies as well. Google DeepMind provides those foundation models and we partner with these product areas closely to ensure that if there is an optimal setting where we can include certain data into pre-training to be then included in the foundational model, we will do that, do some experimentation and determine if that's the right setting or if that makes sense. There's no perfect formula; depending on the deployment setting, it can vary, right? So it really just depends on the deployment setting and the types of features or capabilities the product area may want to surface to the consumers that are using those product areas.
Caleb Sima: You're like, hey, you focus on creating the base image and whatever these guys decide to do with that base [00:06:00] image is up to them at the end of the day. Like a container. I'm in charge of the base container image. You guys can apply whatever libraries you want.
But at the end of the day this is what I am focused on.
Vijay Bolina: Yeah, we try to optimize against a pretty standard set of benchmarks that are being used across industry to reason about and measure how good, a foundation model may be in any one specific area. And and then it's really up to, the product areas to figure out what makes sense for their respective set of users.
Ashish Rajan: Now that I understand that you're primarily, you focus on the foundational model. I'm also curious obviously I started the conversation by talking about AI Native Security and what your thoughts are, but I'm also curious in terms of maybe starting off with what do you think is AI Native Security?
And then we can go into a bit more about what are concerns people have with foundational model security. Is it right that foundational models are only being made by CSPs? Like you can't imagine like a bank or mining company, or even if they have the largest budget in the world, would they be able to create a foundational model at this present time?
Vijay Bolina: I think the complexity in that [00:07:00] question is what is the foundation model? And I think depending on who you ask, that may be a different answer. The ability to train large capable models, let's say, is quite accessible. Of course there's constraints around compute and things like this and quality data and access to quality data and maybe nuances around the architecture as well. So I think the democratization of this class of technology is aggressively being pursued by large and small organizations, public and private sector, and across the world, which is a great thing, right? Depending on, again, where the technology will be applied, there's some ways to do certain things better.
And so I do think that it's beyond just cloud service providers it's the job of CSPs to really ensure that the broad customer base that they may be servicing has access to the relevant model for the relevant problem. Or the services to [00:08:00] build on top of the relevant models that may be appropriate for their business use case as well too.
Which may not be done by foundational models that are private, could be open source models too. It could be bring your own model type of setting as well. Other question was?
Ashish Rajan: AI Native Security.
Vijay Bolina: AI Native Security. It could be the algorithmic protections that a model may natively have or be built with to be robust against, some adversarial setting.
The other way to maybe look at it is potentially in the applied side of the model. What are the capabilities that this model may have from a security standpoint that can be useful right out of the box? Those are the kind of the two big buckets and it's actually a lot of what I focus on is more the security and privacy limitations of this model and the current architectures and the ones that we're exploring And how do we develop robust methods to ensure that when deployed they'll be able to handle certain adversarial settings and others and what are the base capabilities that we want to explore that can be useful for folks in [00:09:00] cybersecurity as an example, maybe.
Ashish Rajan: So in my mind, it's not like when cloud started, people were talking about what is truly cloud native and cloud security.
I feel like we're at that point in asking questions about what is AI native security from that perspective. I don't think anyone really has a definite answer. Yeah. It's like our versions of it.
Caleb Sima: And I just think we just need more buzzwords and phrases.
Ashish Rajan: Yeah
Caleb Sima: No, but talking about buzzwords, like, how would you what does come to you?
I just learned how the people who work on this thing are like, I've never heard of that, but this is what I think of. Yeah. And now it's gonna be a thing, right? Like now it's gonna be a something.
Ashish Rajan: I think that's gonna be a clip that's cut out and be like, what is,
Caleb Sima: what we're gonna do is we're gonna walk around RSA and someone who've heard it like last, we're gonna see like banners that say AI Native Security change the slide, change the slide.
Like how do you what comes to your mind?
I'm very much with Vijay. The first thing that I thought of actually was, there's two buckets. There's like security built into the model itself. Yeah. And what does that look like? So for example. When he was saying the things that come to my mind is, okay, when you're training a model and you're fine tuning these [00:10:00] models, you're using things like RLHF and things to put in safety, put in these kinds of aspects.
You're gearing the model towards some protective methods, right? The first thing I thought of is it's safety, trust and safety, privacy, right? Where if I take a model that is untrained from that, it can talk about how to make nuclear warheads or do all sorts of things that are like, versus AI Native Security around that, can be that. The second thing I thought of was also, oh, these are things like, oh, your cloud provider who hosts your model or Anthropic's, Google's, OpenAI's are going to have a set of safety security mechanisms already built into the way that they deliver and service that model, right?
That's the other thing I thought of.
Vijay Bolina: I think there's a lot of attention on the privacy aspects of these models and AI Native Security kind of bleeds into the privacy space. A lot of the excitement around this current class of technology is the usefulness that they will have at an individual [00:11:00] level being able to reason about your schedule, your messaging, your calendars, your email, where you go, where you sit. Waiting on Google to provide this.
I think a lot of organizations are thinking about this, right? There's a lot of energy that we spent at Google DeepMind in the privacy research space where it looked like these models have a propensity to memorize certain information and there are certain types of attacks that will be able to expose that private information.
And so what are some safeguards or privacy enhancing technologies that will preserve that private information in a robust way where an adversary would not be able to retrieve it in the event that they had access to the model, in a white box or black box setting. A really important problem is if we continue to go down the path where we're gonna optimise these models to be useful for us at a personal level, which I think is where everything is going beyond the enterprise.
There is a massive amount of disruption on the consumer side that I think will be had that we're just starting to see now, but privacy, [00:12:00] preserving technologies are going to be quite important for us to kind of reason about. And it's one of the main things that we try to focus on.
Ashish Rajan: AI Native Security. Yeah. I was also the way I'm leading with this is that when I heard that, I have similar thoughts to what you guys had, but I think the follow up to that to me was, wait, does that mean that as functional models are expected to have larger token, people to be able to handle large token and be able to process a lot more quickly, does that mean the expectation for the rate of change for how quickly we address a trust and safety or trust and privacy thing?
Would the expectation be a lot quicker? Like I'm not going to wait for, say, Amazon to wait for six months or one year before they may, oh, actually even I'll use a GitHub example. They made 2FA default for everyone across the board. And that took them, I don't know, six, seven, eight years or whatever.
Like you would not be able to do that for a functional model. Oh, I was a little bit of exposure. Let's wait for six months before we actually kick it off. I don't think they can. There would not be an opportunity for that because of that. it can [00:13:00] remember everything.
Vijay Bolina: Sure.
Ashish Rajan: It's been fed.
Do you guys think there would be like an expectation that people who are building the functional model would almost have to, the response time for these things would have to be, like, we're not talking about response time for it. At the moment we're talking about, hey, let's build the foundation on trust and safety so people feel safe to use it.
But then there's the other aspect of, if something does happen have we also considered that in our conversations yet?
Caleb Sima: I think that you're right where I don't think that changes much. Like I feel he's going to be the expert on this, but if you have these foundational models, they're going to continue to build these models.
They're going to build the trust and safety functions at which they deem is right for them and their organization and their perspective on it. And that may or may not meet your customized expectation of it. And so what you're going to have to do is either at some point, I'm taking predicting the future, there's going to be some way in which you can either apply, quote unquote, fine tune that kind of thing into your model, or what I think is more likely is what people are doing today, which is they [00:14:00] just take other smaller open models, and they do things, and they basically say, I'm going to take this model, have it look for the things that I care about, and then proxy the traffic and check it.
Basically okay, inbound traffic coming in, I'm going to take this model, which I can tune to the things that I find are my trust and safety issues and determine whether it matches. This is basically like a firewall. Yes or no. If it is passed on to the model, continue doing my output coming from the model.
Filter it is just look right to you. Yes, it does. No, it doesn't. Okay, let it go back. Like I think that's probably always going to be some case. I haven't seen anything in technology where I feel like these providers can keep up with the customized needs for everybody. But I don't know, what do you think?
Vijay Bolina: Yeah, I think in a consumer setting where Google has a large footprint we've always provided the users of all of our products to really have control of what information they share. And how it's being used across services, if at all. And I [00:15:00] think even with this class of technology, we're exploring different ways on what that experience should look like.
Should it just be a toggle switch in your Google account setting? Should you be able to communicate with the model and tell it to forget something that you just prompted it for? Unlearn certain information under certain contexts? Are there certain class of information that you should never expect the model to learn?
The natural language aspect of it. This class of technology will really kind of, change the expectations of this kind of toggle, accept, consent or providing consent type of approach that we had in the consumer space for such a long time to something that is a little bit more natural and that we engage with, other individuals in our lives, where we share a certain private information under certain settings in a world of Generative AI assistance as an example. What are those privacy preferences and what are those settings and what are the types of bits of information that you expect to be native [00:16:00] to the service that is providing this, interactive assistant that could have access to, a multitude of information.
And I think every consumer, everyone will have a different threshold, right? There's certain people who want to share all their search history. Because it helps optimize the algorithms to then show them the next best video. But some don't, right? And I think it's going to be interesting to see where the preference modeling and contextual privacy types of fields go with this class of technology, especially in the consumer and private setting.
Caleb Sima: I would love to know, some of the challenges that you have is you are protecting these models and types of protections that you need in order to do this because you're treating these models as your crown jewels, right? And I think we're really early in enterprises today around this.
Like people are still trying to figure out even how to implement these things. But when we think forward to the next, two to three years where, Hey, enterprises may are maybe building their own models that become their level of crown [00:17:00] jewels. Similarly, they're going to have to protect their foundational models.
What are the kinds of things that you're doing today that are would be interesting to start for these, enterprise security teams to start thinking about listen, today we hear the standards of the prompt injection things the, obviously filter clean your data pipeline, all those, we were talking yesterday a little bit about, Hey, some of the thought process on the models running an inference read only models.
I'd love to hear a little bit more of some of that, those thought on how you guys are thinking about it,
Vijay Bolina: I think generally at a high level at Google, we've been thinking about user data protection for many years. And a lot of the controls that we built over the past decade plus around protecting the world's user information translate quite nicely when it's other data that you need to protect, like models and or data sets and things that may be important or quote unquote crown jewels.
And so the nicety about the environment that I'm in is that we extend a lot of those controls and to the foundational [00:18:00] aspects of protecting our model weights as they are being, there's a lot that we consider, right? Google has always has thought deeply about user data protection for quite some time.
And there's a multitude of controls that we employ internally to protect very sensitive information. And we've started to extend those controls to our models and associated artifacts that we deem as crown jewels. Google historically has been spearheading the zero trust approach and everything that we do at Google uses those founding principles around zero trust and assuming there is no trusted internal user and the way that they may operate within that operating environment and the types of actions that they may take.
And but beyond that, beyond traditional and maybe zero trust architectures because that's what is often referenced, there's maybe even deeper controls on how to reason about where certain types of data can even reside within a data center, right? And maybe there's certain clusters where certain information cannot be transferred to.
And we have very [00:19:00] low level controls that will prevent certain types of I/O operations that could happen with certain types of class or certain types of data. And we have methods to be able to trace as an example where certain types of data could be copied to or could be accessed. On the serving and or training infrastructure side, compute is scarce.
So it's hard to say that we can, it's not impossible, but It wouldn't make too much sense right now with the current state of compute limitations on being able to say that only certain regions can access certain types of models because of maybe very specific types of control requirements that you may have depending on the customers and or the data that may be associated with the models as an example.
But we think about it from the chip to the model. Google develops its own chips for training. And so we are thinking a lot about what are the types of hardware controls that we want to employ to. be better about protecting certain classes [00:20:00] of information. And the types of data that they may need to access or operate on.
And this kind of bleeds into like broader conversations around trusted computing and confidential computing and what is optimal for large scale training, right? Because this is not a single CPU on a single machine doing a thing. This is, several thousand chips. Operating in concert to do a thing over long periods of time where reliability and performance is a super important.
And so we have to, balance these tradeoffs and it's not just our internal training and serving that we're thinking about, but it's also those of our cloud customers as well, which have shared infrastructure. And so there's a lot of considerations around how we think about protecting workloads, protecting our compute allocation the underlying models and weights and how they're being accessed and how they're being constrained for serving in certain settings.
Ashish Rajan: Would you say shared responsibility that was used in the I guess to your point about what can [00:21:00] enterprise be doing today, going back to the old AI native security for what's available in the functional model? What it needs to put on top of what you're putting into the functional model. The shared responsibility, quote unquote, as people have used in the cloud world for a long time, that, hey, Amazon.
Or
Vijay Bolina: shared fate.
Ashish Rajan: Or shared
Caleb Sima: fate. I love that one. I'm gonna take that. Yeah, the problem is the cloud provider doesn't take any of the actual fate. The actual customer breach that happens is
Ashish Rajan: the customer. I'm going with this. Cause I think that the shared fate for maybe we should do that for AI security can use the shared fate model.
And if we were to use that, then the enterprise still has to do what they've done in the past before, which is like understand that boundary between, if I'm using a model from Google, Amazon, whatever, versus if I'm going to decide to make my own versus, hey, what am I putting in here that I'm okay to put in here?
Because I think for a long time, people were even scared to put their PII into cloud as well. [00:22:00] And I imagine that would be, there will be a transition period for that in AI as well.
Vijay Bolina: The same problem, just different dimension where if you wanted to put consumer data, private information, protected health information into a cloud application natively, yeah.
To service your business, you have to reason about the compliance requirements and the risks associated with doing so. So it's not any different with building a model that is going to be served on some CSP platform. But, there are nuances around how that data can be used when it comes to this class of technology.
And there's a lot of kind of movement in the regulatory space about deciding what makes sense and what doesn't make sense, and how you should navigate that is going to be quite different depending on the setting, right? And what the compliance regime looks like for your respective business and associated data.
And the nuances of just, the right to forget is a hard problem when it comes to, building a model, right? That has been trained maybe over some time scale or [00:23:00] epoch to learn the preferences of some users. And if someone wants to just, remove their personal data from that model, that's a hard problem, right?
And so there is a lot of considerations just by the nature of the way that this technology is being deployed built and deployed that make it a little nuanced as well too. Yeah.
Ashish Rajan: But my final thoughts on this, I definitely feel there's a almost like the, what we did you GitHub GitLab version control thing.
I feel like to what you were saying earlier in terms of a toggle for a functional model should be able to forget, or is there a toggle for it to forget, go back to version 1 with the version you had PII a model. We've seen that with GitHub and other places where it's a SaaS service, functional model probably won't get to that point as well at some point.
Vijay Bolina: I think that's a good point. I think foundationally what a lot of organizations should make sure they have in place is, to be very concretely able to say what types of data went into my model [00:24:00] at what points, right? Because there will be scrutiny, there will be, certain scenarios where you're going to be able to you're going to want to be able to explain what type of information the model comprises of and what it was trained on, whether in pre training or otherwise, right?
Having some semblance of provenance and being able to reason about the types of data changes a model went through and the types of data that went into it, who made those changes and at what time they made those changes, and having a quick and very verbose set of audit logs and visibility to what built this model is going to be extremely important too, and
Caleb Sima: on that point, just as a point to enterprises who are just now deploying this thing.
I've asked a lot of people, what do they think? What happened when you push a model out to deployment and it starts quote unquote misbehaving? What do you do? And actually the answers are very vague and varied, and I just asked them, and this is so simplistic, but goes back to your point about versioning. I just asked, well, don't you just [00:25:00] keep a backup and then you just restore your backup model? And actually 50 to 60 percent of the people are like, oh yeah, that's probably a good idea.
We don't do that, right? And so it's interesting. Not a lot of people, even these basics that it's not even, it's not like a new thing. Yeah. It's Oh yeah, I think people are just like, they're not thinking
Vijay Bolina: blue green deployments, like similar constructs that are being explored or what makes sense when it comes to serving a model.
Just as we have been thinking about with immutable instances and redeploying and doing A/B testing or blue green deployments and then routing things appropriately. And I think people are figuring out the quality is massively important, right? If you have a model that is not meeting the quality mark or just completely degraded in performance for whatever reason, it's important to be able to route and direct your customers in the right way.
Ashish Rajan: So in a lot of ways, we're still doing the same security that we were doing before, but we don't have the, how relaxed [00:26:00] we were about data in the past, and how relaxed we have been about data all these years. People have data classification models, but never applied it. You can't do that with AI functional models.
That's how I feel. That's the conclusion of it.
Caleb Sima: My prediction is that will still not change. But, yeah. I have a very pessimistic final thought.
Vijay Bolina: I'm aligned with that comment as well, too, I think, generally speaking, I think. There's a lot to still figure out. I think this year is going to be exciting.
I think this year is going to be the adoption. At the enterprise and at the consumer level, there's a lot of exciting things that are happening in the space and especially at the frontier. Yeah. I think it's really important for our security community to embrace the technology in all of its glory and really firmly tinker and explore with it.
And, be part of the positive change that this technology is going to bring and support and build the trust, right? It's really our responsibility to make sure that we are instilling the trust around this new class of technology because that's what, historically, the security folk have been responsible for, [00:27:00] right?
That's my guidance for everybody.
Ashish Rajan: Thank you so much for sharing. Thanks a lot, Vijay. Yeah, no problem.
Vijay Bolina: Thanks guys. Thanks for having me.
Ashish Rajan: Thank you so much for listening to that episode of AI Cybersecurity Podcast. If you are wondering why aren't we covering all topics, because maybe the field is evolving too much. Too quickly, so we may not even know some of the topics we have not covered. If you know of a topic that we should cover on AI cybersecurity podcast or someone we should bring as a guest, definitely email us on info@cloudsecuritypodcast.tv, which reminds me, we have a sister podcast called cloud security podcast, where we talk about everything cloud security with leaders.
Similar to the AI cybersecurity conversation, we focus on cloud security specifically in the public cloud environment at cloudsecuritypodcast.tv, which if you find helpful, definitely check out www.cloudsecuritypodcast.tv. Otherwise, I will look forward to seeing you on the next episode of AI cybersecurity podcast.
Have a great one. Peace.