Ensuring Data Integrity in the Age of AI: How State and Local Governments Can Protect Their Data

Varonis Field CTO Brian Vecci chats about enhancing digital integrity for state and local governments in the age of AI.
Brian Vecci
Last updated April 11, 2024

Varonis Field CTO Brian Vecci sat down with StateTech to chat about enhancing digital integrity for state and local governments. Read the summary below or view the entire interview here.

Suppose you were to rank the components of the CIA triad — confidentiality, availability, and integrity.  

The first component has traditionally been confidentiality, followed by availability. If you don’t get those two right, you’re at risk of ransomware; somebody gets access to something they're not supposed to, denies access, and requires payment to give it back.  

Integrity has typically been at the bottom of this list because the thought process is if you achieve confidentiality and availability, you don’t need to worry so much about integrity. 

Generative AI and large language models (LLMs) are changing that. Suddenly, even if everything’s 100% locked down (spoiler alert: nothing is) and even if you're monitoring everything well (spoiler alert: nobody is), the potential exists for a threat actor to get in and toy with the integrity of data. 

As integrity becomes more of a priority, state and local government entities must know what data they have and where it’s located. They need to know how it's being used and why, where and how it's exposed, and ensure the best detective, preventive, and corrective controls are in place.  

Data is always the target

Twenty years ago, every government or organization had a couple of file servers inside a building offsite somewhere. But we don't live in that world anymore — everyone has data on-premises now. They have data in the cloud and file systems with databases everywhere. SaaS applications store data in public, private, and hybrid environments.  

But no matter the location, the target for threat actors is always data.  

You don't know how bad actors are going to get in. Maybe they'll phish one of your users, give somebody a USB key in the parking lot, break into your supply chain, or identify a vulnerability you haven't patched yet.  

And while you don't know how someone's getting in, you know where they're going. Nobody breaks into a bank to steal the pens — they're after the money. If somebody gets access to an environment — either your data center, a cloud environment, or a combination — they're going after your data. 

Because tools, processes, and applications are deeply interconnected these days, what data you have and where it is becomes a big question you must answer. When you're worried about data integrity, just finding what data you have is a challenge.  

Let's say you identify where all the critical information is. Now, you're also worried about confidentiality and availability because that's how you're going to protect integrity. You need to discover data and you need to discover all of it.  

Facing the unknown 

Discovery and inventory are critical. We ask CISOs, “What are your priorities? What are your biggest challenges?” and we hear the same answer.  

It’s not that they’re worried about ransomware, insider threats, or nation-state actors. They're concerned about what they don't know — the unknown unknowns. So, when discussing data integrity, you must ask yourself, “What data do I need to be worried about?” 

Unfortunately, state and local governments often lag behind private enterprises because there is a different level of investment in security and privacy due to budget restrictions; these are big problems that require investments to solve. So often, government entities face a lot more of these unknown unknowns.  

The relationship between data quality and integrity 

Traditionally, data integrity and quality were applied to enterprise application databases, and nobody worried about data integrity for file systems. In those days, enterprise data, ERP system data, and HR data did not live in file systems. But these days, data is everywhere. 

And without data integrity, you can't have data quality.  

Data quality standards are related to specific factors of accuracy and completeness. You may collect a data set, and from an integrity standpoint, the data you have is what you collected — no one has altered it, but it might not be complete. It might not be valid or it might not have anything to do with what you need. It might not be consistent, it might not be timely, and it might be stale. All these qualitative factors make up data quality. 

However, if a threat actor has manipulated your data, it still might meet your data quality standards, but the data integrity is no longer there. If your data integrity is affected, that might affect your data quality. Your integrity might be intact, but your quality might not be, and vice versa. 

Automation is a necessity

Some agencies still try to mitigate risk by relying on team members alone. But these problems are impossible to solve manually.  

We need technology to address big technology, or rather, modern problems require modern solutions. No enterprise can hire enough people to solve these problems on their own. These problems require automated solutions — automation is key.  

All of this relates to data governance. Today, governance is about building automation on top of all the visibility we’ve discussed.  

If you don't know what you've got and where it's exposed, you can't govern it. If you're not monitoring how it's used, you can't govern it because you can't automate anything. Automation has become a critical part of governance in ways never seen before. 

More data, more problems 

When it comes to gen AI, every organization is at the beginning of its journey; there are a lot of unknowns. Although we haven’t yet seen data integrity attacks that take advantage of organizations leveraging LLMs and generative AI on big data sets, the potential is certainly there. 

Thanks to generative AI and LLMs, we live in a different world than we did a year ago. Looking back even further, we have so much more data than we used to. These problems are bigger and harder to solve than they've ever been. Every security issue, whether it's integrity, confidentiality, or availability, is related to data. 

Varonis continuously discovers and classifies critical data, removes exposures, and detects threats with AI-powered automation. Only Varonis performs data-centric UEBA to detect and stop threats with minimal false positives and provides you with an incident response analyst to proactively watch your data and resolve alerts on your behalf. 
