Lasso Security sets a new standard in LLM security

To scale large language models (LLMs) to support long-term AI strategies, companies rely on Retrieval Augmented Generation (RAG) frameworks that require stronger contextual security to meet the sky-high demands for integration.

Protecting RAGs requires contextual intelligence

However, traditional RAG access control techniques are not designed to provide contextual control. RAG’s lack of native access control poses a significant security risk to businesses as it could allow unauthorized users to access sensitive information.

Role-Based Access Control (RBAC) lacks the flexibility to adapt to contextual requests, and Attribute-Based Access Control (ABAC) is known for limited scalability and higher maintenance costs. What is needed is a more contextually intelligent approach to protecting RAG frameworks that doesn’t hinder speed and scale.

Lasso Security recognized these limitations of LLMs early on and developed Context-Based Access Control (CBAC) in response to the challenges of improving contextual access. Lasso Security’s CBAC stands out for its innovative approach to dynamically evaluating the context of all access requests to an LLM. The company told VentureBeat that CBAC evaluates access, response, interaction, behavior, and data modification requests to ensure comprehensive security, prevent unauthorized access, and maintain high security standards in LLM and RAG frameworks. The goal is to ensure that only authorized users have access to specific information.

Contextual intelligence ensures that chatbots do not reveal sensitive information from LLMs, where sensitive information is at risk of being exposed.

“We try to base our solutions on context. The place where role-based access or attribute-based access fails is that it’s really looking at something very static, something that’s inherited from somewhere else, and something that’s not managed by design,” Ophir Dror, co-founder and CPO at Lasso Security, told VentureBeat in a recent interview.

“By focusing on the level of knowledge rather than patterns or attributes, CBAC ensures that only the right information reaches the right users, providing a level of precision and security that traditional methods cannot match,” says Dror. “This innovative approach allows organizations to leverage the full power of RAG while maintaining strict access controls, revolutionizing the way we manage and protect data,” he continued.

What is Retrieval-Augmented Generation (RAG)?

In 2020, researchers from Facebook AI Research, University College London and New York University wrote the article titled Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks, where Retrieval-Augmented Generation (RAG) is defined as: “We provision pre-trained, parametric memory generation models with non-parametric memory via a general fine-tuning approach we call retrieval-augmented generation (RAG). We build RAG models where the parametric memory is a pre-trained seq2seq transformer, and the non-parametric memory is a dense vector index from Wikipedia, accessed with a pre-trained neural retriever.”

“Retrieval-augmented generation (RAG) is a practical way to overcome the limitations of general-purpose large language models (LLMs) by making enterprise data and information available for LLM processing,” Gartner writes in their recent report, Getting started with Retrieval-Augmented Generation. The following image from Gartner explains how a RAG works:

Source: Gartner, Getting Started with Retrieval-Augmented Generation, May 8, 2024

How Lasso Security designed CBAC with RAG

“We built CBAC to work standalone or connected to our products. It can be integrated with Active Directory or used independently with minimal installation. This flexibility ensures that organizations can adopt CBAC without extensive changes to their LLM infrastructure,” said Dror.

While CBAC is designed as a standalone solution, Lasso Security has also designed it to integrate with its gen AI security suite, which provides protection for employee use of gen AI-based chatbots, applications, agents, dead assistants, and integrated models in production environments. Regardless of how you deploy LLMs, Lasso Security monitors every interaction involving data transfer to or from the LLM. It also quickly identifies any deviations or violations of organizational policies, ensuring a safe and compliant environment at all times.

Dror explained that CBAC is designed to continuously monitor and evaluate a wide variety of contextual signals to determine access control policies, so that only authorized users have access rights to specific information, even in documents and reports that contain both currently relevant and out-of-scope facts.

“There are many different heuristics that we use to determine whether it is an anomaly or a legitimate request. And also the reaction, we will look at both sides. But if you think about it, it really all comes down to whether this person should be asking this question and whether this person should be getting an answer to this question based on the variety of data this model is connected to.”

At the core of CBAC is a set of supervised machine learning (ML) algorithms that continuously learn and adapt based on the contextual insights gained from user behavior patterns and historical data. “The core of our approach is context. Who is the person? What is their role? Should they ask this question? Should they get this answer? By evaluating these factors, we prevent unauthorized access and ensure data security in LLM environments,” Dror told VentureBeat.

CBAC tackles security challenges

“We’re now seeing a lot of companies that have already gone a step further and built a RAG, including designing a RAG chatbot, and they’re now faced with the issues of who can ask what, who can see what, who can do what get,” Dror said.

Dror says the rapid adoption of RAG also makes the limitations of LLMs and the problems they cause more pressing. Hallucinations and the difficulty of training LLMs with new data have also been exposed, further illustrating how challenging it is to solve RAG’s consent problem. CBAC was invented to address these challenges and provide the necessary contextual insights so that a more dynamic approach to access control could be achieved.

With RAG being the cornerstone of organizations’ current and future LLM and broader AI strategies, contextual intelligence will prove to be a game-changer in how they are protected and scaled without impacting performance.