Security

This section is the umbrella for the platform's security architecture — the defense-in-depth model that runs across cloud platforms (AWS, Snowflake, Databricks), network perimeters (firewalls, fail2ban, WAF), and AI/ML inference paths (prompt-injection defense, confidential compute, audit-log integrity). Security here is treated as a system-design constraint, not a checklist: classification drives routing, identity gates every call, and every action is recorded in an append-only log that can be replayed during a compliance review.

The diagram below shows the seven layers of the model. Each layer is a control surface with its own primitives — the cloud-specific names appear inside each layer box. The subsections that follow link out to the per-platform deep dives and the two cross-cutting reference pages (OWASP Top 10 for LLMs and Zero-Trust AI Architecture) that span all platforms.

1. Defense-in-Depth Layered Model

Seven layers, top to bottom. Every inbound request crosses every layer; every outbound response carries audit evidence back through them. Misses at one layer should be caught at the next — that is the defense-in-depth invariant.

┌──────────────────────────────────────────────────────────────────────────────┐
│           1. EXTERNAL BOUNDARY  (Internet, Threats, Supply Chain)            │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────┐              │
│  │  Public    │  │  Threat    │  │   Model    │  │   OSS /    │              │
│  │  Internet  │  │  Actors    │  │  Providers │  │  Vendors   │              │
│  └────────────┘  └────────────┘  └────────────┘  └────────────┘              │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                2. NETWORK LAYER  (Perimeter & Edge Controls)                 │
│  ┌─────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────┐             │
│  │   WAF   │  │  Shield  │  │PrivateLnk│  │   VPC    │  │ fail │             │
│  │  /CDN   │  │ (DDoS)   │  │   /VPCe  │  │  /Subnet │  │ 2ban │             │
│  └─────────┘  └──────────┘  └──────────┘  └──────────┘  └──────┘             │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                  3. IDENTITY & ACCESS  (Who & What May Act)                  │
│  ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐  ┌──────────┐                │
│  │  IAM   │  │  SSO   │  │  MFA   │  │ RBAC / │  │ Service  │                │
│  │ Roles  │  │ /OIDC  │  │/WebAuth│  │  ABAC  │  │Principals│                │
│  └────────┘  └────────┘  └────────┘  └────────┘  └──────────┘                │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│              4. DATA PROTECTION  (At Rest, In Transit, In Use)               │
│  ┌──────────┐  ┌─────────┐  ┌──────────┐  ┌──────────┐  ┌─────┐              │
│  │  KMS /   │  │ TLS 1.3 │  │  Tokeniz │  │  Masking │  │ FPE │              │
│  │  CMK     │  │  mTLS   │  │   /Pseud │  │ /Redact  │  │ FF1 │              │
│  └──────────┘  └─────────┘  └──────────┘  └──────────┘  └─────┘              │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│              5. INFERENCE / TRUST BOUNDARY  (Model & Tool Use)               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌─────────────┐                   │
│  │  Prompt  │  │  Output  │  │  Tool    │  │ Confidential│                   │
│  │ Injectn  │  │  Filter  │  │ Allowlist│  │   Compute   │                   │
│  │ Defense  │  │ /Canary  │  │ /Sandbox │  │ (TDX/SEV)   │                   │
│  └──────────┘  └──────────┘  └──────────┘  └─────────────┘                   │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                6. DETECTION & AUDIT  (Telemetry & Forensics)                 │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌─────────┐  ┌────┐               │
│  │CloudTrail│  │GuardDuty │  │ Hash-    │  │  SIEM   │  │ DLP│               │
│  │ /Audit   │  │/Detective│  │ Chained  │  │ /Splunk │  │    │               │
│  │  Logs    │  │  /WAF    │  │   Logs   │  │ /Sumo   │  │    │               │
│  └──────────┘  └──────────┘  └──────────┘  └─────────┘  └────┘               │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│          7. GOVERNANCE & LIFECYCLE  (Policy, Compliance, Rotation)           │
│  ┌──────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────┐                │
│  │  Class.  │  │Residency│  │ Right-  │  │   Key   │  │ SBOM│                │
│  │  & Tier  │  │ Routing │  │  to-    │  │Rotation │  │ Sup │                │
│  │ Tagging  │  │ EU/US   │  │ Erasure │  │ /Rewrap │  │Chain│                │
│  └──────────┘  └─────────┘  └─────────┘  └─────────┘  └─────┘                │
└──────────────────────────────────────────────────────────────────────────────┘

How to read this diagram: each layer is an enforcement point that can stop a bad request on its own; the arrows represent the legitimate request path. A prompt-injection attempt that bypasses the network layer should still be caught at the inference / trust boundary. A leaked secret that bypasses identity should still be caught by anomaly detection in the audit layer.

2. AI / ML Security

Controls specific to LLM/RAG/document-intelligence workloads — the inference and trust-boundary layers from the diagram. See the dedicated landing page at Security / AI & ML.

• PII & Privileged-Content Redaction — ingest-time masking before any model sees the text.
• Prompt-Injection Defense for RAG — two-prompt pattern, fencing, tool allowlists.
• Confidential Computing for On-Prem Inference — TDX, SEV-SNP, attestation.
• Audit Log Integrity — hash-chained, append-only, externally notarized.
• Supply-Chain Security for Model Artifacts — SBOMs, cosign, runtime enforcement.

3. AWS Security

Cloud-platform controls for accounts running on AWS — identity, key management, audit, and detection.

• IAM — Identity & Access Management — roles, policies, permission boundaries, AssumeRole patterns.
• KMS — Key Management Service — CMKs, envelope encryption, grants, rotation.
• Secrets Manager — rotation, cross-account access, application integration.
• CloudTrail — account-wide API audit logging.
• AWS Config & Inspector — configuration drift and vulnerability scanning.

4. Snowflake Security

Snowflake-native controls — network policies, RBAC, dynamic masking, row-access policies, tag-based governance.

• Security / Snowflake — landing page for Snowflake-specific topics.

5. Databricks Security

Databricks-native controls — Unity Catalog, cluster policies, secret scopes, table ACLs, customer-managed keys.

• Security / Databricks — landing page for Databricks-specific topics.

6. Network & Firewall

Perimeter and edge controls — the network layer of the model. Brute-force mitigation, IP allowlists, intrusion prevention.

• Security / Firewall — landing page for network-layer controls.
• fail2ban — jail-based ban-on-fail for SSH, web, mail.

7. Cross-Cutting References

Two reference pages that span every cloud platform and apply across the entire defense-in-depth stack.

• OWASP Top 10 for LLM Applications — the canonical taxonomy of LLM-specific risks (LLM01 through LLM10), with attack scenarios, defenses, and a RAG-architecture map showing where each risk lives.
• Zero-Trust AI Architecture — zero-trust tenets (verify explicitly, least privilege, assume breach) applied to AI/ML systems: identity, network, data, workload, and continuous-verification planes.