When the cost of failure is high, when lives could be at stake along with massive investment, how does one calculate verifiable outcomes? Artificial intelligence (AI) is all very well when dealing with probabilities, but sometimes only certainties are good enough.
This was the daily challenge facing Neha Rungta when she worked at Nasa as a research scientist during the last decade. The solution was a discipline of AI called automated reasoning, which uses logic to generate proofs automatically from a set of known facts. Rungta holds a PhD in the subject.
When she joined Amazon Web Services (AWS) as principal software engineer in 2017, she realised that automated reasoning had a wide range of applications, both in cybersecurity, to detect vulnerabilities and prevent attacks, and in software verification.
Having risen through the ranks since then to become director of applied science at the AWS Identity division, she intends to harness the power of automated reasoning and make it accessible to businesses of all sizes and technical backgrounds.
“It’s a technology that had traditionally been applied in aerospace industries and embedded systems,” she told us during the recent AWS Re:inforce cybersecurity conference in Los Angeles. “But it hadn’t ever been applied at the scale of web services, which is a running, breathing, organic thing.
“The difference is this: what you’d call generative AI or machine learning builds a model based on observations of past behaviours, and then makes a prediction. In contrast, automated reasoning relies on a specialised fact model. It produces verifiable outcomes without probabilities, offering an explainable and demonstrable approach to security.”
Rungta has developed innovative solutions, such as Amazon’s IAM Access Analyzer, where the goal was to turn access security into a one-click operation. This would make an advanced technical capability accessible to any business user.
“You don’t have to be an automated reasoning expert. You don’t need to be an AWS expert. You don’t even need to be a security expert to get all the benefits the product gives you with that underlying technology.”
Automated reasoning excels in identity management, the policies and technologies that ensure the right users have the appropriate access to resources in a business.
“It’s not just that someone should have access because he’s in the network. Today, businesses must consider multiple factors such as roles, devices, locations, and contextual information to ensure the right level of access.
“This has evolved. In the past, if you weren’t in your corporate network, that was enough protection against you; that was sufficient network perimeter. But Covid changed how companies work. They have an increasingly hybrid workforce, and it’s not just ‘he should have access because he’s in the network’. Now, if he needs to access an application, there has to be more information about who he is, what his role is in the company and, given his role, is there a need to access this application?”
And then, when those parameters change, the system employs automated reasoning to make a new decision.
“So you got access but, maybe three days later, you’re coming from an unknown location, from an untrusted IP address, so the system decides: ‘Let’s not give access to him.’ You’re not a static person anymore. Automated reasoning takes into account this dynamic nature of identity.”
This, she said, was the essence of the much-touted “zero trust” concept in security, which dictates that users and devices should not be trusted by default.
“The key is how to get it correct across environments. It has to be through an open ecosystem, where you have a common authorization: an authentication standard where things can flow between different services and partners.”
That is a complex ask, but automated reasoning will help to answer it.
* Arthur Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter at @art2gee