VYPR advisory · Published Jun 9, 2026 · 1 source

Starburst CISO Outlines Strategy for Securing AI Agents in Federated Query Environments

Starburst CISO Paras Malhotra discusses treating AI agents as service accounts to enhance security in federated query systems, focusing on layered access controls and robust audit trails.

Starburst CISO Paras Malhotra has detailed the company's approach to securing federated query environments, emphasizing the critical need to treat AI agents with the same rigor as service accounts. In an interview with Help Net Security, Malhotra explained how Starburst implements layered access controls that operate above native source permissions, ensuring that security policies are consistently enforced across diverse data systems.

This layered strategy is crucial for federated query engines, which must reconcile Starburst's own Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) with the unique access models of each underlying data source, such as S3, Snowflake, and various relational databases. By enforcing policies at the query engine layer before any query reaches a source system, Starburst ensures that even if a source system has permissive settings, a query must still pass Starburst's evaluation. Conversely, a query blocked by Starburst's policies never even reaches the source, effectively creating a robust, unified security perimeter.

Malhotra also addressed the challenge of managing vendor risk, particularly with over 200 partners and connectors. Starburst employs a tiered approach, subjecting high-risk vendors with deep integration or data processing capabilities to thorough reviews including SOC 2 Type II reports, penetration test results, and Data Processing Agreement (DPA) analysis. Lower-risk vendors undergo a lighter assessment and annual recertification, a pragmatic strategy to manage a sprawling ecosystem of dependencies.

Security for connectors, which are essentially code executing within the query path, receives specialized attention. Starburst focuses on scanning connector code for vulnerabilities, ensuring secure credential handling, configuring appropriate access controls, and verifying data encryption in transit. This proactive stance aims to mitigate risks inherent in code that can access multiple data systems simultaneously.

A significant focus of the discussion was on building reliable audit trails for autonomous AI agents, a complex challenge in attributing actions when multiple entities are involved. Starburst logs every query generated by its AI system, AIDA, at the query engine layer. This log includes the original natural language prompt, the generated SQL, the user identity, the data scope, and the execution outcome, creating an independent forensic trail.

To combat prompt injection, a primary threat vector for AI agents, Starburst employs a multi-layered defense strategy. Crucially, AIDA's generated SQL is always subject to the query engine's access control, meaning the AI model itself cannot grant permissions. Furthermore, AIDA's context is restricted to the specific data products a user is already authorized to access, limiting the potential attack surface. Input and output guardrails, including prompt injection detection and topic restrictions, add further layers of defense.

Malhotra highlighted that the AI model is deliberately kept separate from the authorization layer, a key architectural decision to maintain control. By enforcing access at the query engine, scoping the AI's context, and implementing robust guardrails, Starburst aims to manage the inherent risks associated with AI agents querying sensitive data environments.
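The three controls the article attributes to Starburst (policy evaluation at the engine layer before any query reaches a source, an agent whose generated SQL carries no permissions of its own and whose context is pre-scoped to authorized data products, and an audit record that ties prompt, SQL, user, scope and outcome together) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Starburst or AIDA code: the policy table, the principal names, the catalog.schema.table identifiers and the regex-based table extraction are all constructed assumptions standing in for a real parsed query plan.

```python
"""Toy federated query gate: engine-layer RBAC/ABAC, pre-scoped agent context, and a
per-query audit record. Constructed example; nothing here is Starburst's implementation."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    attributes: dict


@dataclass
class AuditRecord:
    prompt: str     # natural-language request that produced the SQL
    sql: str        # SQL the agent generated
    user: str       # identity the query ran as (never the agent's own)
    scope: list     # fully-qualified tables the SQL touched
    outcome: str    # "executed" or "denied"


# Constructed policy table (assumption): allowed roles per table plus an optional
# attribute condition that stands in for an ABAC rule.
POLICY = {
    "s3.sales.orders": {"roles": {"analyst"}, "attributes": {}},
    "snowflake.hr.salaries": {"roles": {"hr"}, "attributes": {"region": "EU"}},
}

# Naive extraction of catalog.schema.table names after FROM/JOIN. A real engine would
# take this from the parsed plan; the regex is only enough to drive the demo.
TABLE_RE = re.compile(
    r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*\.[A-Za-z_]\w*\.[A-Za-z_]\w*)", re.IGNORECASE
)


def tables_referenced(sql: str) -> list:
    return sorted({m.lower() for m in TABLE_RE.findall(sql)})


def evaluate(principal: Principal, sql: str):
    """Engine-layer check. Default deny: unknown tables or an empty scope never pass."""
    scope = tables_referenced(sql)
    if not scope:
        return False, scope
    for table in scope:
        rule = POLICY.get(table)
        if rule is None or not (principal.roles & rule["roles"]):
            return False, scope
        if any(principal.attributes.get(k) != v for k, v in rule["attributes"].items()):
            return False, scope
    return True, scope


def agent_context(principal: Principal) -> list:
    """Tables the agent is allowed to see while generating SQL: only those the user is
    already authorized for. Scoping happens before generation, the gate after it."""
    return [t for t in POLICY if evaluate(principal, f"SELECT 1 FROM {t}")[0]]


class FederatedGate:
    def __init__(self):
        self.audit = []
        self.dispatched = []  # stand-in for queries actually forwarded to a source

    def submit(self, principal: Principal, prompt: str, sql: str) -> str:
        """Evaluate policy, forward only if allowed, and always write an audit record.
        The source's own permissions are never consulted for a denied query."""
        allowed, scope = evaluate(principal, sql)
        outcome = "executed" if allowed else "denied"
        if allowed:
            self.dispatched.append(sql)
        self.audit.append(AuditRecord(prompt, sql, principal.name, scope, outcome))
        return outcome


def demo():
    gate = FederatedGate()
    analyst = Principal("alice", frozenset({"analyst"}), {"region": "EU"})
    hr_us = Principal("bob", frozenset({"hr"}), {"region": "US"})
    hr_eu = Principal("carol", frozenset({"hr"}), {"region": "EU"})
    # Ordinary request within the user's scope.
    r1 = gate.submit(analyst, "How many orders last month?",
                     "SELECT count(*) FROM s3.sales.orders")
    # Generated SQL that reaches outside the user's scope, e.g. after a prompt steered
    # the agent off-topic; the agent itself grants nothing, so the gate denies it.
    r2 = gate.submit(analyst, "(constructed off-topic prompt)",
                     "SELECT * FROM snowflake.hr.salaries")
    # Same table, right role, wrong attribute (ABAC) versus right attribute.
    r3 = gate.submit(hr_us, "Show salaries", "SELECT * FROM snowflake.hr.salaries")
    r4 = gate.submit(hr_eu, "Show salaries", "SELECT * FROM snowflake.hr.salaries")
    return gate, (r1, r2, r3, r4)


if __name__ == "__main__":
    g, results = demo()
    print(results)
    for rec in g.audit:
        print(rec)
```

The point to notice is that `FederatedGate.submit` writes an audit record on every path, including denials, and that the agent's only influence on authorization is the identity it runs as: the same SQL text is allowed or refused purely on the principal's roles and attributes.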

Synthesized by Vypr AI