08 · ALLIANZ STRATEGIC BRIEF

Security and risks

Threat model (STRIDE), hub-spoke network topology, identity & access surface (including brokers), cache + PII strategy, AI-specific security (prompt injection, OWASP Top 10 for LLMs), audit trail and an 11-item risk register.

8 min read

SECURITY POSTURE

Defense in depth from identity through network to AI guardrails

The Phase 1 product operates in the Allianz Technology landing zone: hub-spoke network, central egress firewall, central observability. Our security layer on top adds an AI-specific layer (prompt injection guardrails, hallucination detection) and customer PII handling (cache TTL, toggle-off mode).

Risk register items: 11 (tracked with likelihood + impact)
AT-managed controls: 8+ (identity, network, secrets, SIEM, …)
AI guardrail layers: 4 (input · prompt · output · audit)

THREAT MODEL · STRIDE

Six threat categories in Phase 1 scope

The STRIDE framework (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) applied to 4 trust boundaries: agent → web tier, web → API, API → MCP server tier, MCP → external sources (Allianz APIs, Anthropic).

S

Spoofing

The broker's federated identity is a potential attack surface (OQ-3). Mitigation: conditional access policies, mandatory MFA, just-in-time access for brokers.

T

Tampering

MCP tool calls from Claude are validated server-side; no client-side trust. Request signing between the web and API tiers. Idempotency keys for write operations.

R

Repudiation

Every AI inference is logged to the audit log in our Postgres DB with user ID, timestamp, prompt, response, model version and MCP tool calls. Immutable audit trail.

I

Information disclosure

Customer PII in the Redis cache only with a short TTL (5–15 min) plus toggle-off mode. No customer data context to Anthropic (ZDR contract dependency). SIEM detection.

D

Denial of service

Rate limiting on the API tier, AI worker tier with separate scaling, central Front Door / API Management ingress, no public IPs on the app tier.

E

Elevation of privilege

Workload identity (no static credentials), Azure Key Vault for secrets, RBAC scoped per service, principle of least privilege. AT-managed Key Vault.

Threat · Examples · Controls

S · Spoofing
  Examples:
  • Stolen Azure AD credentials
  • Compromised service principal
  Controls:
  • MFA + conditional access
  • Workload identity (no static secrets)

T · Tampering
  Examples:
  • Modified MCP tool definitions
  • Tampered AI-generated code
  Controls:
  • Signed manifests
  • PR review + SAST

R · Repudiation
  Examples:
  • Denying AI inference attribution
  Controls:
  • Audit log every inference (sec 6)

I · Information Disclosure
  Examples:
  • PII leak in LLM prompts
  • Cache exfiltration
  Controls:
  • Anthropic ZDR
  • Redis encryption + TTL

D · Denial of Service
  Examples:
  • Token quota exhaustion
  • MCP server overload
  Controls:
  • Rate limiting
  • Circuit breakers

E · Elevation of Privilege
  Examples:
  • Prompt injection escalation
  • Broker accessing other agent's data
  Controls:
  • RBAC strict
  • Tool permission scoping

STRIDE threat model — application threats and corresponding controls

NETWORK TOPOLOGY

Hub-spoke in the AT-managed landing zone: no public IPs

Our application lives in a spoke VNet within the Allianz Technology hub-spoke architecture. Ingress exclusively via the central Front Door / API Management, egress via the central firewall with an FQDN-pinned allowlist (Anthropic, Azure OpenAI). This is aligned with AT standards from Day 1.

Ingress

  • Central Azure Front Door (AT-managed)
  • API Management gateway for B2B brokers
  • Web Application Firewall (WAF) — OWASP Top 10
  • DDoS Protection Standard
  • No public IPs on the app tier
  • Private endpoints for Postgres + Redis + Storage

Egress

  • Central egress firewall (AT-managed)
  • FQDN-pinned allowlist: Anthropic API endpoints
  • FQDN-pinned allowlist: Azure OpenAI endpoints
  • FQDN-pinned allowlist: Microsoft Graph API
  • No direct internet egress from the worker tier
  • 🔴 OQ-4 — AT Security Architecture Council approval timeline

Network topology — hub-spoke from Allianz Technology with central ingress and egress firewall

IDENTITY & ACCESS

Azure AD SSO + broker threat surface

Internal sales agents authenticate via Allianz Azure AD SSO (OIDC, conditional access). Broker identity is the main open question; probably B2B guest accounts or federated identities, which dramatically increases the threat surface.

Internal sales agents

  • Allianz Azure AD SSO (OIDC)
  • Conditional access policies (geo, device compliance)
  • MFA mandatory
  • Workload identity for service-to-service
  • RBAC scoped per role (agent, manager, admin)
  • Session timeout + idle lock

Brokers (higher threat surface)

  • 🔴 OQ-3 — federation pattern TBD
  • Probably B2B guest accounts
  • Stricter conditional access
  • Just-in-time access via Privileged Identity Management
  • Restricted scope: only their own portfolio
  • Enhanced audit logging on broker actions

CACHE + PII STRATEGY

Short TTL + toggle-off as fallback for the DPO

Customer PII in the Redis cache is AT red-team objection #5. Our answer: short TTL (5–15 min), AT-managed Key Vault keys, in-tenant only, plus a toggle-off mode as fallback if the DPO rejects caching customer PII altogether.

Default mode (cache on)

Hot-path customer profile cache, TTL 5–15 min, encryption at rest with AT-managed keys. No PII out of tenant.

Toggle-off mode

Configurable runtime flag: all customer reads go directly through Allianz API Management, no cache hits. A performance trade-off, but no further copies of PII.

Anthropic context

ZDR clauses (Allianz Group contract), no opt-in to training, EU residency. Customer PII goes into the prompt context only when explicitly needed, for the shortest possible duration.
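As an added illustration (not the project's own code), the cache-on / toggle-off read path described in this section in Python: the TTL is bounded to the 5–15 min window, and the runtime flag routes every read upstream and purges the cache. The in-memory dict and the fetch_upstream callable are stand-ins for Redis and Allianz API Management.

```python
import time
from dataclasses import dataclass, field

# Bounds of the PII cache window stated in the brief (5-15 min), in seconds.
TTL_MIN_SECONDS = 5 * 60
TTL_MAX_SECONDS = 15 * 60


@dataclass
class CustomerCache:
    """Hot-path customer profile cache with a bounded TTL and a runtime
    toggle-off flag. With cache_enabled=False every read goes straight to
    the upstream API and nothing is stored, so no extra copy of PII exists.
    (In-memory stand-in for Redis; fetch_upstream stands in for the
    Allianz API Management call. Both are assumptions of this example.)"""
    fetch_upstream: callable
    ttl_seconds: int = 10 * 60
    cache_enabled: bool = True
    _store: dict = field(default_factory=dict)   # customer_id -> (expiry, profile)
    upstream_calls: int = 0

    def __post_init__(self):
        # Refuse to start with a TTL outside the window the DPO agreed to.
        if not TTL_MIN_SECONDS <= self.ttl_seconds <= TTL_MAX_SECONDS:
            raise ValueError("TTL outside the 5-15 minute PII window")

    def get_profile(self, customer_id, now=None):
        """Return the profile, serving from cache only while cache is on
        and the entry is still inside its TTL."""
        now = time.time() if now is None else now
        if self.cache_enabled:
            hit = self._store.get(customer_id)
            if hit and hit[0] > now:
                return hit[1]
        self.upstream_calls += 1
        profile = self.fetch_upstream(customer_id)
        if self.cache_enabled:
            self._store[customer_id] = (now + self.ttl_seconds, profile)
        return profile

    def set_cache_enabled(self, enabled):
        """Toggle-off mode: disabling the cache also purges what it holds."""
        self.cache_enabled = enabled
        if not enabled:
            self._store.clear()
```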

AI-SPECIFIC SECURITY

Prompt injection · OWASP Top 10 LLMs · hallucination

AI security is a new pillar that the reference architecture does not yet fully cover. Our guardrails: input validation (sanitize agent input before the prompt), output validation (structured outputs, source attribution), hallucination detection (citation requirement) and a 4-layer audit trail.

Prompt injection mitigations

  • Input sanitization before prompt construction
  • Strict separation system prompt / user input
  • MCP tool args validated server-side
  • Output structure enforcement (JSON schemas)
  • Confidence threshold for destructive actions
  • Mandatory human review for high-impact suggestions

Hallucination handling

  • Source attribution mandatory for VPP answers
  • Citations in RAG output (vector store doc IDs)
  • Confidence indicators in the UI
  • Disclaimer for AI-generated content
  • User feedback loop (thumbs up/down → eval set)
  • Weekly eval review with precision/recall metrics
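An added example, not the project's own code, of the server-side guardrails listed in both lists above: MCP tool-argument validation with portfolio scoping, JSON output enforcement, mandatory citations checked against the vector-store doc IDs returned for the request, and routing of high-impact or low-confidence suggestions to human review. The tool names, doc IDs and the 0.8 confidence floor are constructed assumptions.

```python
import json

# Constructed sample data (not from the project): doc IDs the RAG layer
# returned for this request, the tool names treated as high impact, and
# the confidence floor below which a suggestion needs a human.
KNOWN_DOC_IDS = {"vpp-2024-001", "vpp-2024-017"}
HIGH_IMPACT_TOOLS = {"update_policy", "cancel_contract"}   # hypothetical
CONFIDENCE_FLOOR = 0.8


def validate_tool_args(tool, args, broker_portfolio):
    """Server-side MCP tool-arg validation: the args must match the tool's
    expected shape, and a broker may only reference customers in their
    own portfolio (restricted scope). Returns (ok, reason)."""
    shapes = {"get_customer": {"customer_id": str},                     # hypothetical tools
              "update_policy": {"customer_id": str, "policy_id": str}}
    if tool not in shapes:
        return False, "unknown tool"
    expected = shapes[tool]
    if set(args) != set(expected) or any(
            not isinstance(args[k], t) for k, t in expected.items()):
        return False, "schema mismatch"
    if args["customer_id"] not in broker_portfolio:
        return False, "out of scope"
    return True, "ok"


def check_model_output(raw):
    """Output validation: enforce the structured shape, require citations
    that all resolve to known doc IDs, and flag high-impact or
    low-confidence suggestions for mandatory human review."""
    try:
        out = json.loads(raw)
    except ValueError:
        return {"accept": False, "reason": "not valid JSON"}
    for key in ("answer", "citations", "confidence", "proposed_tool"):
        if key not in out:
            return {"accept": False, "reason": f"missing field {key}"}
    cites = set(out["citations"])
    if not cites or not cites <= KNOWN_DOC_IDS:
        return {"accept": False, "reason": "answer lacks valid source attribution"}
    needs_human = (out["proposed_tool"] in HIGH_IMPACT_TOOLS
                   or out["confidence"] < CONFIDENCE_FLOOR)
    return {"accept": True, "human_review": needs_human, "answer": out["answer"]}
```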

AUDIT & TRACEABILITY

Every AI inference is auditable end-to-end

Compliance with the EU AI Act and the GDPR right to explanation requires every AI decision to be reproducible and auditable. Our Postgres DB has a dedicated audit log table for AI inferences, plus central observability via Azure Monitor + Microsoft Sentinel for security events.

Layer 1

Application audit log

Postgres DB — user ID, timestamp, prompt, response, model version, MCP tools called

Layer 2

Application Insights

Distributed tracing across web → API → AI worker → MCP servers

Layer 3

Azure Monitor + Log Analytics

Central AT workspace — infra logs, network flows, identity events

Layer 4

Microsoft Sentinel SIEM

Security event correlation, alerting, threat hunting; AT-managed
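As an added example (not the project's code), an in-memory stand-in for the Layer 1 audit table: each record carries the fields listed above and the SHA-256 of the previous record, so a later edit or deletion is detectable on verification. The hash chain is an assumption added here; the brief only states that the trail is immutable.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first record


class InferenceAuditLog:
    """Append-only log of AI inferences (in-memory stand-in for the Postgres
    audit table, an assumption of this example). Each record stores user ID,
    timestamp, prompt, response, model version and MCP tool calls, plus the
    previous record's hash, so the chain breaks if any stored record changes."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(rec):
        # Hash every field except the record's own hash, with stable key order.
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id, prompt, response, model_version, mcp_tool_calls, ts=None):
        """Append one inference record and return its hash."""
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        rec = {"user_id": user_id,
               "timestamp": ts or datetime.now(timezone.utc).isoformat(),
               "prompt": prompt,
               "response": response,
               "model_version": model_version,
               "mcp_tool_calls": list(mcp_tool_calls),
               "prev_hash": prev}
        rec["record_hash"] = self._digest(rec)
        self.records.append(rec)
        return rec["record_hash"]

    def verify(self):
        """Walk the chain; return (True, count) or (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or self._digest(rec) != rec["record_hash"]:
                return False, i
            prev = rec["record_hash"]
        return True, len(self.records)
```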

RISK REGISTER

11 tracked risks with a mitigation plan

Every risk has a documented likelihood, impact and mitigation. The top 3 (AT review block, broker threat surface, posAm vendor conflict) have dedicated sections elsewhere in the document.

Risk · Likelihood · Impact · Mitigation

AT review block (cold pitch) · Medium-High · Catastrophic · Pre-emptive red-team in every section; AT engagement strategy in section 6.3
OneTrust block on customer PII + AI · Medium · High · Cache-off mode toggle; ZDR; DPIA early
AI Community block on Anthropic for customer-facing · Medium · High · Existing Group contract leverage; gradual rollout; existing precedent (pricing actuaries)
posAm vendor conflict in Phase 2-3 · High · Medium · Documented explicitly as a risk; Phase 1 does not touch posAm features
Anthropic deployment topology adds unexpected complexity (e.g., Bedrock = AWS surface) · Medium · Medium · Two deployment options designed; decision gated on OQ-2
ADP-SK never materializes · Low-Medium · Low · Adapter pattern shielded; Oracle remains viable indefinitely
Phase 1 timeline slip due to compliance gates · High · Medium · Realistic 4-6 months of compliance baked into the roadmap; parallel gate execution
Brokers identity threat surface · Medium · High · Threat model dedicated section; conditional access strict; just-in-time access
Multi-runtime (TS+Python) operational complexity · Low · Low · Clear separation per workload; AT runs both stacks today
Cost overrun on AI tokens in Phase 3 · Medium · Medium · Prompt caching + model tiering + batch inference; budget alerting; monthly review
Allianz brand misuse claim · Low · Medium · Brand Manual compliance; pre-approval with Allianz Marketing

OPEN QUESTIONS

Broker identity = top security OQ

The broker identity story is the single biggest unknown in the security posture. Their threat surface is considerably larger than that of internal sales agents, and we lack confirmation of their existing auth pattern in the posAm CRM.

The security posture builds on AT-managed primitives (identity, network, secrets, SIEM) and adds an AI-specific layer (guardrails, audit, hallucination handling). The top 3 risks have clear mitigation paths. Broker identity is the single biggest open question and the top sponsor ask for IT + posAm.