CCC Generative AI Platform
Generative AI Platform consist of set of tools provided by the cloud service providers that use large language models (LLMs) and deep learning frameworks to understand, generate, and manipulate natural language, images, code, or audio to create new content, and insights base on patterns and data.
Release Details
Version:
DEV
Assurance Level:
Release Manager:
DB
Development Build
Contributors
DT
Development Team
Change Log
- Development build - no formal changelog available
Capabilities
| ID | Title | Description | Threat Mappings |
|---|---|---|---|
| CCC.GenAI.F01 | Text-Based Model Selection | Ability to select a foundation model that excels at natural language understanding and generation tasks such as summarization, translation, text generation, question answering, and sentiment analysis. | 1 |
| CCC.GenAI.F02 | Code-Based Model Selection | Ability to select a foundation model that focuses on code understanding, generation, and transformation tasks. | 1 |
| CCC.GenAI.F03 | Embedding Model Selection | Ability to select a foundation model used for tasks like semantic search, clustering, and document similarity by converting text into vector embeddings. | 3 |
| CCC.GenAI.F04 | Image-Based Model Selection | Ability to select a foundation model that focuses on tasks related to vision, such as image generation, editing, and manipulation. | 1 |
| CCC.GenAI.F05 | Multimodal Model Selection | Ability to select a foundation model that supports more than one modality, such as combining text and image. | 0 |
| CCC.GenAI.F06 | Customizable Model Selection | Provide users the ability to fine-tune models with their own data. | 2 |
| CCC.GenAI.F07 | Parameter Tuning - Temperature | Ability to control the randomness and creativity of the response. | 1 |
| CCC.GenAI.F08 | Parameter Tuning - Max Token | Ability to limit the length of the response. | 1 |
| CCC.GenAI.F09 | Parameter Tuning - Top P (Nucleus Sampling) | Ability to adjust the number of likely next tokens to consider based on cumulative probability. | 1 |
| CCC.GenAI.F10 | Parameter Tuning - Top K | Ability to limit the number of token choices for the next word. | 1 |
| CCC.GenAI.F11 | Parameter Tuning - Stop Sequences | Ability to halt generation when a predefined sequence is encountered. | 1 |
| CCC.GenAI.F12 | Parameter Tuning - Frequency Penalty | Ability to penalize words that have been used frequently, reducing their likelihood of being repeated. | 1 |
| CCC.GenAI.F13 | Parameter Tuning - Presence Penalty | Ability to penalize tokens that have already been used, encouraging the model to introduce new tokens. | 1 |
| CCC.GenAI.F14 | Parameter Tuning - Context Length | Ability to control how much prior conversation or input the model will use for generating coherent responses. | 1 |
| CCC.GenAI.F15 | Text-Based Prompts | Ability to input prompts in plain text. | 1 |
| CCC.GenAI.F16 | Structured Prompts | Ability to provide structured input such as JSON as prompts. | 1 |
| CCC.GenAI.F17 | Contextual Prompts | Ability to provide context or background information within the prompt to guide the response. | 1 |
| CCC.GenAI.F18 | Interactive Prompts | Ability to use conversational prompts to create interactive dialogues. | 1 |
| CCC.GenAI.F19 | Image-Based Prompts | Ability to input an image as a prompt to generate a response. | 1 |
| CCC.GenAI.F20 | Custom Template Prompts | Ability to define custom templates or structures for prompts to standardize interactions with the models. | 1 |
| CCC.GenAI.F21 | Generate Content | Ability to generate a response given a foundation model, parameter values, and a prompt. | 6 |
| CCC.GenAI.F22 | Data Control | Ensures prompts, model outputs, embeddings, and training data fed by customers are not used to train foundation models. | 2 |
| CCC.GenAI.F23 | Data Storage | Ability to retrieve previously generated outputs and prompts for the given session. | 0 |
| CCC.GenAI.F24 | Content Moderation | Ensure the service detects and filters abusive, harmful, and sensitive information to ensure responsible and safe use of the service. | 2 |
| CCC.GenAI.F25 | Plugin Integrations | Ability for the model to use tools to complete a model interaction. For example web search, python code execution or external maths engine. | 2 |
| CCC.Core.F01 | Encryption in Transit Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface. | 0 |
| CCC.Core.F02 | Encryption at Rest Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium. | 2 |
| CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. | 3 |
| CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. | 3 |
| CCC.Core.F09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. | 3 |
| CCC.Core.F10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. | 2 |
| CCC.Core.F14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. | 2 |
| CCC.Core.F15 | Cost Management | The service monitors data published by child or networked resources to infer usage patterns and generate cost reports for the service. | 1 |
| CCC.Core.F16 | Budgeting | The service may be configured to take a user-specified action when a spending threshold is met or exceeded on a child or networked resource. | 1 |
| CCC.Core.F18 | Resource Versioning | The service automatically assigns versions to child resources which can be used to preserve, retrieve, and restore past iterations. | 3 |
| CCC.Core.F19 | Resource Scaling | The service may be configured to scale child resources automatically or on-demand. | 1 |
| CCC.Core.F20 | Resource Tagging | The service provides users with the ability to tag a child resource with metadata that can be reviewed or queried. | 1 |
| CCC.Core.F22 | Location Lock-In | The service may be configured to restrict the deployment of child resources to specific geographic locations. | 1 |
Threats
| ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
|---|---|---|---|---|---|
| CCC.GenAI.TH01 | Prompt Injection | Prompt injection may occur when crafted input is used to manipulate the GenAI model's behaviour, resulting in the generation of harmful or unintended outputs. Prompt injection can be either direct (performed via direct interaction with the model) or indirect (performed via external sources ingested by the model). Both text-based and multi-modal prompt injection is possible. | 4 | 1 | 3 |
| CCC.GenAI.TH02 | Data Poisoning | Data poisoning occurs when training, fine-tuning or embedding data is tampered with in order to modify the model's behaviour, for example steering it towards specific outputs, degrading performance or introducing backdoors. | 4 | 1 | 3 |
| CCC.GenAI.TH03 | Sensitive Information Disclosure | Sensitive data can be memorised by the model from user interaction or training and may then be leaked to unintended and unauthorised parties by querying the model, for example through crafted prompts. | 4 | 1 | 4 |
| CCC.GenAI.TH04 | Insecure / Unreliable Model Output | A GenAI model may generate content that is incorrect, misleading or harmful, such as convincing misinformation (hallucinations) or vulnerable or malicious code, due to its reliance on statistical patterns rather than factual understanding. Directly using this flawed output without validation can lead to system compromises, poor decision-making, and legal or reputational damage. | 4 | 1 | 3 |
| CCC.GenAI.TH05 | Model Overreliance | Model overreliance and misplaced implicit trust in the output of a GenAI model may lead to the acceptance of inaccurate, biased or insecure outputs without proper validation or oversight, potentially resulting in operational failueres, compliance breaches and flawed decision making. | 4 | 1 | 1 |
| CCC.GenAI.TH06 | Unintended Action by a Model-Based Agent | A model-based agent, given the authority to execute tools or interact with APIs, may perform an action that is harmful, incorrect, or not aligned with the user's true intent in response to a prompt. This can be caused by the model misinterpreting an ambiguous prompt or being manipulated by an adversary into misusing its delegated authority. | 4 | 1 | 2 |
| CCC.GenAI.TH07 | Insecure Plugin | A plugin integrated with a GenAI model may contain vulnerabilities such as poor input validation or improper access control. An adversary may exploit these flaws by crafting a prompt that causes the model to pass a malicious payload to the plugin, potentially leading to system compromise, data exfiltration or privilege escalation. | 3 | 1 | 1 |
| CCC.GenAI.TH08 | Model Tampering | Supply chain risks, including tampering with a model's core components at any stage of its lifecycle—from its source code and training data to the final deployable artifact—may result in embedding backdoors or adversarial triggers altering model behaviour under certain conditions. | 4 | 1 | 1 |
| CCC.GenAI.TH09 | Lack of Explainability | The "black box" nature of GenAI models makes it difficult or impossible to understand the specific reasoning behind a given output. This opacity makes it challenging to diagnose failures, detect hidden biases, and meet regulatory requirements for decision transparency. | 2 | 1 | 1 |
| CCC.GenAI.TH10 | Model Version Drift | An update to a managed GenAI model may cause unpredictable and breaking changes in its outputs, alignment, and performance. Systems built and tested against the previous version's specific behavior can suddenly fail or become insecure, as their functional and safety assumptions are no longer valid. | 1 | 1 | 2 |
| CCC.Core.TH01 | Access is Granted to Unauthorized Users | Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data. | 1 | 1 | 4 |
| CCC.Core.TH02 | Data is Intercepted in Transit | Data transmitted by the service is susceptible to collection by any entity with access to any part of the transmission path. Packet observations can be used to support the planning of attacks by profiling origin points, destinations, and usage patterns. The data may also be vulnerable to interception or modification in transit if not properly encrypted, impacting the confidentiality or integrity of the transmitted data. | 1 | 1 | 1 |
| CCC.Core.TH03 | Deployment Region Network is Untrusted | Systems are susceptible to unauthorized access or interception by actors with social or physical control over the network in which they are deployed. If the geopolitical status of the deployment network is untrusted, unstable, or insecure, this could result in a loss of confidentiality, integrity, or availability of the service and its data. | 1 | 1 | 1 |
| CCC.Core.TH06 | Data is Lost or Corrupted | Services that rely on accurate data are susceptible to disruption in the event of data loss or corruption. Any actions that lead to the unintended deletion, alteration, or limited access to data can impact the availability of the service and the system it is part of. | 1 | 1 | 1 |
| CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. | 1 | 1 | 1 |
| CCC.Core.TH08 | Runtime Metrics are Manipulated | Manipulation of runtime metrics can lead to inaccurate representations of system performance and resource utilization. This compromised data integrity may also impact system availability through misinformed scaling decisions, budget exhaustion, financial losses, and hindered incident detection. | 1 | 1 | 0 |
| CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. | 1 | 1 | 1 |
| CCC.Core.TH10 | State-change Events are Read by Unauthorized Entities | Unauthorized access to state-change events can reveal information about the system's design and usage patterns. This opens the system up to attacks of opportunity and support the planning of attacks on the service, system, or network. | 1 | 1 | 0 |
| CCC.Core.TH12 | Resource Constraints are Exhausted | Exceeding the resource constraints through excessive consumption, resource-intensive operations, or lowering of rate-limit thresholds can impact the availability of elements such as memory, CPU, or storage. This may disrupt availability of the service or child resources by denying the associated functionality to users. If the impacted system is not designed to expect such a failure, the effect could also cascade to other services and resources. | 1 | 1 | 0 |
| CCC.Core.TH13 | Resource Tags are Manipulated | When resource tags are altered, it can lead to misclassification or mismanagement of resources. This can reduce the efficacy of organizational policies, billing rules, or network access rules. Such changes could cause compromised confidentiality, integrity, or availability of the system and its data. | 1 | 1 | 0 |
| CCC.Core.TH14 | Older Resource Versions are Used | Running older versions of child resources can expose the system to known vulnerabilities that have been addressed in more recent versions. If the version identifier is detected by an attacker, it may be possible to exploit these vulnerabilities to compromise the confidentiality, integrity, or availability of the system and its data. | 1 | 1 | 0 |
| CCC.Core.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Automated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources. | 1 | 1 | 1 |
| CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. | 1 | 1 | 1 |
Controls
| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.GenAI.C01 | Model Input Filtering and Sanitisation | Inspect and validate input before it is passed to a GenAI model in order to filter or sanitise adversarial queries and prevent sensitive data leakage. | Data | 2 | 8 | 2 |
| CCC.GenAI.C02 | Model Output Filtering and Sanitisation | Inspect and validate GenAI model output before passing it to users, applications or plugins in order to filter or sanitise insecure or unreliable output and prevent sensitive data leakage. | Data | 5 | 7 | 2 |
| CCC.GenAI.C03 | Data Provenance and Source Vetting | Ensure that all data for training, fine-tuning or RAG comes from trusted, approved sources and is authorised for the intended purposes in order to prevent the initial introduction of malicious content or leaked sensitive data. | Data | 2 | 3 | 2 |
| CCC.GenAI.C04 | Sanitisation of Ingested Data | Validate and sanitise all data ingested by GenAI systems from extenal sources or internal knowledge bases, whether for training, conversion to vector embeddings, or real-time retireval, in order to remove or redact poisoned or sensitive data before further processing. | Data | 2 | 3 | 2 |
| CCC.GenAI.C05 | Citations and Source Traceability | Require the GenAI system to provide citations or direct links back to the source documents used to generate a response, in to enhance the transparency, trustworthiness, and verifiability of AI-generated content. | Data | 2 | 1 | 1 |
| CCC.Core.C01 | Encrypt Data for Transmission | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data | 1 | 8 | 5 |
| CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
| CCC.Core.C06 | Restrict Deployments to Trust Perimeter | Ensure that the service and its child resources are only deployed on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data | 1 | 4 | 2 |
| CCC.Core.C08 | Replicate Data to Multiple Locations | Ensure that data is replicated across multiple physical locations to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data | 1 | 6 | 2 |
| CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |
| CCC.Core.C11 | Protect Encryption Keys | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Data | 1 | 7 | 6 |
| CCC.GenAI.C06 | Least Privilege for Plugins | Restricts the permissions of any external tools the GenAI system can call to limit the potential damage if an agent is coerced to perform unintended actions or vulnerabilities in the tools are exploited. | Identity and Access Management | 2 | 1 | 1 |
| CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
| CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
| CCC.GenAI.C07 | Model Version Pinning | Mandate that applications are locked ("pinned") to a specific, tested version of a foundational model to prevent unexpected behaviour changes introduced by provider-side updates. | Configuration Management | 1 | 1 | 1 |
| CCC.GenAI.C08 | Quality Control and Red Teaming | Establish a formal program for quality evaluation and adversarial testing (red teaming) to ensure GenAI system meet all business, quality, security and compliance requirements before getting deployed into production environments. | Model Assurance and Evaluation | 5 | 5 | 2 |
| CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |
| CCC.Core.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring | 1 | 4 | 2 |