COMMENTARY: JPMorgan Chase's recent open letter urging the industry to stay skeptical of all the AI and cloud computing pitches they will hear at the RSA Conference this week serves as a stark reminder to all of us of the interconnected and increasingly vulnerable digital ecosystem we all operate in.

In a world where digital partnerships are the lifeblood of innovation and efficiency, the lines of responsibility for cybersecurity and operational resilience are becoming increasingly blurred. The communication on the eve of RSA by JPMorganChase CISO Patrick Opet underscores a fundamental truth: the security of any organization has become inextricably linked to the security posture of its entire supply chain.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

As Opet’s letter rightly points out, the era of directly targeting a primary organization has evolved. Today, malicious actors are increasingly adept at identifying softer targets – SaaS vendors – as a strategic entry point to a vast network of downstream victims. This lateral movement potential makes trust in our supply chain not just a preference, but a critical necessity for survival. Hackers understand that compromising a single SaaS provider can unlock access to hundreds, even thousands, of interconnected entities, making it a far more efficient and lucrative attack vector than attempting to breach heavily fortified mainframes. This reality places immense pressure on CISOs who must grapple with the challenge of trusting external partners with sensitive data and critical operations.

This heightened risk environment has fundamentally altered the procurement process. What once might have been a relatively straightforward acquisition of a service now involves rigorous security vetting, comprehensive due diligence, and ongoing monitoring. CISOs are now tasked with the unenviable challenge of ensuring that every vendor entrusted with their data – and by extension, their customers' data – adheres to stringent security and privacy standards. The ability to quickly respond to a vendor breach, as Opet’s letter emphasizes, hinges on this very visibility and proactive assessment. Gone are the days of simple purchase orders: now, intricate security questionnaires, penetration testing results, and continuous monitoring protocols are becoming the norm, adding layers of complexity to even the most basic vendor relationships.

The SaaS model, while offering immense benefits in terms of agility and scalability, has also blurred the traditional boundaries of data ownership and control. The flow of information between customer and vendor is often bidirectional, creating a potentially risky scenario where a vulnerability on either side can have cascading consequences. Unlike traditional software deployments where data resided firmly within an organization's perimeter, cloud-based services inherently involve entrusting sensitive information to third parties. This interconnectedness demands a shared responsibility for security, moving beyond a purely transactional relationship to a true partnership built on trust and transparency. The boundaries of "our data" and "their system" are no longer clearly defined, requiring a new level of vigilance and collaboration.

Taking this a step further, the increasing adoption of Model Context Protocols (MCPs) amplifies this challenge in a unique way. While MCPs aim to streamline and standardize data access and exchange across diverse systems within an organization, they can inadvertently create a highly interconnected data landscape. The ease with which various applications and services can access and share data through these protocols, while boosting efficiency, also presents a potentially significant single point of failure with incredibly broad visibility.

If an attacker were to compromise an important component or gain privileged access within an MCP environment, the potential for widespread data breaches and lateral movement across numerous systems becomes dramatically elevated. This centralized connectivity, while offering immense benefits for data utilization, demands exceptionally robust security controls and granular access management to mitigate the inherent risks associated with such pervasive data accessibility.

The reality: organizations cannot retreat from today’s interconnected landscape. Developers will inevitably find ways to innovate and connect systems, often creating shadow IT and AI risks that are even harder to manage. The focus must shift towards enabling secure integrations, offering developers the tools and frameworks to build and connect applications in a safe and compliant manner. We need to bake security tools into the development lifecycle, not bolt them on as an afterthought.

Ultimately, JPMorganChase's message is crucial for both vendors and customers. As vendors, we bear the responsibility of building secure products and delivering secure channels for data exchange. This includes robust security features and also transparent communication and proactive vulnerability management. As users, we must operate under the assumption that we are all potential targets and that any third party we rely on could be vulnerable. This requires rigorous due diligence, continuous monitoring, and a proactive approach to incident response planning.

Moving forward, a collaborative and proactive approach, built on transparency, robust security practices, and a shared understanding of the threat landscape as AI evolves, is the only way to navigate this complex web of interconnected risk. The call to action from JPMorganChase should serve as a rallying cry for all stakeholders to prioritize security and build a more resilient future: together.

Shira Shamban, vice president of cloud, CYE
JPMorgan Chase’s call to stay skeptical on the cloud and AI should resonate with everyone
