27 KiB
27 KiB
ADR-018: AI Boundary Policy (AI Isolation)
Status: Accepted Date: 2026-03-27 Version: 1.8.2 (Aligned with ADR-020) Review Cycle: Core ADR (Review every 6 months or Major Version upgrade) Decision Makers: Security Team, System Architect, AI Integration Lead Gap Resolution: Addresses AI security risks (data exposure, unauthorized modification, privilege escalation) and compliance requirements (ISO 27001, PDPA) from Security Requirements (Section 3.1) and Risk Assessment (Section 4.2) Version Dependency:
- Effective From: v1.8.2
- Applies To: v1.8.2+ (All AI implementations)
- Backward Compatible: v1.8.0+ (Security policy enforcement)
- Required For: v1.9.0+ (Mandatory for all AI features)
Related Documents:
- ADR-020: AI Intelligence Integration Architecture — Overall AI Architecture & RFA-First Strategy
- ADR-017: Ollama Data Migration Architecture
- ADR-017B: AI Document Classification
- ADR-016: Security & Authentication
- ADR-019: Hybrid Identifier Strategy
- n8n Migration Setup Guide
- RAG Architecture
หมายเหตุ: ADR-018 เป็น Security Policy หลักที่ควบคุมการทำงานของ AI Components ทั้งหมดในระบบ LCBP3-DMS ทุก Use Case ที่ใช้ AI (Migration, RAG, Smart Categorization) ต้องปฏิบัติตาม Policy นี้ และเป็นส่วนหนึ่งของ ADR-020 (Unified AI Architecture).
Context and Problem Statement
ปัญหาที่ต้องการแก้ไข
การนำ AI (Ollama, OpenRAG, หรือ LLM อื่นๆ) เข้ามาใช้งานในระบบ DMS ที่มีเอกสารสำคัญและข้อมูล Confidential ของโครงการท่าเรือ Laem Chabang Phase 3 มีความเสี่ยงด้าน Security หลัก 4 ประการ:
- Data Exposure Risk: หาก AI มีสิทธิ์เข้าถึง Database โดยตรง อาจมีการรั่วไหลของข้อมูลทางการค้า / การก่อสร้าง
- Unauthorized Data Modification: AI อาจทำการแก้ไขข้อมูลโดยไม่มีการตรวจสอบจาก Human
- Privilege Escalation: หาก AI ถูก compromise อาจใช้สิทธิ์ Database Access เพื่อโจมตีระบบอื่น
- Compliance Violation: ไม่สอดคล้องกับมาตรฐาน ISO 27001 และ PDPA สำหรับข้อมูลส่วนบุคคล
ข้อจำกัดด้าน Infrastructure
- QNAP NAS: เป็น Production Server ที่ไม่ควรรัน AI Workload (Resource contention + Security boundary)
- Admin Desktop (Desk-5439): เครื่องสำหรับ Admin มี GPU (RTX 2060 Super 8GB) เหมาะสำหรับ AI Inference
- Network Segmentation: ต้องแยก Zone ระหว่าง AI Processing (Untrusted) กับ Database (Trusted)
Decision Drivers
- Zero Trust Architecture: AI ถือเป็น Untrusted Component เสมอ ไม่ว่าเป็น On-Premise หรือไม่
- Defense in Depth: หลายชั้นของการควบคุม (Physical → Network → API → Data)
- Auditability: ทุกการสื่อสารกับ AI ต้อง Log ได้
- Human-in-the-Loop: ข้อมูลจาก AI ต้องผ่าน Human Validation ก่อน Commit ลง Database
- Minimal Privilege: AI ได้รับสิทธิ์น้อยที่สุด (Principle of Least Privilege)
Considered Options
Option 1: AI รันบน QNAP NAS (Same Host กับ Database)
Pros:
- ✅ ติดตั้งง่าย ไม่ต้องดูแลหลายเครื่อง
- ✅ Network Latency ต่ำ (localhost)
Cons:
- ❌ Security Risk สูง: AI มี Direct Access ถึง Database หากถูก compromise
- ❌ Resource Contention: AI Inference กิน RAM/CPU สูง กระทบ Production Services
- ❌ No Isolation: ไม่มี Security Boundary ระหว่าง AI กับ Core Application
Option 2: AI บน Cloud AI Provider (OpenAI, Google, Azure)
Pros:
- ✅ AI ฉลาดสูง แม่นยำมาก
- ✅ ไม่ต้องดูแล Hardware
Cons:
- ❌ ผิดนโยบาย Data Privacy: เอกสารก่อสร้างท่าเรือเป็นความลับ ห้ามส่งข้อมูลขึ้น Cloud
- ❌ Cost สูง: Pay-per-use ไม่เหมาะกับงานประมวลผลจำนวนมาก
- ❌ No Control: ไม่สามารถควบคุม Data Retention หรือ Audit ได้
Option 3: Physical Isolation + API-only Communication ⭐ (Selected)
Pros:
- ✅ Security Boundary ชัดเจน: AI รันบน Desktop แยกต่างหาก ไม่เข้าถึง DB โดยตรง
- ✅ Zero Trust: AI ถือเป็น Untrusted Component สื่อสารผ่าน API เท่านั้น
- ✅ Audit Trail: ทุก Request/Response ผ่าน Backend ซึ่งมี Audit Log ครบถ้วน
- ✅ Human-in-the-Loop: Backend ตรวจสอบข้อมูลก่อน Write ลง Database
- ✅ Resource Isolation: AI Workload ไม่กระทบ Production Services บน QNAP
- ✅ Compliance: สอดคล้องกับ ISO 27001 และ PDPA
Cons:
- ❌ ต้องดูแลเครื่อง Desktop เพิ่ม (GPU Temperature, Uptime)
- ❌ Network Latency เพิ่มขึ้นเล็กน้อย (LAN traffic)
- ❌ ต้องออกแบบ API Contract ให้รัดกุม
Decision Outcome
Chosen Option: Option 3 — Physical Isolation + API-only Communication
Rationale:
การแยก AI ไปรันบน Admin Desktop (Desk-5439) และบังคับให้สื่อสารผ่าน DMS Backend API เท่านั้น เป็นแนวทางที่ Balance ระหว่าง Security, Privacy, และ Operational Feasibility ดีที่สุด ทำให้ AI ถูกมองว่าเป็น Untrusted External Component เสมอ แม้จะรันในเครือข่ายเดียวกัน
Impact Analysis
Affected Components
| Component | Impact Level | Description |
|---|---|---|
| AI Infrastructure | High | Physical isolation on Admin Desktop, network segmentation |
| Security Architecture | High | New AI authentication, audit logging, validation layers |
| API Design | Medium | AI-specific endpoints, authentication scopes, rate limiting |
| Network Configuration | Medium | IP whitelisting, firewall rules, zone segmentation |
| Monitoring & Logging | Medium | AI service health checks, audit trail expansion |
| Development Workflow | Low | AI development guidelines, compliance checks |
| Documentation | Low | Security policies, AI integration guides |
Required Changes
| Change Category | Specific Changes | Priority |
|---|---|---|
| Infrastructure |
|
Critical |
| Security |
|
Critical |
| API Layer |
|
Critical |
| Network |
|
High |
| Monitoring |
|
High |
| Documentation |
|
Medium |
| Testing |
|
Medium |
Cross-Component Dependencies
| Dependency | Source | Target | Impact |
|---|---|---|---|
| AI Services → Backend API | Ollama/OpenRAG requests | DMS Backend validation layer | Security enforcement |
| Authentication → AI Services | JWT token validation | AI service access control | Access management |
| Network → AI Infrastructure | Firewall rules | Admin Desktop isolation | Network security |
| Audit → AI Interactions | Logging service | AI request/response tracking | Compliance monitoring |
| Monitoring → AI Health | Health checks | AI service availability | Operational stability |
| Documentation → Development | Security guidelines | AI integration patterns | Developer compliance |
AI Isolation Architecture
Infrastructure Layout
| Component | Host | Zone | Network Access | Database Access |
|---|---|---|---|---|
| Ollama / OpenRAG | Admin Desktop (Desk-5439) | Untrusted (AI Zone) | LAN only (QNAP NAS mount) | ❌ ไม่มี |
| DMS Backend | QNAP NAS (Docker) | Trusted (App Zone) | LAN + Frontend | ✅ Full Access |
| MariaDB | QNAP NAS | Trusted (DB Zone) | Localhost only | — |
| n8n | QNAP NAS (Docker) | Trusted (Orchestrator) | LAN + DB | ✅ Via API only |
Communication Flow
┌─────────────────────────────────────────────────────────────────┐
│ Untrusted Zone (AI Zone) │
│ Admin Desktop (Desk-5439) — RTX 2060 Super 8GB │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Ollama (LLM) │ │ OpenRAG │ │
│ │ Port: 11434 │ │ (Docling) │ │
│ └────────┬────────┘ └────────┬────────┘ │
└───────────┼─────────────────────┼───────────────────────────────┘
│ │
│ HTTP API │ Write JSON
│ │
┌───────────┼─────────────────────┼───────────────────────────────┐
│ ▼ ▼ │
│ Trusted Zone (App Zone) │
│ QNAP NAS (Docker) │
│ ┌─────────────────┐ ┌─────────────────┐ ┌────────────┐ │
│ │ DMS Backend │◀───│ n8n │ │ MariaDB │ │
│ │ (NestJS) │ │ (Poll JSON) │ │ (Auth DB) │ │
│ │ Port: 3001 │ └─────────────────┘ └────────────┘ │
│ └────────┬────────┘ │
│ │ │
│ │ Validation + Audit Log │
│ ▼ │
│ ┌─────────────────┐ │
│ │ Database │ │
│ │ (MariaDB) │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
⚠️ ข้อห้าม: Ollama/OpenRAG ห้าม อยู่บน QNAP NAS และ ห้าม มี Database Connection String
Security Rules (Non-Negotiable)
Rule 1: Physical Isolation
| ข้อกำหนด | รายละเอียด |
|---|---|
| AI Host | Admin Desktop (Desk-5439) เท่านั้น |
| Forbidden Hosts | QNAP NAS, Production Servers, Cloud VM |
| Hardware | i7-9700K / 32GB RAM / RTX 2060 Super 8GB |
| Network | LAN (192.168.x.x) — No Public IP |
Rule 2: No Direct Database Access
// ❌ FORBIDDEN — AI ห้ามเชื่อมต่อ Database โดยตรง
const connection = await mysql.createConnection({
host: '192.168.1.100',
user: 'ai_service', // NEVER!
password: '***',
database: 'lcbp3_dms'
});
// ✅ CORRECT — AI สื่อสารผ่าน DMS Backend API เท่านั้น
const response = await fetch('http://192.168.1.100:3001/api/ai/analyze', {
method: 'POST',
headers: { 'Authorization': 'Bearer ' + ai_token },
body: JSON.stringify({ text: extractedText })
});
Rule 3: No Direct Storage Access
# ❌ FORBIDDEN — AI ห้ามเข้าถึง File System โดยตรง
mv /data/dms/uploads/TCC-COR-0001.pdf /final/path/
cp /staging_ai/*.pdf /processed/
# ✅ CORRECT — ใช้ StorageService ผ่าน API เท่านั้น
POST /api/storage/upload
POST /api/migration/commit_batch
Rule 4: Validation Layer
// Backend ตรวจสอบ AI Output ทุกครั้งก่อน Write
@Injectable()
export class AiValidationService {
validateAiOutput(output: AiOutputDto): ValidationResult {
// 1. Schema Validation (Zod/class-validator)
const schemaCheck = this.validateSchema(output);
// 2. Confidence Threshold (≥ 0.85 auto-approve, 0.60–0.84 review, < 0.60 reject)
const confidenceCheck = this.checkConfidence(output.confidence);
// 3. Enum Enforcement (Category must be from System Enum)
const enumCheck = this.validateCategoryEnum(output.suggested_category);
// 4. Audit Log Recording
this.auditLog.record({
action: 'AI_VALIDATION',
source: 'AI_SERVICE',
confidence: output.confidence,
result: schemaCheck && confidenceCheck && enumCheck
});
return { isValid: schemaCheck && confidenceCheck && enumCheck };
}
}
Rule 5: Audit Logging
| Event | Log Level | Fields |
|---|---|---|
| AI Request | INFO | timestamp, source_ip, model, prompt_hash |
| AI Response | INFO | timestamp, confidence, processing_time, response_hash |
| Validation Pass | INFO | record_id, confidence, validator |
| Validation Fail | WARN | record_id, reason, raw_response |
| Unauthorized Access | ERROR | source_ip, attempted_action, blocked_by |
AI Communication Contract
API Endpoint Design
// AI เรียก Backend (ผ่าน n8n หรือตรง)
POST /api/ai/analyze-document
Headers:
- Authorization: Bearer {ai_service_token}
- Idempotency-Key: {document_hash}
- X-AI-Source: ollama | openrag
Body:
{
"extracted_text": "ข้อความจาก OCR...",
"document_type_hint": "pdf",
"source_file": "TCC-COR-2024-001.pdf"
}
Response:
{
"is_valid": true,
"confidence": 0.92,
"suggested_category": "Correspondence",
"extracted_metadata": { ... },
"audit_log_id": "0195..."
}
Authentication for AI Services
| Service | Auth Method | Token Lifetime | Scope |
|---|---|---|---|
| Ollama | mTLS / IP Whitelist | Session-based | ai:invoke |
| n8n → Backend | JWT (Service Account) | 1 hour | migration:write, ai:read |
| OpenRAG | File-based (Shared NAS) | N/A | Write to rag-output/ only |
Data Flow Compliance
Flow 1: Migration (ADR-017)
[Scanned PDF] → [OCR on Desktop] → [Ollama AI] → [JSON Output]
│
▼
[DMS Backend API] → [Validation Layer] → [Audit Log]
│
▼
[Staging Table: migration_review_queue]
│
▼
[Human Review] → [Commit via Frontend] → [Permanent DB + Storage]
Flow 2: RAG (OpenRAG)
[PDF Folder] → [OpenRAG on Desktop] → [JSON to rag-output/]
│
▼
[n8n Poll JSON] → [DMS Backend API] → [Validation + Audit]
│
▼
[Elasticsearch Index + MariaDB Metadata]
Flow 3: Smart Categorization (ADR-017B)
[User Upload PDF] → [Temporary Storage]
│
▼
[Queue Job] → [Ollama AI via API]
│
▼
[Validation Layer] → [Suggestion to User]
│
▼
[User Confirm] → [Final Category Assignment]
Compliance Matrix
| Requirement | Implementation | Evidence |
|---|---|---|
| ISO 27001 A.9.4.1 | JWT + mTLS for AI Auth | Token logs in audit_logs |
| ISO 27001 A.12.3.1 | IP Whitelist for AI Host | 192.168.x.x only |
| PDPA Data Minimization | AI ไม่เก็บข้อมูลระยะยาว | Temporary processing only |
| PDPA Security | Physical Isolation + Encryption | TLS 1.3 for all API calls |
| OWASP BOLA | UUID for all identifiers | ADR-019 Compliance |
| Zero Trust | API-only communication | No direct DB/Storage access |
Consequences
Positive Consequences
- ✅ Security Hardened: AI treated as untrusted component — all outputs validated
- ✅ Audit Trail Complete: Every AI interaction logged with hash + timestamp
- ✅ Compliance Ready: ISO 27001 + PDPA requirements met
- ✅ Operational Safety: AI failures don't compromise Production Database
- ✅ Scalability: Can add more AI services without security redesign
Negative Consequences
- ❌ Complexity: Need to maintain separate AI host + API contracts
- ❌ Latency: Network round-trip between AI and Backend (LAN only, acceptable)
- ❌ Monitoring Overhead: Need to monitor both QNAP and Desktop systems
- ❌ Token Management: Service accounts for AI need rotation policy
Mitigation Strategies
- Health Check: Ollama
/api/tags+ Backend/healthmonitoring every 60 seconds - Auto-Failover: Switch to fallback model (mistral:7b) if primary model fails
- Token Rotation: Service account JWT rotated every 7 days
- Network Redundancy: อุปกรณ์สำรองสำหรับ Admin Desktop (เตรียมสำรอง)
Security Checklist (Pre-Deployment)
🔴 Critical (Must Pass)
| Check | Command/Method | Expected Result |
|---|---|---|
| AI Host Isolation | ping 192.168.1.100 from AI Host |
Success (LAN only) |
| No DB Access from AI | mysql -h qnap_ip -u root from Desktop |
Connection Refused |
| API Auth Required | curl http://qnap:3001/api/ai/analyze |
401 Unauthorized |
| Valid Token Works | curl -H "Authorization: Bearer {valid}" ... |
200 OK |
| Audit Log Written | SELECT * FROM audit_logs WHERE source='AI_SERVICE' |
Records found |
🟡 Important (Should Pass)
| Check | Method | Expected Result |
|---|---|---|
| TLS Enabled | curl -v https://... |
TLS 1.3 handshake |
| IP Whitelist Active | Try from unauthorized IP | Blocked by Firewall |
| Token Expiration | Use expired JWT | 401 Token Expired |
| Idempotency Key | Replay same request | 200 OK (no duplicate write) |
Related Documents
- ADR-017: Ollama Data Migration Architecture — Migration implementation following ADR-018
- ADR-017B: AI Document Classification — AI document classification use case
- ADR-016: Security & Authentication — General security strategy
- ADR-019: Hybrid Identifier Strategy — UUID strategy for API security
- 03-07-OpenRAG.md — RAG architecture under ADR-018
- 03-05-n8n-migration-setup-guide.md — n8n setup with AI isolation
ADR Review Cycle
Review Classification
Core ADR Status: This ADR is classified as a Core Security Policy due to its fundamental impact on system security, compliance, and AI governance.
Review Schedule
| Review Type | Frequency | Trigger | Scope |
|---|---|---|---|
| Regular Review | Every 6 months | Calendar-based | Security effectiveness, compliance status |
| Major Version Review | Every major version (v2.0.0, v3.0.0) | Version planning | Architecture relevance, new AI technologies |
| Security Review | Quarterly | Security audit | Threat model updates, vulnerability assessment |
| Compliance Review | Annually | Compliance audit | ISO 27001, PDPA requirements verification |
Review Process
Phase 1: Preparation (1 week before review)
-
Security Metrics Collection
- AI service access logs and anomaly detection
- Authentication and authorization audit results
- Network segmentation and firewall rule effectiveness
- Audit log completeness and integrity verification
- Compliance framework updates (ISO 27001, PDPA)
-
Stakeholder Notification
- Security Team
- System Architect
- AI Integration Lead
- Compliance Officer
- DevOps Team
Phase 2: Review Meeting (2-hour session)
-
Security Assessment
- Review AI isolation effectiveness and any breach attempts
- Assess authentication and authorization mechanisms
- Evaluate audit logging completeness and accuracy
- Review network segmentation and firewall configurations
-
Compliance Evaluation
- Verify ISO 27001 and PDPA compliance status
- Review regulatory changes and impact requirements
- Assess audit trail completeness for compliance reporting
- Evaluate data privacy and retention policies
-
Technology Assessment
- Review AI technology stack currency and security patches
- Assess new AI security threats and mitigation strategies
- Evaluate monitoring and alerting effectiveness
- Review incident response procedures for AI security events
Phase 3: Decision & Documentation (1 week after review)
-
Review Outcomes
- No Change: Security policy remains effective and compliant
- Update Required: Adjust security controls or procedures
- Enhancement: Add new security measures for emerging threats
- Urgent: Immediate security updates required
-
Documentation Updates
- Update security controls and procedures
- Revise compliance documentation
- Update incident response playbooks
- Modify security guidelines and training materials
Review Criteria
| Criterion | Question | Pass/Fail Threshold |
|---|---|---|
| Security Effectiveness | Are AI isolation controls preventing unauthorized access? | Pass: 0 incidents, Fail: Any breach |
| Compliance Status | Are all ISO 27001 and PDPA requirements met? | Pass: 100% compliant, Fail: Any gaps |
| Audit Trail Completeness | Are all AI interactions logged and traceable? | Pass: 100% coverage, Fail: <100% |
| Authentication Integrity | Are AI service authentication mechanisms robust? | Pass: No unauthorized access, Fail: Any incidents |
| Network Isolation | Are AI services properly segmented from production? | Pass: No lateral movement, Fail: Any cross-zone access |
| Monitoring Effectiveness | Are AI security events detected and alerted promptly? | Pass: <5min detection, Fail: >5min |
Review History Template
## Review Cycle [YYYY-MM-DD]
**Review Type:** [Regular/Major Version/Security/Compliance]
**Reviewers:** [Names and roles]
**Duration:** [Meeting date]
### Findings
- [Key findings from security and compliance assessment]
### Issues Identified
- [Security gaps, compliance issues, or vulnerabilities discovered]
### Recommendations
- [Security enhancements, compliance improvements, or procedural changes]
### Outcome
- [No Change/Update Required/Enhancement/Urgent]
### Next Review Date
- [YYYY-MM-DD]
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.8.1 | 2026-03-27 | Security Lead | Initial ADR — AI Boundary Policy (Physical Isolation) |
| 1.8.2 | 2026-04-03 | Tech Lead | Updated — Aligned AI Model spec with ADR-017/017B |
| 1.8.3 | 2026-04-04 | System Architect | Enhanced — Added Impact Analysis template, ADR Review Cycle process, Gap Linking to requirements, and Version Dependency tracking |
Last Updated: 2026-04-04 Status: Accepted Next Review: 2026-06-01 (Quarterly security review) Next 6-Month Review: 2026-10-04 (regular review cycle)