Netskope Global Technical Success (GTS)
App Instance Awareness: How to Restrict Public Access for Generative AI Apps
Netskope Cloud Version - 122
Objective
This document provides step-by-step instructions to help our customers block public app instances for different Generative AI apps.
Details
Before configuring app instances for cloud applications, confirm that Netskope supports app instance awareness for the application, because instance awareness is not supported for all Gen AI applications.
Steps to Configure
Please follow the instructions for each step to better understand the implementation.
Step 1: Need to Create App Instance
Step 2: Verify App Instance Awareness
Step 3: Create App Instance
- Create App Instance (Manually)
- Create App Instance (Automatically)
Step 4: Block Public App Instance
Step 5: Allow Corporate/Specific App Instances
Step 6: Result
Step 1: Need to Create App Instance
To control access to generative AI applications, you need to create an app instance in Netskope and configure specific access policies. The goal is to block all public instance IDs, such as Gmail.com, Yahoo.com, Outlook.com, Hotmail.com, and iCloud.com, which are associated with widely accessible generative AI tools. This ensures that users cannot interact with these external, potentially unsecured applications. Instead, only corporate-approved instance IDs (e.g., netskope.com) will be accessible. To do this, set up an app instance for the corporate instance in the Netskope platform and apply security policies that block traffic to the public instances.
Step 2: Verify App Instance Awareness
- Select category “Generative AI” to view all the supported Gen AI applications.
Path: Netskope UI Home >>> CCI >>> Cloud Apps >>> Category Generative AI >>> “Search”
You will find the list of generative AI applications.
Or simply search for the app name you are looking for, e.g., ChatGPT or Google Gemini.
- Select the appropriate app. In our example, we will take Google Gemini, ChatGPT & OpenAI.
Search for these apps and confirm app instance support by viewing the details.
In our example, all three applications (Google Gemini, ChatGPT & OpenAI) support App Instance Awareness.
Step 3: Create App Instance
- Create a new custom app instance
Path: Netskope UI Home >>> Policies >>> Profiles >>> App Instance
Netskope offers two options to create an app instance:
- New App Instance - Manually
- From Skope IT - Automatically
Create App Instance (Manually)
Select “New App Instance”. You will need to provide the following information:
- Application
- Instance ID
- Instance Name
- Instance Tag
Create App Instance (Automatically)
Select “From SkopeIT”. A screen prompt will be shown: “TAKE ME TO APP EVENTS”
This will take you to the Application events, where you can filter the traffic for an application to find the corporate instance.
Example: The Google Gemini application is shown being accessed from “netskope.com”, which is a corporate instance ID.
Viewing the details for this event will show you an option to create an instance automatically after detection.
After selecting “New App Instance”, you only need to provide the following information (the rest will auto-populate):
- Instance Name
- Instance Tag
Your corporate instance for Google Gemini has been successfully created. Similarly, you can review application events for other applications and create new app instances as needed.
Step 4: Block Public App Instance
To restrict access to public app instances, you will need to create a block policy for the Gen AI applications:
Navigate:
Path: Netskope UI Home >>> Policies >>> Real Time Protection >>> New Policy >>> Cloud App Access
Select all the cloud applications you wish to restrict and map the associated activities.
Note: When multiple applications are chosen, you can click "View Activity Support" to expand it and see which activities are supported by each selected application.
Set Action to “Block”
Step 5: Allow Corporate/Specific App Instances
To allow access through a specific app instance to the blocked Gen AI applications, you will need to create a new policy above the block policy created in the previous step.
Navigate:
Path: Netskope UI Home >>> Policies >>> Real Time Protection >>> New Policy >>> Cloud App Access
Destination:
- Select App Instance
- Add App Instances created in previous steps.
- Select the desired activities.
Action:
- Set to “Allow”
The Generative AI Allow policy, which allows only specific app instances and activities.
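The ordering requirement in Step 5, as an added example (not Netskope code or configuration): a simplified Python model that assumes policies are evaluated top to bottom with the first match deciding, ignores activities, and uses constructed policy names and requests. It shows that placing the block policy above the allow policy also blocks the corporate instance.

```python
# Added example: simplified model of top-down, first-match policy evaluation.
# Policy names, fields and sample requests are constructed for illustration;
# this is not Netskope's policy engine or configuration format.
from dataclasses import dataclass
from typing import Optional

GENAI_APPS = frozenset({"Google Gemini", "ChatGPT", "OpenAI"})

@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset
    action: str                               # "allow" or "block"
    instance_ids: Optional[frozenset] = None  # None = any instance of the app

    def matches(self, app, instance_id):
        if app not in self.apps:
            return False
        return self.instance_ids is None or instance_id in self.instance_ids

# Step 5: allow only the corporate app instance (netskope.com on this page).
ALLOW_CORP = Policy("Allow corporate Gen AI instances", GENAI_APPS, "allow",
                    frozenset({"netskope.com"}))
# Step 4: block the Gen AI applications regardless of instance.
BLOCK_ALL = Policy("Block Gen AI apps", GENAI_APPS, "block")

def evaluate(policies, app, instance_id):
    """Return (action, policy name) for the first policy that matches."""
    for policy in policies:
        if policy.matches(app, instance_id):
            return policy.action, policy.name
    return "no-match", None  # request is outside the scope of these policies

def decisions(policies, requests):
    return [evaluate(policies, app, inst)[0] for app, inst in requests]

# Constructed sample traffic: (application, instance ID seen in the event).
REQUESTS = [("Google Gemini", "netskope.com"), ("Google Gemini", "gmail.com"),
            ("ChatGPT", "outlook.com"), ("OpenAI", "netskope.com")]

CORRECT_ORDER = [ALLOW_CORP, BLOCK_ALL]  # allow policy above the block policy
WRONG_ORDER = [BLOCK_ALL, ALLOW_CORP]    # block policy shadows the allow policy

if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label)
        for (app, inst), action in zip(REQUESTS, decisions(order, REQUESTS)):
            print(f"  {app:14} {inst:13} -> {action}")
```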
Step 6: Result
Access is now restricted so that only a specific, pre-defined app instance is permitted to function. All other app instances that are not defined (i.e., random or public instances) are blocked, ensuring that only authorized and controlled instances are allowed access to Gen AI applications. This helps secure the environment by limiting potential risks from unknown or untrusted sources.
ChatGPT
Google Gemini
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
- You can follow the same approach to create instances for other applications and manage access restrictions.