Netskope Global Technical Success (GTS)

How to Craft Effective Generative AI Policies: A Walkthrough

Netskope Cloud Version - 120

Objective

In this article, we explore essential strategies for managing generative AI applications in the workplace. You’ll discover how to categorize AI tools, monitor their usage, and implement data protection measures. 

Prerequisite

Netskope CASB Inline/SWG license

Netskope Advanced Analytics license

Context

In today’s fast-paced digital landscape, the adoption of generative AI applications is rapidly increasing within organizations. As tools like ChatGPT and Google Bard gain popularity, it's essential to manage their use effectively to protect sensitive data and ensure compliance with security policies. This document aims to provide a comprehensive guide on developing effective generative AI policies. It covers key strategies for monitoring application usage, categorizing AI tools, implementing data protection measures, and establishing access controls.

Do You Know?

Generative AI is experiencing explosive growth, with enterprise usage increasing by 25% each month. This trend highlights the need for organizations to implement effective policies to manage this technology safely.

On average, 1 in 100 enterprise employees uses generative AI tools like ChatGPT daily, submitting around 8 prompts each. This widespread usage emphasizes the importance of monitoring and securing interactions with these applications.

Procedure

We will evaluate, configure, and explore the following points to craft an effective generative AI policy.

  • Usage Monitoring and Detection: Implement procedures for monitoring and detecting Gen AI usage across departments using tools like Netskope Advanced Analytics. This helps you understand how Gen AI is being used within your organization and identify potential risks.
  • Categorization of Gen AI Applications: Define and categorize the types of Gen AI applications (e.g., Sanctioned, Coding Development) that may be used within your organization. This helps in creating targeted policies for specific use cases.
  • Data Protection Measures: Implement Data Loss Prevention (DLP) policies for specific Gen AI applications, such as allowing, or alerting on, the upload and download of sensitive data (e.g., source code) by authorized users.
  • Access Control Policies: Develop Real-Time Policies for both SaaS and web access to Gen AI applications. This includes user alerts when accessing Gen AI applications, allow and deny lists for specific Gen AI URLs, and custom categories for Gen AI applications.

Usage Monitoring and Detection

Netskope offers a dashboard called "AI Usage" in its library, providing valuable insights into several key aspects of AI utilization, including:

  1. User Engagement: Understand how many users are actively using AI applications.
  2. Popular AI Applications: Identify the top AI apps and sites being accessed.
  3. Activity Monitoring: View the activities being detected within AI applications.
  4. Usage Control: Gain insights into how AI usage is being managed and controlled.

A detailed overview of this dashboard is available here, and a demo video here.

Path : Netskope tenant UI >>> Advanced Analytics >>> Netskope Library

While exploring the dashboard, I discovered that 22% of users in my test tenant are using generative AI applications, with ChatGPT at the top of the list. The report provides details on the applications and the activities associated with them. My focus is on the green bar in the 'Action Taken on AI App Usage' section, which highlights that this usage is allowed by the default policy.

When you scroll down, you'll find a section that shows the policies applied to each activity and what is allowed by default. To focus on this, I filtered the application to “ChatGPT” for an exclusive view.

The visualization indicates that 'Login Attempt' and 'Download' activities are allowed by default. I will now take a closer look at the 'Login Activity'.

The 'Top Instances' tab revealed that users are logging into ChatGPT with their corporate credentials. My goal is to block this access, so I’ve noted the need for a policy that specifically restricts users from using corporate credentials to access ChatGPT.
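To show how the dashboard's four views and this 'Top Instances' drill-down can be reproduced from a flat export of activity events, here is an added Python example; it is illustrative code written for this walkthrough, not Netskope code or an Advanced Analytics query. The event fields (user, app, activity, action, instance), the 50-user tenant size, every record and the corporate domain corp.example are constructed for the example; map the field names to your own export's columns.

```python
# Added example, not Netskope code: rebuild the four "AI Usage" widgets and the
# "corporate credential login" drill-down from a flat activity log. Field names
# and all values below are constructed for illustration.
from collections import Counter


def _ev(user, app, activity, action="allow", instance=""):
    """Build one constructed event; `instance` is the account used inside the app."""
    return {"user": user, "app": app, "activity": activity,
            "action": action, "instance": instance or user}


# Constructed sample: 11 distinct users out of a 50-person tenant touch Gen AI apps.
EVENTS = (
    [_ev(f"user{i}@corp.example", "ChatGPT", "Login Attempt") for i in range(1, 8)]
    + [_ev("user8@corp.example", "ChatGPT", "Login Attempt", instance="user8@personal.example"),
       _ev("user8@corp.example", "ChatGPT", "Post"),
       _ev("user9@corp.example", "Microsoft Copilot", "Browse"),
       _ev("user10@corp.example", "Microsoft Copilot", "Browse"),
       _ev("user11@corp.example", "Google Bard", "Upload", action="block")]
)
TOTAL_USERS = 50   # constructed headcount used for the engagement percentage


def ai_usage_summary(events, total_users):
    """The same four views the dashboard gives: share of engaged users,
    top apps, activities seen, and the action the policy took."""
    users = {e["user"] for e in events}
    return {
        "users_pct": round(100.0 * len(users) / total_users, 1),
        "top_apps": Counter(e["app"] for e in events).most_common(),
        "activities": Counter(e["activity"] for e in events),
        "actions": Counter(e["action"] for e in events),
    }


def corporate_logins(events, app, corporate_domains):
    """Users whose login attempt to `app` used a corporate-domain account:
    the condition the 'Top Instances' drill-down surfaced for ChatGPT."""
    hits = []
    for e in events:
        if e["app"] != app or e["activity"] != "Login Attempt":
            continue
        domain = e["instance"].rpartition("@")[2].lower()
        if domain in corporate_domains:
            hits.append(e["user"])
    return hits


if __name__ == "__main__":
    print(ai_usage_summary(EVENTS, TOTAL_USERS))
    print(corporate_logins(EVENTS, "ChatGPT", {"corp.example"}))
```

The instance field is what separates a corporate login from a personal one: user8 is a corporate user but signed in with a personal account, so that event is not counted, which is exactly the distinction the policy in the next sections is built on.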

After evaluating all the widgets, I have finalized the policy as follows:

  • The report indicates that approximately nine generative AI applications are in use within our environment. Among these, ChatGPT/OpenAI and Microsoft Copilot are sanctioned. The remaining non-sanctioned generative AI applications should be blocked, while the sanctioned applications will be allowed with a User Coach notification. This approach ensures that users read the privacy guidelines before accessing the sanctioned Gen AI applications.
  • Access to ChatGPT using corporate accounts must be restricted.
  • Prevent the use of Copilot without commercial data protection.
  • DLP policies need to be enforced for upload, download, and post activities related to both ChatGPT and Copilot.

Policy flow chart:

[Policy flow chart image]

Categorization of Gen AI Applications

Netskope's tag option in the Cloud Confidence Index (CCI) exists primarily to centralize application management within the CCI interface. We currently have around 239 applications in the Generative AI category. Note that the number of applications in this category may change over time as new Generative AI tools emerge and are added to Netskope's database. For the most current information, check the latest Netskope CCI database updates.

Now let’s create an application tag for ChatGPT and Microsoft Copilot, naming it “Gen AI Sanctioned List”.

Path : Netskope UI >>> CCI >>> Cloud Apps >>> ChatGPT

Open the ChatGPT CCI app, then click on the pencil icon next to the Tag option. Type “Gen AI Sanctioned List” and select the create tag option.

In a similar manner, search for the “OpenAI” and “Microsoft Copilot” applications, click the Tag edit option, and select the “Gen AI Sanctioned List” tag that we created earlier.

Now we have 3 applications mapped to the custom Tag “Gen AI Sanctioned List”.

We will use this CCI tag in the policies that follow.

Data Protection Measures

Applying a DLP profile to Generative AI applications is crucial to safeguard sensitive information from unauthorized access and leaks. It ensures compliance with data protection regulations and protects the organization's reputation.

Check out the DLP webinar series on Netskope Academy for a best-practice approach.

Netskope has a wide list of predefined DLP profiles available for use in policies. This includes predefined DLP rules for well-known compliance regulations (e.g., PCI, PHI, PII). Here I am creating a DLP policy to block source code for ChatGPT and Copilot. Please refer to the section below in the GTS article for detailed configuration steps.

https://community.netskope.com/generative-ai-60

DLP Policy:

[Screenshot: DLP policy configuration]

Access Control Policies

We’ve covered the creation of a DLP policy, but before moving forward, we must first implement inline policies that reduce the amount of traffic subject to DLP evaluation.

As per the flowchart, we need to configure the following inline policies:

  1. Block all Generative AI applications except those that are sanctioned.
  2. For sanctioned Generative AI applications, implement a user coaching message that outlines the organization's data protection policy. Users must acknowledge this notification in order to proceed.
  3. Prevent users from logging into ChatGPT using corporate credentials.
  4. Enforce the use of Copilot only with a Commercial Data Protection license.

Netskope processes policies sequentially and stops at the first matching policy, unless that policy is a DLP policy set to "Alert and Continue". We have structured the policy to reduce the surface area for DLP evaluation by placing block rules at the top, so unsanctioned traffic is stopped before any DLP inspection takes place.

[Screenshot: inline Real-Time Protection policy rule list]

  • As shown in the screenshot above, the first rule (7.1) is configured with the category set to Generative AI and includes the CCI tag “Gen AI Sanctioned AI.” This rule applies a domain profile constraint so that logins with corporate email addresses are detected and blocked.
  • The second rule (7.2) has the category “Generative AI” with the same CCI tag “Gen AI Sanctioned AI.” Here, I selected the action “User Alert” and added a customized template for the user coaching message, which includes the organization's data protection guidelines.
  • The third rule (7.3) again uses the Generative AI category and the “Gen AI Sanctioned AI” CCI tag. For this rule, a DLP profile is attached to detect source code, with the action set to Block.
  • The fourth rule (7.4) has the “Generative AI” category and the same CCI tag, with the action set to Allow. This ensures that all sanctioned Generative AI applications are permitted.
  • Finally, the last rule is categorized solely as “Generative AI” with the action set to Block. This rule captures and blocks all non-sanctioned Gen AI traffic.
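To make the ordering behaviour concrete, here is an added Python model of first-match evaluation loaded with these five rules. It is illustrative code written for this walkthrough, not Netskope's policy engine. The request fields, the corp.example domain profile, the source_code flag standing in for a DLP profile hit, and the assumption that an acknowledged "User Alert" rule is skipped so that later rules get evaluated are all constructed for the example. Comparing dlp_scans for the article's rule order against a variant that puts an untagged DLP rule first shows why the block rules at the top reduce DLP evaluation.

```python
# Added example, not Netskope code: a small model of sequential, first-match
# inline policy evaluation using the five rules described in this article.
# Request fields, the tag check, the corporate domain and the handling of an
# acknowledged "User Alert" are assumptions made for illustration.
from dataclasses import dataclass

SANCTIONED_TAG = "Gen AI Sanctioned List"        # CCI tag created earlier in the article
CORPORATE_DOMAINS = {"corp.example"}             # constructed stand-in for the domain profile
DLP_ACTIVITIES = {"Upload", "Download", "Post"}  # activities whose content DLP inspects


@dataclass
class Request:
    app: str
    tags: frozenset = frozenset()   # CCI tags on the app
    category: str = "Generative AI"
    activity: str = "Browse"        # e.g. "Login Attempt", "Upload", "Post"
    login_email: str = ""           # account used on a "Login Attempt"
    source_code: bool = False       # stand-in for a source-code DLP profile hit


@dataclass
class Rule:
    name: str
    action: str                     # "Block", "User Alert", "Allow" or "Alert and Continue"
    tag: str = ""                   # require this CCI tag ("" = any Gen AI app)
    corporate_login: bool = False   # domain-profile constraint on login attempts
    dlp: bool = False               # rule carries the source-code DLP profile

    def in_scope(self, req):
        """Cheap category/tag conditions, checked before any content inspection."""
        return req.category == "Generative AI" and (not self.tag or self.tag in req.tags)

    def matches(self, req):
        if not self.in_scope(req):
            return False
        if self.corporate_login:
            domain = req.login_email.rpartition("@")[2].lower()
            return req.activity == "Login Attempt" and domain in CORPORATE_DOMAINS
        if self.dlp:
            return req.activity in DLP_ACTIVITIES and req.source_code
        return True


POLICY = [
    Rule("7.1 block corporate-credential login", "Block", SANCTIONED_TAG, corporate_login=True),
    Rule("7.2 user coaching", "User Alert", SANCTIONED_TAG),
    Rule("7.3 DLP source code", "Block", SANCTIONED_TAG, dlp=True),
    Rule("7.4 allow sanctioned", "Allow", SANCTIONED_TAG),
    Rule("7.5 block all other Gen AI", "Block"),
]
# Two variants for comparison: the DLP rule moved to the top and left untagged,
# and the DLP rule switched to "Alert and Continue".
DLP_FIRST = [Rule("0 DLP on every Gen AI app", "Block", dlp=True)] + POLICY
ALERT_AND_CONTINUE = [Rule(r.name, "Alert and Continue", r.tag, dlp=True) if r.dlp else r
                      for r in POLICY]


def evaluate(policy, req, acknowledged=frozenset()):
    """Walk rules top to bottom. The first match decides, except a DLP rule set
    to "Alert and Continue", which records its match and keeps evaluating.
    A "User Alert" rule the user has already acknowledged is skipped so that
    later rules are reached (assumed model of the coaching page's Proceed).
    Returns (final action, matched rule names, whether a DLP scan was needed)."""
    matched, dlp_scanned = [], False
    for rule in policy:
        if rule.action == "User Alert" and rule.name in acknowledged:
            continue
        if rule.dlp and rule.in_scope(req) and req.activity in DLP_ACTIVITIES:
            dlp_scanned = True          # content had to be inspected to decide this rule
        if not rule.matches(req):
            continue
        matched.append(rule.name)
        if rule.action == "Alert and Continue":
            continue
        return rule.action, matched, dlp_scanned
    return "Allow", matched, dlp_scanned   # implicit default when nothing matches


def dlp_scans(policy, requests, acknowledged=frozenset({"7.2 user coaching"})):
    """Count requests that reached DLP content inspection under this rule order."""
    return sum(evaluate(policy, r, acknowledged)[2] for r in requests)


SANCTIONED = frozenset({SANCTIONED_TAG})
SAMPLE = [   # constructed traffic
    Request("ChatGPT", SANCTIONED, activity="Login Attempt", login_email="alice@corp.example"),
    Request("ChatGPT", SANCTIONED, activity="Login Attempt", login_email="alice@personal.example"),
    Request("ChatGPT", SANCTIONED, activity="Post", source_code=True),
    Request("Microsoft Copilot", SANCTIONED, activity="Upload"),
    Request("UnsanctionedGenAIApp", activity="Post", source_code=True),  # no tag
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.app, req.activity, "->", evaluate(POLICY, req, {"7.2 user coaching"}))
    print("DLP scans, article order:", dlp_scans(POLICY, SAMPLE))
    print("DLP scans, DLP rule first:", dlp_scans(DLP_FIRST, SAMPLE))
```

With the article's order, the unsanctioned app's post never reaches the DLP rule because the tag condition fails and the final block rule catches it; with the untagged DLP rule on top, that same request is content-scanned first, which is the extra DLP surface the ordering avoids.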

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.