Skip to main content
Solved

Netskope DLP use cases for ChatGPT

  • April 13, 2023
  • 8 replies
  • 1111 views
M
Netskope Employee
Forum|alt.badge.img+10

With the growing popularity and use of ChatGPT, it is increasingly important to also monitor and secure private details and company confidential information from being shared with ChatGPT. 

As the Customer Zer0 team (CISO group), we have implemented some DLP rules for ChatGPT. Please note that currently, Netskope does not yet have a predefined connector for ChatGPT. We would hence need to create a custom connector so that DLP rules can be applied instead of an outright block to the webapp. We want our users to continue to use ChatGPT with discretion in an enterprise environment. This custom connector can be built from HAR logs. 

Here’s what we have in place:

Realtime policy

 

The Netskope chatgpt custom DLP profile contains the ‘netskope’ keyword. 

Results and end-user experience

In this example, DLP source code classifier is getting triggered, and hence the question is not being posted to ChatGPT. 

 

PII and PCI data being blocked from getting posted to ChatGPT. 

 

Let us know which use cases you would like to implement for ChatGPT with Netskope DLP.

 

Note: This blog post was tested and developed when the predefined ChatGPT connector was not yet available to configure in Netskope's Real-time policies. With R104 now rolled out, the predefined ChatGPT connector is available to be configured in policies. 
Please refer  https://community.netskope.com/t5/Next-Gen-Secure-Web-Gateway-SWG/Netskope-Next-Gen-Secure-Web-Gateway-Controls-for-ChatGPT/m-p/3646 for more details. 

Best answer by madhurasridhar

Note: This blog post was tested and developed when the predefined ChatGPT connector was not yet available to configure in Netskope's Real-time policies. With R104 now rolled out, the predefined ChatGPT connector is available to be configured in policies. 
Please refer  https://community.netskope.com/t5/Next-Gen-Secure-Web-Gateway-SWG/Netskope-Next-Gen-Secure-Web-Gatew... for more details. 

This topic has been closed for replies.

8 replies

S
Forum|alt.badge.img+5
  • shivamparikh
  • New Member
  • 6 replies
  • April 20, 2023

Does this support only block activity?

I tried to setup a policy in Alert, block & user alert mode, there is some inconsistency, Alert & User alert is not working & Block policy it worked only on PII data and not on sourcecode.

Shivam Parikh
S
Forum|alt.badge.img+5
  • shivamparikh
  • New Member
  • 6 replies
  • April 21, 2023

For me DLP policies is not working, when I just create a normal SWG policy then only it is working.

Shivam Parikh
oscar
Netskope Partner
Forum|alt.badge.img+12
  • oscar
  • Netskope Partner
  • 21 replies
  • April 26, 2023

Hi all, @madhurasridhar , thanks for the post.

 

We found the reason DLP is not working for chatGPT.

ChatGPT input is sent as a HTTP POST, sending the message inside the JSON payload.

The problem comes when the input text contains newline characters.

Nweline characters are sent as ' ' and Netskope does not treat these as newline but as a literal '' and an 'n'.

This means if I send for instance a list of card numbers or SSN numbers as follows:

132412341234

132412341234

 

What is being actually sent is "132412341234 132412341234".

Netskope sets implicitly word boundaries to entities, this means word boundary characters (dot, coma, semicolon, whitespace, etc) must be found before and after the sensitive data to match.

 

Considering the format the data is sent to chatgpt, what netskope sees is:

"132412341234" and "n132412341234".

Thus the second SSN numbers won't match because of the start 'n' .

 

If you send the same SSN separated by whitespace instead of newline it matches correctly.

 

We have reported this to our TAM as well asking for an ER to allow us to decide if word boundary are desired or not.

Regarding how is netskope supposed to read ' ', this is more complicated matter. The first approach should do the trick.

 

I hope my explanation is clear. Please let me know if you need more info or details.

Thanks and regards,

Òscar

M
Netskope Employee
Forum|alt.badge.img+10
  • madhurasridhar
  • Author
  • Netskope Employee
  • 15 replies
  • April 28, 2023

Hi @shivamparikh yes, only block policy can be configured too. Did you create the custom app for ChatGPT similar to ours? In case you are having any issues with the test, please send an email to support@netskope.com 

M
Netskope Employee
Forum|alt.badge.img+10
  • madhurasridhar
  • Author
  • Netskope Employee
  • 15 replies
  • April 28, 2023

Hi @oscar thanks for the detailed info. This surely will be helpful for us, and also other customers who have a similar policy for ChatGPT. 

T
Netskope Employee
Forum|alt.badge.img+3
  • tikeda
  • Netskope Employee
  • 3 replies
  • May 2, 2023

I suggest this for a short term solution.

""" is considered as delimiter by Netskope.
The regex below should match both "132412341234" and "n132412341234"

[n|]d{12}
oscar
Netskope Partner
Forum|alt.badge.img+12
  • oscar
  • Netskope Partner
  • 21 replies
  • May 2, 2023

Hello @tikeda , thanks for the suggestion.

 

EDIT: the solution below WORKS.

 

The inconvenience I see is, since we are using builtin data identifiers, the suggested tunning would require us to create a custom entity just to add the potential initial "n". This should be done for every builtin you are using.

 

an example for SSN:

Kind regards,

Òscar

M
Netskope Employee
Forum|alt.badge.img+10
  • madhurasridhar
  • Author
  • Netskope Employee
  • 15 replies
  • Answer
  • May 17, 2023

Note: This blog post was tested and developed when the predefined ChatGPT connector was not yet available to configure in Netskope's Real-time policies. With R104 now rolled out, the predefined ChatGPT connector is available to be configured in policies. 
Please refer  https://community.netskope.com/t5/Next-Gen-Secure-Web-Gateway-SWG/Netskope-Next-Gen-Secure-Web-Gatew... for more details. 

Badges Winner

Show all badges

Not finding what you're looking for?

Don't be shy and let us know about your challenge.

Ask your question here!
Terms & ConditionsCookie settingsAccessibility statement