Netskope Global Technical Success (GTS)
Next-Gen ChatGPT Enterprise API - DLP Controls
Netskope Cloud Version - 123
Objective
Apply DLP controls to a ChatGPT Enterprise instance using the Next-Gen ChatGPT Enterprise API module.
Prerequisite
Netskope Next Gen CASB API license with ChatGPT Enterprise feature enabled
Context
How to apply DLP controls to your organization's ChatGPT Enterprise instance with the Next-Gen ChatGPT Enterprise API module.
Do You Know?
- On Feb 6, 2024, Netskope announced a new API module called ChatGPT Enterprise API.
- This feature is now generally available, delivering advanced security and compliance controls for your AI-powered workflows.
- The solution includes the following capabilities:
  - DLP and threat scanning of conversations and files to adhere to compliance standards
  - Retroactive and ongoing scans of files and conversations
  - Policy creation through the unified Next-Gen API policy framework, with visibility through a dedicated dashboard
Configuration
Step 1 - Create a new policy in the Netskope tenant UI >> Policies >> API Data Protection. Detailed guidance on the Next-Gen API policy can be found here.
Under SaaS, click Next Gen >> New Policy tab. The New API Data Protection page loads as shown below:
Step 1.1 - Adding the Collaborators
- Under Collaboration, you may select the Exposure options shown in the snapshot below.
- Please note: The Owner drop-down is disabled by default. It is only enabled when a web mail app such as Google Mail or Outlook is selected from Object, and it is not required for the ChatGPT Enterprise app.
- User Geo is also disabled by default. It is only enabled when Microsoft 365 apps are selected from Object, to determine the user's geographic location.
Collaborators can be included or excluded using the Definition or Exclusion option with the following collaboration sources:
- Internal/External: A list of file-sharing exposure options, including Owner, Internal, All Internal users, External, and Anonymous.
- User Group: Next Generation API Data Protection supports Active Directory (AD) user groups as a collaborator option.
- User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users' email addresses to include or exclude in a scan for policy violations.
- Domain: Displays a list of domains. You can select one or many domains.
- Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.
- # of Internal Users: To set thresholds for when content sharing triggers a policy violation, click to set the range and number of internal users.
Step 1.2 - Specifying the ChatGPT Enterprise App with App Instances
- Under Object, select the ChatGPT Enterprise application and specify the App Instance, which is added automatically at the time of the ChatGPT Next Gen API integration.
You can choose to scan all content of the instance.
Please note: Specifying specific resources on the basis of Resource ID is only available for GitHub Repository and is not supported for the ChatGPT Enterprise app.
You can further add criteria with the options below.
For this DLP policy, add the available Resource Types, File/Attachment and Chat Message Body, so that DLP violations are detected on both resources.
Step 1.3 - Setting up the DLP Profile & Action
- Now select the DLP profile as shown below:
For this API Data Protection policy, the DLP-PII (Predefined) profile is selected. You can select predefined or custom profiles based on your organization's requirements.
Set the Action to Alert. As of now, the Next-Gen ChatGPT Enterprise app only supports the Alert action. See the feature compatibility matrix here.
The predefined DLP profile can detect all of the user information shown below.
Step 1.4 - Give the policy a name and set the Policy Status to Enabled.
Step 1.5 - Save the policy and apply the changes.
Verification:
Try uploading PII data to the ChatGPT Enterprise instance, as shown below:
The Next Gen ChatGPT Enterprise API will start monitoring for violations.
You can find more information about the file, including its DLP violations, under API-enabled Protection >> Inventory >> File Name.
You can also drill down further into the application with the API Dashboard to monitor total violations, users, the files summary, and in-depth DLP violation properties.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.