Skyhigh Security for ChatGPT
Prerequisites
Make sure that you have any one of the following products to begin with:
- Skyhigh Security Shadow IT
- Skyhigh SSE (Cloud Proxy)
or
- Skyhigh Secure Web Gateway
About Skyhigh Security Capabilities for ChatGPT
This topic explains how Skyhigh Security can assist organizations with Artificial Intelligence (AI) tools such as ChatGPT. Skyhigh Security provides administrators the ability to manage AI applications in their Cloud, Hybrid, and On-Prem deployments via the following features:
- Increased visibility for ChatGPT in your organization.
- Determine the volume of data being uploaded.
- Identify which of your top talkers/users are using ChatGPT.
- Block complete access to ChatGPT and other AI applications.
- Apply specific controls, such as blocking uploads or logging into ChatGPT.
- Prevent sensitive data from being uploaded to ChatGPT.
Visibility
Monitor Usage
Skyhigh Security monitors ChatGPT along with other social engineering applications in the Skyhigh Cloud Registry under the Artificial Intelligence category. This provides visibility into the AI services used within your organization. For details, see About the Cloud Registry.
Understand Data Usage
You can leverage your Shadow IT data to determine the number of users and the volume of data uploaded to the ChatGPT service. For details, see About Services.
Use the OpenAI – ChatGPT filter to determine the following:
- Number of users using the ChatGPT site.
- Data volume linked with the ChatGPT site.
- Whether your existing proxy/firewall is blocking or allowing access to the ChatGPT site.
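To cross-check the figures shown by the filter against raw proxy logs, the following added example (not Skyhigh code) computes the same three values plus a top-talker ranking. The log layout, the sample lines and the hostnames in `CHATGPT_HOSTS` are assumptions made for illustration; adapt them to your proxy's export format.

```python
from collections import defaultdict

# Assumption: hostnames counted as ChatGPT; align with your own registry entry.
CHATGPT_HOSTS = ("chatgpt.com", "chat.openai.com")

# Constructed sample log, one request per line:
# timestamp user host action bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice chatgpt.com ALLOW 20480
2024-05-01T09:02:10Z bob chat.openai.com BLOCK 0
2024-05-01T09:05:42Z alice chatgpt.com ALLOW 1048576
2024-05-01T09:07:03Z carol example.org ALLOW 512
2024-05-01T09:09:15Z dave cdn.chatgpt.com ALLOW 4096
malformed line
"""

def is_chatgpt(host):
    """Match the host itself or a subdomain, never a lookalike suffix."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CHATGPT_HOSTS)

def summarize(log_text):
    """Return user count, uploaded bytes, allow/block counts and top talkers."""
    uploaded = defaultdict(int)   # bytes sent per user on allowed requests
    actions = defaultdict(int)    # how the existing proxy/firewall responded
    users = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue              # skip lines that do not fit the layout
        _, user, host, action, sent = parts
        if not is_chatgpt(host):
            continue
        users.add(user)
        actions[action] += 1
        if action == "ALLOW":     # blocked requests upload nothing
            uploaded[user] += int(sent)
    top = sorted(uploaded.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "users": len(users),
        "bytes_uploaded": sum(uploaded.values()),
        "actions": dict(actions),
        "top_talkers": top,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```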
Block AI Services (Completely)
Create Skyhigh Service Groups
Skyhigh Security allows you to create a service group on the Skyhigh CASB dashboard based on the Artificial Intelligence category or the OpenAI - ChatGPT service name. The following example uses an AI Warning service group to share this information with your proxy/firewall. For details, see Create a Service Group.
NOTES
- You can name the service group based on your requirement.
- Skyhigh Security recommends that you create service groups using the Artificial Intelligence category.
Configure Closed Loop Remediation
You must configure Closed Loop Remediation so that your Skyhigh environment acts as an external web server, providing a URL to be used in the destination field of your proxy/firewall ruleset. For details, see About Firewall and Proxy Integrations.
You can now copy and paste the highlighted URL into the destination field of your proxy/firewall ruleset. Once done, you can then choose whether to block or coach users who attempt to access this website.
- https://t76172-1001862871.do.myshn.net:8443/clr/serviceGroups?deviceId=2
- https://t76172-1001862871.do.myshn.net:8443/clr/serviceGroups/Warning?deviceId=2
- https://t76172-1001862871.do.myshn.net:8443/clr/serviceGroups/Block?deviceId=2
- https://t76172-1001862871.do.myshn.net:8443/clr/serviceGroups/AI%20Warning?deviceId=2
Block AI Services (based on User Activity)
You can block the AI services used within your organization based on user activity (login, upload), as shown in the following example from Skyhigh SSE Cloud Proxy.
- Under Web Policy > Application Control, select Activity Control.
- Apply these activity controls to the AI Warning service group that you created earlier.
- Edit these rules to apply to all traffic, and add the ChatGPT URL/Domain/Host information.
NOTE: For Secure Web Gateway users, contact your Skyhigh Security engineer to understand how this is set up in the App Prism ruleset.
Coach users but allow access to ChatGPT
Skyhigh Security allows you to limit access to AI services used within your organization by providing access only to users with a business justification.
- Go to Web Policy > Web Filtering.
- Select or configure the Category & Domain Coaching rule.
- Select and edit Coach & Allow access to these domains.
- When presented, populate Smart Match with the ChatGPT domain under the Add New items view.
- Click Save, and Publish your policy.
Coach with DLP filtering applied
Skyhigh Security allows you to block sensitive information or DLP (Data Loss Prevention) content from leaving the organization.
- Go to Web Policy > Data Protection (DLP).
- Select or configure These rules apply to all traffic, then choose URL/Domain/Host to populate the ChatGPT URL/Domain/Host information or select the AI service group.
- Create or build DLP Classifications within your DLP policies to block only content that matches your DLP Classifications and is posted to your AI service group or ChatGPT URL.
Reporting
You can now generate reports or schedule reports for delivery.
For Secure Web Gateway (On-Prem) users
If you are using Skyhigh Security Shadow IT or SSE/UCE, you can use the lists generated from the Skyhigh Cloud Registry to block, monitor, or coach by subscribing to those lists in your policies. For details, see Configure Closed Loop Remediation.
If you are using Secure Web Gateway (On-Prem), then coaching or blocking on-premise must be done via a URL list obtained from an external source because there is no built-in AI category or list. For coaching, you can use the standard coaching ruleset and modify the base ruleset as follows:
While syncing a DLP policy from Secure Web Gateway to the cloud, Skyhigh Security recommends using the standard coaching ruleset for Secure Web Gateway (On-Prem) filtering, and the Coaching with Cookies ruleset for the cloud. You can do this by using a criterion in the cloud that equals True for the cookie-based ruleset and False for the standard coaching ruleset.
NOTES
- The Coaching with Cookies ruleset is available on the online ruleset library found at contentsecurity.skyhigh.cloud.
- The standard coaching and Coaching with Cookies rulesets are enabled, but only the cookie-based ruleset is set to sync to the cloud.