AI Access Security
Create Custom Policies to Control GenAI App Usage (Strata Cloud Manager)
Table of Contents
Expand All
|
Collapse All
AI Access Security Docs
Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
Strata Cloud Manager
)Create custom policy rules in
Strata Cloud Manager
to control GenAI App usage in
your organization.Your Web Security policy rules are
evaluated and enforced ahead of your Security policy rules. In the event a
Web Security and Security policy rule both apply to the same traffic, the Web
Security policy rule Action and
Enterprise DLP
inspection configuration
take precedence over the Security policy rule. After a successful match to a Web
Security policy rule, no further policy rule evaluation is performed.For example, you create Web Security policy rule and Security policy rule that
apply to
User Group A
and multiple GenAI apps. - Web Security Policy Rule AallowsUser Group Aaccess to the specified GenAI apps and has anEnterprise DLPData Profile Aassociated with the GenAI apps to prevent exfiltration of sensitive data.
- Security Policy Rule BblocksUser Group A's access to the same specified GenAI apps.
In this case, when any user in
User Group A
accesses
a GenAI app specified in the Web Security and Security policy rules they are
allowed and Enterprise DLP
inspection and verdict rendering is performed
because Web Security Policy Rule A
is higher in the
policy rulebase evaluation order. - Use theAI Access SecurityInsights dashboard to discover risks posed by GenAI apps.TheAI Access SecurityInsights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
- Perform the initialAI Access Securityconfiguration.This includes creating anEnterprise Data Loss Prevention (E-DLP)data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.ForNGFW, this also includes creating an internal trust zone and an outbound untrusted zone.
- Log in toStrata Cloud Manager.
- Selectand select your targetManageConfigurationNGFW & Prisma AccessSecurity ServicesWeb SecurityConfigure Scope.
- SelectandSecurity SettingsThreat ManagementCustomizeVulnerability Protectionfor your Web Security policy rules.The Vulnerability Protection settings you configure here are applied to Web Security policy rules.
- Select theVulnerability Protection Profileyou created during the initial configuration.
- Configure the remaining Vulnerability Protection settings as needed.
- Save.
- SelectPoliciesto continue creating policy rules to control GenAI app usage.
- Modify the predefinedSanctioned GenAI Accesspolicy rule.
- Select the predefinedSanctioned GenAI Accesspolicy rule andEnable.
- Click the predefinedSanctioned GenAI Accesspolicy rule to modify it.
- Make the required changes for the predefinedSanctioned GenAI Accesspolicy rule.
- Save.
- Create a custom Web Access policy rule.
- Add Policy.
- Enter a descriptiveName.
- Enablethe Web Access policy rule.
- (Optional) Add aDescriptionfor the Web Access policy rule, and add a predefinedTagor create a new one.
- (Optional) Configure aScheduleto specify the times the Web Access policy rule is active.
- Define traffic to enforce based on the trafficSource(where it originates).For example, based on your risk discovery investigation you determine unauthorized users associated withUser Group Aaccess a GenAI app sanctioned for use byUser Group B. In this case you can create a Web Access policy rule to block access to the GenAI and addUser Group Aas the user groupSource.
- ConfigureBlocked Web ApplicationsandAllowed Web Applicationsto define which GenAI apps you want to block or allow access to.(Allowed Web Applications) Only add supported GenAI apps to the list of allowed apps.
- Application—Add one or more GenAI apps.
- Application Category—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
- Application Group—An application group is a static grouping of individual apps that you create.
(Allowed Web Applications) When adding your allowed application, click theDLPcolumn and add a DLP Rule.Enterprise Data Loss Prevention (E-DLP)is required to prevent exfiltration of sensitive data and to generateSensitive Assetsdata when discovering risks posed by GenAI apps. - Configure the rest of the Custom Web Access policy rule as needed.
- Save.
- Push ConfigandPush.