Enterprise DLP
Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT for Prisma Access (Managed by Strata Cloud Manager) on Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and create the decryption profile and policy rule required to enable Enterprise DLP on Strata Cloud Manager. Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
- (Optional) Create a data pattern. Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
- Create a data profile or use an existing data profile.
- Select Manage > Configuration > Data Loss Prevention > DLP Rules and, in the Actions column, Edit the DLP rule.
- Enable Non-File Based Match Criteria. DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has the same name as the data profile from which it was automatically created. You can keep File Based Matched Criteria enabled or disable it as needed. Enabling this setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.
- Modify the Action and Log Severity.
- Modify the rest of the DLP rule as needed.
- Save.
- Create a Shared Profile Group for the Enterprise DLP data filtering profile.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > Profile Groups and Add Profile Group.
- Enter a descriptive Name for the Profile Group.
- For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
- Add any additional profiles as needed.
- Save the profile group.
- Create a Security policy and attach the Profile Group. Alternatively, you can select Manage > Configuration > NGFW and Prisma Access > Security Services > Web Security to create or add ChatGPT to a Web Security Policy. You can skip this step if you create a Web Security Policy for ChatGPT.
- Select Manage > Configuration > Security Services > Security Policy and Add Rule. You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
- In the Applications, Services, and URLs section, Add Applications to search for and select openai-chatgpt.
- Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
- Configure the Security policy as needed. The Action you specify in the data profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule Action does not impact whether matched traffic is blocked. For example, suppose you configure the data filtering profile to Block matching egress traffic but configure the Security policy rule Action to Allow. In this scenario, the matching egress traffic to ChatGPT is blocked.
- Save the Security policy.
- Push your data filtering profile.
- Push Config and Push.
- Select (enable) Remote Networks and Mobile Users.
- Push.