Implement DLP in Secure Access to Restrict Open AI ChatGPT Usage for Programming

Available Languages

Download Options

  • PDF     (2.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.9 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 19, 2024
Document ID:222303

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to implement Data Loss Prevention (DLP) in Secure Access to restrict Open AI ChatGPT usage for programming and coding.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Secure Access
    • DLP
    • Open AI ChatGPT

    Components Used

    The information in this document is based on these software and hardware versions:

    • Secure Access
    • DLP
    • Open AI ChatGPT

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    1.Create a data classification to use Source Code Data Identifier

    Navigate to Secure Access Dashboard.

    • Click on Secure  > Data Classification > Add

    smakhdoo_0-1715169485575smakhdoo_1-1715169580368

    • Enter the Data Classification Name  > Select Built-in Data Identifiers > Search for Source Code and select it

    smakhdoo_13-1715172590457

    smakhdoo_12-1715172212654

    2.Create a DLP Policy and call the Data Classification "Source Code" in it.

    • Click on Secure > Data Loss Prevention Policy

    smakhdoo_17-1715173001839

    • Click on Add Rule > Real Time Rule  

    smakhdoo_0-1715258532405

    • Provide a Rule Name > Set appropriate Severity

    smakhdoo_1-1715258806562

    • Under Data Classifications select Content and select Source Code

    smakhdoo_0-1715259358615

    • Under Identitiesselect desired identities as required 

    smakhdoo_0-1723018148682

    • Under Destinations select Select Destination Lists and Applications for Inclusion
    • Select Application Categories> Select Generative AI > Select OpenAI API (Vetted)  and OpenAI ChatGPT (Vetted)  in Outbound and InboundDirection

    smakhdoo_3-1715260707432smakhdoo_1-1715261288964

    • Under Actionselect Block 
    • Under User Notifications, you can setup email notifications to end users, when the rule is triggered (optional)

    smakhdoo_2-1715262366860

    • Click on Save

    smakhdoo_1-1715262260242

    3.Ensure you have an Internet Access Policy in place for traffic towards Chat GPT with Decryption enabled.

    Example:

    smakhdoo_2-1723018650164

    4.Using Open AI ChatGPT try to download or upload any program.

    • Ask for a sample python program and this request gets blocked.

    smakhdoo_3-1723019500685

    • Ask if the program is correct or not and this request gets blocked.

    smakhdoo_7-1723020096852

    Verify

    We can see when user tries to ask ChatGPT for a sample python program, the request gets blocked.
    We can confirm that a DLP event was triggered in Secure Access Data Loss Prevention logs.

    • Go to MonitorData Loss Prevention

      smakhdoo_0-1723024245849
    • We are able to see the DLP event. 

    smakhdoo_1-1723024561806

    • Click on the three dots at the end of the event log to check for more details about the event.


    smakhdoo_2-1723024705805

    • Click on View details.

    smakhdoo_3-1723024903825

    • Now we see the entire Event Details. 

    smakhdoo_4-1723025128110

    • Expand the classificaton to see what content matched with the classifier.


    smakhdoo_7-1723025241337

    • We see all the details of the content which matched the classifier / Classification of the DLP policy.

    smakhdoo_8-1723025729712

    Troubleshoot

    • Ensure the access policy which matches web requests for Open AI ChatGPT has decryption enabled.
    • To quickly check if SSE is decrypting traffic for Open AI ChatGPT, check the certificate of the website which shows common name includes keywords "Cisco Secure Access" in it.

    smakhdoo_0-1723103734670

    smakhdoo_2-1723705611285

    smakhdoo_3-1723705677158

    smakhdoo_1-1723705455732

    • Open ChatGPT > Open developer tools > Select Network > Next try to ask ChatGPT for a sample python program 
    • Observe that the request results in a block. Under domain you see "block.sse.cisco.com

    smakhdoo_5-1723019746216

    • Ask ChatGPT whether the program code is correct.
    • Observe that the request results in a block and under "domain" you see "block.sse.cisco.com".


    smakhdoo_8-1723020185797

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    19-Aug-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sharjeel Makhdoomi
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products