Introduction
This document describes how to implement Data Loss Prevention (DLP) in Secure Access to restrict Open AI ChatGPT usage for programming and coding.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Secure Access
- DLP
- Open AI ChatGPT
Components Used
The information in this document is based on these software and hardware versions:
- Secure Access
- DLP
- Open AI ChatGPT
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
1. Create a data classification to use the Source Code Data Identifier
Navigate to Secure Access Dashboard.
- Click on Secure > Data Classification > Add
- Enter the Data Classification Name > Select Built-in Data Identifiers > Search for Source Code and select it
2. Create a DLP Policy and call the Data Classification "Source Code" in it.
- Click on Secure > Data Loss Prevention Policy
- Click on Add Rule > Real Time Rule
- Provide a Rule Name > Set appropriate Severity
- Under Data Classifications select Content and select Source Code
- Under Identities select desired identities as required
- Under Destinations select Select Destination Lists and Applications for Inclusion
- Select Application Categories > Select Generative AI > Select OpenAI API (Vetted) and OpenAI ChatGPT (Vetted) in Outbound and Inbound Direction
- Under Action select Block
- Under User Notifications, you can set up email notifications to end users when the rule is triggered (optional)
3. Ensure you have an Internet Access Policy in place for traffic towards ChatGPT with Decryption enabled.
4. Using Open AI ChatGPT, try to download or upload any program.
- Ask for a sample Python program; this request gets blocked.
- Ask if the program is correct or not; this request gets blocked.
Verify
We can see that when a user tries to ask ChatGPT for a sample Python program, the request gets blocked.
We can confirm that a DLP event was triggered in Secure Access Data Loss Prevention logs.
- Go to Monitor > Data Loss Prevention
- We are able to see the DLP event.
- Click on the three dots at the end of the event log to check for more details about the event.
- Now we see the entire Event Details.
- Expand the classification to see what content matched with the classifier.
- We see all the details of the content which matched the classifier / Classification of the DLP policy.
Troubleshoot
- Ensure the access policy which matches web requests for Open AI ChatGPT has decryption enabled.
- To quickly check if SSE is decrypting traffic for Open AI ChatGPT, check the certificate of the website; its common name includes the keywords "Cisco Secure Access".
- Open ChatGPT > Open developer tools > Select Network > Next, try to ask ChatGPT for a sample Python program.
- Observe that the request results in a block. Under "domain" you see "block.sse.cisco.com".
- Ask ChatGPT whether the program code is correct.
- Observe that the request results in a block and under "domain" you see "block.sse.cisco.com".
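The two troubleshooting checks above can also be scripted. This is an added example, not Cisco's code: it looks for the "Cisco Secure Access" keyword in a certificate's subject and issuer names, and scans a HAR export of the developer tools Network tab for requests that reach or redirect to block.sse.cisco.com. The function names, sample certificates, URL paths and status codes are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

MARKER = "cisco secure access"      # keyword the page looks for in the certificate
BLOCK_HOST = "block.sse.cisco.com"  # domain the page shows for blocked requests

def is_decrypted(cert):
    """True if a subject or issuer name in an ssl.getpeercert() dict has MARKER."""
    names = [value
             for field in ("subject", "issuer")
             for rdn in cert.get(field, ())
             for _key, value in rdn]
    return any(MARKER in name.lower() for name in names)

def fetch_cert(host, port=443, timeout=5):
    """Live lookup. Assumes the Secure Access root CA is in Python's trust store;
    if it is not, the handshake raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def blocked_requests(har):
    """(url, status) of HAR entries sent to, or redirected to, the block page."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        hosts = (urlsplit(req["url"]).hostname,
                 urlsplit(resp.get("redirectURL", "")).hostname)
        if BLOCK_HOST in hosts:
            hits.append((req["url"], resp["status"]))
    return hits

# Constructed samples (not captured traffic): names, paths and statuses are illustrative.
PROXIED_CERT = {"subject": ((("commonName", "chatgpt.com"),),),
                "issuer": ((("commonName", "Cisco Secure Access Example CA"),),)}
DIRECT_CERT = {"subject": ((("commonName", "chatgpt.com"),),),
               "issuer": ((("commonName", "Example Public CA"),),)}
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://chatgpt.com/"}, "response": {"status": 200}},
    {"request": {"url": "https://chatgpt.com/example-prompt"},
     "response": {"status": 302, "redirectURL": "https://block.sse.cisco.com/"}},
    {"request": {"url": "https://block.sse.cisco.com/"}, "response": {"status": 200}},
]}}

if __name__ == "__main__":
    print(is_decrypted(PROXIED_CERT), is_decrypted(DIRECT_CERT))
    print(blocked_requests(SAMPLE_HAR))
```

On a client behind Secure Access, `is_decrypted(fetch_cert("chatgpt.com"))` runs the certificate check against live traffic.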