AI Access Security
Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
Table of Contents
Expand All
|
Collapse All
AI Access Security Docs
Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
Create custom policy rules in Strata Cloud Manager to control GenAI App usage in
your organization.
Your Web Security policy rules are
evaluated and enforced ahead of your Security policy rules. In the event a
Web Security and Security policy rule both apply to the same traffic, the Web
Security policy rule Action and Enterprise DLP inspection configuration
take precedence over the Security policy rule. After a successful match to a Web
Security policy rule, no further policy rule evaluation is performed.
For example, you create Web Security policy rule and Security policy rule that
apply to User Group A and multiple GenAI apps.
- Web Security Policy Rule A allows User Group A access to the specified GenAI apps and has an Enterprise DLP Data Profile A associated with the GenAI apps to prevent exfiltration of sensitive data.
- Security Policy Rule B blocks User Group A's access to the same specified GenAI apps.
In this case, when any user in User Group A accesses
a GenAI app specified in the Web Security and Security policy rules they are
allowed and Enterprise DLP inspection and verdict rendering is performed
because Web Security Policy Rule A is higher in the
policy rulebase evaluation order.
- Use the AI Access Security Insights dashboard to discover risks posed by GenAI apps.The AI Access Security Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.Perform the initial AI Access Security configuration.This includes creating an Enterprise Data Loss Prevention (E-DLP) data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.For NGFW, this also includes creating an internal trust zone and an outbound untrusted zone.Log in to Strata Cloud Manager.Select ManageConfigurationNGFW & Prisma AccessSecurity ServicesWeb Security and select your target Configure Scope.Select Security SettingsThreat Management and Customize Vulnerability Protection for your Web Security policy rules.The Vulnerability Protection settings you configure here are applied to Web Security policy rules.
- Select the Vulnerability Protection Profile you created during the initial configuration.Configure the remaining Vulnerability Protection settings as needed.Save.Select Policies to continue creating policy rules to control GenAI app usage.Modify the predefined Sanctioned GenAI Access policy rule.
- Select the predefined Sanctioned GenAI Access policy rule and Enable.Click the predefined Sanctioned GenAI Access policy rule to modify it.Make the required changes for the predefined Sanctioned GenAI Access policy rule.Save.Create a custom Web Access policy rule.
- In Strata Cloud Manager, even though you can create custom policy rules through Security Policies for GenAI Apps, it's recommended that you use Web Security to create policy rules efficiently.
- It's not recommended to have both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license isn't active.
- Add Policy.Enter a descriptive Name.Enable the Web Access policy rule.(Optional) Add a Description for the Web Access policy rule, and add a predefined Tag or create a new one.(Optional) Configure a Schedule to specify the times the Web Access policy rule is active.Define traffic to enforce based on the traffic Source (where it originates).For example, based on your risk discovery investigation you determine unauthorized users associated with User Group A access a GenAI app sanctioned for use by User Group B. In this case you can create a Web Access policy rule to block access to the GenAI and add User Group A as the user group Source.Configure Blocked Web Applications and Allowed Web Applications to define which GenAI apps you want to block or allow access to.(Allowed Web Applications) Only add supported GenAI apps to the list of allowed apps.
- Application—Add one or more GenAI apps.
- Application Category—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
- Application Group—An application group is a static grouping of individual apps that you create.
(Allowed Web Applications) When adding your allowed application, click the DLP column and add a DLP Rule. Enterprise Data Loss Prevention (E-DLP) is required to prevent exfiltration of sensitive data and to generate Sensitive Assets data when discovering risks posed by GenAI apps.