This document outlines the technical considerations and configurations necessary for integrating Unique with the Clients existing DLP solutions to monitor and protect against the leakage of sensitive information. Unique does not offer a DLP itself but the option to integrate an existing DLP.
While some DLP measures are taken by Unique, for some others we depend on the client’s expertise and infrastructure. Below you find methods available to prevent data leaking when using the Unique FinanceGPT Chat.
This article does not outline Unique's additional measures to avoid data loss and leakage (e.g., disclaimer information, terms of use, training, Technical and Organizational Measures (TOMs), opt-out from training, and prompt checking for Microsoft Azure OpenAI Services, etc.) but the options to integrate the clients existing DLP.
Methods
I DLP Proxy
This form of DLP is not implemented by Unique. Unique and its platform profit from the clients existing infrastructure that prevents leakages as it does for any other site like googling it or pasting by accident into a text field.
Unique's clients usually rely on managed devices. Most of them funnel their device traffic through a VPN and a proxy before it egresses out to the internet.
There is also a variation of this setup where the browser uses a browser plugin to pipe all egress traffic first to the DLP itself without relying purely on the network setup1.
This DLP proxy (which may not be its only purpose) has the ability to inspect certain protocols, in Unique's case https
. After unwrapping the content (see in diagram B.1 ), it gets scanned with the DLP and depending on the result either repackaged and egressed(see in diagram B.2) or rejected.
If clients do not feature such a device and proxy setup only route (see in diagram A) remains available and no DLP is possible in this regard.
Performance Impact
Depending on the proxy and DLPs speed, this method can have a latency, speed, and User Experience impact which Unique cannot sadly not mitigate as they are fully dependent on the clients' system throughput.
II Analytics APIs
Main article: Analytics
This is more of a post-processing, controlling sort of prevention driven by some of our key clients. While actively monitoring user input and trying to avoid leakages, some cases can only be really detected when scanning and post-processing the prompts, messages, and chats.
Unique offers specific Analytics APIs that can be called by a controlling service or automation that in turn runs the content through the client's DLP system.
Output/findings of DLP scans should be regularly reviewed (regular sample checks) by the respective client’s compliance and/or data protection team. It is not the responsibility of Unique to check output (not allowed by contractual terms and also not part of the Unique service offering). Clients should make sure that the output/ findings are handled according to internal guidelines, policies, and regulations.
Performance Impact
This approach does not affect the end users in either latency or speed as it is completely asynchronous.
III Pre-LLM DLP Calling
This feature does not exist and would need to be offered and built.
Scenarios
Scenario | Handled with method |
---|---|
Data/File Upload Scans | Proxy Usually the existing DLP solutions of the client scan the uploaded files during web browsing activities, the DLP's role is primarily at the proxy level. Here, the DLP system inspects web traffic to identify any potential transmission of sensitive data. |
Prompts | Proxy and Analytics API Unique offers an API that can be integrated with the existing DLP systems to monitor the data being processed. The API is designed to work with the bank's existing security infrastructure to log queries and extract them for DLP inspection. There is no real-time interception by DLP systems as the response time to receive answers to prompts (questions) would be too long for chat interactions (incl. streaming). Instead, the DLP system will scan the prompts during post-chat analysis. This approach allows for a balance between user experience and security, ensuring that sensitive information is not inadvertently exposed during interactions. |
General information on DLPs
In summary, the DLP system works in tandem with web proxies and cloud services to provide a comprehensive security net for all forms of data transmission within the banking environment. By scanning prompts post-chat, intercepting file uploads, and integrating with SharePoint and Azure, the DLP system plays a crucial role in preventing data loss and ensuring compliance with data protection regulations.
The integration of Unique with DLP solutions is a critical step in safeguarding sensitive banking information. By adhering to the guidelines outlined in this document, banks can leverage the benefits of AI while ensuring that their data remains secure and compliant with regulatory standards.
Compatibility
While it is known that certain enterprises manage to force clients to allow-list their domain, Unique is known to be compatible with https
(or ssl/tls) interceptors/proxies. If the client is unsure whether their DLP system works with Unique, get in touch with a customer success representative to get a PaaS account to test it out.
Unique relies on state-of-the-art connections, encryptions, ports, and sockets3 without bizarre modifications that are known to malfunction with existing DLP solutions.
Vendors
Unique does not make any vendor recommendations. There are some vendors though that are proven to be compliant with Unique (under regards to 1):
1: This method is known to be breaking or sunset with the upcoming introduction of Manifest V3 into the browsers. The DLP vendors are aware of these issues and work on a solution themselves.
2:
3: Unique leverages sockets for its chat messages streaming but only uni-directional from the backend services towards the browser and not vice-versa.
Author |
---|