Data Leakage Prevention (DLP)
🔒 Data leakage prevention is crucial in today's digital age! It's all about safeguarding sensitive information from unauthorized access or accidental disclosure. At Unique, we take this responsibility seriously. With our cutting-edge technology and robust security measures, we are dedicated to preventing data leaks and ensuring your valuable data remains confidential and protected.
- 1 Methods
- 1.1 I DLP Proxy
- 1.1.1 Performance Impact
- 1.2 II Analytics APIs
- 1.2.1 Performance Impact
- 1.2.2 Log Fields Configuration
- 1.2.2.1 Example Log Entry
- 1.2.3 DLP Policy Configuration
- 1.2.4 Scan/Extract Frequency
- 1.2.5 Review by the Client's Compliance Team
- 1.2.6 Reporting issues
- 1.3 III Pre-LLM DLP Calling
- 2 Scenarios
- 3 General information on DLPs
- 3.1 Compatibility
- 3.2 Vendors
This document outlines the technical considerations and configurations necessary for integrating Unique with the client's existing DLP solution to monitor and protect against the leakage of sensitive information. Unique does not offer a DLP itself, only the option to integrate an existing one.
While Unique takes some DLP measures itself, for others it depends on the client's expertise and infrastructure. Below you find the methods available to prevent data leakage when using the Unique FinanceGPT Chat.
This article does not cover Unique's additional measures against data loss and leakage (e.g., disclaimer information, terms of use, training, Technical and Organizational Measures (TOMs), opt-out from training, and prompt checking for Microsoft Azure OpenAI Services); it covers only the options for integrating the client's existing DLP.
Methods
I DLP Proxy
Unique does not implement this form of DLP itself. The platform benefits from the client's existing infrastructure, which prevents leakage towards Unique in the same way it does for any other site, for example a search query or text pasted by accident into a form field.
Unique's clients usually rely on managed devices. Most of them funnel device traffic through a VPN and a proxy before it egresses to the internet.
A variation of this setup uses a browser plugin to pipe all egress traffic to the DLP first, without relying purely on the network path [1].
This DLP proxy (inspection may not be its only purpose) can inspect certain protocols, in Unique's case HTTPS. After unwrapping the TLS content (diagram B.1), the proxy scans it with the DLP and, depending on the result, either repackages and forwards it (diagram B.2) or rejects the request.
If a client does not have such a managed-device and proxy setup, only the direct route (diagram A) remains, and no DLP inspection is possible at this level.
Performance Impact
Depending on the speed of the proxy and the DLP engine, this method adds latency and affects throughput and user experience. Unique cannot mitigate this, as it depends entirely on the throughput of the client's systems.
II Analytics APIs
Main article: Analytics
This is a post-processing, controlling form of prevention, driven by some of our key clients. Even with active monitoring of user input, some cases can only be reliably detected by scanning and post-processing the prompts, messages, and chats after the fact.
Unique offers specific Analytics APIs that a controlling service or automation of the client calls; that service in turn runs the retrieved content through the client's DLP system.
Performance Impact
This approach does not affect end users' latency or response time, because it runs completely asynchronously from the chat.
Log Fields Configuration
Each entry logged by the Unique API contains the following mandatory fields:
- `timestamp`: The date and time of the query, formatted as `DD-MM-YYYY; HH:MM:SS GMT+X`.
- `username`: The identifier of the user who initiated the query.
- `prompt`: The user's query to Unique, excluding any sensitive prompt engineering sections.
Example Log Entry
```json
{
  "timestamp": "01-01-2024; 14:23:05 GMT+1",
  "username": "mheppler",
  "prompt": "Give me the list of all employees within Unique."
}
```
DLP Policy Configuration
To ensure compliance with privacy laws and regulations, take the following into account when configuring DLP policies:
- Privacy Compliance: Ensure that monitoring practices comply with GDPR, CCPA, and other applicable regulations.
- Encryption Handling: Where the proxy method is used, configure TLS interception to inspect encrypted traffic while managing the trust certificates (the interception CA on managed devices) responsibly.
- Policy Definition: Clearly define what constitutes sensitive data and the conditions under which it is monitored and blocked.
- Ethical Transparency: Maintain transparent communication with users regarding the extent and purpose of monitoring.
Scan/Extract Frequency
The API allows paginated daily scans of the log entries, aligning with the operational practices of Security Operations Center (SOC) teams. This frequency supports efficient management and a timely response to potential data leakage incidents; note that it is a detective control, so a prompt containing sensitive data has already reached Unique by the time it is found.
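The following Python is an added example, not Unique's code and not an implementation of any Unique API. It sketches both paths described above: the same scanner that a DLP proxy would apply inline to the unwrapped HTTPS body (section I), and a controlling service that pulls paginated log entries in the documented `DD-MM-YYYY; HH:MM:SS GMT+X` format and scans the prompts after the fact (section II). The paginated source and its `fetch_page` function, the sample entries, and the detectors (IBAN mod-97, payment-card Luhn, e-mail) are all assumptions standing in for the real Analytics API and the client's DLP engine.

```python
"""Added example (not Unique's code): post-chat DLP scan over Analytics-style
log entries, plus the same scanner applied inline as a DLP proxy would.
Assumptions (hypothetical): an in-memory paginated source stands in for the
Analytics API; the detectors stand in for the client's real DLP engine."""
import re
from datetime import date, datetime, timedelta, timezone

# Timestamp format documented on the page: DD-MM-YYYY; HH:MM:SS GMT+X
_TS = re.compile(r"^(\d{2})-(\d{2})-(\d{4}); (\d{2}):(\d{2}):(\d{2}) GMT([+-]\d{1,2})$")


def parse_timestamp(value: str) -> datetime:
    """Turn the documented log timestamp into a timezone-aware datetime."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    d, mo, y, h, mi, s, off = m.groups()
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    tzinfo=timezone(timedelta(hours=int(off))))


# --- Stand-in detectors (a real DLP engine replaces these) ------------------
_IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")     # 13-19 digits, optional separators
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate first four chars to the end, A..Z -> 10..35."""
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rotated)) % 97 == 1


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits only; doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[str]:
    """Return labelled findings; checksum validation cuts regex false positives."""
    hits = [f"IBAN:{m}" for m in _IBAN.findall(text) if iban_valid(m)]
    hits += [f"CARD:{m}" for m in _CARD.findall(text) if luhn_valid(m)]
    hits += [f"EMAIL:{m}" for m in _EMAIL.findall(text)]
    return hits


# --- Section I: synchronous decision on the unwrapped HTTPS request body ----
def inspect_egress(body: str) -> str:
    """What a DLP proxy does after TLS unwrap: forward clean bodies, reject the rest."""
    return "reject" if scan_text(body) else "forward"


# --- Section II: asynchronous daily scan over paginated log entries ---------
# Constructed sample entries (not real data); the DE00 IBAN fails mod-97 on purpose.
SAMPLE_LOG = [
    {"timestamp": "01-01-2024; 14:23:05 GMT+1", "username": "mheppler",
     "prompt": "Give me the list of all employees within Unique."},
    {"timestamp": "02-01-2024; 09:02:11 GMT+1", "username": "jdoe",
     "prompt": "Summarise the transfer to DE89370400440532013000 for jane.doe@example.com"},
    {"timestamp": "02-01-2024; 17:45:00 GMT+1", "username": "asmith",
     "prompt": "Is 4111 1111 1111 1111 a valid card number?"},
    {"timestamp": "02-01-2024; 18:00:00 GMT+1", "username": "asmith",
     "prompt": "Account DE00370400440532013000 looks odd."},
    {"timestamp": "03-01-2024; 08:00:00 GMT+1", "username": "jdoe",
     "prompt": "Draft a reply, card 4111 1111 1111 1111"},
]


def fetch_page(entries: list[dict], page: int, page_size: int) -> list[dict]:
    """Hypothetical paginated Analytics API call; returns [] past the last page."""
    start = page * page_size
    return entries[start:start + page_size]


def daily_scan(entries: list[dict], day_iso: str, page_size: int = 2) -> list[dict]:
    """Pull every page, keep entries dated `day_iso` (in the entry's own zone),
    and return findings for the compliance team's sample review."""
    day = date.fromisoformat(day_iso)
    findings, page = [], 0
    while batch := fetch_page(entries, page, page_size):
        for entry in batch:
            ts = parse_timestamp(entry["timestamp"])
            if ts.date() == day and (hits := scan_text(entry["prompt"])):
                findings.append({"timestamp": ts.isoformat(),
                                 "username": entry["username"], "findings": hits})
        page += 1
    return findings


if __name__ == "__main__":
    for f in daily_scan(SAMPLE_LOG, "2024-01-02"):
        print(f)
```

The checksum validation is the part worth copying: a bare IBAN or card regex over free-text prompts produces a stream of false positives that a compliance team will quickly stop sampling, whereas mod-97 and Luhn drop most of them before they reach the review queue.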
Review by the Client's Compliance Team
Output and findings of DLP scans should be regularly reviewed (regular sample checks) by the respective client's compliance and/or data protection team. It is not the responsibility of Unique to check this output (not allowed by contractual terms and also not part of the Unique service offering). Clients should make sure that the output and findings are handled according to internal guidelines, policies, and regulations.
Reporting issues
Please report if you experience any issues to enterprise-support@unique.ch
III Pre-LLM DLP Calling
Calling the client's DLP synchronously before a prompt is sent to the LLM is not offered today; it would need to be scoped and built.
Scenarios
Scenario | Handled with method | Notes
---|---|---
Data/File Upload Scans | Proxy | The client's existing DLP solution usually scans files uploaded during web browsing, so the DLP's role here is primarily at the proxy level: it inspects web traffic to identify any potential transmission of sensitive data.
Prompts | Proxy and Analytics API | Unique offers an API that integrates with the client's existing DLP systems to monitor the data being processed; it works with the bank's existing security infrastructure to log queries and extract them for DLP inspection. There is no real-time interception of prompts by the DLP, because the added response time would be too long for chat interactions (including streaming). Instead, the DLP scans the prompts during post-chat analysis. This balances user experience and security: sensitive information sent in a prompt is not blocked in real time, but it is still detected and can be followed up.
General information on DLPs
In summary, the DLP system works in tandem with web proxies and cloud services to provide a comprehensive security net for all forms of data transmission within the banking environment. By scanning prompts post-chat, intercepting file uploads, and integrating with SharePoint and Azure, the DLP system plays a crucial role in preventing data loss and ensuring compliance with data protection regulations.
The integration of Unique with DLP solutions is a critical step in safeguarding sensitive banking information. By adhering to the guidelines outlined in this document, banks can leverage the benefits of AI while ensuring that their data remains secure and compliant with regulatory standards.
Compatibility
Some vendors require their customers to exempt (allow-list) the vendor's domain from inspection; Unique does not, and is known to be compatible with HTTPS (TLS) interception proxies. If a client is unsure whether their DLP system works with Unique, they can get in touch with a customer success representative to obtain a PaaS account to test it.
Unique relies on standard connections, encryption, ports, and sockets [3], without non-standard modifications of the kind known to malfunction with existing DLP solutions.
Vendors
Unique does not make any vendor recommendations. There are, however, some vendors that are proven to work with Unique (subject to the caveat in footnote [1]):
[1]: The browser-plugin method is known to break, or to be sunset, with the introduction of Manifest V3 into browsers. The DLP vendors are aware of this and are working on a solution themselves.
[3]: Unique uses sockets for streaming chat messages, but only uni-directionally from the backend services towards the browser, not vice versa.
Author: @Dominik Meyer
© 2024 Unique AG. All rights reserved.