Comprehensive, proactive data protection for a brave new AI-driven world

Editor's note: The following is a guest contribution from Zscaler Director of Product Management Pooja Deshmukh.

When I was hired nine years ago, Zscaler was essentially a cloud secure web gateway. My role was to figure out what we could do at TCP layer seven — the application layer. We set out a vision to build a comprehensive, world-class data protection solution encompassing all data channels that now has high relevance in a world where generative AI (GenAI) applications are rapidly gaining adoption.

Think like a criminal

Organizations can adopt the mindset of attackers in order to better understand the many tactics and techniques they use to steal data. This helps in implementing guardrails to protect valuable assets. Let’s take a look at one common scenario that exemplifies a proactive approach to data loss prevention (DLP).

Imagine I’m a disgruntled employee who is about to leave an organization and I aim to leave with sensitive corporate data. I could just send it to my personal Gmail account, I might think. But I discover Zscaler’s DLP solution won’t allow me to send emails or attachments to Gmail.

So, what next? I could send it to a cloud application. Foiled again: DLP with inline inspection recognizes data categorized as sensitive and blocks the upload. Now I try dumping files into a corporate file-sharing solution and then create a publicly accessible link and share it with my Gmail account. No luck.

I know my organization uses AWS, so I move the data to an S3 bucket and enable third-party sharing. A posture management solution kicks in to block it. But I am relentless, so I decide to print everything. Now, the roadblock is on the endpoint. I go home and try to log in from my personal device, but since I am now on an unmanaged device, all I’m able to access is a stream of pixels that I can neither download nor copy to my clipboard.

What’s a poor criminal to do? With adequate data loss prevention, the answer is give up. A truly comprehensive DLP solution is able to secure all channels, structured and unstructured, data in transit, data at rest, and all workflows. That’s the kind of depth and breadth of Data Protection that Zscaler provides. Criminals may keep innovating, but so do we.

What about GenAI?

I can't give a security presentation today without discussing the risks associated with GenAI). Analysts estimate that, by 2028, the misconfiguration or misuse of AI will cause 25% of all breaches. Employees should be allowed to use GenAI applications to do their jobs more efficiently and make time for creative and strategic work (and they will even if they’re not). That’s well and good, but we can’t ignore the risks.

Let’s start with some context. There are two types of GenAI applications: public and internal.

Public AI applications like ChatGPT are trained on the data submitted via prompts. Its essential proprietary data doesn't become the application’s training data.

One may be tempted to give internal AI applications, like Microsoft Copilot, free rein. After all, the data won’t leave the organization. However, queries that expose internal data create privacy and compliance issues. Here the problem isn’t the data; it’s how the AI application is configured.

When dealing with GenAI, organizations need to answer three questions:

• How do we securely enable GenAI?
• How do we secure data in the public cloud, focusing on application misconfigurations?
• Merging the two, how do we enable specific use cases, such as Microsoft CoPilot, in the context of privacy and compliance?

How does Zscaler securely enable GenAI?

Let’s consider three common GenAI scenarios.

1. An engineering team wants ChatGPT to optimize the code the team has written.
2. The M&A team asks ChatGPT to summarize its video transcripts
3. The business development team asks it to analyze the current pipeline.

These are all legitimate uses, and ChatGPT shines in all cases. Since it's being trained on this data set, presumably its answers will grow more sophisticated over time. But what happens if a third party, perhaps a competitor, asks the same application: “What can you tell me about XYZ Corp.?” The application could respond: “Here’s what its source code looks like, here’s the M&A strategy, here’s what’s in the sales pipeline.” The organization’s corporate data is now accessible by everyone and anyone.

How can Zscaler help? The Zscaler Data Protection dashboard provides visibility into all the GenAI applications used in the organization. You see it all: the individual accounts using it, transactions, the flow of data, and the prompts.

Imagine that an R&D engineer has sent a GenAI engine a snippet of source code. The Zscaler unified classification engine automatically inspects prompts inline, looking for risky items and evaluating the context. You define the policy once, apply it to all outbound channels (including GenAI) and decide what actions to take: block the prompt and notify the user, simply monitor it, or take another course of action.

Employees are still able to interact freely with GenAI. They feel empowered and productive, without the risks of unfettered use.

How does Zscaler secure data in the public cloud?

Zscaler Data Security Posture Management (DSPM) lets you see where your sensitive data is, what kind of data it is, how it is being used, and who can access it. In short, Zscaler DSPM builds a holistic view of what your data security posture looks like, prioritizes remediation based on the risks, and then reduces the risk of a breach by managing the sensitive information.

Zscaler DSPM starts with data discovery—parsing categories like HIPAA, PCI, and more. It automatically classifies it, pinpoints where it resides, analyzes compliance risks, and gauges data accessibility. This facilitates compliance management by quantifying risk by category and severity.

Every incident creates a report with step-by-step remediation instructions. This is possible because Zscaler DSPM deploys local scanners on Azure, AWS, GCP, within your cloud accounts, and more. The report is the sum of scanner analytics using the same classification engine mentioned earlier.

Now that you have the analytics, combine it with Zscaler Cloud Security Posture Management (Zscaler CSPM) solution to find vulnerabilities and map them to your compliance standards for continuous assessment and continuous remediation.

How does Zscaler securely enable secure Microsoft CoPilot use?

Microsoft CoPilot is typically used to generate content from or summarize content in Microsoft 365 documents—Excel, PowerPoint, OneDrive, SharePoint, and others. For example, users pose the following prompt to CoPilot: “Please condense these petabytes of data to address the following questions,” or “Can you compare these two products for me?”

To make this happen, CoPilot and Microsoft 365 applications communicate over application programming interfaces (APIs). Essentially, CoPilot goes into the Microsoft 365 application and responds based on the data housed there.

Here’s another scenario where I'm an engineering manager and I want to make sure my team is being fairly paid. I ask CoPilot to review all engineer salaries in the company and give me a reasonable range for a given role, and CoPilot is happy to comply.

The concern here is not data leakage; rather, it’s data misuse that potentially violates privacy and compliance rules. How does Zscaler stop this? CoPilot leverages Zscaler SSPM and Zscaler Cloud Access Security Broker (Zscaler CASB), enabling you to first configure CoPilot to identify what sensitive data looks like and then limit CoPilot’s discovery and learning capabilities, thus restricting how that sensitive information may be shared.

These are just a few scenarios where Zscaler can help you feel confident about data protection while allowing your employees to use the latest AI innovations to be more productive and creative.