From chaos to control: managing Generative AI apps securely
If you are struggling to gain visibility into the numerous newly developed Generative AI apps and their usage, and to assess their risks, this article is for you. As employees integrate these apps into their daily routines, security teams face significant difficulties in managing them securely without hindering productivity. The rapid adoption of these apps means that security protocols must evolve quickly to keep pace with the changing landscape. Additionally, with the vast number of Generative AI apps available, even if an organization blocks access to a popular app, employees can easily switch to other alternatives on the market. This constant pivoting makes it even more challenging for security teams to maintain a secure environment while ensuring that employees have the tools they need to be productive. The balance between security and productivity is delicate, and finding effective strategies to manage this balance is crucial for organizations.
So, the question becomes: how can you address this issue? The short answer is: Microsoft Defender for Cloud Apps.
Step #1
Discover genAI apps
First, you need to understand what applications are available to your users and what risks they carry. There are thousands of AI applications on the market, most of them posing an extremely high risk when used in conjunction with sensitive data. Use the Cloud apps catalog to identify the apps that fit your organization's security requirements. The catalog contains information on over 31,000 cloud apps (~700 of them GenAI). The apps are ranked and scored based on more than 90 risk factors to provide you with ongoing visibility. Risk scoring is based on 4 main categories:
General: Basic facts about the company that produces the app, including its domain, founding year, and popularity. These fields are meant to show the company's stability on the most basic level.
Security: Accounts for all standards dealing with the security of the data used by the discovered app, and includes fields such as multifactor authentication, encryption, data classification, and data ownership.
Compliance: Accounts for the common best-practice compliance standards that are upheld by the company that produces the app. The list of specifications includes standards such as HIPAA, CSA, and PCI-DSS.
Legal: Accounts for the regulations and policies in place to ensure data protection and privacy of the app's users, such as DMCA and data retention policy.
For simplicity, you can just use the preconfigured risk scores for these applications. If you would like to fine-tune, you can override risk scores as well. For more information on how risk scores are calculated and what else you can do with risk, please check the following link:
More information on discovered apps:
Step #2
Understand what is being used within your organization
Cloud App Discovery analyzes your traffic logs against the Microsoft Defender for Cloud Apps catalog. With a few clicks, you can see which GenAI tools are being used, by how many users, how much data your users are uploading, and so on. This quickly gives you a good overview of the risks you are facing. From there, you can run snapshot or continuous reports with different first-party or third-party integrations. Defender for Endpoint integration is a prime example of this. More information on app discovery:
Step #3
Monitor, govern and block genAI apps
The next step is to identify and block those apps that are deemed too risky based on certain factors. With App Discovery Policies, you can easily sweep through all the applications based on predefined criteria (risk score, traffic, uploaded data, etc.) and create automated actions on these. Automated actions can include creating alerts for these applications when they appear or reach certain thresholds, as well as unsanctioning and then blocking them on user devices through Defender for Endpoint integration.
There are many ways to use Cloud Discovery policies. Just a few examples:
- detect new risky or non-compliant app use, or use of unsanctioned apps
- detect unusual usage patterns on your network
- detect risky OAuth apps
- and so on
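To make the policy logic concrete, here is an added example (not Microsoft's code and not the Defender for Cloud Apps API) that models how a discovery policy's criteria and actions combine, including the case where a new GenAI app appears after another one was blocked. The record fields, thresholds, action names and app names are all assumptions constructed for illustration, as is the 0-10 score scale on which a lower score means a riskier app.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DiscoveredApp:
    name: str
    category: str
    risk_score: int    # assumed 0-10 scale, lower score = riskier app
    users: int
    upload_mb: float

@dataclass(frozen=True)
class Policy:
    category: str = "Generative AI"
    max_risk_score: int = 5          # match apps scoring at or below this
    min_users: int = 1               # ignore apps nobody is using
    block_upload_mb: float = 100.0   # at or above this, unsanction

def evaluate(policy, current, previous_names):
    """Return {app name: action} for apps that match the policy criteria."""
    actions = {}
    for app in current:
        if app.category != policy.category:
            continue
        if app.risk_score > policy.max_risk_score or app.users < policy.min_users:
            continue
        if app.upload_mb >= policy.block_upload_mb:
            actions[app.name] = "unsanction"      # candidate for endpoint block
        elif app.name not in previous_names:
            actions[app.name] = "alert-new-app"   # first seen in this snapshot
        else:
            actions[app.name] = "alert"
    return actions

# Constructed sample data: app names seen in the previous snapshot report,
# and the apps discovered in the current one.
PREVIOUS = {"ChatTool-A", "NotesApp"}
CURRENT = [
    DiscoveredApp("ChatTool-A", "Generative AI", 3, 40, 250.0),
    DiscoveredApp("ChatTool-B", "Generative AI", 4, 6, 12.5),
    DiscoveredApp("ChatTool-C", "Generative AI", 9, 120, 900.0),
    DiscoveredApp("NotesApp", "Productivity", 2, 15, 300.0),
]

if __name__ == "__main__":
    for name, action in evaluate(Policy(), CURRENT, PREVIOUS).items():
        print(f"{name}: {action}")
```

ChatTool-C is left alone despite its heavy usage because its score is above the threshold, which is the point of scoping the policy by risk rather than by popularity.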
Licensing
Some of the features described above are available as part of Microsoft 365 E3, while additional features are part of Microsoft 365 E5 Security, which also includes Defender for Endpoint P2 for natively integrated policy enforcement. For more information, feel free to comment or reach out to your Microsoft representative.
Resources used (in addition to the above):
Great blog post from our colleague, assafyatziv, with more details on the topic: https://lnkd.in/dZPn96iR
Cloud Discovery policy examples: https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
This article is up-to-date as of 7 January, 2025.