How to prepare for Copilot for M365

Why you should make sure your data is secure

When working with Copilot for M365, we need to remember that we are responsible for the data security aspects of the implementation. Sure, Microsoft has done what they can from their end, making sure your data stays safe and that it is not used to train the model. But we still have some obligations that we need to fulfill internally.

This has been a long time coming and is not just something we need to do because of Copilot. This is something we need to do because of several regulations set out by governments to protect and secure data. Copilot has just made the issue all the more pressing, because of a term I'll call obscurification. What I mean by this is hiding something in the mess of things.

A lot of organizations have a messy data infrastructure and have little to no control over access to their data. This has not been as big of an issue so far, because people didn't necessarily know where to look for data. However, Copilot unravels this by being able to search not only the titles of documents, but also the words within them. Let's take an example.

An IT administrator saves all their passwords for server accounts in a document that they put into a SharePoint site intended only for the internal IT organization. Then, over time, some people get added because they might need access to a document for the phone system, and people change departments but don't have their access removed. Suddenly 20 people have access to this SharePoint site, but only 7 of them are currently in the internal IT department. Now, the 20 people don't need to have access to the passwords, and may not even know they are there. And they will not find them, because they are not looking for them.

But then John, who is now working as a consultant for the same company, asks Copilot for documents with passwords because he forgot the password to one of his customers and knows he saved it in a document on his OneDrive. Suddenly it will tell him about the password document of the internal IT department.

How do we fix this?

First off, we will have a quick discussion about IAM (Identity and Access Management). IAM is an excellent solution to some of the problems of oversharing documents. If you have a proper IAM setup, you can make access to documents automated, and much more regulated and auditable.

We can use dynamic groups based on attributes such as department, office, country and so forth to control access to SharePoint sites relevant only to people with these attributes. This way, when people change roles or office, their access will be removed automatically instead of just being forgotten.
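As an added example (not code from the original post), this is how the department-based dynamic group described above can be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account holds Group.ReadWrite.All, and users carry a populated department attribute; the group name and the department value "IT" are constructed for the example.

```powershell
# Added example: an Entra ID dynamic security group whose membership is
# computed from the "department" attribute. A user whose department changes
# drops out of the group, and therefore out of the SharePoint site, at the
# next rule evaluation, without anyone having to remember to remove them.
# Assumes Microsoft.Graph PowerShell SDK and Group.ReadWrite.All permission.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Dynamic membership rule (Entra rule syntax): only enabled accounts whose
# department attribute is exactly "IT". Constructed value for this example.
$membershipRule = '(user.department -eq "IT") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "SG-Dyn-Internal-IT" `
    -Description "Dynamic group: current members of the internal IT department" `
    -MailEnabled:$false `
    -MailNickname "sg-dyn-internal-it" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

Write-Host "Created dynamic group $($group.DisplayName) with id $($group.Id)"

# Grant this group, not individual users, membership in the SharePoint site's
# Members group. Rule evaluation can take several minutes; once it has run,
# list the resolved members together with the attribute the rule keys on.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, Department } |
    Select-Object DisplayName, Department
```

Re-running the last pipeline after a user's department attribute is changed in the directory shows them disappearing from the group, which is the automatic removal the paragraph describes.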

Furthermore, we can use features such as PIM (Privileged Identity Management) and access reviews to control whether people need short-term access to documents or sites. This way we can make sure that it is done within a set time frame and they automatically lose access afterward, or have people do weekly or monthly access reviews to make sure only relevant people have access.

At some point we will do a whole series on IAM, where we cover subjects such as Zero Trust, JEA, JIT and how we can implement these things with Microsoft products.

Purview, Information Protection and Compliance.

 

When we are talking about data security, information protection and regulations, one of the greatest tools we have available is Microsoft Purview. This is the portal where Microsoft has gathered all its data compliance and information protection settings, such as sensitivity labels, DLP, retention policies, communication compliance and so forth. From here you will be able to secure your data: who has access to it, how they are able to share it, and much more. Microsoft Purview features are included in E5 licenses, and some features are included in E3 as well; it is definitely something you should look into implementing.

Specifically for Copilot, there is a section in the Purview portal called "AI Hub", which for now is just a few policies focused on the usage of AI and the monitoring of these policies.

From here you will be able to activate Microsoft Purview Audit, which will enable you to see interactions with Copilot. You will be prompted to onboard devices to Purview and install the Microsoft Purview browser extension (which is done in the Intune portal).

You will also set up DLP policies, which help you monitor activity in third-party AI apps, and with the Purview extension and device onboarding you will be able to use DLP policies to make sure sensitive information is not shared with third-party AI. You will be able to monitor unethical use of AI as well, set up through communication compliance.

My next series will be focused on Microsoft Purview, and give you more in-depth knowledge of the different features and how you can implement them.

