Word, Excel, PowerPoint, Teams, Outlook, and other Microsoft 365 products all come with an AI assistant called Copilot. Microsoft wants to free people from the mundane tasks of everyday life so they may concentrate on solving problems creatively.
The fact that Copilot has access to anything you’ve ever worked on in 365 sets it apart from ChatGPT and other AI solutions. Instantaneously search and gather information from all of your papers, presentations, emails, calendar entries, notes, and contacts with Copilot.
And that’s where information security teams run into trouble. All of the sensitive data that a user has access to, which is frequently far too much, is accessible to Copilot. 10% of an organization’s M365 data is typically accessible to all staff members.
Copilot Security: Making Certain A Safe Microsoft Rollout Of Copilot
Additionally, Copilot is capable of quickly producing fresh, sensitive data that needs to be secured. Before the AI revolution, people were significantly more capable of creating and sharing data than they were of protecting it. Consider the trends in data breaches. Generative AI fuels this fire with kerosine.
When it comes to generative AI as a whole, there are many things to explore, such as deepfakes, model poisoning, and hallucinations. But I’ll be concentrating on data security in this post, and how your team can make sure that Copilot is rolled out safely.
Use Cases For Microsoft 365 Copilot.
With a collaborative suite such as Microsoft 365, the applications of generative AI are practically endless. It’s understandable why a large number of IT and security teams are rushing to secure early access and are organizing their deployment strategies. The production increases will be substantial.
You can ask Copilot to create a proposal for a client, for instance, by opening a blank Word document and providing it with a target data set that includes PowerPoint decks, OneNote pages, and other office documents. It takes only a few seconds to have a complete proposal.
Here are some other instances that Microsoft provided at their launch event:
• Copilot may participate in your Team meetings and record action items, provide a real-time summary of the topics covered, and identify any unanswered issues.
• Outlook’s Copilot feature can assist you with email prioritization, inbox management, thread summarization, and reply generation.
• Excel’s Copilot can analyze raw data and provide you with trends, insights, and recommendations.
The operation of Microsoft 365 Copilot
This is a summary of the steps involved in processing a Copilot prompt:
• A user enters a prompt into a program such as PowerPoint, Word, or Outlook.
• Based on the user’s M365 permissions, Microsoft collects the user’s business context.
• The LLM receives a prompt (similar to GPT4) to produce an answer.
• Microsoft carries out responsible AI post-processing checks.
• The M365 app receives a response from Microsoft along with instructions.
Microsoft 365 Copilot security model from Microsoft
_665da2b7714a4.png)
.png)
There is always a strong conflict between security and productivity when using collaborative technologies.
This was seen during the COVID-19 pandemic when IT teams hurriedly implemented Microsoft Teams without properly comprehending the underlying security mechanism or the configuration of their organization’s M365 groups, permissions, and connection policies.
What Microsoft takes care of for you:
• Isolation of tenants: Only information from the current user’s M365 tenant is used by Copilot. The AI tool won’t display information from any tenants to whom the user may be invited or from any renters who may have cross-tenant sync enabled.
• Boundaries education: Copilot trains its basic LLMs for each tenant without using any of your business data. You shouldn’t be concerned that comments from other users in other tenancies will contain your confidential information.
What you must oversee:
• Acknowledgments. All organizational data that each user can examine at least is made visible through Copilot.
• Labels. The MPIP labels of the files that Copilot retrieved its answer from will not be inherited by Copilot-generated content.
• People. AI-generated content needs to be reviewed by humans; Copilot’s responses aren’t always safe or 100% factual.
Authorizations
It would be a great idea to grant Copilot access to only what a user may access if businesses could simply implement the least privilege in Microsoft 365.
Getting Copilot ready for tenant security
Understanding your data security posture before your Copilot implementation is essential. As Copilot is probably going to be widely accessible early in the upcoming year, this is an excellent moment to implement security controls.
With our Data Security Platform, which offers a real-time picture of risk and the ability to automatically enforce the least privilege, Varonis protects thousands of Microsoft 365 customers.
With almost no human work required, the service provider can assist you in mitigating the largest security threats using Copilot.
Find and categorize every piece of sensitive AI-generated content automatically.
- Constantly monitor sensitive data in M365
- Warn and react to anomalous behavior
- Automatically enforce least privilege permissions
- Automatically guarantee that MPIP labels are accurately applied.
A free risk assessment is the ideal place to start. Setting it up only takes a few minutes, and in a day or two, you’ll have a real-time view of the danger to sensitive data.
