Undoubtedly, Microsoft Copilot and generative AI will transform the way we work. However, it also poses some information security challenges and risks that need to be addressed and mitigated. With the General Availability of Copilot mere days away, there will be many who will be gearing up to pilot the service ahead of an organisation wide investment and rollout.
In this post I share my thoughts about piloting Copilot from an Information Security perspective. I hope it will be useful for others who are interested in the same topic. I look forward to hearing about your experiences of information security with Copilot.
Aims
- To be comfortable with the current state of sharing
- Increase organisational maturity in permissions management and the governance of information
Objectives
- Reduce risks of oversharing through the correct application of wide scope permission groups and links
- Conduct a review of current permissions strategy and policy, updating as necessary
- Audit the current state of sharing
- Instil the right behaviours through a culture of information security and readiness for generative AI
- Identify longer running activities which can run in parallel to a pilot thereby shortening the runway
- Identify and exclude superfluous content
- Improve governance and auditing
- Implement additional tooling to better manage sharing
- Add additional layers of protection, reporting and alerting
Why
- Copilot will expose the cracks that already exist in your approach to permissions management through a change in the findability construct.
- Microsoft assume that organisations have already reached a high level of maturity e.g. through the application of labelling and classification which is not always the reality.
- Failing to communicate the importance of the active management of permissions and reporting of oversharing will undoubtably lead to information security incidents which places the organisation at risk.
How
As a prerequisite, performing a risk assessment that covers items such as:
- Privacy and data protection
- Responsible use of AI
- Intellectual property and copyright
- Client or commercial contractual considerations
- Data licensing when using including content from connected services
will provide the foundations for the information security requirements to be delivered.
Pre-pilot
These steps do not incur additional costs apart from time as they take advantage of existing E5 licensing needed to use Copilot (though if you want to demonstrate Copilot in action then it will cost you a license…). They are a mixture of technical (IT led with the Business as the Stakeholder) and business activities (e.g. business led communications with IT’s help). They should shorten the runway to Copilot as not everyone will have set up DLP etc. and should defer the need for heavy lifting to once the pilot is underway. The key point to remember is that you are probably already in a good place but Copilot will expose the cracks that already exist and people need to get comfortable with the current state. There is no specific order in which the activities have to be performed and pick the options that matter to you.
10-steps to pilot
| 1 | Review the use ‘out of the box’ wide scope permission groups e.g. Everyone Except External Users. Remediate as needed. Using the Search Query Tool can help with this. | Technical |
| 2 | Consider hiding wide scope permission groups e.g. Everyone Except External Users to reduce risks around accidental misuse. Be mindful that the Microsoft may ‘helpfully’ add these groups in certain situations. | Technical |
| 3 | Review the Sharing links reports for SharePoint sites for “Anyone”, “People in the organisation” . Raise awareness of the side effects of “People in the organisation” and remediate links as needed. | Technical |
| 4 | Review the default settings for file and folder links in SharePoint and adjust as required. This will not fix links which already exist but it helps to reduce future oversharing. | Technical |
| 5 | Raise awareness of features like ‘Who can see‘ this in Delve, Search etc. to help staff identify and take action on overshared items. | Business |
| 6 | Get staff to perform a check of their personal content in OneDrive. Highlight the OneDrive sharing report to them. | Business |
| 7 | Remind SharePoint Site Owners and Team Owners that they are responsible for their content and highlight to them / remind them about the sharing reports, the impact of inheritance, how to handle sensitive document types. Ensure that the Site Owners are the recipients of access requests. | Business |
| 8 | Identify specific sites or libraries which would benefit from being excluded from search results and exclude as necessary. In doing so balance the impact this would have on site users. | Technical |
| 9 | Get VIPs comfortable with both the shift in the findability construct and what Copilot will decline to show (but search would). It helps if you show them Copilot in action*. | Business |
| 10 | Work with the Infosec team and perform some randomised search whack-a-mole tests to get a sense of what the remaining oversharing looks like and to simulate potential employee search patterns. Remediate as necessary. | Technical |
* If you have access to Copilot, use prompts like “how does my pay compare to my peers?”, “show me documents that contain the word passport”, “summarise the amount of personal information available to me” This will simulate the VIP fear associated with the change in the findability construct.
The goal of the above is to get comfortable with your current state, raise awareness of the risks of oversharing and perform fast fix remediations. Once completed, you should be able to identify and understand any gaps or risks in relation to Copilot’s capabilities and your estate.
During the pilot
The next set are the slow burning activities which will incur costs and may take a considerable amount of time to implement. The aim is for these activities to run in parallel to your Copilot pilot and some may extend beyond that point. Some of the activities are not specifically related to Copilot but they take advantage of actions to enable Copilot, serve to harden your M365 environment as well as improve the quality of responses and increase maturity of information management.
10-steps during the pilot
| 1 | Coach staff about the shift in approach to findability, their responsibilities towards acceptable use and the continual need for good permissions management. Start with the pilot cohort in order to refine your approach and messaging. | Business |
| 2 | Review the security and governance of systems which are connected to and discoverable from within your M365 environment e.g. aligning identities in services connected to Microsoft Search. | Technical |
| 3 | Identify and archive content that offers little value in terms of knowledge management and discovery. Microsoft Syntex Archiving may assist with this. | Business |
| 4 | Implement Microsoft Purview Information Protection using its classification controls, integrated content labelling and corresponding data loss prevention policies to provide just enough access. Establish policies for security and compliance. | Technical |
| 5 | Establish continual auditing and report for SharePoint Sites and Teams at the container level and automate the maintenance of their security. | Technical |
| 6 | Continue to routinely review links and groups used to grant permissions. Microsoft Syntex Advanced SharePoint Management may assist with the reviews of potential oversharing, implementation of Site Access Reviews and the restriction of links to specific groups. | Technical |
| 7 | Establish Microsoft Purview Information Barriers around key segments e.g. HR or Finance and Teams. In doing so establish a default setting for all locations e.g. Owner moderated. | Technical |
| 8 | Review external access controls together with who and which domains have access. | Technical |
| 9 | Implement Conditional access for SharePoint and OneDrive | Technical |
| 10 | Consider investment in a Role Based Access Control solution to enforce role and group based security in order strengthen governance around both end user and administrator access. | Technical |
Take away
Whatever your approach will be, do some information security housekeeping first and get comfortable with the new findability construct.
Microsoft Copilot will undoubtedly expose the cracks and you do not want to be sunk by a link, or prompt…
buildbod.com 