Protect your Microsoft 365 data in the age of AI: Introduction

Introduction

In recent presentations I talked about protecting your data in the age of AI. This subject almost always comes with a concern (at least when using AI professionally; in your home environment your mileage may vary). This concern is caused by various factors, of which I’ll highlight a few that relate to my expertise:

  • Having no insight into AI usage or (sensitive) company data that is shared with AI platforms.
  • Lacking awareness of what is done with your data and where it is stored (if at all).
  • Lack of knowledge on how to meet legal and regulatory requirements.
  • Not knowing how to make AI apps or platforms behave ethically.
  • The lack of knowledge on how to train your users on ethical AI usage.
  • Having no company policy on secure data usage and in particular secure AI usage.
  • Being unaware of the measures in your ecosystem that can be leveraged to gain insight into AI usage or maybe even take control of AI usage in your environment.

Of course, the lack of transparency of AI apps doesn’t help in this regard. We often want to know how our data is processed and which data is stored or used by the developer of the app. The case that comes to mind most is the developer using your data to improve their large language model.

The influence of GenAI at home

More and more employees are using generative AI tools to be more productive in their home environment. Consumer products are packed with “AI” these days. While it’s often used as a buzzword to promote products, the fact is that a lot of companies are using GenAI to improve their users’ productivity. Examples are Google (Gemini in Android and their search service), Apple (Apple Intelligence in iOS), Microsoft (Copilot in Edge and their search service Bing) or more “independent” companies like OpenAI (ChatGPT) and Anthropic (Claude).

As users now know they can be more productive with GenAI services, they take this knowledge with them to the workplace. As an employer, you can do one of two things:

  1. Provide your users with a GenAI service that adheres to your company policy (if you have one).
  2. Don’t provide your users with a GenAI service of your choosing.

The challenge, however, remains the same: how do you maintain control over your data?

About this new blog series

In this new blog series, I want to take you through the possibilities that the Microsoft Purview platform offers to address the concerns mentioned above. We’ll also explore additional products beyond Microsoft Purview that are included in your Microsoft 365 license to help us achieve our goals. To make things more tangible and relatable, we’ll use a fictional organization throughout this series.

Our fictional company

In this blog series, we’ll use the following fictional scenario:

We are a film production company that produces science fiction films.
Under no circumstances are we allowed to make references to existing Star Wars films. We also want to comply with the following conditions:

  • Gain insight into the use of GenAI apps in our company.
  • Allow the use of M365 Copilot but prohibit its use on files labeled as sensitive.
  • Allow third-party GenAI apps ChatGPT, Claude, and Google Gemini, but block the sharing of the following sensitive information:
    • ABA Routing Number, Azure SAS, Azure Storage Account Key (Generic), Belgium National Number, Credit Card Number, Drug Enforcement Agency (DEA) Number, Germany Identity Card Number, Germany Tax Identification Number, Germany Value Added Tax Number, International Banking Account Number (IBAN), IP Address, IP Address v4, IP Address v6, Netherlands Citizen’s Service (BSN) Number, Netherlands Tax Identification Number, Netherlands Value Added Tax Number, SWIFT Code, U.S. Bank Account Number, U.S. Driver’s License Number, U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN), Star Wars Saga
  • Block usage of other GenAI apps completely.

This list may be supplemented with other conditions as the blog series progresses.

Data Security Posture Management for AI

Data Security Posture Management for AI (DSPM4AI) is a solution in Microsoft Purview that provides us with easy-to-use policies and solutions to gain insight into, and control over, AI usage in our Microsoft 365 environment. The DSPM4AI solution is under active development and new items are added to the roadmap frequently.

It is important to know that under the hood, DSPM4AI uses techniques (or modules if you will) that are already available within Microsoft Purview:

If you would like to know more about one of these modules, click the links above to go to the blog post I created on the specific topic.

DSPM4AI is one of the main solutions we will be using in this blog series.

Up next

In the next part of this series, we will take a look at the licensing requirements and other prerequisites we need to have in place. See you there!