Data does not move by itself; people move data.

This statement may seem simple, but it contains an important insight into data security: technology is only part of the solution. For robust information security, a proper balance is needed between technology that aligns with your organization and employees who know how to handle data securely. In this blog, I’ll share three practical tips to structurally strengthen the human aspect of data security, based on experience in various projects.

1. Form a Diverse Working Group

For your data security initiative, assemble a working group with people from different departments, roles, and backgrounds. Include data owners, department heads, the Chief Information Security Officer (CISO), and representatives from the Central Data Office (CDO), information security, and Document Information Management. This provides insight into information and information flows within your organization. Additionally, expand the group with representatives from IT and functional support.

After all, these are the people that have the real insight on what data is sensitive to your company, and what the specifications or properties of that data are.

2. Make End Users Part of the Design

Automatic detection of sensitive data and targeted alerts for risky actions help raise awareness among end users and support the adoption of data security. However, successful implementation depends on involving users. Start with training that strengthens both knowledge and desired behavior.

Up to now, the ‘Protect Your Microsoft 365 Data in the Age of AI’ series consists of the following posts:

1. Protect your Microsoft 365 data in the age of AI: Introduction
2. Protect your Microsoft 365 data in the age of AI: Prerequisites
3. Protect your Microsoft 365 data in the age of AI: Gaining Insight
4. Protect your Microsoft 365 data in the age of AI: Licensing (This post)

Every series has at least one episode that you feel was the weakest of the bunch; however, the series would not be complete without it. The same applies to this post. Although it is, of course, much more enjoyable to delve into the technical aspects, we must also address the more essential matters, such as licensing in this case. After all, before you begin protecting your data in the age of AI, you naturally want to know what it will cost you, so that you can perhaps draft a business case.

In the case of protecting your Microsoft 365 data in the age of AI, we’ll have to deal with 2 types of licensing models, which we’ll talk about in the next chapters.

Per-user licensing model

This is the actual subscription-based license that grants you the right to use Microsoft 365 services, and in this case, Microsoft Purview and Microsoft Defender for Cloud Apps.

Up to now, the ‘Protect Your Microsoft 365 Data in the Age of AI’ series consists of the following posts:

1. Protect your Microsoft 365 data in the age of AI: Introduction
2. Protect your Microsoft 365 data in the age of AI: Prerequisites
3. Protect your Microsoft 365 data in the age of AI: Gaining Insight (This post)

Now, with the introduction and prerequisites being taken care of, we can focus on the first objective in this blog series which -if you might remember- is the following:

Create insight in the use of GenAI apps in our company.

While this is possible by leveraging Microsoft Defender for Cloud Apps, we’re going to take this one step further and use Microsoft Purview Data Security Posture Management for AI (DSPM4AI) to also create insight on which sensitive data is shared with GenAI apps.

Creating policies

Let’s dive back into the Purview console and start where we also started with our previous article in this series. The DSPM4AI console. While we satisfied all the prerequisites in our previous article, we can see in the screenshot above that 1 tick box is still missing that satisfying green checkmark. And that’s the one we are going to enable right now.

It allows us to extend our insights for data discovery and specifically; the use of generative AI apps in our organization. As can be seen in the screenshot above, it takes the manual creation of policies out of our hands by creating an Insider Risk Management policy that allows us to detect when users use a browser to visit AI sites and also creates an endpoint Data Loss Prevention (eDLP) policy that allows us to capture when and which sensitive information is pasted or uploaded to AI sites. Let’s create both policies and check out what’s under the hood.

In the previous blog post in this series we introduced the ‘Protect Your Microsoft 365 Data in the Age of AI’ series, Data Security Posture Management for AI (DSPM4AI) and the fictional company that we will use to explain all the goodness Purview and other Microsoft 365 solutions have in store to help us address the concerns that we talk about in the first post.

Up to now, the ‘Protect Your Microsoft 365 Data in the Age of AI’ series consists of the following posts:

1. Protect your Microsoft 365 data in the age of AI: Introduction
2. Protect your Microsoft 365 data in the age of AI: Prerequisites (This post)

In the second post in the series, we will be taking a look at the prerequisites that we need to configure in order to make use of Microsoft Purview Data Security Posture Management for AI, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps to meet our needs. If we add other Microsoft 365 solutions in this series, this blog post will be updated.

Prerequisites: Data Security Posture Management for AI

When navigating to the DSPM4AI solution in Microsoft Purview, we are greeted with a nice list of prerequisites we need to set up to get started.

Introduction

In recent presentations I talked about protecting your data in the age of AI. This subject almost always comes together with a concern (at least when using AI professionally, in your home environment your mileage may vary). This concern is caused by various factors, from which i’ll highlight a few that relate to my expertise:

• Having no insight on AI usage or (sensitive) company data that is shared with AI platforms .
• Lacking awareness of what is done with your data and where it is stored (if at all).
• Lack of knowledge on how to meet legal and regulatory requirements.
• Not knowing how to make AI apps or platforms behave ethical.
• The lack of knowledge on how to train your users on ethical AI usage.
• Having no company policy on secure data usage and in particular secure AI usage.
• Being unaware of the measures in your ecosystem that can be leveraged to create an insight on AI usage or maybe even take control of AI usage in your environment.

Of course the lack of transparency of AI apps doesn’t help in this regard. We often want to know how our data is processed and which data is stored or used by the developer of the app, where the case of the developer using your data to improve their large language model is the one that speaks to mind most.

The influence of GenAI at home

More and more employees are using generative AI tools to be more productive in their home environment. Customer products are packed with “AI” these days. While it’s often used as a buzzword to promote products, the fact is that a lot of companies are using GenAI to improve their users productivity. Examples are Google (Gemini in Android and their search service), Apple (Apple Intelligence in iOS), Microsoft (Copilot in Edge and their search service Bing) or more “independent” companies like OpenAI (ChatGPT) and Anthropic (Claude).

Introduction

Before you can make use of all features in Microsoft Purview, such as information protection and data loss prevention, it is essential to understand which information is sensitive for your organization and where this information is located within your organization. Identifying this sensitive information can be done in two ways: through (auto-)labeling or continuous classification based on document content characteristics.

When is classification information collected and where is it stored?

Let’s take a look at the image above by Enrique Saggese. Classification information is created or updated when 1 of the following actions happen to content: