
Ewelina Paczkowska
Solution Architect, Threatscape's Microsoft Security Practice
The rapid expansion of Artificial Intelligence (AI) across industries has brought significant advancements in automation, productivity, and innovation. However, as AI tools like Microsoft Copilot become more integrated into everyday business operations, data protection must evolve to meet the challenges of an increasingly complex landscape. This is where Microsoft Purview, a comprehensive data governance solution, steps in. By providing powerful tools for managing data security, compliance, and privacy, Purview helps organisations safeguard their sensitive information in the age of AI.
In the ever-changing world of AI, data security is no longer just an IT concern – it is a strategic business priority. But how do organisations ensure robust protection strategies? The answer begins at the top. Effective management buy-in is essential to ensuring that the right resources are allocated, the right strategies are implemented, and the right culture is fostered within the organisation to address the risks posed by AI. With Microsoft Purview’s integrated solutions, organisations can take a comprehensive, proactive approach to data protection. Additionally, Microsoft’s “secure by default” initiative empowers businesses with the right configurations from the outset, simplifying the implementation of strong data security practices.

Why Does Management Buy-In Matter?
The importance of management buy-in for implementing a robust data protection strategy cannot be overstated. Senior leadership plays a critical role in creating a culture of security and compliance, driving the allocation of resources, and prioritising investments in the right tools and technologies. Data protection, especially with AI tools like Copilot, requires long-term commitment and investment. Without leadership support, organisations may struggle to allocate the necessary resources, both human and technological, to create a comprehensive data security framework.
The cost of insufficient investment in data protection can be high. In an era where AI is generating and processing an increasing amount of sensitive data, the consequences of breaches or non-compliance can be severe. These risks not only expose organisations to financial penalties and reputational damage but also jeopardise customer trust. For example, an employee unintentionally uploading confidential information to an AI tool like Microsoft Copilot could lead to the accidental exposure or misuse of sensitive data, especially if AI-generated content is mishandled. In this scenario, management’s commitment to data protection is pivotal in driving the strategic direction that ensures the security of such information.
The Importance of Data Security in The Age of AI
As AI tools become deeply embedded in business processes, the risk landscape expands. AI systems like Microsoft Copilot can process vast amounts of sensitive data in real time. However, this introduces new threats, including the unintentional exposure of confidential information, intellectual property, and personal data. Accidental data leaks or misuse could occur if sensitive information is shared with the wrong AI application or used inappropriately, leading to potential compliance violations.
Moreover, in an increasingly regulated environment, data is not just a valuable business asset – it is also a heavily scrutinised one. Regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require businesses to implement stringent data protection measures to ensure the privacy and security of personal information. As businesses leverage AI technologies to enhance their operations, they must also be prepared to navigate an evolving regulatory landscape that places greater emphasis on how data is handled, shared, and protected.
AI tools can amplify the risks related to data security, but they also offer an opportunity to enhance compliance and streamline data protection. Leveraging solutions like Microsoft Purview, organisations can automate and optimise data protection practices, ensuring that sensitive information is protected from the moment it enters the system to when it is shared or used in AI processes.
Microsoft Purview: Data Protection Across Licensing Tiers
Microsoft Purview provides an array of powerful tools that help businesses safeguard their data across different licensing tiers, from Microsoft 365 Business Premium to E3 and E5. Let’s explore how businesses can optimise their data security posture with Purview across these three common licensing levels.
E5: Advanced Compliance and Security Features
The Microsoft 365 E5 license is the highest tier and offers the most comprehensive data security features within Microsoft Purview. With a full Microsoft 365 E5 or E5 Compliance license, organisations gain access to advanced compliance solutions such as Microsoft Information Protection (MIP) with auto-labelling, Insider Risk Management, Communication Compliance, Advanced eDiscovery, and Data Loss Prevention (DLP) covering endpoints and Microsoft Teams. These features help monitor user behaviour, detect suspicious activities, and ensure compliance with industry regulations.
E3: Comprehensive Data Loss Prevention and Retention Policies
For businesses on the Microsoft 365 E3 plan, Microsoft Purview offers essential data protection tools, including Microsoft Information Protection (MIP) with manual sensitivity labels, Data Loss Prevention (DLP), and Retention Policies. These features help organisations protect their sensitive data from being inadvertently shared or leaked through email, file-sharing, or other collaboration tools.
Business Premium: Core Data Security Tools for SMBs
For smaller businesses, the Microsoft 365 Business Premium license provides access to a core set of data protection tools. While it lacks some of the advanced compliance features available in E3 and E5, Business Premium still offers valuable security capabilities, including manual sensitivity labels, basic encryption, retention, audit, and Data Loss Prevention.
Key Data Protection Features in Microsoft Purview That Can Help Gain Control Over Your Data
Communication Compliance: Detect Copilot Interactions
Microsoft Purview provides a Communication Compliance policy template called “Detect Microsoft Copilot Interactions” that helps organisations track and monitor sensitive prompts and responses in Copilot. This policy ensures that confidential information is not exposed during AI interactions, whether the data is generated through AI prompts or responses.

Insider Risk Management: Risky AI Usage
With Insider Risk Management, businesses can use the “Risky AI Usage” policy template to track sensitive data being uploaded to AI sites and applications. This allows organisations to monitor employees’ interactions with AI tools like Copilot or ChatGPT, ensuring that sensitive information is not inappropriately shared or exposed.


Microsoft Defender for Cloud Apps (MDA)
Using Microsoft Defender for Cloud Apps, businesses can set up an Activity Policy to track interactions with Copilot or generative AI applications. For example, the activity type filter can be set to “interact with Copilot,” ensuring that all interactions with AI are logged and monitored for compliance.

Additionally, businesses can set up App Discovery Policies with filters for “category equals generative AI” to monitor or block the usage of AI applications within their organisation.

Data Loss Prevention (DLP)
With Endpoint DLP, organisations can block the upload of sensitive files to unapproved apps and cloud service domains. By configuring these policies to block interactions with specific URLs, businesses can prevent sensitive information from being processed by non-secure or unauthorised third-party AI platforms.

Additionally, you can set up a DLP policy scoped to Microsoft 365 Copilot (currently in preview) to prevent it from processing content based on the sensitivity label applied to emails or files.

Encryption Settings for Sensitivity Labels
In addition to configuring DLP policies, businesses can modify the encryption settings for their sensitivity labels. For example, organisations can choose to prevent Microsoft 365 Copilot from accessing sensitive information by restricting access based on the sensitivity labels applied to emails or documents.
Avoid granting the “Copy and extract content (EXTRACT)” permission to documents with highly sensitive labels. This permission allows Microsoft 365 Copilot to access and create new content based on labelled and encrypted documents. By restricting EXTRACT on sensitive content, you prevent Copilot from processing and using protected information, ensuring that your most sensitive data remains secure and inaccessible for content generation. This adds an additional layer of protection, reducing the risk of exposure while maintaining productivity.
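One way to review labels against this recommendation, as an added example that is not part of the original article or Microsoft's tooling: the script flags highly sensitive labels whose permissions still grant EXTRACT. It assumes the permissions have been exported as strings in the `identity:RIGHT1,RIGHT2;identity2:RIGHT3` form used by the `EncryptionRightsDefinitions` parameter of `Set-Label`; the label names, identities and function names are constructed for illustration.

```python
# Added example: label names, identities and rights strings are constructed.
# OWNER (Full Control) is flagged too because it includes every usage right,
# EXTRACT among them.
HIGH_RISK_RIGHTS = {"EXTRACT", "OWNER"}


def parse_rights_definitions(definition):
    """Parse 'identity:RIGHT1,RIGHT2;identity2:RIGHT3' into {identity: {rights}}."""
    grants = {}
    for entry in definition.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        identity, sep, rights = entry.rpartition(":")
        if not sep or not identity:
            raise ValueError(f"malformed entry: {entry!r}")
        parsed = {r.strip().upper() for r in rights.split(",") if r.strip()}
        grants.setdefault(identity.strip().lower(), set()).update(parsed)
    return grants


def find_extract_grants(labels, restricted_labels):
    """Return (label, identity, risky_rights) for each restricted label that
    still lets an identity copy or extract content."""
    findings = []
    for name, definition in labels.items():
        if name not in restricted_labels:
            continue  # EXTRACT is acceptable on lower-sensitivity labels
        grants = parse_rights_definitions(definition)
        for identity, rights in sorted(grants.items()):
            risky = sorted(rights & HIGH_RISK_RIGHTS)
            if risky:
                findings.append((name, identity, risky))
    return findings


# Constructed sample export: label display name -> rights definition string.
SAMPLE_LABELS = {
    "General": "contoso.example:VIEW,EDIT,EXTRACT,PRINT",
    "Highly Confidential": "contoso.example:VIEW,DOCEDIT,EDIT;"
                           "legal@contoso.example:VIEW,EXTRACT",
    "Board Only": "board@contoso.example:VIEW,VIEWRIGHTSDATA; "
                  "ceo@contoso.example:OWNER",
}
RESTRICTED = {"Highly Confidential", "Board Only"}

if __name__ == "__main__":
    for label, identity, rights in find_extract_grants(SAMPLE_LABELS, RESTRICTED):
        print(f"{label}: {identity} holds {', '.join(rights)}")
```

Each finding is a grant to review: either remove the right from the label's permissions or confirm that the identity genuinely needs Copilot to work with that content.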

DSPM for AI
A notable addition to the new Purview portal is Data Security Posture Management for AI (DSPM for AI), which helps businesses proactively assess security risks related to AI tools like Microsoft Copilot.
DSPM for AI helps you track and manage Microsoft 365 Copilot interactions by leveraging Activity Explorer. This tool enables you to monitor Copilot prompts, detecting potential risks and improving data protection.
In addition, DSPM for AI offers several critical capabilities:
- Oversharing Protection
- Sensitive Data Protection
- Risk Detection
- ChatGPT Enterprise Risk Management
- Regulatory Guidance

Whether your organisation is on the E5, E3, or Business Premium licensing plan, Microsoft Purview offers a tailored approach to data protection that meets your specific needs. Threatscape’s award-winning Microsoft experts are available to support your data protection journey with a wealth of expertise and vital know-how.
For those organisations requiring a helping hand through their Purview implementation, Threatscape’s complimentary Microsoft Purview Advisory Service offers insight into the data security protections available within your Microsoft 365 license. With a no-obligation consultation with one of our award-winning Microsoft security experts, you’ll receive advice and recommendations on the type of data security risks companies face, and insight into how Purview and other capabilities within Microsoft 365 help defend against those risks.