Microsoft 365 Copilot: How to boost your productivity with AI. Part two: Data security and governance | IntraTeam event | April 2024
1 like314 views
The document discusses strategies for enhancing data security and governance during the implementation of Microsoft 365 Copilot, emphasizing the importance of 'just enough access' policies. Key recommendations include optimizing data lifecycle management, governing access through labeling and permissions, and adopting a comprehensive approach to privacy and compliance. It outlines the technical architecture of Copilot, highlighting its encrypted data handling and Microsoft's commitment to customer data security.
Microsoft 365 Copilot: How to boost your productivity with AI. Part two: Data security and governance | IntraTeam event | April 2024
- 2. Nikki Chapple Principal Cloud Architect nikkichapple @chapplenikki www.nikkichapple.com All Things M365 Compliance
- 3. Agenda • The risks of not addressing data security and governance as part of your Microsoft 365 Copilot transformation • How to configure Microsoft 365 for “just enough access” to safeguard your sensitive data • How to improve data governance to deliver more accurate and relevant recommendations
- 4. Big Data - A New Era 4
- 5. Essentials for Copilot success Nominate and activate your Copilot executive sponsors, in partnership with your AI Council Define initial high value scenarios and target a critical mass of users for rapid value Define your path to secure your data for compliance and peace of mind
- 6. Copilot for Microsoft 365 implementation Copilot implementation Sponsor Scenarios Security Copilot essentials checklist User Enablement Prepare organization and employees for the AI transformation journey Workstreams support each other for maximum value and ROI Technical Readiness Address technical deployment and optimization, including governance, security, compliance, and management Leadership journey
- 7. 1 6 2 3 5 3 4 Data flow ( = all requests are encrypted via HTTPS) User prompts from Microsoft 365 Apps are sent to Copilot Copilot accesses Graph and Semantic Index for pre-processing Copilot sends modified prompt to Large Language Model (LLM) Copilot receives LLM response Copilot accesses Graph and Semantic Index for post-processing Copilot sends the response, and app command back to Microsoft 365 Apps 1 2 3 4 5 6 Microsoft 365 Trust Boundary Customer’s Microsoft 365 Tenant Semantic Index Azure OpenAI RAI Azure Open AI instance is maintained by Microsoft. Open AI has no access to the data or the model. RAI is performed on input prompt and output results Customer data is not stored or used to train the model
- 8. Improve your data quality with Data Lifecycle Management 8 • Restrict access • Delete redundant, obsolete, or trivial (ROT) data • Access permissions • Sharing links • Naming conventions • Metadata Create Store and Use Archive Delete
- 9. Technical considerations for compliance and security of deployment
- 10. Copilot for Microsoft 365 basic architecture 6 2 3 5 3 4 Microsoft 365 Service Boundary Customer Microsoft 365 Tenant Semantic Index Azure OpenAI RAI Azure OpenAI instance is maintained by Microsoft. OpenAI has no access to the data or the model. RAI is performed on input prompt and output results Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation models 1 Data flow (lock) = all requests are encrypted via HTTPS and wss://) 1 User prompts from Microsoft 365 Apps are sent to Copilot 2 Copilot accesses Graph and Semantic Index for pre-processing 3 Copilot sends modified prompt to Large Language Model 4 Copilot receives LLM response 5 Copilot accesses Graph and Semantic Index for post-processing 6 Copilot sends the response, and app command back to Microsoft 365 Apps
- 11. Microsoft’s approach to privacy You control your data You know where your data is located We secure your data at rest and in transit We defend your data
- 12. Common questions we hear from customers How do we know our data is secure? When will we be able to audit Copilot usage? What can I do to avoid overexposing our data? Where is my data processed?
- 13. Copilot for Microsoft 365 Built on Microsoft’s comprehensive approach Security Compliance Privacy Responsible AI
- 15. 1. Understand your current risks and data security readiness
- 16. Most data stored outside Microsoft 365 and users work in email 3rd Party data storage Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded SharePoint Your OneDrive Others OneDrives
- 17. Use of OneDrive increases but emailing files not sharing files - no adoption or training Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded Your OneDrive SharePoint 3rd Party data storage Your OneDrive Others OneDrives
- 18. Pioneers create ungoverned Teams & Sites Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded Your OneDrive Others OneDrives SharePoint 3rd Party data storage
- 19. 3rd Party data storage We create public Teams with default configuration Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded Others OneDrives Your OneDrive
- 20. 3rd Party data storage SPO There is ungoverned file sharing Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded Others OneDrives Your OneDrive
- 21. 3rd party data is migrated into Microsoft 365 - increasing sprawl 3rd party Your OneDrive Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded
- 22. Govern Access - Admins added as owner of all groups, Teams & sites by default SPO Your OneDrive Ungoverned - access Ungoverned – no access Location hidden from scope – Excluded
- 23. Govern groups, Teams and sites Data Lifecycle management Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive
- 24. Copilot for Microsoft 365 Optimization Assessment Data Security readiness score License profile Deployment path 0% - 66% Office 365 E3, Microsoft 365 Business Standard/Premium, or higher Core 67% - 100% Microsoft 365 E5 Best-in-Class Determine your deployment path Solution Assessment Program (microsoft.com)
- 26. 5 If used, disable Restricted SharePoint Search Apply appropriate Data Security controls Get started quickly and continue to optimize along the way *Restricted SharePoint Search will limit Copilot for Microsoft 365 experiences and organization-wide search. It is a temporary option which gives you time to address oversharing concerns while getting started on your Copilot journey. 4 OPTIMIZE FURTHER AS NEEDED Core Restrict data oversharing and data leaks with manual labeling and policies Required licenses: Office 365 E3, Microsoft 365 Business Standard/Premium, or higher Best-In-Class Prevent data oversharing, data leaks, and detect non-compliant usage at scale with auto labeling and policies Required licenses: Microsoft 365 E5; and SPP-SharePoint Advanced Management YES 3 Deploy Copilot for Microsoft 365 2b Enable Restricted SharePoint Search* NO 2a Ready to deploy? Get started Copilot for Microsoft 365 Optimization Assessment Determine path (26 questions; 30 minutes) 1
- 27. SPO 1. Temporary measure - Restricted SharePoint Search Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive Add up to 100 sites Frequently visited sites Your OneDrive Shared files with you & you have accessed This disables organization-wide search No impact on Purview e.g. DLP
- 28. 2. User adoption so users know they can revoke access to their shared OneDrive files Your OneDrive Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Relies on user adoption
- 29. SPO 3. Convert Public workspaces to Private workspaces Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive All users in the tenant can access content in Public Groups Use Container sensitivity labels to restrict Public Teams being created Identify Viva Engage/ Teams that need to be Public e.g All staff or social
- 30. SPO 4. Regularly review workspace membership Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive Manual reviews Dynamic groups (Entra ID P1) Entra ID Groups/Teams/Viva Engage Access Reviews (Entra ID P2 licence) SAM reviews for Sites
- 31. SPO 5. Implement workspace provisioning controls and sensitivity labels Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive Container sensitivity labels to control access permissions Build or Buy e.g. Orchestry
- 32. 6. Govern Teams - Use private/shared channels to restrict access Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access SPO Your OneDrive Control who can create Shared channel bi-directional config
- 33. SPO 7. Restrict who can share files and folders and sharing links Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive Use container labels (feature enabled via PowerShell)
- 34. SPO 8. Govern Site Access - Block site access to non- members Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive SharePoint Advanced Management licenses $3 PUPM for all users
- 35. 9. Govern Content - Use DLP and or encrypted sensitivity labels to restrict access Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Teams SPO Automated labelling & default label on Document Library requires E5 IP&G licencing for all users
- 36. SPO 10. Govern Content - Retention policies/labels to keep what you need and delete the rest Others OneDrive Teams Teams Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Automated requires E5 IP&G licencing for all users
- 37. SPO Archive SPO 11. Govern Content - Externally archive inactive content Others OneDrive Ungoverned - access Ungoverned – no access Governed location – No access Governed location – have access Your OneDrive Microsoft now has a SharePoint archive service
- 38. Summary User adoption Container permissions Review container membership Protect content Govern content lifecycle