Microsoft 365

23 February 2024

Microsoft Copilot: 5 steps to secure data access


The arrival of Microsoft Copilot, a generative AI assistant, increases productivity, research and information-access capabilities across the Microsoft 365 environment. It therefore reinforces the need to properly govern and control data access in all Microsoft apps: Teams, SharePoint, OneDrive, Outlook and more.

Accurate management of access, rights and sharing seems essential before deploying Copilot AI to ensure that users only have access to appropriate data and avoid content oversharing.

Here are 5 tips for making data access secure when deploying Copilot:

  1. Understand how data is shared
  2. Explore risks on the Microsoft 365 tenant
  3. Minimise the risk of overexposure
  4. Manage data access over time
  5. Support change management

1. Understand how data is shared

Before deploying Copilot, companies must analyse and take a snapshot of their data and information assets. The challenge is to understand how information stored in OneDrive or SharePoint is shared inside and outside the organization: where the data is located, who handles the most sensitive and strategic data, by which means it is shared, and who has access to what.

  • Maintain a global view of the information in the Microsoft 365 environment and the resources of each user: the number of shared mailboxes, OneDrive accounts, Teams groups, SharePoint sites, etc.
  • Maintain a view by user and by data type: a more detailed view is essential for sensitive data in particular.


2. Explore risks on the Microsoft 365 tenant

Analysing risks when deploying a tool like Microsoft Copilot is essential in order to identify the potential risks and threats to which the information system may be exposed and to minimise the attack surface.

Microsoft Copilot relies on the permissions and access policies already in place: it will not surface a document or piece of information to a person who does not have the right to access it. The corollary is that any rights or authorisations that are not configured in a compliant manner become a path to unauthorised, possibly malicious, access through Copilot.

It is therefore necessary to pay particular attention to access and authorisations, for example by mapping data access, rights and permissions in order to identify sensitive and critical points and correct them.

  • Evaluate data exposure: number of anonymous shares, public SharePoint and Teams sites (with or without owner).
  • Visualise points of focus: for each resource collected, highlight the potential risk linked to its sharing configuration (anonymous links, links to the entire company, guest access), its access and its authorisations. Examples of points of focus:
    • Guests accessing sensitive sites
    • Extended rights to sensitive data (labelled with Purview for example)
    • Public SharePoint and Teams sites without an owner

Visualising critical points on information assets allows the company to clearly see the risk of data overexposure or non-compliant access, and to establish an appropriate action and remediation plan.


3. Minimise the risk of overexposure

In a "secure by design" approach, once the risks have been analysed, it is important to be able to minimise the attack surface and remedy critical points.

When deploying Copilot, ensure you have processes to identify potentially overshared content and to notify the data owners so that they can remediate it individually, or to remediate it automatically.

  • Rights management by administrators: based on the results of the audit carried out beforehand, administrators can correct how groups, roles and sensitive sites are configured based on the principles of least privilege and need to know.

  • Rights management by data owners: in practice, users grant rights, create groups and share content on a daily basis. This volume of changes is too large for administrators alone, so the users who own the data must be involved in managing access authorisations and cleaning up critical permissions as far as possible, which strengthens access security.
    Example of actions by data owners:
    • Deleting a badly configured share (company-wide or anonymous)
    • Removing obsolete or illegitimate access rights from a site/group 
    • Revoking rights to sensitive files
    • Checking the members of a Teams team that handles confidential data
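The two previous steps describe an audit that flags the points of focus (anonymous links, company-wide links, guests on labelled sites, ownerless public sites) and then hands each finding to the data owner who can act on it. The following Python script is an added example of that workflow; it is not DETOX or Microsoft code. The sites and permissions are constructed samples whose fields follow the shape of Microsoft Graph `site` and `permission` resources (`link.scope`, `grantedToV2`, `expirationDateTime`, `roles`), the sensitivity label names are assumed, and the risk rules are this example's own reading of the article's points of focus.

```python
"""Exposure audit over Microsoft Graph-shaped sharing data (added example).

Sites and permissions below are constructed samples whose fields follow the
shape of Microsoft Graph `site` and `permission` resources. The risk rules are
this example's assumptions, derived from the points of focus in the article;
they are not a DETOX or Microsoft algorithm.
"""
from collections import Counter, defaultdict

NO_OWNER = "<no owner: escalate to tenant admin>"
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}   # assumed Purview label names

# Constructed sample: SharePoint/Teams sites with their owners and sensitivity label.
SITES = [
    {"id": "site-finance", "name": "Finance", "owners": ["cfo@contoso.example"],
     "sensitivityLabel": "Confidential", "isPublic": False},
    {"id": "site-hr", "name": "HR", "owners": ["hr-lead@contoso.example"],
     "sensitivityLabel": "Highly Confidential", "isPublic": False},
    {"id": "site-social", "name": "Social Club", "owners": [],
     "sensitivityLabel": None, "isPublic": True},
]

# Constructed sample: Graph-style permission objects on items stored in those sites.
PERMISSIONS = [
    {"siteId": "site-finance", "item": "Q4-forecast.xlsx", "roles": ["read"],
     "link": {"scope": "anonymous", "type": "view"}, "expirationDateTime": None},
    {"siteId": "site-finance", "item": "Q4-forecast.xlsx", "roles": ["write"],
     "link": {"scope": "organization", "type": "edit"}},
    {"siteId": "site-hr", "item": "salaries.xlsx", "roles": ["read"],
     "grantedToV2": {"user": {"userPrincipalName":
                              "partner_outlook.example#EXT#@contoso.example"}}},
    {"siteId": "site-hr", "item": "handbook.docx", "roles": ["read"],
     "grantedToV2": {"user": {"userPrincipalName": "alice@contoso.example"}}},
    {"siteId": "site-social", "item": "bbq.jpg", "roles": ["read"],
     "link": {"scope": "users", "type": "view"}},
]


def is_guest(upn):
    """Guest accounts in Entra ID carry '#EXT#' in their UPN (default naming convention)."""
    return "#EXT#" in (upn or "").upper()


def classify_permission(perm, site):
    """Return the risk tags that apply to one permission on an item in `site`."""
    tags = []
    scope = (perm.get("link") or {}).get("scope")
    if scope == "anonymous":
        tags.append("anonymous_link")
        if perm.get("expirationDateTime") is None:
            tags.append("anonymous_link_without_expiry")
    elif scope == "organization":
        tags.append("company_wide_link")
    upn = (perm.get("grantedToV2") or {}).get("user", {}).get("userPrincipalName")
    sensitive = site.get("sensitivityLabel") in SENSITIVE_LABELS
    if sensitive and is_guest(upn):
        tags.append("guest_on_sensitive_site")
    if sensitive and scope in ("anonymous", "organization"):
        tags.append("extended_rights_on_sensitive_data")
    return tags


def classify_site(site):
    """Site-level risk: a public site that nobody owns cannot be remediated by an owner."""
    return ["public_site_without_owner"] if site.get("isPublic") and not site.get("owners") else []


def audit(sites=SITES, permissions=PERMISSIONS):
    """Count risk tags tenant-wide and build the per-owner work list for a revalidation campaign."""
    by_id = {s["id"]: s for s in sites}
    counts = Counter()
    work_by_owner = defaultdict(list)
    for site in sites:
        for tag in classify_site(site):
            counts[tag] += 1
            work_by_owner[NO_OWNER].append((site["name"], tag))
    for perm in permissions:
        site = by_id[perm["siteId"]]
        tags = classify_permission(perm, site)
        if not tags:
            continue
        counts.update(tags)
        # Each finding goes to every owner of the site; ownerless sites fall back to the admin queue.
        for owner in site["owners"] or [NO_OWNER]:
            work_by_owner[owner].extend((perm["item"], tag) for tag in tags)
    return counts, dict(work_by_owner)


if __name__ == "__main__":
    counts, work = audit()
    for tag, n in sorted(counts.items()):
        print(f"{tag:40s} {n}")
    for owner, items in work.items():
        print(owner, "->", items)
```

The tenant-wide counts feed the "evaluate data exposure" dashboard; the per-owner lists are what a revalidation campaign sends to each data owner, with the ownerless public site routed to an administrator because no owner exists to act on it.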

4. Manage data access over time

One of the main difficulties of this type of management is that the environment never stands still: every day new files are created and shared, and new permissions are granted.

Are there any sharing controls in place (e.g. default sharing link, link expiration, site owner sharing approvals)? How are changes investigated, and how regularly is the tenant audited?

  • Set up data access reviews and audit regularly, once every three or six months for example: beyond the security and compliance benefits, this gets users used to the process of revalidating access and data sharing, and encourages good practices.
  • Make security simple and effective for those involved: for data owners/managers, their task must be made as simple as possible: simplified view of all accesses, simple options for correcting obsolete rights or illegitimate accesses, etc.
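The questions above (which sharing controls exist, how changes are investigated, how often the tenant is audited) can each be answered mechanically. The Python script below is an added example, not DETOX or Microsoft code. The setting names mirror SharePoint Online tenant properties that are configured through the Set-SPOTenant cmdlet (SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired); the baseline values, the two audit snapshots and the review dates are this example's own assumptions and constructed samples.

```python
"""Sharing-control baseline check, audit snapshot diff and review cadence (added example).

Setting names mirror SharePoint Online tenant properties set through Set-SPOTenant;
the baseline values, both audit snapshots and the review dates are this
example's own assumptions and constructed samples.
"""
from datetime import date, timedelta

# Assumed hardened baseline: no anonymous default links, view-only by default,
# anonymous links (where still allowed) expire within 30 days, guest access expires.
BASELINE = {
    "SharingCapability": {"Disabled", "ExistingExternalUserSharingOnly", "ExternalUserSharingOnly"},
    "DefaultSharingLinkType": {"Direct", "Internal"},
    "DefaultLinkPermission": {"View"},
    "RequireAnonymousLinksExpireInDays": lambda days: days is not None and 0 < days <= 30,
    "ExternalUserExpirationRequired": {True},
}

# Constructed sample of a tenant whose sharing controls were never hardened.
CURRENT_SETTINGS = {
    "SharingCapability": "ExternalUserAndGuestSharing",  # anonymous links permitted
    "DefaultSharingLinkType": "AnonymousAccess",         # "Anyone" link offered by default
    "DefaultLinkPermission": "Edit",
    "RequireAnonymousLinksExpireInDays": None,           # anonymous links never expire
    "ExternalUserExpirationRequired": True,
}


def check_sharing_controls(settings, baseline=BASELINE):
    """Return {setting: current value} for each setting that deviates from the baseline."""
    deviations = {}
    for name, allowed in baseline.items():
        value = settings.get(name)
        ok = allowed(value) if callable(allowed) else value in allowed
        if not ok:
            deviations[name] = value
    return deviations


def grant_key(perm):
    """Identity of a grant, (item, grantee or link scope, roles), so two audits can be compared."""
    link = perm.get("link") or {}
    who = f"link:{link['scope']}" if link.get("scope") else perm.get("grantedTo", "?")
    return (perm["item"], who, tuple(sorted(perm.get("roles", []))))


# Constructed snapshots from two audit runs (shape reduced to what the diff needs).
PREVIOUS_AUDIT = {"date": date(2024, 1, 15), "permissions": [
    {"item": "Q4-forecast.xlsx", "grantedTo": "alice@contoso.example", "roles": ["read"]},
    {"item": "salaries.xlsx", "grantedTo": "bob@contoso.example", "roles": ["write"]},
]}
CURRENT_AUDIT = {"date": date(2024, 2, 23), "permissions": [
    {"item": "Q4-forecast.xlsx", "grantedTo": "alice@contoso.example", "roles": ["read"]},
    {"item": "Q4-forecast.xlsx", "link": {"scope": "anonymous"}, "roles": ["read"]},
    {"item": "salaries.xlsx", "grantedTo": "bob@contoso.example", "roles": ["read"]},
]}


def diff_snapshots(previous, current):
    """Grants that appeared or disappeared between two audits: the changes to investigate."""
    before = {grant_key(p) for p in previous["permissions"]}
    after = {grant_key(p) for p in current["permissions"]}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


REVIEW_INTERVAL = timedelta(days=90)   # assumed quarterly cadence

# Constructed sample: date of the last access review per site (None = never reviewed).
LAST_REVIEWS = {"Finance": date(2023, 10, 1), "HR": date(2024, 1, 10), "Social Club": None}


def reviews_due(last_reviews, today, interval=REVIEW_INTERVAL):
    """Sites never reviewed, or last reviewed at least `interval` ago."""
    return sorted(site for site, last in last_reviews.items()
                  if last is None or today - last >= interval)


if __name__ == "__main__":
    print("settings off baseline:", check_sharing_controls(CURRENT_SETTINGS))
    print("changes since last audit:", diff_snapshots(PREVIOUS_AUDIT, CURRENT_AUDIT))
    print("reviews due:", reviews_due(LAST_REVIEWS, CURRENT_AUDIT["date"]))
```

In the sample, the settings check flags four tenant-level weaknesses, the snapshot diff shows a new anonymous link and a downgrade of Bob's rights (a removal plus an addition with a different role), and the cadence check lists the two sites whose quarterly review is overdue or has never happened.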


5. Support change management

Generative AI is a powerful and innovative tool that enables considerable productivity gains. To get maximum benefits, these new uses must be supported with practical cases and training. It is also essential to regulate these uses by adding limits and making users responsible for the risks, particularly around data security and the consequences of poor configuration/sharing, for example.

Deploying Copilot is a mark of trust in end users, but it requires a secure approach. To protect against the risks of data leaks and malicious intent, it is useful to implement an effective Data Access Governance strategy in which the user is a stakeholder. This process includes data inventory, clean-up, stakeholder engagement and user training.

The new DETOX dynamic audit solution for Microsoft 365 gives our customers the resources to effectively prepare for the mass adoption of the Microsoft Copilot generative AI tool.

It is an "all-in-one" solution that aims to avoid overshared content by eliminating dangerous, risky or obsolete access, thanks to a dynamic audit and automated remediation.

DETOX for Microsoft 365

The solution includes an audit phase (collecting and analysing metadata) whose results are output via simple and clear dashboards (tenant status, risks, problem areas to be corrected).

The great strength of the DETOX solution is that it provides for mass remediation by data owners. Users who have critical points to correct are targeted with a revalidation and verification campaign. They receive a personal dashboard, MyDataSecurity, in which they check and correct the points that require action (validation or correction). The cycle is: first audit, then remediate, then track the changes to keep the environment compliant and secure.

