Copilot: Protect your data with the right IAM policy

2 May 2024

Microsoft’s AI assistant Copilot is quickly becoming a fixture in the workplace, and few companies can afford to ignore it. If you plan to use Copilot, you must do so securely and keep sensitive information protected. Microsoft helps customers with a readiness scan that shows whether an organization is ready to enable Copilot. Among other things, readiness requires the right Identity and Access Management (IAM) policy, so that data is accessible only to authorized users. If that is not in order, sensitive data can easily end up in the hands of unauthorized users, resulting in reputational damage and possible compliance issues. We unfortunately see this go wrong often, especially at scale-ups. In this article we explore the intersection between Copilot and IAM.

The rapidly growing popularity of Copilot recently prompted Managed Service Provider (MSP) Previder to organize two knowledge sessions about the tool. Both the global distributor of IT products and services TD SYNNEX and Tools4ever spoke during these knowledge sessions about Copilot and the IAM challenges that come with Copilot.

Increasing interest from customers

Copilot is Microsoft’s AI assistant, built on technology from AI company OpenAI. It grounds its answers in a company’s own business data; that data always remains the company’s property, is not used to train the underlying model, and never becomes the property of Microsoft. Copilot offers compelling capabilities. For example, the assistant can summarize very large datasets, provide insight into trends visible in business data, or draft text for a job posting or a quote.

We are receiving more and more questions from customers about Copilot and how to use it. Although adoption in many organizations is still limited to pilot projects, interest is high and it is only a matter of time before customers want to apply Copilot at larger scale. We already see concrete examples with our partners. A good example is Previder, which supports customers with data center services, digital workplaces, IT infrastructure, backup solutions, and security. The MSP uses Copilot to draft quotes, where the tool combines customer and sales data. As a result, Previder can generate an error-free quote in a short time with a simple prompt.

Start using Copilot securely

Using tools like Copilot can deliver significant value. To get started securely, it is important that the foundational setup of the IT environment is in good order. An essential component is Identity and Access Management (IAM). Customers want to ensure that users have access only to the data they are authorized for, and that other data remains protected. This may sound obvious, but in practice many customers overlook it.

Arnout van der Vorst, Identity and Access Management Architect at Tools4ever, explains: "If you start using Copilot, you enable it in your Microsoft 365 environment. The tool then indexes and analyzes your entire environment, including your SharePoint sites, email traffic, and all your data. You can then ask Copilot questions, after which the tool provides helpful visibility into your data and delivers all kinds of valuable insights."

Not managing permissions properly can lead to many problems

Copilot makes the data a user can already reach far easier to find and combine. That is a major benefit, but it also introduces a risk. Copilot honours the user’s existing permissions in Microsoft 365; it does not bypass access control, but it does surface everything those permissions allow. If user access rights are configured too broadly, a single prompt can therefore expose sensitive data the user was never meant to see. For example, an intern might unintentionally gain visibility into management salary data, or an employee might see the personal information of colleagues.

An attacker who compromises an employee’s account benefits from the same simplified visibility. Consider so-called insider threats as well, such as a sales employee with an employment dispute who, before leaving the company, retrieves all kinds of sensitive business and customer data through Copilot. Unintentional mistakes by employees also fall under insider threats, such as incorrectly combining information from multiple customers into a single quote via Copilot. This can lead not only to the leakage of sensitive information, but also to reputational damage and compliance issues.

Microsoft offers a scan that shows to what extent an organization is ready to start working with Copilot. "This scan is essentially a benchmark, and shows how ready you are to actually enable Copilot," says Van der Vorst. "Microsoft reports that in ninety percent of the scans they perform, organizations turn out not to be ready." Figures from our partner TD SYNNEX suggest that this percentage is conservative and that the real figure is even higher.

The IAM challenge for scale-ups

There are major differences between companies. Many large organizations are well on their way and have strictly segmented and protected access to their data. Van der Vorst: "At many scale-ups that is not the case, and employees have access to a very broad range of data. This is partly because roles at smaller companies are much more fluid in practice, which requires broader access rights. Therefore, anyone growing from startup to scale-up would be wise to elevate IAM to the next level as well."

Customers can perform Microsoft’s scan themselves, or have it carried out by an MSP such as Previder. In the latter case, the MSP also advises the customer on any measures needed to prepare the organization for using Copilot, and supports the customer in implementing those measures.

The right policy

Getting started with Copilot securely does not require a specific solution as much as it requires applying the right IAM policy. "The IAM solution HelloID from Tools4ever helps customers define, implement, and manage this policy. For example, role mining quickly maps which users have access to which data. Role mining is a technique in which you analyze employees’ existing authorizations to derive roles," explains Van der Vorst. The technique plays a crucial role in Role Based Access Control (RBAC). Thanks to HelloID, customers are and remain in control, and they can prove it.
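The role-mining step described above, as an added illustration that is not part of the original article and not HelloID’s or Tools4ever’s code: given an export of who currently holds which access (here constructed SharePoint site memberships for a handful of made-up users), it derives a candidate role per job function from the entitlements most of that function’s members share, and then flags everything a user holds beyond that role. The 60 % threshold, the user names, the site names and the list of sites treated as sensitive are all assumptions chosen for the example; the output is a list of review items for an access review, not a verdict on who should lose access. It also reproduces the earlier scenario of an intern who can reach salary data.

```python
"""Role mining over existing entitlements (added example, constructed data).

Input: who currently holds which access, e.g. SharePoint site memberships
exported from Microsoft 365. Output: a candidate role per job function and
the entitlements each user holds beyond that role. Names are invented.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    job: str                      # job function used to group users
    entitlements: frozenset[str]  # e.g. SharePoint sites the user can read


# Constructed sample: a scale-up where a few people accumulated broad access.
USERS = [
    User("alice", "sales", frozenset({"SP:Sales", "SP:Quotes", "SP:Customer-Contracts"})),
    User("bob", "sales", frozenset({"SP:Sales", "SP:Quotes", "SP:Archive-2019"})),
    User("carol", "sales", frozenset({"SP:Sales", "SP:Quotes", "SP:Board"})),
    User("dave", "intern", frozenset({"SP:Intranet", "SP:HR-Salaries"})),
    User("erin", "intern", frozenset({"SP:Intranet"})),
    User("frank", "hr", frozenset({"SP:Intranet", "SP:HR-Salaries"})),
    User("grace", "hr", frozenset({"SP:Intranet", "SP:HR-Salaries"})),
]

# Assumed list of sites whose exposure would matter most (example only).
SENSITIVE = frozenset({"SP:HR-Salaries", "SP:Board", "SP:Customer-Contracts"})


def mine_roles(users, threshold=0.6):
    """Derive {job: candidate role}.

    An entitlement belongs to a job's candidate role when at least
    `threshold` of that job's members currently hold it. The threshold
    is an assumption; tune it per organization.
    """
    by_job = defaultdict(list)
    for u in users:
        by_job[u.job].append(u)
    roles = {}
    for job, members in by_job.items():
        counts = Counter(e for u in members for e in u.entitlements)
        needed = threshold * len(members)
        roles[job] = frozenset(e for e, c in counts.items() if c >= needed)
    return roles


def excess_entitlements(users, roles):
    """Return {user name: entitlements held beyond the job's candidate role}.

    Only users with at least one excess entitlement appear in the result.
    """
    result = {}
    for u in users:
        extra = u.entitlements - roles.get(u.job, frozenset())
        if extra:
            result[u.name] = extra
    return result


def review_findings(users, roles, sensitive=SENSITIVE):
    """Flatten excess entitlements into (user, entitlement, severity) items.

    Sensitive sites are rated 'high' and listed first so an access review
    starts with the cases most likely to leak through a Copilot prompt.
    """
    findings = []
    for name, extra in excess_entitlements(users, roles).items():
        for e in sorted(extra):
            findings.append((name, e, "high" if e in sensitive else "low"))
    findings.sort(key=lambda f: (f[2] != "high", f[0], f[1]))
    return findings


if __name__ == "__main__":
    roles = mine_roles(USERS)
    for job, role in sorted(roles.items()):
        print(f"role {job}: {sorted(role)}")
    for name, ent, sev in review_findings(USERS, roles):
        print(f"[{sev}] {name} holds {ent} outside the {sev and ''}candidate role")
```

Run as a script it prints the three derived roles and four review items; the intern holding SP:HR-Salaries and the two sales users with board and contract access come out first. In a real tenant the `USERS` list would be built from an export of group and site memberships rather than typed in, and the threshold and sensitivity list would come from the organization’s own classification.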

Given the widespread popularity of Microsoft Copilot, this article focuses on this AI tool. However, the importance of IAM and proper access rights management is also relevant for other AI assistants, such as Sendsteps.ai, NeuralPit, and Amazon Q. Want to learn more about working with Copilot securely? Contact us!