Introduction

Generative AI is currently a hot topic in the workplace, especially with the release of Copilot and other paid for business AI tools making its way into the workforce’s day-to-day grind. Your own personal secretary, researcher, teacher, ghostwriter, the possibilities are endless. And while we welcome these tools into our work life; what can we do to continue protecting our users and corporate data against misuse?

Microsoft Purview Data Security Posture Management

Microsoft has rolled out the new Purview Data Security Posture Management (DSPM) for AI feature to give you a clear view of data security risks and suggest ways to protect your data. DSPM offers insights into your data, how it’s used, and continuous risk assessment to help keep your data secure and strengthen your overall data security. It provides insights and controls to secure your AI apps, with preconfigured policies that protect your data, prevent data loss, and prevent oversharing of data within your organisation by AI tools. This means you can focus on innovation without worrying about security breaches. Combining DSPM with features like sensitivity labels and data loss prevention policies, your sensitive information will always be under lock and key.

Shadow AI

In a nutshell, DSPM for AI allows you to not only monitor how your users are using Copilot but also detect the interactions of other AI tools. Giving you the means to effectively assess your data exposure and setup policies to protect your users and data. The list of AI tools supported by DSPM for AI can be found here.

So, what’s in the box?

DSPM for AI does the following for us:

1. Combines all the signals from Information Protection, Insider Risk Management, and Data Loss Prevention into a central location and then provides you with insights in AI activity from all the combined data.
2. Provides actionable recommendations for policies to make your security more effective. Policies templates are available for all recommendations ensuring the protection of your data and preventing data loss.
3. Provides ongoing risk assessment and trends by looking at all the historical data, giving you the ability to continuously improve your security posture and, just as important, let you understand whether your current policies are being effective.
4. Access to data assessments to allow you to implement compliance controls to ensure proper data handling and storage policies.

Requirements

Naturally there are some steps to get this up and running, including licensing to enable the features and technical steps to be implemented.

Licensing Requirements

To use DSPM for AI, you need a Microsoft 365 E5 or Microsoft 365 E5 Compliance license. These licenses provide access to the necessary tools and features within Microsoft Purview to manage data security and compliance for AI applications, including Microsoft 365 Copilot.

Technical Requirements

To ensure that DSPM for AI can collect the necessary signals and offer its full functionality, the following must be actioned or enabled:

1. Microsoft Purview Audit. Microsoft Purview Audit. Purview Audit keeps an eye on user activities in your system, giving you insights into how people are interacting with Microsoft Copilot.
2. Install the Microsoft Purview browser extension. Browsing and sharing sensitive data with AI websites can be a potentially risky user activity. The Microsoft Purview Compliance Extension for Edge, Chrome, and Firefox collects signals that help you detect when these activities occur.
3. Onboard devices to Microsoft Purview. Onboarding user devices to Microsoft Purview allows activity monitoring and enforcement of data protection policies when users are interacting with AI apps.
4. Enable insider risk management policies. Gaining visibility into browsing and sensitive prompts in other AI apps can give you insights into activity patterns that can help you improve your data security posture for AI.