Copilot for Security - protective shield or security gap?

Note: If you prefer to read this article in German, please visit my blog!

Does it allow unauthorized access to sensitive data?

In this article, I address the following security question with regard to Copilot for Security:

What data can Copilot for Security actually access?

As a powerful AI assistant, it can access the company's internal documents, data and systems to create customized content and solutions. At the same time, it can also access publicly available information, news and trends to process their content in your prompts (if access to public web content is approved by your company).

Microsoft has built-in two protection mechanisms to protect your company from data misuse when using Copilot for Security.

1. Restriction of access rights at user level
2. Restriction of access rights at admin centre level

Restriction of access rights at user level

In terms of data access, you can think of Copilot for Security as the extended arm of your security team. It's like a tool that helps you with your work, but it can't do anything that you couldn't do yourself. For this reason, it only has access to the data that you can access. It is therefore impossible for them to accidentally give you unauthorized access to sensitive data.

Here is a summary of the data to which Copilot for Security has access:

• Your company data: Copilot for Security can access internal documents, data and systems that are relevant to you. This could be emails, files in SharePoint or information from your Microsoft 365 environment, for example.
• Public data: If your organization allows it, Copilot for Security can also access public information, such as news articles or research studies. This helps it to better assess current threats and proactively warn you.
• Your requests: Copilot for Security is not an independent actor, but works on your instructions. It can only access data that you make available to it via a prompt or for which you have the corresponding authorizations.

Restriction of access rights at admin center level

Each admin centre represents an additional door to sensitive company data for Copilot for Security. Take the Microsoft Purview Compliance Center, for example: Here, Copilot can dive deep into personal data with the right authorizations. It could recognize patterns that allow conclusions to be drawn about sensitive information such as health data or political beliefs. Such analyses are common in practice, for example to identify compliance risks.

As access to the individual admin centers increases the power of Copilot for Security enormously, each admin center must be activated individually via a plug-in. This additional protection mechanism ensures that Copilot for Security's access to sensitive data is always deliberate and controlled.

To summarize:

Copilot for Security is a powerful tool that can help you protect your company data. But it is important to understand how access to this data works. With the right settings and careful planning, you can ensure that Copilot for Security is a real asset to your security strategy.

Now you know what data Copilot for Security accesses. In my next post, I'll explain what it does with this data.

Do you still have questions or would you like to know more? Then please leave a comment!

#teamdatenschutz #copilotforsecurity #AI