Data Security Posture Management (DSPM) is an Important First Step in Deploying Gen AI and Copilot Tools

By Karthik Krishnan, CEO, Concentric

Microsoft’s advanced AI assistant, Copilot, has gained significant traction in corporate environments and is rapidly changing how users interact with data across Microsoft 365 applications. Although Copilot introduces countless new possibilities, it has also brought challenges related to data access and security that must be considered.

As organizations embrace digital transformation and AI adoption, protecting all information is critical, especially data generated by AI. With increasing reliance on AI and machine learning technologies to streamline operations, increase productivity, and reduce costs, classifying and ensuring adequate access controls to sensitive data is paramount to keeping it safe.

Ultimately, Copilot has brought four key security issues into organizations. First, its output inherits sensitivity labels from the input, which means if data is not classified correctly, the output will also be incorrectly classified. In the case where sensitive data used to generate a quarterly financial report is not correctly classified at the input stage, Copilot will generate a comprehensive report including sensitive earnings data yet fail to classify this data as confidential. A report like this could inadvertently be shared with an external stakeholder.

Copilot also inherits access control permissions from its inputs, and thus the output inherits these permissions. If data has inappropriate permissioning, sharing and entitlements, the output will have the same issues, possibly leading to a devastating data breach or loss. Concentric AI’s Data Risk Report shows that a great number of business-critical files are at risk from oversharing, erroneous access permissions and inappropriate classification, and, unfortunately, can be seen by internal or external users who should not have access.

Consider this example: an HR manager uses Copilot to create an internal report that includes employees’ personal information, and the source data may have overly permissive access controls that allow any department member to view all employee records. As a result, this Copilot-generated report would inherit these permissions, and sensitive employee information would be accessible to all department members, violating privacy policies and potentially leading to legal challenges.

The third key security issue with Copilot is that company context on sensitivity is not factored into the output. Every company has sensitive data, including financial records, intellectual property and business-confidential customer data. However, Copilot is unlikely to factor this context into its decision making around outputs or who should have access to them.

Imagine a product development team using Copilot to brainstorm new product ideas based on existing intellectual property (IP) and R&D data, with inputs that might include confidential information about upcoming patents. Copilot, lacking context on the company’s sensitivity towards this IP, will incorporate detailed descriptions of these patents in its output. If this output is shared with a broader audience, the company has inadvertently exposed future product plans and risks IP theft.

Lastly, Copilot output is unclassified, so output that may be sensitive could easily be accessible to anyone. For example, a marketing team could use Copilot to analyze customer feedback, generating a report on customer satisfaction trends. Perhaps the input data contains sensitive customer information, such as criticism of unreleased products. Since Copilot outputs are unclassified by default, the generated report will not flag any of the sensitive customer feedback as confidential. If the report is uploaded to a shared company server without appropriate access restrictions, internal leaks and competitive disadvantage become a significant risk.

Why we need data security posture management for AI usage 

Data security posture management (DSPM) is an essential prerequisite to deploying and operating Copilot, helping organizations balance Copilot’s productivity increases with the protection of sensitive data.

DSPM empowers organizations to discover sensitive data, gain visibility into where it resides and determine the type of sensitive data existing across cloud environments. DSPM provides the ability to identify risks by proactively detecting and assessing business-critical data, thereby preventing potential breaches before they occur. In addition, DSPM uniquely classifies data by tagging and labeling sensitive data. Overall, DSPM helps to remediate and protect sensitive information against unauthorized data loss and access.

As data moves through the network and across structured and unstructured data stores, it is labeled appropriately no matter where it resides. It is then monitored for risks, such as risky sharing, inaccurate entitlements, inappropriate permissions, or wrong location.

The full potential of Copilot can be unlocked safely with DSPM. When it comes to deploying any type of AI tool, including Copilot, DSPM is critical before, during and after deployment. The risk to sensitive data is high enough without Copilot in the mix; adding it blindly greatly amplifies that risk for organizations.

DSPM addresses the four security challenges organizations face before, during and after a Copilot deployment. DSPM’s approach to managing risks involves sophisticated natural language processing (NLP) capabilities to accurately categorize data, including outputs from Copilot. This ensures that sensitive information is correctly identified and protected, addressing potential security risks without compromising productivity.

For output that is incorrectly classified because of inherited sensitivity labels, DSPM solutions mitigate the risk by implementing advanced data discovery and classification processes that automatically identify and classify data based on its content and context before input into Copilot. DSPM can also continuously monitor data flows, reclassifying data as necessary and ensuring that any data processed by Copilot and its subsequent outputs maintains the correct classification levels. By ensuring that all data is accurately classified at the source, DSPM prevents incorrect sensitivity labels from being propagated through Copilot’s outputs.

Before data is processed by Copilot, DSPM tools can enforce the principle of least privilege, correcting over-permissive access settings and preventing sensitive outputs from being inadvertently shared or exposed. This proactive approach to permissions management significantly reduces the risk of data breaches and loss. When it comes to inappropriate permissioning, sharing and entitlements, DSPM addresses this challenge by providing granular visibility into data access controls and entitlements across the organization’s data stores. It automatically assesses and adjusts permissions based on the data’s classification, ensuring that only authorized users have access to sensitive information.
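An added example, not from the article or from any vendor's product: a minimal pre-deployment audit in Python covering the two inherited risks discussed above, under-labeled inputs and overshared inputs. The label set, the regex rules (standing in for NLP-based classification), the broad-group names and the file inventory are constructed assumptions, and "output takes the highest applied input label" is a simplified model of the inheritance the article describes.

```python
import re

# Constructed label hierarchy, lowest to highest (assumption, not a product schema).
RANK = {None: 0, "Public": 1, "Internal": 2, "Confidential": 3}

# Regex rules stand in for a DSPM classifier; real tools use NLP/ML on content and context.
RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential"),        # SSN-like number
    (re.compile(r"\b(earnings|salary|patent)\b", re.I), "Confidential"),
]
# Hypothetical names for audiences considered too broad for sensitive data.
BROAD = {"Everyone", "All Employees", "Anyone with the link"}

# Constructed inventory of files an assistant could draw on.
FILES = [
    {"name": "q3_earnings.xlsx", "label": None, "shared_with": ["Finance"],
     "text": "Q3 earnings before public release"},
    {"name": "employee_records.csv", "label": "Internal",
     "shared_with": ["HR", "All Employees"],
     "text": "Jane Doe, SSN 123-45-6789, salary 90000"},
    {"name": "brand_guidelines.docx", "label": "Public", "shared_with": ["Everyone"],
     "text": "Logo usage and colors"},
]

def content_label(text):
    """Highest label that any content rule assigns to the text, or None."""
    hits = [label for rx, label in RULES if rx.search(text)]
    return max(hits, key=RANK.get, default=None)

def audit_inputs(files):
    """Flag inputs whose applied label or audience is weaker than the content warrants."""
    findings = []
    for f in files:
        expected = content_label(f["text"])
        if RANK[expected] > RANK[f["label"]]:
            findings.append((f["name"], "under-labeled", expected))
        broad = sorted(BROAD & set(f["shared_with"]))
        if expected == "Confidential" and broad:
            findings.append((f["name"], "overshared", broad))
    return findings

def inherited_label(files):
    """Label a generated output would carry under the simplified inheritance model."""
    return max((f["label"] for f in files), key=RANK.get)

def required_label(files):
    """Label the combined content actually warrants."""
    return max((content_label(f["text"]) for f in files), key=RANK.get)

if __name__ == "__main__":
    for finding in audit_inputs(FILES):
        print(finding)
    print("inherited:", inherited_label(FILES), "required:", required_label(FILES))
```

On this inventory the output would inherit "Internal" while its content warrants "Confidential", which is the gap that correcting labels and permissions at the source closes.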

Regarding lack of company context in output sensitivity, advanced DSPM systems leverage sophisticated natural language processing and machine learning algorithms to understand the nuanced context of data, including its relevance to specific business processes and its sensitivity level.

By integrating DSPM with Copilot, organizations can ensure Copilot is informed about company-specific sensitivity context, providing a blueprint for Copilot as it factors in this critical information when generating outputs. This ensures that sensitive data, such as intellectual property or confidential business information, is handled appropriately, maintaining confidentiality and integrity.

Finally, DSPM solutions directly address the challenge of unclassified outputs by automatically classifying all data processed by Copilot, ensuring that outputs are immediately tagged with the appropriate sensitivity labels. This automatic classification extends to Copilot-generated content, ensuring that any sensitive information contained within these outputs is immediately recognized and protected according to its classification.

By enforcing strict classification protocols, DSPM ensures that sensitive outputs are not inadvertently accessible, maintaining strict access controls based on the data’s sensitivity and compliance requirements.
