Event banner
Event details
183 Comments
- Another contributor mentioned "In an ideal world, zero trust is always best." Do you have any guides or resources for how to start with zero trust for cloud services, like SharePoint and gradually open it up for documents stored in a shared environment?
- HenryTea
Microsoft
Great question Jennifer! In addition to the link that Rajesh kindly shared, please also check out https://learn.microsoft.com/en-us/security/zero-trust/copilots/zero-trust-microsoft-365-copilot.
- For sensitivity labels that include permissions that are set by the label/policy rather than by the end user - what's the best route for maintaining ownership/author rights internally, but only read rights externally to the specific guest? We want to share specific files with our accountant - we have owner rights, the single external accountant only has read rights. Is this a single label or multiple?
- There are 2 ways to configure a label to ensure certain users have author and certain users can only view. The admin can define a label and assign permissions to user based on their email address. Alternatively, a label can be defined with user assign permissions. this label will allow the author to apply the label and set specific users with read permissions. See https://learn.microsoft.com/purview/encryption-sensitivity-labels#configure-encryption-settings for more information on encryption.
- Does that mean within a single label, I can assign two separate sets of permissions?
- Given Microsoft and Open AI have scored poorly on the Foundation Model Transparency Index https://crfm.stanford.edu/fmti/May-2024/index.html in the past, will Copilot be publishing transparency reports with voluntary codes of conduct from the White House and the G7. Specifically, how do we know what the data practices of security and governance within Copilot are being carried out with customer enterprise data given a current 40% reporting transparency and 20% risk transparency. Are such researchers' findings at Stanford and Princeton University of no credit?
Emergent abilities in LLM are being debated, with Microsoft publishing a controversial paper on the subject: https://arxiv.org/pdf/2303.12712 and their own researchers making statements at talks such as https://www.microsoft.com/en-us/research/video/physics-of-ai/. What security and governance steps do Microsoft Co-pilot have in place should emergence be real, is our only option to switch off co-pilot?
- When Sébastien Bubeck states from Microsoft Research in the Physics of AI that Intelligence Emergence of LLM at a critical input level of data generates answers not intended and "The Truth is that nobody has a clue what's going on", what are the business risks for those in the governance of Copilot?
- The world is seeing different strategy on AI standards being evolved in the EU and USA, with common aspects such as ISO/IEC 25059 and ISO/IEC TR 24028 and ISO 25000 being published. What strategy is Microsoft following? How will they be evolving their systems regionally with all these conversations and initiatives? For example, see: - The National AI Strategy of the UK - GOV.UK (http://www.gov.uk) - AI Safety Summit 2023: The Bletchley Declaration https://www.gov.uk/government/publications/ai-safety-summit-2023-the-bletchley-declaration - Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (USA) https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/
- tannerbriggsHi Richard, Microsoft works with regulators in Microsoft services regions to understand local laws and regulations. Per the Data Protection Addendum, Microsoft will comply with local laws. Microsoft takes a holistic approach to compliance with regulations, frameworks, and standards, and is currently examining which certifications are pertinent to adopt given the evolving AI space. ISO 42001 is under consideration and we're actively seeking customer feedback to substantiate the adoption of the most important regulations affecting our customers. https://aka.ms/dpa.
- Microsoft states "It’s important that you’re using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization.” In an ideal world, zero trust is always best, do you really think M365’s permission models in most business is securely locked down well enough to let Copilot run free?
- Does Copilot results inherit the security labels from the source files? If not isn't that a serious risk for source files containing sensitive data? What happens if you are not an E3 or E5 license holder, will it be up to an employee to double-check the AI’s work and ensure data is classified and assessed for risk properly?
- HenryTea
Hi Richard, thank you for the question. All details around sensitivity label inheritance are described here, https://learn.microsoft.com/en-us/purview/ai-microsoft-purview#copilot-protection-with-sensitivity-label-inheritance. It is applicable to the following licenses as listed here: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Learn.
- How helps has Data Loss Prevention to protect data in relation to Copilot for M365. Can you create DLP policies so Copilot cannot access / use content under control of DLP?
- DLP policies can govern the Copilot results, by monitoring egress activities such as pasting the result to emails or browsers to other Gen AI tools and prevent sensitive content from being leaked. Feel free to provide your feedback or product requests to your Microsoft representative.
- Hi Samson. You mean Endpoint data loss prevention (Endpoint DLP) to prevent pasting sensitive information into a prompt? I do understand that. That is also a part of Purview AI Hub. I'm on DLP in SharePoint and Exchange. Has DLP a relation with Copilot on that side?
- Regarding "Preparing your data for Copilot: options for getting started even while staying in control". Can you explain if using content types and metadata for SharePoint content will help Copilot for Microsoft 365 for better understand what relevant content is, based on a prompt. So, in other words will for example using SharePoint Premium Content recognition and extracting information from a document in metadata columns help in getting better answers from Copilot. Or doesn't Copilot for M365 do anything with that metadata. and content type information.
- Regarding "Preparing your data for Copilot: options for getting started even while staying in control", beside Restricted SharePoint Search and disable search on a site or library, will it be possible in the future to exclude (blacklist) of include (whitelist) Copilot for M365 using certain data locations, without disabling search. So, like how you can include or exclude SharePoint sites for using information by Viva Topics.
- tannerbriggs
Hi Martin, We're working on a roadmap item that will allow you to set a parameter on a SharePoint site that will exclude the documents in that site from Copilot. Stay tuned on the Microsoft roadmap site for additional detail (we can't release more information about this at this time): https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=Microsoft%20Copilot%20(Microsoft%20365).
- Hi Tanner. Thanks for your answer. Will it be possible to set that parameter based on a Microsoft Purview Site & Group Label. If that is not what's on your mind, maybe you can add this setting to the Site & Group labels.
