Hello everyone!!
Well, this entry isn’t purely technical either, those will come, but I think we need to establish some foundations first before diving into the details.
How many times have we heard this phrase when someone tries to control something that seems nearly uncontrollable? Probably many times. And honestly, that’s a bit like what’s happening with generative AI and information protection. I’ve seen many large companies hesitant to deploy any type of generative AI in the workplace, particularly Copilot, out of fear of «the skeletons it might uncover.» And the truth is, it’s a tricky issue.
When we face this dilemma, two things can happen:
- We have a solid governance model in our collaboration environments.
- We have a chaotic mess.
Okay, fine, we might fall somewhere between these two extremes. But to make things interesting, let’s assume we’re at one of the two ends.
If I’m in the first case, and I have my house clean and sanitized (as they said in The Matrix), I shouldn’t worry too much about what «the AI» might uncover. My users likely have the right permissions, and everything is properly organized. But just in case, let’s review what it means to have a solid governance model and what we should consider, primarily in Microsoft 365 environments, though this can be applied to other platforms as well:
- Organized site creation model: Users follow basic rules for creating their sites/teams or must submit a request to do so.
- Periodic site reviews: Every X amount of time, we check if a site/team is still necessary. If not, the owner must confirm its relevance, or the site is deleted.
- Periodic group reviews: To ensure that employees who have changed departments or left the company are removed from groups granting them access to certain information.
- Retention and deletion policies: These help define how long we want to keep our information assets and prevent digital hoarding.
- Sharing options: The ability to share with anonymous users should be disabled (or strictly controlled), and the default sharing option should be «specific people.»
- Educated users: This is the hardest part. Users should be trained on how to share information, review permissions, and revoke access when necessary.
If we follow all these guidelines, concerns should be minimal. This doesn’t mean we can ignore risks entirely, there are still potential threats, which we’ll discuss in future entries, but they are relatively low.
What other measures can we take to enhance security? A proper information classification policy with labeling that applies encryption or enables advanced DLP (Data Loss Prevention) configurations is a great practice. However, implementing this can be complex, especially if label-based protection is applied, as it can disrupt business processes. So, we need to proceed with caution, we’ll explore options in future entries. Another approach is to monitor AI interactions. With Copilot, this is relatively easy, while with other AIs, it may be more challenging but still feasible. The goal is to track what users are asking their new «toy» and ensure no one is investigating things they shouldn’t be.
But this is what happens when everything is in order: things are easy. Now, what happens when we don’t have the governance mechanisms mentioned above? If my users create sites daily, those sites are never reviewed, each user grants access to whomever they want, and there are no policies for site or group reviews…
Then, I do need to worry about what AI might extract from my organization if I give it access. But the solution is not to «block AI». This, aside from going against business interests, won’t solve the problem. It will just sweep it under the rug.
If we find ourselves in this situation, the first step is to establish a proper governance policy. However, this policy will impact users who have been freely roaming around in Teams and SharePoint. Therefore, proper change management is crucial, or we’ll end up with a lot of unhappy users.
Once a governance model is in place, the next step is damage control. This must come after implementing governance; otherwise, we’ll be endlessly patching up sites.
So, what does damage control involve? Essentially, reviewing all the sites, teams, etc., in the tenant that we have no idea about. Their purpose, the information they contain, who they’re shared with, etc. This won’t be easy or quick, but it’s necessary. Because the problem isn’t AI, AI has simply revealed a serious deficiency in our environment. Users could already access this information through search functions, perhaps in a more cumbersome way, but they could, so this is something we must fix.
How do we do it? In the case of Microsoft, we have a couple of new tools to control oversharing, such as SharePoint Advanced Management and Purview DSPM. Additionally, we may need third-party tools or PowerShell scripts to assist with this. My goal is to dedicate a specific post (or multiple) to explore these options.
In summary, much of the concern about integrating AI into a company isn’t about AI itself—it’s about how well-organized the «house» is before introducing it. So, the key question is:
How well organized is your house?
Best regards!!
Lo AsegurarIA 