Microsoft Copilot is a powerful AI assistant that can leverage Microsoft 365 (M365) data from across an organization to generate accurate and relevant insights. But some of that data should be under special lock: you do not want sensitive enterprise information to be used as part of a large language model (LLM). And the reality is that common misconfigurations—such as mislabeled files and overly broad user permissions—can lead to sensitive data exposure to unauthorized users.

Rubrik recently launched Data Security Posture Management (DSPM) for Microsoft 365 Copilot to help organizations reduce the risk of sensitive data exposure by identifying overexposed, mislabeled, and misplaced sensitive data. With Rubrik helping remediate these vulnerabilities at scale, your IT, security, and Modern Workplace teams can accelerate secure adoption of Copilot. Here’s how.

What is Microsoft 365 Copilot?

Microsoft 365 Copilot is an AI assistant integrated within M365 services such as Outlook, Word, Teams, SharePoint, and OneDrive. 

Like other AI-powered software built on LLMs (like ChatGPT), Copilot generates answers based on an organization’s business content—documents, emails, calendar, chats, meetings, and contacts—to offer relevant and contextual responses. Copilot achieves this by combining LLM technology with Microsoft Graph, an API that provides access to data stored across M365 services.

Copilot introduces new data security risk

Copilot follows the same data access controls already in place in M365, surfacing only data that users have permission to view. However, as data is generated and shared by end users across M365 platforms like OneDrive and SharePoint, data access permissions become increasingly difficult to manage, and improperly configured permissions can lead to the oversharing of sensitive data across the environment.

Copilot amplifies this challenge, as it makes data more easily accessible and shareable by end users. So organizations that are considering a Copilot implementation need to act quickly and take measures to prevent the oversharing of sensitive data. For some, this reality can scuttle a perfectly valuable Copilot project.

IT and security teams should consider the following challenges when managing M365 data:

  • Lack of data visibility and control. Rapid data sprawl across M365 can make it extremely difficult for organizations to know what data resides where—including sensitive data.

  • Mislabeled and unlabeled sensitive files. Inconsistent and inaccurate labeling can lead to inadequate access controls, which increases the risk of unauthorized access and data breaches.

  • Overexposed sensitive data. The ease with which users can share M365 files across an entire organization or through a publicly available link can lead to overexposed sensitive data. Right-sizing access and enforcing least privilege access can be virtually impossible to do manually.

  • Misplaced sensitive data. Misplaced data, such as data stored in the wrong OneDrive or SharePoint site, can result in exposure to unauthorized users as well as compliance issues.

Without proper data classification, labeling, and permissions, Copilot could expose sensitive data to unauthorized users. The impact of such a data leak could be significant, especially if the data is accessed by malicious insiders or external threat actors. Data leaks could also lead to compliance violations and hefty fines.

Rubrik Data Security Posture Management (DSPM) for M365 Copilot

To help mitigate these risks, Rubrik DSPM for M365 Copilot provides the data visibility and control needed to ensure sensitive data is correctly classified, labeled, and segmented—and has the right access permissions. This allows customers to leverage the power of Copilot while safeguarding sensitive data from the risk of exposure, all within a comprehensive cyber resilience platform.

With Rubrik DSPM for M365 Copilot, you can:

  • Gain control and visibility of your data. Rubrik DSPM continuously and autonomously discovers and classifies all known and unknown data—both structured and unstructured—at a very rapid rate. In addition to your M365 environment, you can use Rubrik’s powerful classification engine across on-premises, cloud, and other SaaS applications, thereby benefiting from a single pane of glass for all of your assets and data.

  • Detect and remediate missing or incorrect MIP sensitivity labels. Correct data labeling is essential for restricting access to sensitive data when using Copilot. It is also important for ensuring compliance and maintaining robust security controls across your organization. Rubrik DSPM identifies sensitive files with missing or incorrect Purview Microsoft Information Protection (MIP) sensitivity labels and enables you to remediate at scale by applying the correct labels directly from the product.

  • Reduce access to sensitive files. Rubrik DSPM detects sensitive files with public or organization-wide access so you can right-size permissions and prevent the exposure of sensitive data to unauthorized users.

  • Ensure your data is in the right place. With many companies dedicating SharePoint sites to specific purposes and managing access at the site level, Rubrik DSPM can help ensure that the right data doesn't slip into the wrong site, thereby preventing exposure to unauthorized individuals. Rubrik offers customized policies to meet the needs of each organization.

How it works

After setting up Rubrik DSPM for your M365 environment, Rubrik will discover and classify all of your OneDrive and SharePoint assets. The Dashboard provides a bird’s eye view of your M365 data landscape, including the total number of assets at critical or high risk of sensitive data exposure. Lowering this metric is key to preparing your data for secure Copilot adoption.

Dashboard M365

You can then get detailed information about each drive or site in the Asset Inventory. This includes essential information about data types, sensitivity, and risk.

All accounts m365

To start reducing risk, you can click on an asset or go to the Data Security Violations page. Here you can find a prioritized list of your most at-risk assets based on the following misconfigurations:

  • Sensitive data that is publicly exposed

  • Sensitive data that has org-wide access

  • Sensitive data that is missing a Confidential label

  • Sensitive data residing in the wrong location
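As an added example (not Rubrik's code), the following Python triage pass applies the four checks above to a constructed file inventory and ranks assets by severity, the kind of logic a team might use to cross-check a DSPM finding against its own sharing and label export. The field names, link-scope vocabulary, site policy and severity weights are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sharing scope of the widest link on a file (assumed vocabulary for an inventory export).
PUBLIC, ORG_WIDE, RESTRICTED = "anyone", "organization", "specific_people"
# Constructed location policy: the data types each SharePoint site is meant to hold.
SITE_POLICY = {"Finance": {"financial"}, "HR": {"hr", "pii"}, "Marketing": {"marketing"}}
# Constructed severity weights for ranking; public exposure outranks everything else.
SEVERITY = {"publicly_exposed": 4, "org_wide_access": 3,
            "wrong_location": 2, "missing_confidential_label": 1}

@dataclass
class Asset:
    path: str
    site: str
    data_types: Set[str]   # classifier output, e.g. {"hr", "pii"}
    link_scope: str        # one of PUBLIC / ORG_WIDE / RESTRICTED
    label: Optional[str]   # MIP sensitivity label, None if unlabeled
    sensitive: bool        # classifier verdict

def violations(asset: Asset, policy=SITE_POLICY) -> List[str]:
    """Return which of the four misconfigurations above apply to one asset.
    Only sensitive files count; a restricted, labeled, correctly placed file yields []."""
    if not asset.sensitive:
        return []
    found = []
    if asset.link_scope == PUBLIC:
        found.append("publicly_exposed")
    elif asset.link_scope == ORG_WIDE:
        found.append("org_wide_access")
    if asset.label != "Confidential":
        found.append("missing_confidential_label")
    if not asset.data_types <= policy.get(asset.site, set()):
        found.append("wrong_location")
    return found

def prioritize(assets: List[Asset]) -> List[Tuple[int, str, List[str]]]:
    """Rank violating assets by summed severity, highest first, as (score, path, violations)."""
    scored = [(sum(SEVERITY[v] for v in vs), a.path, vs)
              for a in assets if (vs := violations(a))]
    return sorted(scored, key=lambda row: row[0], reverse=True)

# Constructed inventory rows.
INVENTORY = [
    Asset("/sites/Marketing/Q3_payroll.xlsx", "Marketing", {"hr", "pii"}, PUBLIC, None, True),
    Asset("/sites/Finance/budget.xlsx", "Finance", {"financial"}, ORG_WIDE, "Confidential", True),
    Asset("/sites/HR/handbook.docx", "HR", {"hr"}, ORG_WIDE, "General", False),
    Asset("/sites/Finance/contract.pdf", "Finance", {"financial"}, RESTRICTED, "Confidential", True),
]
```

Running `prioritize(INVENTORY)` puts the publicly shared, unlabeled payroll sheet in the wrong site at the top; the non-sensitive handbook is ignored even though it is shared org-wide.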

Data security violation

For this blog post, we'll look at an example of a OneDrive location where there is unlabeled sensitive data.

M365 copilot sensitive data

Once you confirm that the data is indeed sensitive, you can apply an MIP label directly from here.

M365 MIP labels

One complete cyber resilience platform for your M365 data

With Rubrik DSPM, you can proactively reduce the risk of sensitive data exposure as described above and protect your M365 data from cyber attacks, data loss, and accidental deletion.

Having one cyber resilience platform where you can harden your data security posture and recover your data makes it easier to manage your data, minimizes operational complexities, and enhances your ability to respond swiftly to potential threats.

The future: new technology means new threats

Things move fast these days, and it is vital that your security measures keep pace. As advanced AI tools like Microsoft Copilot are introduced into the enterprise, they can expose and magnify existing technical security debt.

Ensuring that your data is correctly classified, labeled, and appropriately accessible is essential for maintaining a secure and resilient operational environment. By addressing these vulnerabilities proactively, you can harness the full potential of Copilot while safeguarding your organization's most valuable digital assets.

Take the first step today by getting a free M365 Copilot risk assessment. To learn more about how Rubrik can help you safely deploy Copilot, check out our self-service walk-through demo.