Microsoft 365 Copilot Governance and Security Assessment

Introduction

Microsoft Copilot is a powerful tool that assists developers by providing code suggestions, explanations, and more. However, ensuring proper governance and security is crucial when integrating Copilot into your organization. Let’s explore the key aspects:

1. Security Development Lifecycle (SDL)

Copilot Studio follows the Security Development Lifecycle (SDL), a set of strict practices that support security assurance and compliance requirements. These practices ensure that Copilot is robust and secure. For more details, refer to the Microsoft Security Development Lifecycle Practices.

2. Commercial License Agreements

Your Copilot Studio service is governed by your commercial license agreements, including the Microsoft Product Terms and the Data Protection Addendum. These agreements outline the terms and conditions for using Copilot.

3. Geographical Availability

Refer to the geographical availability documentation to understand where data processing occurs. This information is essential for compliance and data protection.

4. Data Loss Prevention (DLP) Features

Power Platform (which includes Copilot) offers robust DLP features. Configure DLP policies to manage the security of your data effectively. Learn how to set up DLP policies for Copilots in your organization.

5. Additional Governance Measures

To enhance governance and security:

• Disable Copilot Publishing: Admins can turn off the ability to publish Copilots with generative answers and actions for your tenant using the Power Platform admin center.
• Control Data Movement: Limit data movement across geographic locations for Copilot Studio generative AI features outside the United States.
• Manage Conversational and AI Actions: Use the Microsoft 365 admin center to govern the conversational and AI actions and extensions that appear in Copilot for Microsoft 365.
• Customer Lockbox: Copilot Studio supports securely accessing customer data using Customer Lockbox.

Security Assessment

Consider a comprehensive security assessment before integrating Copilot:

1. Self-Guided Questionnaire: Begin with a self-guided questionnaire to evaluate your organization’s readiness for Copilot integration.
2. Tenant Configuration Assessment: Assess your Microsoft tenant configurations, existing policies, and governance features.
3. Recommendations: Based on the assessment, make necessary adjustments to meet security requirements.

Remember, Copilot Studio is a powerful ally, but proper governance ensures a smooth and secure experience. 

Let’s delve into the security aspects of Microsoft 365 Copilot and its compliance with regulations, including the General Data Protection Regulation (GDPR).

Security Threads and Filtering

1. Server-Side Request Forgery (SSRF) Vulnerability: Recently, researchers discovered an SSRF flaw in Microsoft Copilot Studio. This vulnerability allowed authenticated attackers to bypass SSRF protection, potentially leaking sensitive cloud-based information across multiple tenants. The flaw enabled external HTTP requests to access internal services within a cloud environment, posing risks to data confidentiality.
2. Impact on Shared Infrastructure: While no cross-tenant information was immediately accessible, the infrastructure used for Copilot Studio was shared among tenants. Any impact on this shared infrastructure could affect multiple customers. Although the extent of risk remains uncertain, the shared nature magnifies the potential consequences.
3. Local Subnet Access: The exploit also allowed access to other internal hosts unrestricted on the local subnet to which the instance belonged. This highlights the importance of securing local network boundaries.

Sensitive Information Protection and GDPR Compliance

• Data Residency and Compliance Boundary: Copilot for Microsoft 365 adheres to existing privacy and compliance obligations, including GDPR. It ensures that data remains within specified boundaries, respecting regional regulations.
• GDPR and EU Data Boundary: Microsoft Copilot for Microsoft 365 complies with GDPR and EU data boundaries. It protects sensitive business data while enabling conversational AI tasks within the Microsoft 365 environment.

Practical Examples: (Dummy Company)

1. Server-Side Request Forgery (SSRF) Vulnerability:
   • Scenario: An employee at TechGuard Solutions uses Copilot to develop a new feature that interacts with external APIs. However, they inadvertently introduce an SSRF vulnerability.
   • Governance Solution:
     • Code Review: Implement mandatory code reviews for Copilot-generated code. Ensure that any external requests are properly validated and restricted to authorized endpoints.
     • Security Training: Train developers on secure coding practices, emphasizing SSRF prevention.
     • Automated Scans: Integrate automated security scans into the CI/CD pipeline to catch SSRF vulnerabilities early.
2. Impact on Shared Infrastructure:
   • Scenario: TechGuard Solutions shares Copilot Studio infrastructure with other tenants. A misconfigured Copilot instance affects multiple customers.
   • Governance Solution:
     • Isolation: Isolate Copilot instances within dedicated virtual networks or subnets.
     • Monitoring: Implement monitoring and alerts for unusual behavior or resource usage.
     • Incident Response: Develop an incident response plan to address shared infrastructure incidents promptly.
3. Local Subnet Access:
   • Scenario: Copilot-generated code inadvertently accesses internal services on the local subnet.
   • Governance Solution:
     • Network Segmentation: Segment the network to prevent unauthorized access between subnets.
     • Least Privilege: Limit Copilot’s access to only necessary resources.
     • Regular Audits: Conduct regular audits to identify and remediate any unauthorized local subnet access.

Use Case: TechGuard Solutions (Dummy Company)

Background:

TechGuard Solutions is a mid-sized technology consulting firm specializing in cloud solutions. They recently adopted Microsoft 365 Copilot Studio to improve code quality and accelerate development.

Governance Measures:

1. Tenant Configuration Assessment:
   • Action: TechGuard’s IT team reviews their Microsoft 365 tenant settings.
   • Outcome: They configure Copilot Studio permissions, disable unnecessary features, and enforce data residency boundaries.
2. Data Loss Prevention (DLP):
   • Action: TechGuard sets up DLP policies for Copilot-generated content.
   • Outcome: Sensitive data remains protected, preventing accidental leaks.
3. Customer Lockbox:
   • Action: TechGuard enables Customer Lockbox for Copilot Studio.
   • Outcome: Developers can securely access customer data only when necessary.
4. GDPR Compliance:
   • Action: TechGuard ensures that Copilot adheres to GDPR requirements.
   • Outcome: Personal data processed by Copilot remains within EU boundaries, respecting privacy regulations.

Connectors:

1. Microsoft Graph Connectors:
   • Purpose: Microsoft Graph connectors allow you to ingest unstructured, line-of-business data into Microsoft Graph. This data becomes accessible to Copilot for Microsoft 365, enabling natural language prompts and semantic understanding.
   • Usage: Users can find, summarize, and learn from line-of-business data through Copilot. In-text citations provide previews of external content, and reference links allow deeper exploration.
   • Gallery: Over 100 connectors are available, connecting to services like Azure, Box, Confluence, Google, Salesforce, and more¹.
2. Copilot Connectors:
   • Scope: Copilot connectors cover productivity cloud data in Microsoft 365, business data in Dynamics 365, analytical data in Microsoft Fabric, and non-Microsoft enterprise sources².
   • Benefits: They expand Copilot’s capabilities by leveraging Graph connectors and Power Platform connectors.
   • Use Case: Imagine TechGuard Solutions using Copilot connectors to seamlessly integrate their business data, enhancing productivity and insights.

Remember, connectors empower Copilot by bridging external data sources, making it even more versatile!

OpenAI chatbot using Microsoft Azure, here are the steps you can follow:

1. No-Code Chatbot with Azure OpenAI Service (Bubble):
   • Use the Microsoft Azure OpenAI Service Chatbot Template within your Bubble application.
   • Configure the Azure OpenAI Service Plugin by following these steps:
     • Click the “Plugins” button in your Bubble application.
     • Select the “Azure OpenAI Service Plugin” from the list.
     • Obtain the API key and endpoint from your Azure OpenAI Service setup.
     • Paste the key and endpoint into the appropriate text boxes in your Bubble plugin setup.
   • Deploy your chatbot as a web app and test it out! You’ve created a no-code chatbot without any coding knowledge.
2. Learn from Azure AI Essentials:
   • Watch the video tutorial on how to build a chatbot with Microsoft Azure AI. Learn about common chatbot types and how to use Azure AI to create them.
3. Python App with Azure OpenAI:
   • Explore the Python app repository that uses Azure OpenAI to generate chatbot responses. This project includes infrastructure setup and deployment to Azure Container Apps using the Azure Developer CLI.

Remember, these resources will guide you through the process, whether you prefer a no-code approach or want to dive into Python development.

Conclusion:

In conclusion, while Copilot Studio enhances productivity, organizations must prioritize security and compliance. Regular assessments, robust governance, and adherence to regulations are essential. By doing so, you can harness the power of Copilot while safeguarding sensitive information. 

TechGuard Solutions successfully integrates Copilot Studio while maintaining security and compliance. By following best practices, conducting regular assessments, and educating their team, they harness Copilot’s power without compromising data protection.