Copilot: Protect your data with the right IAM Policy

By: Arnout van der Vorst

Microsoft’s AI tool, Copilot, is quickly becoming an indispensable staple in the business world: its benefits mean few companies can afford to overlook it. If you are considering using Copilot, it’s critical to ensure that your deployment is secure and that sensitive information remains protected. To assist customers, Microsoft offers a convenient pre-scan that promptly determines whether an organisation is prepared to integrate Copilot effectively. This integration requires the right Identity & Access Management (IAM) policy, ensuring that data is accessible solely to authorised individuals. Without proper policies, sensitive data could easily end up in the wrong hands, risking reputational damage, potential compliance issues, and other serious consequences. Unfortunately, this is a common oversight, especially in scale-ups. This article explores the intersections between Copilot and IAM.

Due to Copilot’s surging popularity, Managed Service Provider (MSP) Previder recently hosted two knowledge sessions about the tool. The sessions featured discussions from global IT product and service distributor TD SYNNEX and Tools4ever, focusing on the IAM challenges associated with Copilot.


Growing customer interest

Copilot is a useful AI tool developed by Microsoft, based on technology from AI company OpenAI. Companies train Copilot using their own business data, which always remains their property and never becomes owned by Microsoft. Copilot offers a range of exciting possibilities. For instance, the AI assistant can efficiently summarise extensive datasets, highlight trends in business data, or compose texts for various purposes like job adverts or quotes.

We’re receiving an increasing number of queries from our clients about Copilot and its implementation and use. While many organisations are still experimenting with it in pilot projects, the interest is considerable, and it’s only a matter of time before clients start adopting Copilot on a larger scale. We already see practical applications among our partners. A prime example is Previder, which offers services including data centre operations, digital workplaces, IT infrastructure, backup solutions, and security. Previder uses Copilot for creating quotes, combining customer and sales data to quickly generate accurate proposals with a simple prompt.


Safely Getting Started with Copilot

Using tools like Copilot can deliver substantial benefits to clients. However, to safely engage with these tools, it’s crucial that their IT environment’s fundamental setup is properly organised. A crucial part of this is Identity & Access Management (IAM). Clients need to ensure that users have access only to the data for which they are authorised, and that other data remains protected. This may seem obvious, but it is an aspect that many clients overlook in practice.

Arnout van der Vorst, Identity & Access Management Architect at Tools4ever, explains: “When you start using Copilot, you activate it within your Microsoft 365 environment. The tool then indexes and analyses your entire environment, including your SharePoint sites, email traffic, and all your data. After that, you can ask questions to Copilot, and the tool provides you with useful insights into your data and various valuable perspectives.”



Poorly managed rights can lead to many problems

Copilot greatly eases the way you access and understand your data, offering significant benefits but also introducing risks. If the access rights for users in your Microsoft 365 environment aren’t well managed, Copilot could inadvertently grant unauthorised individuals access to sensitive data with just a simple prompt. For example, an intern might unintentionally gain access to management salary details, or an employee might view personal information about their colleagues.

An attacker who manages to gain access to an employee’s account could equally benefit from this simplified access to data. Consider also the so-called insider threats, like a sales employee embroiled in an employment dispute who might use Copilot to extract sensitive company and customer data before leaving the company. Unintentional mistakes by staff also fall under insider threats, such as wrongly combining information from multiple clients on a single quote through Copilot. These errors can lead to the exposure of sensitive information and cause not only reputational damage but also compliance issues.

Microsoft provides a scan that assesses how ready an organisation is to implement Copilot. “This scan essentially serves as a gauge, showing how prepared you are to activate Copilot. Microsoft reports that ninety percent of the organisations they scan are not yet ready,” says Van der Vorst. “Data from our partner TD SYNNEX indicates that this figure is conservative, and in reality, it’s even higher.”


The IAM Challenge for Scale-Ups

Differences between companies are stark. Many large firms are well advanced, with highly segmented and secured data access. However, Van der Vorst points out, “Many scale-ups don’t have such stringent measures in place, and employees often have access to a wide array of data. This is partly because roles in smaller companies tend to be more fluid, necessitating broader access rights. Hence, companies evolving from startups to scale-ups should consider enhancing their IAM significantly.”

Clients can run the Microsoft scan themselves, or they can opt to have it conducted by an MSP such as Previder. In the latter scenario, the MSP not only performs the scan but also advises the client on any necessary steps to prepare the organisation for using Copilot, supporting them in implementing these measures.

The right policy

Safely deploying Copilot isn’t just about choosing a specific solution; it’s about adopting the correct IAM policy. “HelloID, the IAM solution by Tools4ever, supports clients in developing, implementing, and managing such policies. A key technique in this process is role mining, which swiftly maps out which users have access to specific data. Role mining analyses current employee permissions to define roles,” explains Van der Vorst. This technique plays a crucial role in Role-Based Access Control (RBAC). Thanks to HelloID, clients are always in control and can prove compliance at all times.
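To make the role-mining idea concrete, here is an added example (not HelloID’s or Microsoft’s code) that groups users sharing an identical permission set into candidate roles and then reports, for every user who does not fit a mined role exactly, the closest role and the permissions that exceed it. The user names and SharePoint site names are constructed sample data; in practice the input would be exported from the Microsoft 365 tenant before Copilot is activated.

```python
from collections import defaultdict

# Constructed sample: Microsoft 365 users and the sites/mailboxes they can read.
# Illustrative data only, not taken from any real tenant or product.
ASSIGNMENTS = {
    "alice":  {"Sales-Quotes", "Sales-CRM", "Company-Wiki"},
    "bob":    {"Sales-Quotes", "Sales-CRM", "Company-Wiki"},
    "carol":  {"Sales-Quotes", "Sales-CRM", "Company-Wiki", "HR-Salaries"},
    "dave":   {"HR-Salaries", "HR-Personnel", "Company-Wiki"},
    "erin":   {"HR-Salaries", "HR-Personnel", "Company-Wiki"},
    "intern": {"Company-Wiki", "Finance-Board", "HR-Salaries"},
}


def mine_roles(assignments, min_members=2):
    """Group users that hold exactly the same permission set into a candidate role.
    Returns {frozenset(permissions): [users]} for sets shared by >= min_members users."""
    by_set = defaultdict(list)
    for user, perms in assignments.items():
        by_set[frozenset(perms)].append(user)
    return {perms: sorted(users) for perms, users in by_set.items()
            if len(users) >= min_members}


def find_deviations(assignments, roles):
    """For users who match no mined role exactly, pick the role with the largest
    overlap and report what they hold on top of it (candidates for revocation
    before Copilot makes that data one prompt away) and what they lack."""
    deviations = {}
    for user, perms in assignments.items():
        if frozenset(perms) in roles:
            continue  # user conforms to a mined role
        closest = max(roles, key=lambda role: len(role & perms))
        deviations[user] = {
            "closest": roles[closest],
            "extra": sorted(perms - closest),
            "missing": sorted(closest - perms),
        }
    return deviations


if __name__ == "__main__":
    mined = mine_roles(ASSIGNMENTS)
    for perms, members in mined.items():
        print("role", sorted(perms), "->", members)
    for user, info in find_deviations(ASSIGNMENTS, mined).items():
        print(user, "resembles", info["closest"], "extra:", info["extra"])
```

Permissions listed under "extra" are the ones an access review should question first, since role mining found no peer group that legitimately needs them.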

With Microsoft Copilot’s growing popularity, this article primarily discusses this AI tool. However, the significance of IAM and effective access rights management also applies to other AI assistants, such as NeuralPit and Amazon Q. If you’re interested in learning more about securely using Copilot, please get in touch with us!



Arnout van der Vorst
Meet Arnout van der Vorst, the inspiring Identity Management Architect at Tools4ever since the year 2000. After completing his Higher Informatics studies at the University of Applied Sciences in Utrecht, he started as a Support Worker at Tools4ever. Since then, Arnout has advanced to become a key figure within the company. His contributions range from customer support to strategic pre-sales activities, and he shares his expertise through webinars and articles.