Copilot and management of sensitive documents : Balancing Opportunities and Precautions

Artificial Intelligence (AI) has revolutionized the way we work, especially in document management. Microsoft Copilot, for example, is a powerful tool integrated into the Microsoft 365 suite to facilitate collaboration and boost productivity. However, when dealing with sensitive and confidential documents, its use raises crucial issues regarding security and compliance.

In this article, we explore how Copilot can transform sensitive document management, while highlighting potential risks and best practices for responsible use.

The Benefits of Copilot in Document Management

Copilot stands out for its advanced features that simplify working with complex documents:

Intelligent Search and Summarization: Copilot can quickly search and extract specific information from large documents.
Assisted Writing: It helps create precise and consistent content, reducing time spent on repetitive tasks.
Improved Collaboration: With contextual suggestions, it fosters better coordination among teams.
Process Automation: Copilot can generate summaries, organize information, or even create tables from raw data.

These features are particularly useful in sectors where document management is critical, such as human resources, finance, or cybersecurity.

Connected Experiences and Data Transfer

A technical analysis conducted by Wavestone in March 2024 revealed that connected experiences in Microsoft 365 Apps transfer text data from opened documents to Microsoft servers, even when these files are not stored in the cloud.

Key Findings of the Report:

Text data from PowerPoint and Word files (slides and documents) is transferred to the augloop.office.com endpoint through an encrypted connection.
This behavior is active by default and does not require any user action.
Local files (stored on a workstation or file server) are also affected.

Versions Impacted:

PowerPoint: Versions from 1908 to 2402.
Word: Versions from 2312 to 2402.

Limitations of the Analysis:

LTSC versions (long-term support) and platforms like macOS or mobile devices were not included in the study.

Enhanced Privacy with Microsoft Purview

Blocking Content Analysis in Microsoft 365

To enhance data privacy, Microsoft has introduced an advanced setting in sensitivity labels:
BlockContentAnalysisServices, or simply “Prevent connected experiences from analyzing content”.

Key Features:

Without Protection:
- 🚨 Risk of Exposure: Copilot can access and use sensitive data to provide recommendations or suggestions.
With Protection:
- ✅ Enhanced Security: By blocking content analysis by Copilot, this setting ensures maximum confidentiality for sensitive files.

Note: Some features, such as auto-labeling and DLP (Data Loss Prevention), may be impacted.

Prerequisites:

⚙ Current Channel: 2406+
⚙ Monthly Enterprise Channel: 2406+
⚙ Semi-Annual Enterprise Channel: 2402+

Reinforcement:

Protection via Double Key Encryption:
- Ensures robust encryption for sensitive data, limiting access to users through client-owned keys.

Benefits of the Feature:

Enhanced Privacy: Meets enterprise requirements for protecting sensitive data.
Operational Flexibility: Configurations integrate seamlessly into users’ workflows.
Regulatory Compliance: Helps meet standards such as GDPR.

Loss of Administrative Control Over Copilot

Starting November 11, 2024, Microsoft (MC908119) will remove administrative restrictions on who can use Copilot extensibility features. This means all licensed users will have access to extensibility features, including plugins created through Copilot Studio.

Major Implications:

Increased Exposure:
- Users may activate unvalidated third-party extensions, increasing data exposure and potential attack vectors.
Compliance Challenges:
- The lack of administrative control will make it harder to comply with confidentiality regulations. Security and Governance oversight should precede this Copilot update to maintain visibility and control.

Conclusion

Microsoft Copilot and its connected experience features represent a significant step forward for productivity but require careful attention to security and privacy. New control options, such as BlockContentAnalysisServices and Microsoft Purview tools, allow organizations to balance innovation with data protection.

Recommended Actions

Limit Access to Extensions:
- Regularly audit active plugins via Copilot Studio.
Disable Unnecessary Connected Experiences:
- Configure settings with BlockContentAnalysisServices or Microsoft Purview policies.
Educate Users:
- Train teams on the risks of using AI tools and best practices.

💡 Adopting a proactive strategy to secure sensitive data while leveraging the benefits of AI is an essential priority in today’s digital environment.

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Cookie	Duration	Description
_clck	1 year	No description
_clsk	1 day	No description
ApplicationGatewayAffinityCORS	session	No description available.
CLID	1 year	No description
GoogleAdServingTest	session	No description
LiSESSIONID	session	No description available.
LithiumUserInfo	past	No description
LithiumUserSecure	past	No description
LithiumVisitor	1 year	No description available.
original_req_url	past	No description
SM	session	No description available.
SRM_B	1 year 24 days	No description available.

Copilot and management of sensitive documents : Balancing Opportunities and Precautions