Case study: Implement Adaptive Protection for AI data security

Scenario

Contoso Inc., a company specializing in financial software solutions and consultancy services, faces a common challenge in the digital age. Their Research & Development (R&D) and Marketing teams rely on external generative AI tools for various tasks, from data analysis to marketing strategy improvement. While these tools offer benefits, they also introduce data security risks.

AI platforms are valuable for operations but come with risks such as exposing:

  • Sensitive financial information.
  • Proprietary methodologies.
  • Client data.

This case study explores how Contoso addresses these challenges with Microsoft Purview Adaptive Protection. It examines Contoso's approach to managing data security in the face of generative AI risks in the financial technology sector.

Learning objectives

In this case study, you learn how to:

  • Safeguard sensitive financial data when using external AI platforms.
  • Ensure compliance with strict financial data protection regulations.
  • Balance innovation in R&D and Marketing while maintaining data security.

Background

Contoso integrates AI into various aspects of its operations. The R&D team utilizes AI to enhance financial software products, improving speed and precision. Meanwhile, the Marketing team uses AI to analyze customer data for strategic marketing decisions.

Although AI is important for Contoso's operations, it also brings data security challenges. Contoso's existing insider risk policy manages data leak scenarios effectively. Still, the use of external generative AI tools introduces new risks, including the exposure of sensitive financial information, proprietary methodologies, and client data.

Contoso faces the challenge of balancing AI's innovation with the need to secure sensitive information and adhere to data security standards.

Scenario development

  • AI integration for R&D team: Contoso's R&D team uses AI for forecasting and financial algorithms. They work with confidential product development information, including unreleased features and proprietary technologies. There's a risk of accidental leakage of financial data and confidential product details when using external AI platforms for testing or analysis.
  • AI usage for Marketing team: The Marketing team uses AI to analyze customer behavior and create targeted content. Although the team might have access to less detailed customer data, it does have access to confidential information about upcoming product launches and marketing strategies. When using AI tools for campaigns or market analysis, there's a risk of exposing unreleased product details and strategies on insecure AI platforms.

Recognizing these risks, Contoso looked for a strong solution to prevent data breaches and maintain data quality when using external AI tools. They chose Microsoft Purview Adaptive Protection to address these issues.

Solution: Implement Adaptive Protection

Contoso acknowledges the need for a stronger solution to address challenges from external AI tools. They expand their existing Data leaks policy and implement Microsoft Purview Adaptive Protection. This solution offers:

  • A combination of insider risk management and data loss prevention (DLP).
  • The ability to track and regulate data interactions across R&D and Marketing departments.
  • Enhanced security when using external AI tools.

With Adaptive Protection, Contoso creates flexible security policies tailored to different departmental risk profiles and data types. This approach ensures both the R&D team's creative AI work and the Marketing team's strategic use of customer data remain secure.

Prerequisites

Before Contoso can implement Adaptive Protection to address the risks associated with external AI tools, there are several key prerequisites that need to be in place:

| Step | Description | Learn more |
| --- | --- | --- |
| Check Microsoft Purview licensing | Confirm that Contoso has the necessary Microsoft 365 licenses for Microsoft Purview, with access to both Insider Risk Management and DLP. | Microsoft Purview Data Loss Prevention: Endpoint Data Loss Protection (DLP) service description; Microsoft Purview Insider Risk Management service description |
| Classify and categorize data with Microsoft Purview Information Protection | Use Microsoft Purview Information Protection features, including sensitivity labels, sensitive information types, and trainable classifiers, to classify and categorize Contoso's data. Focus on identifying sensitive financial information, proprietary methodologies, and client data. | Deploy an information protection solution with Microsoft Purview |
| Onboard devices for endpoint DLP | Prepare and configure endpoint devices (laptops, desktops) used by the R&D and Marketing teams for Endpoint DLP monitoring within Microsoft Purview. This task includes making sure all devices are compatible and meet the software requirements. | Onboard Windows devices into Microsoft 365 overview |

Implement Adaptive Protection

Step 1: Contoso starts by creating insider risk management policies

Contoso expands its data security by adding a new insider risk management policy in Microsoft Purview, complementing their existing Data leaks policy. They create a policy with the Risky browser usage (preview) template that includes an indicator to collect signals on browsing to generative AI sites.

Screenshot shows the Choose a policy template screen in the Insider Risk Management policy template wizard.

With this policy, Contoso is targeting users who handle sensitive data. They're configuring rules to detect behaviors that might pose a risk, such as accessing AI tool websites. This step is part of Contoso's strategy to stay ahead of emerging security challenges in a technology-driven environment.

Step 2: Contoso then configures risk levels

In Microsoft Purview, Contoso selects the Risk levels for Adaptive Protection tab. They use the newly created Risky browser usage policy with their existing Data leaks policy. The system presents three risk levels: Elevated, Moderate, and Minor. Each level corresponds to the seriousness of potential security incidents.

  • Elevated risk level: Triggered by high-severity incidents like confirmed unauthorized data sharing.
  • Moderate risk level: Adjusted for medium-severity situations, such as irregular data transfers.
  • Minor risk level: Includes monitoring for less severe but still notable activities.

Contoso moves to set the conditions for each risk level. They can:

  • Set alert-based conditions: If Contoso selects Alert generated or confirmed for a user, they can set risk levels to activate based on the severity of alerts. A high-severity alert, for instance, might be categorized as an elevated risk.
  • Set activity-based conditions: If Contoso selects Specific user activity, they outline the activities to be monitored, their severity levels, and occurrence frequency. This process includes specifying how often certain data access or sharing activities should be detected to trigger a particular risk level.

Screenshot shows the Custom risk levels menu in Adaptive Protection.

Contoso opts to assign risk levels based on user activities, allowing them to focus on monitoring specific indicators that are most relevant to their security concerns.

With risk levels configured, Contoso moves on to create a DLP policy focused on blocking risky sharing to generative AI sites.

Step 3: Contoso creates a DLP policy to block pasting into generative AI sites

Contoso next advances their security measures by creating a new DLP policy to integrate with their Adaptive Protection configuration.

Set up sensitive service domains:

  • Contoso identifies and categorizes generative AI tool URLs as sensitive service domains.
  • The new DLP policy uniformly blocks the pasting of sensitive data into these domains for all users, ensuring consistent protection of sensitive information.

Configure actions based on user risk levels:

When creating a DLP policy to use with Adaptive Protection, the "User's risk level for adaptive protection is" condition must be defined. The condition has three values:

  • Elevated risk users: For users with an Elevated risk level, the policy restricts access to the generative AI sites listed in the configured sensitive service domains restrictions list.
  • Moderate risk users: For users with a Moderate risk level, the policy establishes a Block with override action on access to AI tool domains. This approach provides a balance between control and flexibility.
  • Minor risk users: Users categorized under Minor risk are allowed access to the AI tool domains but are still subject to the policy that blocks pasting of sensitive data.

Screenshot shows the Create rule menu within data loss prevention with Paste to supported browsers blocked and where to change Sensitive service domain restriction actions.

Contoso's policy is designed to manage the use of generative AI tools securely while ensuring data protection. By setting varied rules based on the risk levels of users, the policy achieves a balance. It applies stricter controls for high-risk users to minimize the chance of unintended data sharing, while providing reasonable flexibility for users with lower risk profiles. This approach enables effective use of AI tools across the organization, aligning with both operational needs and security requirements.

With the DLP policy now in place, Contoso completes the final step in enabling Adaptive Protection.

Step 4: Contoso enables Adaptive Protection

After setting up the insider risk management policy, configuring risk level settings, and creating a DLP policy, Contoso is prepared to enable Adaptive Protection. Contoso navigates to the Adaptive Protection settings tab in Microsoft Purview and toggles the Adaptive Protection feature to On. This action starts the process of monitoring and acting based on their configurations.

Screenshot shows Adaptive Protection enabled.

How Adaptive Protection works at Contoso:

  • Risk level assignment: The insider risk management policy now actively scans for user activities that match Contoso's risk level conditions. Detected activities lead to assigning appropriate risk levels to users.
  • User monitoring: Users assigned risk levels show up on the Users in scope tab within Adaptive Protection, helping Contoso monitor who falls under each risk category.
  • DLP policy actions: The DLP policy, aimed at controlling data interactions with AI tools, begins to enforce its rules. Actions vary based on users' risk levels, like blocking or auditing sensitive data pasting into AI tools.
  • Policy management: From the DLP policies tab in Adaptive Protection, Contoso can view and adjust the DLP policy, allowing for continuous improvement and adaptation.
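
The chain from activity-based risk levels (Step 2) to risk-tiered DLP actions (Step 3) can be modeled to reason about precedence between the rules. The Python below is an added illustration, not Microsoft Purview code or Contoso's configuration; the thresholds, the domain names, the treatment of users with no risk level, and the function names are assumptions.

```python
# Simplified model of Steps 2-3 (added illustration, assumed values throughout).
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Step 2, activity-based conditions: (risk level, minimum severity, minimum
# occurrences in the evaluation window), checked from most to least severe.
RISK_CONDITIONS = [("Elevated", "high", 3), ("Moderate", "medium", 2),
                   ("Minor", "low", 1)]

# Step 3: constructed sensitive service domains and per-level access actions.
SENSITIVE_SERVICE_DOMAINS = {"genai.example", "assistant.example.net"}
ACCESS_ACTION = {"Elevated": "Block", "Moderate": "Block with override",
                 "Minor": "Allow", None: "Allow"}  # None: assumed unrestricted


def assign_risk_level(severities):
    """Return the highest risk level whose condition the activity meets."""
    for level, min_severity, min_count in RISK_CONDITIONS:
        hits = sum(SEVERITY[s] >= SEVERITY[min_severity] for s in severities)
        if hits >= min_count:
            return level
    return None


def dlp_decision(risk_level, domain, action, sensitive):
    """Decide one browser event; action is 'access' or 'paste'."""
    if domain not in SENSITIVE_SERVICE_DOMAINS:
        return "Allow"
    access = ACCESS_ACTION[risk_level]
    if access == "Block":
        return "Block"  # site unreachable, so nothing can be pasted
    if action == "paste" and sensitive:
        return "Block"  # paste rule applies uniformly to every user
    return access


def replay(severities, domain, action, sensitive):
    """Show how the decision for the same event shifts as activity accrues."""
    return [
        dlp_decision(assign_risk_level(severities[:n]), domain, action, sensitive)
        for n in range(len(severities) + 1)
    ]


if __name__ == "__main__":
    # Constructed window of indicator severities for one user.
    print(replay(["low", "medium", "medium", "high", "high", "high"],
                 "genai.example", "access", False))
```

Replaying the same access request as activity accumulates shows the "adaptive" part: the decision tightens from Allow to Block with override to Block without anyone editing the DLP policy.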

Contoso Inc.'s implementation of Microsoft Purview Adaptive Protection shows a practical approach to managing security risks in the use of external generative AI tools. By effectively integrating risk management policies, fine-tuning risk levels, and enforcing a specific DLP policy, Contoso strengthened its defense against data leaks while maintaining the utility of AI tools in its operations.
