Enable Endpoint DLP to prevent generative AI data exposure


In today's digital landscape, where data breaches and online threats are increasingly common, understanding effective strategies for safeguarding sensitive information is critical, especially for organizations using generative AI. Microsoft Purview's Endpoint Data Loss Prevention (DLP) plays a key role in this by protecting sensitive data from unintended exposure, using advanced tools designed for this purpose.

Understand endpoint DLP

Endpoint DLP extends data loss prevention capabilities to endpoint devices such as Windows 10/11 and macOS computers. It requires no extra plugins, because it builds on the data protection mechanisms already present in these operating systems. Endpoint DLP discovers and protects sensitive data on endpoint devices according to your organization's data protection policies. In the context of generative AI, endpoint DLP becomes especially important: it monitors and controls the flow of sensitive information, which helps prevent unauthorized data exposure or breaches. A notable use case is blocking the transfer of sensitive data into generative AI tools. This functionality helps organizations align with data security standards and adhere to data protection regulations.

Secure data pasting actions with endpoint DLP

An important feature of endpoint DLP is its capability to block the pasting of sensitive data into specific websites and applications. Organizations can configure DLP policies that prevent users from copying and pasting such data; for example, a policy can restrict the transfer of personal data from internal databases or documents. Endpoint DLP prevents data pasting on various platforms, including:

  • Generative AI websites: These sites can process and store the data you input, potentially leading to unintentional data retention or exposure. By blocking data pasting on these platforms, endpoint DLP can help safeguard against inadvertent sharing of sensitive data with external AI tools, which might not align with your organization's data protection policies.
  • Personal email accounts: These accounts might not have the same level of encryption and authentication as your work email, and might be vulnerable to hacking or phishing.
  • Social media sites: These sites might expose your data to the public or to third parties who might misuse it for advertising or other purposes.

By blocking data pasting on these platforms, endpoint DLP can help you:

  • Prevent data exposure: You can avoid accidentally or intentionally sharing sensitive data with unauthorized parties or platforms.
  • Comply with data protection regulations: You can follow the rules and standards that apply to your organization and industry regarding data security and privacy.
  • Enhance data security: You can reduce the risk of data breaches, leaks, or losses that might harm your organization or customers.

Endpoint DLP allows administrators to group sensitive domains or websites and apply different restrictions to each group. For instance, suppose you have a document that contains confidential customer information, like names, addresses, and phone numbers. You can copy and paste this information into your work email or SharePoint site, where it's protected by encryption and authentication. However, if you try to paste this information into a personal email account, such as Hotmail, the situation changes. The same applies if you attempt to paste it into a generative AI tool. In these cases, endpoint DLP intervenes: it blocks the action immediately and displays a warning message. The message might read, "This action is prohibited by your organization's data policy. Please contact your administrator for more information." This functionality ensures that sensitive information remains securely within the organization's network.

Get started with using endpoint DLP to block pasting interactions

To activate this feature, configure data pasting restrictions in your endpoint DLP policy for supported web browsers. This capability is currently in public preview for commercial tenants and can be put to use right away. The feature works with:

  • Microsoft Edge (works natively)
  • Google Chrome (requires Microsoft Purview extension)
  • Mozilla Firefox (requires Microsoft Purview extension)

Note: if you configured evidence collection for file activities on devices and the Antimalware Client Version on the device is older than 4.18.23110, there's a specific point to consider. Implementing the "Restricting pasting sensitive content into a browser" scenario might result in random characters being shown when you attempt to view the source file in Alert details. To view the actual source file text, download the file.

Create your DLP policy for restricting AI tools

When setting up data protection policies, particularly for managing interactions with AI tools, you can define various levels of enforcement for data pasting actions. For example, you might want to create different URL groups that cater to different types of web applications, including AI platforms.

Consider a scenario where you set up a policy that issues warnings to users when they attempt to paste U.S. Social Security Numbers (SSN) into any website, including AI tool interfaces. This policy could trigger an audit action for sites categorized under Group A. Simultaneously, you could establish another policy that outright blocks the paste action—without a warning—for all websites in Group B, which might include certain AI tools known for processing sensitive data.
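The following is an added illustration, not Purview code, of how the layered scenario above resolves: a rule that audits SSN pastes to any site, a stricter rule for one URL group, and an outright block for another. The domain groups, host names, the "subdomains are covered" matching rule, and the "most restrictive action wins" precedence are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed example: a small model of how "paste to supported browsers" rules
# from several sensitive service domain groups combine for one paste event.
# U.S. SSN pattern that rejects invalid area (000, 666, 9xx), group (00)
# and serial (0000) numbers, which keeps false positives down.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Sensitive service domain groups (constructed hosts). We assume a listed
# domain also covers its subdomains, as one would expect from "Add site".
URL_GROUPS = {
    "Group A": ["example-chat.test"],
    "Group B": ["sensitive-ai.test", "mail.personal.test"],
}

# (group or None for "any website", action) - the three enforcement levels
# that the policy steps below offer.
RULES = [
    (None, "Audit"),
    ("Group A", "Block with override"),
    ("Group B", "Block"),
]
SEVERITY = {"Audit": 0, "Block with override": 1, "Block": 2}

def contains_ssn(text: str) -> bool:
    """True when the pasted text carries at least one plausible SSN."""
    return SSN_RE.search(text) is not None

def host_in_group(url: str, group: str) -> bool:
    """Match the URL's host against a group's domains, subdomains included."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in URL_GROUPS[group])

def evaluate_paste(url: str, text: str) -> str:
    """Return the enforcement outcome for pasting `text` into `url`."""
    if not contains_ssn(text):
        return "Allow"                      # no sensitive info type matched
    hits = [action for group, action in RULES
            if group is None or host_in_group(url, group)]
    # Assumed precedence: when several rules match, the most restrictive wins.
    return max(hits, key=lambda a: SEVERITY[a], default="Allow")

if __name__ == "__main__":
    for url in ("https://intranet.corp.test/", "https://chat.example-chat.test/",
                "https://sensitive-ai.test/"):
        print(url, "->", evaluate_paste(url, "customer SSN 123-45-6789"))
```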

Create a URL group for AI tools

  1. Open the Microsoft Purview compliance portal and navigate to Data loss prevention > Settings > Endpoint settings, and scroll down to Browser and domain restrictions to sensitive data. Expand the section.
  2. Scroll down to Sensitive service domain groups.
  3. Choose Create sensitive service domain group.
    1. Enter a Group name.
    2. In the Sensitive service domain field, enter the URL for the first website you want to monitor and then choose Add site.
    3. Continue adding URLs for the rest of the websites you want to monitor in this group.
    4. When you're finished adding all URLs to your group, choose Save.
  4. Create as many separate groups of URLs as you need.

Restricting pasting content into AI tools

  1. Create a DLP policy scoped to Devices. For information on how to create a DLP policy, see Create and Deploy data loss prevention policies.
  2. On the Define policy settings page in the DLP policy creation flow, select Create or customize advanced DLP rules and then choose Next.
  3. On the Customize advanced DLP rules page, choose Create rule.
  4. Enter a name and description for the rule.
  5. Expand Conditions, choose Add condition, and then select the Sensitive info types.
  6. Under Content Contains, scroll down and select the new sensitive information type that you previously chose or created.
  7. Scroll down to the Actions section, and choose Add an action.
  8. Choose Audit or restrict activities on devices.
  9. In the Actions section, under Service domain and browser activities, select Paste to supported browsers.
  10. Set the restriction to Audit, Block with override, or Block, and then choose Add.
  11. Choose Save.
  12. Choose Next.
  13. Choose whether you want to test your policy, turn it on right away, or keep it off, and then choose Next.
  14. Choose Submit.