Guests to arrive from 9:30 for registration and breakfast 10:15 - An Introduction to the FluidOne connected cloud 10:30 - Keynote sessions
Keynote sessions: Mobility trends AI and your business Building the foundations for CoPilot Modernising the approach to Cyber Security
11:45 - Live Q&A panel session 12:00 - 1:1 discovery sessions with the experts 13:00 - Lunch and networking 14:20 - Optional 360 Planetarium experience for customers 15:00 - Event close
##################### 02. Understanding AI Maturity: Early Days Good morning My name is Nick Lloyd - I'm a Lead Enterprise Architect with Fluid One Enterprise IT specialising in Cloud, MPW, Data, AI and Security. I'm here today to talk about what we have seen in terms of our customers' AI journeys i.e. where they are now, where they want to be and key security considerations along the way. I will manage all of one slide before mentioning Copilot but that is the specific use case that me and then my colleague Chris McQueen will focus on to being the abstract to life.
So where are many of our customers today with AI?
For the majority, AI operates at the periphery of their business information - certainly with products such as Copilot that are focussed more on individual users data versus core business systems and highly regulated, structured and managed data (such as ERP, CRMs, finance etc).
Which makes sense - data at the centre of an organisation is the most critical but also most managed, structured, understood - it speaks for itself perhaps whereas AI is seen as a means to boldly go where no business process has gone before - forging new understandings, new opportunities from less well understood unpredictable data - such as that your end users amass
---- Caution is key for most businesses at this point in their AI journey - AI will read source information but not actively change it - it will produce new data rather than amend existing. And ultimately it does not make the decision whether to act upon it's findings - typically human intervention is needed (and a good thing too you could quite reasonably conclude)
To steal line from Satya – “for many AI has been on Autopilot but now it moves forward to be by our sides as our Copilot” - from more passive to active relationship
And as AI becomes more widespread, ubiquitous and trusted, it will inevitably advance upon the higher value information, where it can deliver additional value to the business
And that tomorrow ….. we would strongly recommend you prepare for today! As the slide says before you can (fully) trust it, you need to secure it.
SO HOW DO YOU SECURE IT - WHAT PRACTICAL STEPS CAN YOU TAKE
######################## 03. Understanding AI Maturity: But AI is coming!
So to avoid being too abstract, I'll examine a specific product / use case - and of course, it is the very latest hot topic - Microsoft 365 Copilot. So what is Copilot? - these are my 3 perspectives on Copilot - 2 based on what it is and 1 based on what it isn't
Starting with the first 2 together 1.Digital Assistant on Steroids 2.Digital Version of You
3. So we come to what it is not - what it is not is an AI specific to your business and trained with you business data - it uses your business data but has not been created by your business data
It is important to know that this private Chat GPT instance is just one part of the Microsoft 365 Copilot service - there are other elements that contribute to the overall outcome and introduce your data into the conversation - safely
and a key player is Microsoft graph (a sort of per user database that keeps track of all the data that each user has access to in the M365 subscription).
When you ask M365 Copilot a question, what it does first is use Microsoft Graph to perform a background search through all the business data you have access to and any relevant supporting information it finds, it presents (in the background - unseen by you) to Chat GPT along with your original question. Think if it as like asking a very capable bright apprentice to do a piece of work and giving them a bunch of folders with relevant business documents in to help to do that work.
Chat GPT then uses it vast common sense, to examine that information and produce a useful result.
Once you have received the result and the interaction is ended, Chat GPT then wipes its own memory - gives itself amnesia - it does not keep a copy of any of the business information you gave it - in your M365 tenant, a history of your dialogue will be retained - in your tentnat - but Copilot is explicitly designed to not retain any of your business data so it effectively forgets the conversation.
This keeps your data safe - it is never persisted in Chat GPT ... which you would not want anyway as it is a multitenant / multiuser environment (AI is not cheap - it cost alot in terms of processing / GPUs etc) so it makes sense that for most businesses who are new to AI a service that is shared with others is much more cost effective - it's quite an ingenious approach
and this removes the risk that any other party inside or outside your business could (somehow and it is a big somehow) see your data when asking a question themselves with a similar topic
And also it keeps Chat GPT safe from you - it can't be corrupted by your data, influenced by, introduce biases etc - the relationship is a very clean one - it just has Just In Time access to your data as and when you ask it do something and then it completely forgets the interaction afterwards.
So what do you actually need to secure here? - The main risk is not that Copilot is that it has too much access to your business data and could be an avenue fordata breach, it is that your end users have too much access to your business data and Copilot could be a mechanism whereby which that data could more swiftly leave the building as it were (search engine on steroids). In this age of AI, you still need to address the fundamentals - secure your data properly and stay on top of that. That being said there is another form of AI that you can use to police this AI - which I will come onto later.
At the end of they day whatever data your end users have the right to access, Copilot acting on their behalf, will have as well - except it is an unsleeping tireless digital avatar / version of your end users - and when you do a search as that User it will not only look for what you asked it to look for, it will also look for what it thinks you asked for as well (semantic search) so if you have relied, as business, on hiding some sensitive information in folders you have not told your end users about, tools such as Copilot will expedite the discovery of such data.
########################## 04 + 05 - "Data Readiness: The Foundation of AI and the CIA Triad" and "Data Readiness: The Foundation of AI and the CIA Triad and Copilot"
So what do you need to do to secure your business information before implementing an AI such as Copilot?
In this age of constant innovation you could be forgiven for thinking you have to take some equivalently innovative approach to security but the tools are already there in M365 and the basic principles remain unchanged - even for AI
So when securing their data (or services etc), many businesses leverage the long established Information Security CIA triad - this is something your information security team will recognise and make the adoption of AI appear less alien, less risky - this covers the three key areas of Information Security - your business information's Confidentiality, Integrity and Availability ----- And what do those terms mean C = The right people can access the data, the wrong people can't I = The data is correct - has not been corrupted, changed without authorisation, from trusted source, not tampered with A = There's no point securing the data to such an extent that no authorised user can practically get to it - it needs to be sufficiently available to the right people at the right time and in the right time
All are important but there is a natural order in which they are addressed - Secure first, test data to ensure it is of sufficient quality and then make available
When it comes to traditional AI however there could be some confusion as a slightly different order is implied - Integrity first, train the model with good data - then address ongoing who needs to access to what and the make the data avaialable.
But to add further to the confusion with Copilot, we would recommend looking at Confidentiality first - why - because you aren't training the AI and creating new data - it is using existing data that should be secure already - you need to validate that security
So CIA is the approach - YOU ARE CONSUMING AN AI THAT HAS ALREADY BEEN TRAINED, NOT BUILDING IT YOURSELF
######################## 06. Data confidentiality for Copilot AI SO CIA IS WHAT YOU NEED TO THINK ABOUT, WHAT ARE THE RISKS PARTICULAR TO THIS FLAVOUR OF AI - COPILOT! So we have established your users will have access to a tool that will tirelessly comb through all the data they have access to in M365 –so With Great Power comes Great Responsibility No more as a business can you rely upon ‘Security by Obscurity’ –For examples, Key HR information in a document in a folder no human knows about but where the security permissions are set to allow All to Read – Copilot will find it
[De-emphasise this bit] Privileged Users – Key Concern – Sys admins if they run Copilot whilst logged in with heightened permissions will potentially have heightened access to business information. Not good – they should use a product called PIM to temporarily raise their privileges when they need to to carry out a specific sys admin task and then revert to standard privileges shortly after
################################# 07. Data Security for Copilot AI So once the need to avoid oversharing of information not with Chat GPT but with your end users is understood, the approach is a straightforward - at least from a technical perspective (though of course the effort is not insignificant) - M365 have a plethora of tools in it's tool kit to protect your data from multiple angles - here, you could argue is where the innovation comes in - and it is something business should be doing already, but with Chat GPT, Copilot and this immensely powerful tool that your end users will have access to, the need is greater than ever
Azure Information Protection – Classify and Encrypt documents based on Sensitivity – this type of data
Sensitivity Labels – Apply tags to SharePoint sites, Documents and Emails and employ Policies to limit access – this type of business sensitivity associated with – top secret, commercial, public
Data Loss Prevention – Automatically identify and protect sensitive information - how it is protected in it’s daily use
Retention Policies – Align with Compliance to retain – even if deleted, keep a copy
############################# 08. Defence in Depth – using AI to police AI - Slide
################################ 09. Data Integrity for Copilot AI So we've covered Confidentiality, now to address Integrity - what effort is involved here. Obviously the better your data, the better the outcome but ChatGPT has been trained on the world's data - so it has worked with data of varying degrees of quality, cleanliness etc - it can tolerate and work effectively with data of all quality types So it absolutely is not mandatory to comb through all your data and tidy up it's contents - use consistent terms, fill in any blanks, delete any stale or irrelevant data - obviously none of this hurts but because Copilot uses semantic indexing you don't have to use exactly the same language in all documents to make connections between them and derive useful insights
############################ 10. Read from slide
2 angles here - availability of the service to end users - it runs on M365, global platform - availability of data to Copilot to enhance the service - various options but most probably quite a ways away for a lot of businesses who will have enough to contend with adopting the basics of Copilot first and getting end user data properly secured
############################### 11. Conclusion So in conclusion.... 1. to get your data ready, your business ready for Copilot - you need to secure you data - you can use AI to prepare your data for AI - you don't have to just rely upon People to do the doing when it comes to securing
2. if there is time and resource you can clean up your data but not a priority
3. when it comes to availability the platform speaks for itself but as you mature, there may be enhancements you wish to make here. In sort - if it works with the worlds data usefully, it can with yours too
So with that being said, I believe we will have a short break and then my colleague Chris who will go into further detail as to how you can make your data and IT environment Copilot ready – thank you for your time
