Organizations want to leverage the productivity enhancements Microsoft Copilot for Microsoft 365 may enable, but want to avoid unintentional over-exposure of organizational information while users are accessing these Copilot experiences.  Our Microsoft team is fielding many questions from customers about how to secure and govern Microsoft Copilot for Microsoft 365.  These organizations want to ensure maximum productivity benefit while minimizing their risk.   This article will describe the key considerations an organization should address.

Microsoft Copilot for Microsoft 365 context

First, a quick point of clarification.  Microsoft has released several instances of Copilot for use in different contexts.  At this writing Copilot instances include Microsoft Copilot (integrated in Bing and the Edge Browser), Microsoft Security Copilot, Github Copilot, and more.  In this article I address Microsoft Copilot for Microsoft 365, an instance of the Copilot technologies integrated with Microsoft 365 tenants and applications, via Microsoft Graph.  Microsoft Copilot for Microsoft 365 requires add-on licensing on top of other Microsoft 365 licensing.

Microsoft Copilot for Microsoft 365 is also extensible to non-Microsoft 365 sources of data.  Out of the box, “web grounding” is enabled at the tenant level and disabled at the user level (user can enable).  Web grounding allows Copilot to include web-based searches and the resulting information to be included in responses.  Additionally, via Copilot Studio, organizations can customize Microsoft 365 based experiences and can extend Copilot responses to include non-Microsoft 365 sources of information.

Microsoft 365 Security and Governance control the Microsoft Copilot experience

Here is the primary consideration your organization must understand and act upon in order to minimize unintentional over-exposure of your information via Microsoft Copilot for Microsoft 365:  By design, Microsoft Copilot for Microsoft 365 is accessing and including the information that your users already have access to in your tenant and within the bounds of existing Microsoft commitments.  Microsoft Copilot for Microsoft 365 is providing an additional interface for exposing this information, and is doing some of the heavy lifting for your users in finding, compiling, and contextualizing that information.  But, ultimately, it is exposing information that a user could have accessed on their own using their existing permissions, and given sufficient skill in using Microsoft 365 tools and applications for searching, querying, or accessing that information.  In this article I am not addressing any potential failure of Copilot to follow the published design parameters.  Monitoring and reporting on usage are advised to address this (unlikely) possibility.

Microsoft Copilot for Microsoft 365 is the latest, and possibly most advanced, tool for surfacing Microsoft 365 data to users.  In a sense, Microsoft Copilot is the next iteration of Microsoft Search and Microsoft Delve.  Each of these tools have some administrative controls that allow administrators to limit the information that is returned to a casual user of the tools.   However, using them in this way is somewhat like patching over a structural problem with a layer of drywall mud.  Your primary approach should be securing the underlying access controls and membership of your Microsoft 365 assets.  These assets include SharePoint Online sites, OneDrive for Business sites, Microsoft 365 Groups and Teams, Exchange Online mailboxes, and other Microsoft 365 assets.  Microsoft Purview sensitivity labels and their access controls can also be part of your solution to securing information and restricting access to the appropriate users.

The bottom line here is that there is no Microsoft Copilot for Microsoft 365 quick fix for information over-exposure.  Organizations who find that their existing Microsoft 365 usage and architecture has made information too widely available need to do the heavy lifting of properly adjusting permissions and memberships of the underlying assets, adjusting various Microsoft 365 workload settings and policies, and considering a well-planned crawl/walk/run approach for deployment of Microsoft Purview controls such as Sensitivity Labels (and others) to address additional scenarios.  Your organization should address information access controls at the foundational level first.  Once the foundation is secure then optimize controls around the specific access methods such as Microsoft Copilot.

Key Considerations for Microsoft 365 Readiness for Microsoft Copilot

The key considerations your organization should address when considering a Microsoft Copilot for Microsoft 365 deployment include:

Tier 1 Considerations

• Microsoft 365 Groups (and Teams)
  • Are you overly using public groups and Teams?  Unless permissions are customized, all of the file content in public groups and teams is available to anyone in the organization.  Anyone in the organization can access this information via direct navigation to the underlying SharePoint Online site, or via Microsoft Search, Microsoft Delve, or Microsoft Copilot for Microsoft 365.  (This does not apply to Private Channels and Shared Channels.)
• SharePoint Online Sites
  • Are your site permissions too broad?
  • Is the “Everyone” or “Everyone except External Users” group over-used in any sites?
• SharePoint and OneDrive Sharing Permissions
  • Have you set the restrictions and defaults for sharing links appropriately at the global level?
  • Have you configured per-site sharing link controls appropriately for the site?
• Web Grounding
  • Have you considered whether web grounding should stay enabled at the tenant level?  With web grounding enabled some organizational information may be submitted to Bing in a search query.
• Microsoft Purview
  • Consider using Container labels (sensitivity labels specifically for applying policy at the Group/Team/Site level) to enforce organizational standards at the Group/Team/Site level.
  • Do you have an Enterprise information taxonomy and classification system?  Have you implemented your taxonomy as Sensitivity Labels? There are legitimate tactical use cases for Sensitivity Labels but most organizations need a strategic “crawl, walk, run” multi-month or year rollout to achieve long-term effectiveness and user adoption.

Tier 2 Considerations

• Purview Data Lifecycle
  • Have you implemented or are you implementing information lifecycle policies in Microsoft Purview?  To make quality output from Microsoft Copilot for Microsoft 365 more likely you should address information ROT (Redundant, Outdated, or Trivial) in your tenant while also preserving important and relevant records that may contribute to quality output.  Retention and deletion policies and labels will likely be part of the solution to the problem of ROT.  Appropriate deletion actions can also reduce the likelihood of over-exposure of older but still sensitive information.
• User activity monitoring
  • Are you capturing and reviewing user activity in your tenant?  Specifically for Copilot, are you monitoring the Microsoft Copilot usage reports?  Have you enabled the telemetry capture that provides more detailed usage information?

The list above does not include all considerations for securing your Microsoft 365 tenant. For example, we did not address conditional access or multi-factor authentication scenarios.  However, the above considerations are most directly related to Microsoft Copilot consumption.

Conclusion

Microsoft 365 may add additional Copilot specific configuration and governance controls in the future.   However, the best approach is to ensure that your underlying Microsoft 365 assets are properly permissioned and configured.  As new Microsoft 365 features and controls are released, these actions will continue to pay dividends.

Our Perficient Microsoft team has extensive experience helping organizations like yours  to analyze current state, identify gaps, and take action to secure and govern their Microsoft tenant.   This work directly impacts the Microsoft Copilot for Microsoft 365 experience.  Our engagements range from road-mapping, to foundational security and governance implementations, to extended migration and/or enablement and support offerings and we are able to customize these engagements to your particular areas of concern.  We love partnering with customers to help them achieve the best possible Microsoft 365 service adoption and governance outcomes.

A Data Lake can be a highly valuable asset to any enterprise, and there is a myriad of technology solutions available for leveraging the processes to feed, maintain and retrieve information from the Lake.

But all this technology is, if not worthless, significantly less valuable, if the environment is not well governed and managed. This is the primary Takeaway to keep in mind when a Data Lake solution is being considered – or is already in place but needing improvement – by any organization.

Another takeaway is the idea of positioning the Data Lake as an Aggregator of information – and for it to operate analogically like a Warehouse store – positioned to serve Consumers, but ultimately is responsible for determining how best to collect, store, and make available, the information it houses. This takeaway significantly influences how the Governance of the environment is set up and run.

Accepting the above two statements – the criticality of Governance and the Operating Model of an Aggregator – some other observations can be made:

The Supplier

• Needn’t have knowledge of the Consumer(s) as they work directly and exclusively with the Aggregator
• Needs to be willing to conform to the formats, mechanisms and timings of information delivery as defined (through negotiations as necessary) by the Aggregator
• Needs to be able to describe the information they supply in a “common language” that focuses upon “what” the information is, regardless of how or where it is represented

The Consumer

• Needn’t have knowledge of the Supplier(s) as they work directly and exclusively with the Aggregator
• Needs to be willing to conform to the formats, mechanisms and timings of information delivery as defined (through negotiations as necessary) by the Aggregator
• Needs to be able to describe the information they require in a “common language” that focuses upon “what” the information is, regardless of how or through what mechanism it is delivered

The Aggregator

• Is the “lynchpin” between Suppliers and Consumers, therefore is responsible for ensuring Consumer satisfaction through appropriate “sourcing” (supplier systems) to address the needs of all Consumers
• As the central repository for the information transferred between suppliers and consumers, the Aggregator is keeper of the “common language” referred to in the Supplier and Consumer observations. This may take the form of a Master Information Catalog, a Semantic or Canonical Model, a Business Glossary of Terms or any combination thereof
• Guides both Suppliers and Consumers through the defined interaction processes and the use of the standards and templates defined for aiding these interactions

Governance

• Defines and ensures all parties adhere to the Rules, Rights and Processes for the use and management of the Data Lake
• Identifies and defines all standards and templates needed to ensure the consistency, efficiency and effectiveness of the interactions
• Governance is the ultimate and final authority for negotiating the relationships, duties, rights, obligations and privileges of all parties (Suppliers, Consumers and Aggregator)

As mentioned in a previous entry, these observations may sound dictatorial, but for this to be successful, when it comes to the information assets housed in the Data Lake, a highly collaborative environment where all parties are willing to compromise and reach consensus must be an integral part of the culture of the enterprise.

So, this completes my journey into Data Lakes and the Information Governance needed. I hope you found this interesting and helpful. Feel free to reach out with any comments or observations you may have. Thanks so much for reading my blog.

In my last blog, you may recall that we were discussing the value and the need for Standards and Templates for ensuring a consistent and efficient use of the Data Lake, both in its population (supplying) and in its retrieval (consuming) of information. To achieve this level of consistency and efficiency, as well as reliability, requires a robust Information Governance Program responsible for overseeing the environment. In this entry, I will provide an overview of what this means to me.

As I’ve referenced in previous blog entries, Information Governance can be defined as a strategic practice that defines Rules (inclusive of policies, guidelines, laws, etc.) for interacting with Information, Decision Rights and Responsibilities of all parties involved in these interactions and the Processes and Controls to be followed when performing these interactions. To accomplish this, the IG Practice itself fulfills a set of oversight roles that can be compared to our (the U.S.) form of government consisting of three branches – Executive, Legislative and Judicial.

As far as Rules, Decision Rights and Processes, we need to consider the overall purpose and role of a Data Lake and craft these accordingly. If you accept that the Data Lake will house the Information Assets of the enterprise, the following are some examples of these artifacts consistent with that model.

Rules

As indicated, this is a broad category meant to capture the “enforceable” items with regard to the use of the Data Lake. Some “categories” of these rules include:

• What is Contained: Specific guidance as to the information that is to be resident in the Lake – equally important is any information specifically excluded from the Lake
• Who has Access:   Provides guidance on roles and expectations and controls role assignments for individuals interacting with the Lake – this includes both the users as well as Governance personnel
• How to Interact: Guidance around acceptable behavior in all aspects of interacting with the Lake, from supplying, consuming and governing the information resident in the Lake

Decision Rights

Decision Rights bestow enforceable privileges (and the associated responsibility) upon parties involved in the program. These rights need to be defined for all governance and user roles. Using the Aggregator analogy we have been talking about, the following are examples of the Decision Rights bestowed upon the Supplier, Consumer and Aggregator.

Supplier Rights

• Decide the format of the information they are providing
• Decide what information they are supplying
• Decide when and at what cadence if applicable, information will be provided

Consumer Rights

• Decide what information they are willing to accept
• Decide what format and delivery mechanism they require
• Decide when and at what cadence if applicable, information will be obtained

Aggregator Rights

• Decide what information will be resident in the Lake
• Decide what formats of information that will be accepted from a Supplier and provided to a Consumer
• Decide when and at what cadence they will accept information from a supplier and deliver information to a Consumer

These decision rights may appear “dictatorial” and at cross-purposes, but that is not the case. The expectation is that the decisions be highly collaborative between the parties, but that, ultimately, each party has the right to make a decision best suited for them.

Processes

Processes essentially define how and when the Rules and Decision Rights are utilized along a path of activities put in place to achieve a usage goal of the Data Lake. These Processes again must be defined for both governing the information as well as how the user interactions are to take place. Some Processes that would be defined by the IG Program include:

• Request Management: Processes for making a request for a governance artifact to the Governance Program – inclusive of how the request is handled and tracked
• Artifact Development/Maintenance: Processes around the creation and modifications made to governance artifacts – inclusive of the deployment of these artifacts
• Artifact Enforcement: Processes around how artifacts will be monitored for adherence – inclusive of activities for dealing with non-compliance
• Supply Information: Processes that manage the interaction between a supplier and the aggregator
• Consume Information: Processes that manage the interaction between a consumer and the aggregator

As you can see, there is a lot of “infrastructure” that needs to be put in place for the effective and efficient use of a Data Lake. If the enterprise recognizes that it is worth this investment to ensure the enterprise a valuable and reliable Data Lake.

The establishment and maintenance of this infrastructure is the duty and responsibility of an Information Governance practice area – which is why I consider IG an essential aspect of any Data Lake initiative.

In my next post I will provide some key takeaways to keep in mind when creating the business case for the establishment of an Information Governance Program for getting the most out of a Data Lake.

As I have been continuing to work in the information governance area as it relates to healthcare, I recently came across an interesting development.

Some of my previous blog posts have covered the difference between Information Governance and Data Governance and some of the players in the field, including the American Health Information Management Association (AHIMA) – specifically in the healthcare space and their efforts in the information governance arena.

Since those posts, I’ve recently had a few conversations with the IG Advisors arm of the association and learned they have introduced a new tool for measuring an organization’s maturity with regard to their Information Governance (IG) Program. This tool is called IGHealthRate(TM), and it’s a fairly robust tool for determining not only the current maturity level of an organization but also providing some insights on steps the organization could take to progress forward on the maturity curve.

I’ve always believed that before any change can occur one should clearly define a Vision of where they would like to be, regardless of where they may actually be currently. An assessment tool like IGHealthRate(TM) is a great mechanism for understanding where you are and for forming a solid picture of where you would like to be.

AHIMA’s assessment tool is reflective of most maturity models in that it uses five levels of maturity they have identified as At Risk, Aware, Aspirational, Aligned and Actualized. It then uses its own framework as described in their IG Toolkit to evaluate an organization across all the “pieces,” or what they call Competencies, that a fully robust IG Program possesses and, through surveys and interviews, “scores” the organization’s maturity against each of these dimensions. They call this the Information Governance Adoption Model (IGAM)(TM) and the Competencies they identify are: IG Structure, Strategic Alignment, Enterprise Info Mgmt, Data Governance, IT Governance, Analytics, Privacy and Security, Legal and Regulatory, Awareness and Adherence, and IG Performance. From there, a roadmap can be defined by the organization for how best to evolve within each of these dimensions to move closer to its Vision State.

If you are interested in establishing (or improving) an IG Program, AHIMA’s IGHealthRate(TM) is a good first step to consider. It requires a minimal investment and its results can help build a business case for pursuing and maturing the IG Program.

The explosion of data is something that executives across industry are trying to wrap their heads around. Healthcare is no different. In fact, healthcare data is expected to grow 99% – patient data, wearables, medical literature, scientific articles, etc. are adding to the explosion of healthcare information. This data deluge is a big challenge for healthcare organizations because they are unable to leverage information to make timely and profitable business decisions.

To solve the data challenge many organizations try:

• Implementing Master Data Management or some other data management initiative
• Acquiring quality tools or other technology
• Putting people “in charge” whether through committees or assignments to “manage the information”

Unfortunately, these approaches are not very effective. In order to tackle data challenges healthcare organizations must turn to governance. Governance helps address the information challenges by:

• Ensuring information is fresh, available and accessible
• Articulating who can make changes and when and enforces these decision rights to prevent rogue changes
• Identifying all repositories, their purpose and their content based upon an enterprise-wide common vocabulary
• Defining, maintaining and publishing a common vocabulary specific to the enterprise’s needs and language
• Supplying an enterprise-wide description of each areas information use and the mechanisms to ensure cross-functional alignment and management support
• Providing clearly defined rules for quality, integrity, representation, etc. of the information and clear processes and responsibilities for stewarding the information for adherence to these rules
• Assigning, communicating and enforcing decision rights across the enterprise, as well as ensures actions taken and decisions made are broadly communicated

Information and data governance are quickly becoming imperative for a healthcare industry that is both seeking to capitalize on the value of its information assets and that is committed to ensuring the reliability and integrity of information and data used to improve care quality, operations, and financial performance. After all, trust in health information and high-quality patient care depend on it.

To learn more about trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

Of all the governance trends, none is more foundational and critical to the success of the governance program – indeed the organization itself – than the need for accurate, consistent, and relevant models that communicate the meaning, use, and residency of the information assets of the enterprise.

Modeling not only addresses the integration and ingestion of data across and between information systems, but also aids in communication both within a healthcare organization as well as in the organization’s interactions with patients, partners, vendors and consumers. The models provide a consistent basis for understanding and minimize miscommunications, thereby increasing organizational efficiencies.

Governance programs are adopting not just the classic business glossary, but information reference models that provide the necessary context for the information across business units, technologies, applications, and personnel changes. Governance is becoming the keeper of this common language in order to ensure the associated rules, policies, controls, decision rights, and processes defined to govern the information are both understandable and enforceable regardless of the area of the organization impacted.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

Addressing the ongoing explosion of data sources and storage options requires establishing consistent metadata attributes and semantic models across the enterprise to effectively govern information as an enterprise asset.

The primary objective of any enterprise governance program is to ensure consistent and timely data, so reaching consensus and agreement on a common understanding of concepts and metadata attributes must be addressed and enforced by the program. Cloud applications, for example, continue to be adopted and most have their own semantic and metadata models. Integration of these respective views is foundational to governance because without it meaning and reusability of the information suffers.

A recognition is forming that as information becomes a true enterprise asset, that the need to cross silos and reach consensus on a consistent meaning of the semantics and metadata used to describe the business domains and the information itself is becoming critical. This common understanding is best facilitated and controlled through robust governance that is enforced company-wide.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

The rise of Big Data, self-service, and more powerful and flexible end-user information visualization and preparation tools is impacting governance in a significant manner with regard to structure, decision rights, and accountabilities. End-users are gaining more control of data, including the ability to integrate and manipulate data for their own purposes, and being able to select data based on a relevance criteria not necessarily codified in classic metadata or semantic models.

What this means is that the responsibility of governance, such as adhering to access policies, is becoming the responsibility of practically any individual that needs or uses the data. Stewardship, therefore, is becoming democratized across the user community, directly impacting the centralized model where clear stewards and owners are typically named along domain boundaries. This paradigm shift means that anyone who uses the data has a say in how it is governed, but also the responsibility to behave accordingly.

As self-service as one of the key drivers, the need for broadening the responsibility for the stewarding of the information to a larger community of interested parties is becoming more common. This is consistent with the move towards a business-centric approach as it is the business users who have the need and are taking on this responsibility for the information critical to them. Better data preparation tools and governance stewardship applications are also contributing to and supporting this trend.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

Related to the trend of recognizing the difference between information and data, is that governance of information requires it be viewed as a business capability. This recognition is starting to take hold because healthcare organizations are realizing that it is the business needs and drivers that supply the context for the data housed by IT. Therefore, understanding, governing, and prioritizing the rules, processes, and controls must account for this contextualization.

Data is still the realm of IT, as are the technologies used to house and transmit it. However, data governance and IT governance are still essential and tight collaboration between IT and the business continues to be critical. What this equates to is more active and integral involvement of business personnel and subject matter experts in the governance program. Governance in general is a focus upon behaviors in the use and management of information. Therefore, the emphasis is upon people and process, which is exactly why information governance is being recognized as a business capability.

Governance will continue to be recognized as a business capability and moving out of the IT-only realm. As a business-centric capability, information governance is primarily focusing upon behaviors in the use and management of information, regardless of the technologies used to house or transmit that information, leaving those concerns primarily to sata and IT governance. Even with this shift, it is still recognized that tight collaboration with IT is critical to the success of the program.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

Governance historically has been instituted to support regulatory and compliance needs as well as requirements from business intelligence and analytics. These are still essential aspects of Governance, but more and more programs are broadening their reach to address operational needs and helping to solve operational business challenges. Governance is therefore starting to focus more and more on business outcomes and how the practice can affect and contribute to the achievement of these.

Healthcare, like other industries, is seeing governance move into the operational world, and process owners are adopting the practice more frequently. This is likely due to the ongoing quest for containing cost and optimizing processes where healthcare organizations see governance as being able to deliver on those fronts.

Governance is becoming paramount as the use of information continues to expand across a wider variety of business needs including supporting internal processes, developing new services, providing a better patient experience, driving towards operational excellence, and adapting new business models. Implementing a governance program to support these use cases requires a focused involvement from business executives and subject matter experts in addition to the technical or regulatory staff historically associated with data governance.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

A recognition, especially among the practitioners themselves, is that effective change management is the key to successful governance. It is still an elusive and challenging function, but its placement as the critical success factor of a governance program is becoming more and more apparent.

While all of the data-as-information points so far are relevant, the governance model has little value if people don’t know how to access, how to interpret, and ultimately how to use the core data and its embedded information. This is where organizational change management (OCM) plays a key role.

The value in the data lies with people engaging with it. OCM, and its underlying methodologies, is about ensuring users and key stakeholders are ready, willing and able to work in new ways, leveraging new tools and processes appropriately. It’s important to understand that user adoption cannot simply be assumed. Just because you tell someone that you have new ways of working doesn’t equate to people actually doing what you want or to them even knowing what to do. Change is hard, and change occurs one person at a time.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.

In my previous posts I discussed trends impacting governance. In my next few posts I will cover trends in governance – the first of which is Interest from Leadership.

Governance is being discussed in the C-suite as a business imperative to the success and growth of a company. As the “Information as an Asset” takes hold, leadership is beginning to not only accept, but demand, that Governance be applied to ensure the integrity and value of this asset is maintained.

Governance often comes up whenever leadership is asked about some of the more critical capabilities that an organization must possess. This is often driven by regulatory and compliance concerns, but as analytics become more essential to business and clinical decisions – as well as the recognition of information as an asset – the need for quality, integrity, and timeliness of the information is also driving this recognition of governance’s importance.

The industry, from vendors to advisory services such as Gartner and Forrester Research, is also contributing to heightened C-suite awareness as it continues to emphasize that truly reliable information in the era of Big Data and multiple disparate source systems can only be obtained through the application of a robust governance program. However, this does not mean that the governance program’s work is done and that there is clear sailing ahead. Even though there is awareness within executive leadership, misunderstandings still persist.

To learn more about this trend and the other trends impacting healthcare governance, download our recent guide, Healthcare Governance, Trends to Watch.