{"id":3538,"date":"2024-05-13T11:00:21","date_gmt":"2024-05-13T16:00:21","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10077"},"modified":"2024-05-13T11:00:21","modified_gmt":"2024-05-13T16:00:21","slug":"how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/13\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns\/","title":{"rendered":"How to Implement Commercial Data Protection for Copilot using Infoblox DNS"},"content":{"rendered":"<p>As a commercial user of Microsoft\u2019s generative AI system, Copilot, you\u2019re likely aware of its incredible capabilities. However, with great power comes great responsibility, especially regarding data protection and privacy. In this blog post, I will explore the risks of using Copilot without proper <strong>Commercial Data Protection (CDP)<\/strong> and discuss how to address them.<\/p>\n<h3>The Risks<\/h3>\n<p><strong>Data Leakage and Privacy Concerns<\/strong><br \/>Sensitive information might be shared during conversations when interacting with Copilot. Without CDP, this data may not be adequately protected. Imagine accidentally leaking customer data, financial records, or trade secrets! Organizations must take steps to prevent data leakage and privacy breaches.<\/p>\n<p><strong>Compliance Violations<\/strong><br \/>Various industries have strict compliance requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Failing to use CDP could result in legal penalties, fines, and damage to your organization\u2019s reputation.<\/p>\n<p><strong>Intellectual Property Risks<\/strong><br \/>Copilot generates code, documents, and other content based on user input. 
Without CDP, you may unintentionally expose your proprietary code, patented algorithms, or copyrighted material. Protecting intellectual property is crucial to maintaining a competitive advantage.<\/p>\n<p><strong>Loss of Trust and Productivity<\/strong><br \/>If Copilot inadvertently shares sensitive information, users may lose trust in its reliability. Reduced trust can impact your organization\u2019s productivity, collaboration, and overall efficiency.<\/p>\n<p><strong>Reputation Damage<\/strong><br \/>Public perception matters. A data breach or privacy violation due to Copilot could harm your organization\u2019s reputation. Negative publicity may deter potential clients, partners, or investors.<\/p>\n<h3>Enhancing Data Protection for Copilot Users: A Practical Guide<\/h3>\n<p>Enterprise customers should validate that they are minimizing risks when using this tool, so let\u2019s look at the steps Microsoft recommends to enforce commercial data protection (CDP) and prevent accidental crosstalk to the public system.<\/p>\n<p><strong>Enforcing Commercial Data Protection<\/strong><\/p>\n<p>Enable the \u2018Commercial Data Protection for Microsoft Copilot\u2019 Service Plan:<\/p>\n<ul>\n<li>Ensure that eligible users have activated this service plan.<\/li>\n<li>This step establishes the necessary boundaries for Copilot\u2019s operation within a commercial context.<\/li>\n<\/ul>\n<p><strong>Preventing Use without CDP<\/strong><\/p>\n<p>To prevent users from accessing Copilot without CDP, Microsoft suggests you update your DNS configuration:<\/p>\n<ul>\n<li>For Copilot in Bing, Edge, and Windows: update your DNS configuration by setting the DNS entry for <a href=\"https:\/\/www.bing.com\/\" rel=\"noopener\" target=\"_blank\">www.bing.com<\/a> to be a CNAME for nochat.bing.com.<\/li>\n
<li>For copilot.microsoft.com and the Copilot mobile app: update your DNS configuration by setting the DNS entry for copilot.microsoft.com to be a CNAME for cdp.copilot.microsoft.com.<\/li>\n<\/ul>\n<p><strong>DNS configuration in Windows according to Microsoft:<\/strong><\/p>\n<p>One small issue: you can\u2019t create CNAME records out of thin air, or simply drop them into other people\u2019s domains without impacting DNS for those domains! Microsoft currently recommends the following process for their customers:<\/p>\n<p>Create DNS redirects for various Copilot entry points:<\/p>\n<ul>\n<li>For Active Directory Domain Services (AD DS): Deploy the DNS Role on a member server. On the newly deployed DNS server, create the following Forward Primary Zones:<\/li>\n<ul>\n<li>microsoft.com<\/li>\n<li>bing.com<\/li>\n<\/ul>\n<li>Create the following CNAME records in the respective zones:<\/li>\n<ul>\n<li>copilot.microsoft.com \u2014&gt; cdp.copilot.microsoft.com<\/li>\n<li><a href=\"https:\/\/www.bing.com\" rel=\"noopener\" target=\"_blank\">www.bing.com<\/a> \u2014&gt; nochat.bing.com<\/li>\n<\/ul>\n<li>On the AD DNS server, create the following Conditional Forwarders and make AD Integrated:<\/li>\n<ul>\n<li>Conditional forwarder for <a href=\"https:\/\/www.bing.com\" rel=\"noopener\" target=\"_blank\">www.bing.com<\/a> pointing to the new DNS server<\/li>\n<li>Conditional forwarder for copilot.microsoft.com pointing to the new DNS server<\/li>\n<\/ul>\n<\/ul>\n<p>That\u2019s right \u2013 stand up DNS on another system and make it authoritative for microsoft.com and bing.com, so you can punch a \u2018hole\u2019 in their DNS! 
<\/p>\n<p>Whew!<\/p>\n<h3>Better Techniques: DNS Firewall<\/h3>\n<p>Enterprise network deployments using Copilot should also have some layer of DNS security deployed; it\u2019s important to remember that a proper \u2018DNS Firewall\u2019 means you can not only block\/allow, but also redirect DNS!<\/p>\n<p>Let\u2019s see what creating those redirects looks like under an Infoblox NIOS system running DNS:<\/p>\n<p>DNS Firewall \/ Response Policy Zone \u2013 On-Prem:<\/p>\n<ul>\n<li>Build a redirect DNS Firewall Response Policy Zone for each target (e.g., bing.com, copilot.microsoft.com).<\/li>\n<li>Create domain redirect rules to match records and perform the necessary redirects (the CNAME targets recommended by Microsoft).<\/li>\n<li>Deploy these rules to the forwarding-layer DNS appliances.<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" alt=\"figure 1\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns.png?w=640&#038;ssl=1\"><\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" alt=\"figure 2\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns-1.png?w=640&#038;ssl=1\"><\/p>\n<p>If you have a cloud-based system for DNS Policy Enforcement, your instructions will be slightly different, but they will accomplish the same goal. 
<\/p>\n<p>For example:<\/p>\n<p>BloxOne Threat Defense in the Cloud<\/p>\n<ol type=\"a\">\n<li>Create custom redirect targets for both destinations, nochat.bing.com and cdp.copilot.microsoft.com.<\/li>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" alt=\"figure 3\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns-2.png?w=640&#038;ssl=1\"><\/p>\n<li>Create custom lists for <a href=\"https:\/\/www.bing.com\" rel=\"noopener\" target=\"_blank\">www.bing.com<\/a> and copilot.microsoft.com. These are used to match the queries we want to redirect.<\/li>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" alt=\"figure 4\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns-3.png?w=640&#038;ssl=1\"><\/p>\n<li>Add the custom lists to your security policies, and pick the correct redirect that you created in the first step.<\/li>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" alt=\"figure 5\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns-4.png?w=640&#038;ssl=1\">\n<\/p>\n<\/ol>\n<p>By implementing these best practices, you\u2019ll enhance your security and help ensure responsible AI usage within your organization.<\/p>\n
<h3>Simplifying CDP Enforcement: Leveraging DNS Policy Engines<\/h3>\n<p>I think I\u2019ve shown that the most straightforward approach to enforcing the Commercial Data Protection (CDP) policy is to use a DNS policy enforcement engine. This can be achieved through response policy zones in systems like BIND and BIND-based setups. This is not an option in a purely Microsoft DNS environment, as its policy feature lacks support for a redirect action upon a match.<\/p>\n<p>By leveraging non-Microsoft DNS, we can redirect traffic that might otherwise hit the public-facing side of Copilot toward the protected Copilot environment. This redirection ensures that Commercial Data Protection is enforced without risking accidental misconfigurations that could either leak internal information or inadvertently block all of Microsoft.com or Bing.com.<\/p>\n<p>Feel free to ask if you need further clarification or have additional questions! \ud83d\ude0a<\/p>\n<h3>For Additional Information<\/h3>\n<p>Microsoft CDP Instructions<br \/><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/manage#require-commercial-data-protection-in-\" rel=\"noopener\" target=\"_blank\">https:\/\/learn.microsoft.com\/en-us\/copilot\/manage#require-commercial-data-protection-in-<\/a><\/p>\n<p>Infoblox BloxOne Threat Defense<br \/><a href=\"https:\/\/www.infoblox.com\/products\/bloxone-threat-defense\/\" rel=\"noopener\" target=\"_blank\">https:\/\/www.infoblox.com\/products\/bloxone-threat-defense\/<\/a><\/p>\n<p> <a href=\"https:\/\/blogs.infoblox.com\/security\/how-to-implement-commercial-data-protection-for-copilot-using-infoblox-dns\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a commercial user of Microsoft\u2019s generative AI system, 
Copilot,<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2018,2034,2036,78,1618,30,793,2035,42],"tags":[2019,2037,2039,86,870,38,803,2038,50],"class_list":["post-3538","post","type-post","status-publish","format-standard","hentry","category-bloxone-threat-defense-b1td","category-commercial-data-protection-cdp","category-copilot-security","category-cybersecurity","category-data-breach","category-dns","category-information-security","category-microsoft-copilot","category-security","tag-bloxone-threat-defense-b1td","tag-commercial-data-protection-cdp","tag-copilot-security","tag-cybersecurity","tag-data-breach","tag-dns","tag-information-security","tag-microsoft-copilot","tag-security"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bloxone-threat-defense-b1td\/\" rel=\"category tag\">BloxOne\u00ae Threat Defense B1TD<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commercial-data-protection-cdp\/\" rel=\"category tag\">Commercial Data Protection CDP<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/copilot-security\/\" rel=\"category tag\">CoPilot Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breach\/\" rel=\"category tag\">data breach<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/information-security\/\" rel=\"category tag\">information security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft-copilot\/\" rel=\"category tag\">Microsoft CoPilot<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/security\/\" rel=\"category tag\">Security<\/a>","tag_info":"Security","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3538"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3538\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}