

This episode explores why data governance must come before enabling Microsoft 365 Copilot, with insights from Khurram Hafeez. It breaks down how sensitivity labels, data loss prevention, and Microsoft Purview reduce the risk of unintended data exposure. You will hear practical guidance on preparing your environment, protecting sensitive information, and managing AI use across Microsoft tools and third‑party AI sites. The focus is on real‑world decisions organisations must make to safely adopt Copilot at scale.
🎙 Full Show Notes
https://www.microsoftinnovationpodcast.com/834
👉 What you’ll learn
- Why Copilot increases the impact of poor data governance
- How sensitivity labels affect what Copilot can access and summarise
- When to use DLP versus inline DLP for AI risk management
- How organisations can limit data sharing with third‑party AI tools
- What licensing choices matter for Copilot and Purview governance
✅ Highlights
- “With the intro of the AI, the importance of the data governance compliance has much increased.”
- “The first defense layer that you should be apply, that is the sensitivity label.”
- “If a user doesn’t have permission, Copilot can’t actually extract the data.”
- “Standard policy actually is not sufficient these days.”
- “Users copy and paste or upload a sensitive file to third‑party AI sites.”
- “Inline DLP policy is one step ahead of endpoint DLP policy.”
- “Microsoft focus not to block something, to protect something.”
- “Before enabling the copilot, they ensure that their environment is ready.”
- “Copilot certainly honors the permissions the user have.”
🧰 Mentioned
- Microsoft 365 Copilot: https://learn.microsoft.com/microsoft-365/copilot/
- Microsoft Entra Suite: https://www.microsoft.com/security/business/microsoft-entra-suite
- E5 licence: https://www.microsoft.com/microsoft-365/enterprise/e5
- Pay‑as‑you‑go Purview licensing: https://learn.microsoft.com/purview/purview-billing-models
- ChatGPT: https://chatgpt.com/
- Gemini: https://gemini.google.com/
- DeepSeek: https://www.deepseek.com/
- Microsoft MVP YouTube Series - How to Become a Microsoft MVP: https://www.youtube.com/playlist?list=PLzf0yupPbVkqdRJDPVE4PtTlm6quDhiu7
✅ Keywords
microsoft copilot, microsoft purview, data governance, sensitivity labels, data loss prevention, inline dlp, endpoint dlp, ai security, m365 e5, third party ai, information protection, enterprise ai
Thanks for listening 🚀 - Mark Smith
00:00 - Why Copilot Changes the Data Risk Equation
10:25 - The Real Fear Holding AI Adoption Back
13:29 - Sensitivity Labels: The First Line of Defence
15:19 - How Copilot Respects Permissions in Practice
16:29 - Why Traditional DLP Is No Longer Enough
18:14 - Inline DLP and Blocking AI Data Leaks in Real Time
21:34 - Licensing Decisions That Impact AI Governance
00:00:06 Mark Smith
Welcome to the MVP show. My intention is that you listen to the stories of these MVP guests and are inspired to become an MVP and bring value to the world through your skills. If you have not checked it out already, I do a YouTube series called How to Become an MVP. The link is in the show notes. With that, let's get on with the show. Welcome back to the MVP show. Today, I'm joined by Khurram from Pakistan. Khurram, welcome to the show.
00:00:42 Khurram Hafeez
Thank you, sir.
00:00:44 Mark Smith
Thank you for joining me. I always like to start with food, family, and fun. What do you get up to when you're not doing IT things?
00:00:53 Khurram Hafeez
Yeah, I'm based in Pakistan. So being an Asian, actually, we like some delicious food like biryani. So that is very famous around the world as well. So some other foods like chicken gravy, we call it. So these are very famous food here. And if I talk about the fruits, we have very delicious mangoes food. And one of the quality actually we called Chonsa. That is awesome in a taste actually. We export, Pakistani export the mangoes and Pakistani brand Chonsa is very delicious.
00:01:48 Mark Smith
Interesting, interesting. And your family.
00:01:52 Khurram Hafeez
Yeah, I live with my family, my wife, my kids. And actually, in the Asian culture, our parents also live with us.
00:02:08 Mark Smith
I think that's important. I think that one of the things that the West has got wrong is separating families as they grow. My wife and I have discussed this recently as something that we want to change in our household. We won't be in a hurry to kick the kids out, but create an environment where they leave when they want to leave. It's not a forced thing. My parents have passed, both of them, so we don't have the elderly in the home, of course, at all. But I like that about your culture. Tell me a bit, just before we get started, I want to know a bit more about Pakistan. One of the stats I've seen recently, it's one of the highest usage of solar, as in people putting solar on their homes. And I've just put a solar system in, that's why I was researching it on my house. And I hear that Pakistan is one of those countries that have done a lot where people install their own solar systems to become energy efficient and less energy dependent on the state. Is that the case? Are you seeing a lot of solar go up around your area?
00:03:15 Khurram Hafeez
That's correct, actually. Unfortunately, actually, the electricity government provide is not cheap. They apply many taxes. So the people actually started converted to solar system due to we have four seasons in Pakistan and we have a lot of sunlight and we use solar system. Even I am also using a solar system on my house as well.
00:03:47 Mark Smith
Nice. So can I just ask a little bit about it because it's such an interesting topic to me. Do you have batteries or do you just go straight to, you have batteries?
00:03:58 Khurram Hafeez
Yeah, we use, actually, we, the people actually, most of the people actually who install the solar system, they export the electricity to government. And we, we also installed lithium batteries for the backup, and they provide a very good backup. So these days, lithium batteries, combination of lithium batteries with the solar system is very efficient. And there are a few examples as well where a few houses actually build their battery bank. They completely cut off the electricity provided by the government. They actually use the solar system in a daylight and in the night they use their battery bank for the electricity backup and battery bank not only provide electricity like to for the energy bulbs are kind. We actually, we have a very hot season. We use air conditioners and other stuff as well. So few people, they build a battery bank. They completely cut off the electricity there.
00:05:19 Mark Smith
Yeah, that's the same as what I've done. Like right now, I'm, it's an overcast day, but I'm relying on my batteries and I have my batteries set to give me all my energy through the night. They charge in the day. I'm still connected to the state supplied electricity, but I virtually never take power from it. I always push power back onto it. Yeah. Yeah, I like it. I like the independence, not relying on the main supplies. Tell me a bit about your region in Pakistan that you're in.
00:05:59 Khurram Hafeez
I'm based in Lahore.
00:06:01 Mark Smith
What's it known for?
00:06:04 Khurram Hafeez
Lahore is very close to actually with the Indian border. Actually, Indian and Pakistan border connected to Lahore. I think hardly 40 kilometer away actually the Indian border is start and Indian territory start. So I'm very close to Indian border. Lahore is a big city in Pakistan. There are a few big cities, one of the big cities, the first one is Karachi, then Islamabad is our capital city and Lahore is one of the big cities and it is hub of the IT and universities as well.
00:06:52 Mark Smith
Interesting. Yeah, I was wondering that, like, was it a big high IT density? I have, you know, I use a lot of offshore labor and the person that maintains all my websites is all from Pakistan, my business.
00:07:07 Khurram Hafeez
There are many, actually, IT set up here industries that those are working outside of the country, particularly many setups are here who support US-based customers, few UK-based customers, and many are supporting Gulf countries as well. Actually, the offshore combination of onshore and offshore is much cheaper and attractive to get new projects as well. So I'm also working last 13 years with the different US-based IT consulting companies. And I'm part of a professional services team where I work with onshore resources as well. But the combination, why actually they build an offshore team and the combination due to, they want to keep actually their budget lows so that they can win the project. And for the delivery point of view, offshore, most of the time, offshore resources are engaged and they deliver the project.
00:08:17 Mark Smith
Asan, I got to ask this because you're the first person I've spoken to since the war in Iran has started. How much do you feel the closeness of that being that you share a border?
00:08:28 Khurram Hafeez
No, actually, we don't have anything regarding the Iran perspective. So though Iran is a Pakistan neighbor country, but we don't have any impact regarding the war, because Pakistan is not involved in this war, not supporting Iran, not supporting U.S. But Pakistan's sympathies certainly are with Saudi Arabia due to a Muslim country. But those sympathy doesn't mean we start attacking Iran. And so we are actually Pakistan. I think it's the right decision to keep neutral, not to engage with Iran. Though we support Saudi Arabia somehow, but we are not part of the war with Iran or any Gulf countries or so.
00:09:31 Mark Smith
I heard your leadership is trying to help broker the peace talks between the two countries.
00:09:37 Khurram Hafeez
Yes. They are trying, they are trying. It's better if it was not that bad.
00:09:42 Mark Smith
You said your alignment is with Saudi because of Muslim religion, but I thought Iran is also Muslim. So both countries are Muslim.
00:09:55 Khurram Hafeez
Both countries are Muslim, yeah.
00:09:58 Mark Smith
Yeah, interesting. Okay, okay. And you know, just bringing up a map, I didn't realize, I don't know why I always thought that Pakistan sat between India and China, not between, like I thought it was more on the western side of India, but it's actually the eastern side of India that Pakistan sits. So I didn't realize that. I just got educated.
00:10:21 Khurram Hafeez
We are on the west side of India.
00:10:25 Mark Smith
Okay, tell me about what you're doing. Your MVP is an M365 copilot. What are you mainly doing in that area? What's been your focus in the last 12 months when it comes to what you're doing in the tech landscape?
00:10:41 Khurram Hafeez
Certainly. So I'm a Microsoft MVP. Last two years, consecutively, Microsoft actually recognized my expertise in this area, and they award me the MVP title in Copilot. And this year, actually, I also focusing Microsoft Purview tag as well. I am going to apply for Microsoft Purview this year. But regarding, so actually, you know, with the intro of the AI, many organizations hesitant to adopt the AI technology. There are some fear factor I observed. Actually, they don't want to expose their data. Organization don't want that. Before the AI actually, there are very organization not well organized information structured. They don't afraid their data unintentionally exposed to the user. They don't want to expose. But with the AI, actually, you just have to give a prompt, and if a user has a permissions, AI actually can reach out the data and can bring back whatever the data you are looking for, so... With the intro of the AI, the importance of the data governance compliance has much increased, and people are organizations are very focusing on before enabling the copilot, they ensure that their environment is ready, their data is protected. Unintentionally, they don't want to expose the data internal user and then external as well. So this is where actually working a lot, ensuring the environment is ready, identify the gaps if they need to be fixed before the implementation of the Copilot. So my focus area these days, Copilot, Microsoft Purview, and data governance.
00:12:55 Mark Smith
I'm interested in talking to you about Microsoft Purview. Like I've talked about it a lot from selling it to organizations, but let's just go a bit deeper. Tell me, when you implement Purview in an organization, what are the kind of steps or processes that you do? Like what do you need to understand from the customer? And then what are the kind of the layers or the steps you go through to apply Purview correctly as a governance tool around their data estate.
00:13:30 Khurram Hafeez
I will talk about the Copilot AI point of view. For the Copilot point of view, the first layer which I observed that is most restrictive is the sensitivity labels. So many organizations actually don't bother to apply the sensitivity. This solution is available for many years. But the implementation of sensitivity label, I found very few organizations. Particularly, I got experience working with the financial organization. They do. They've applied the sensitivity label. Not only Microsoft, there are third-party sensitivity label solutions also available, like I recently I worked with Varonis, sensitivity label implementation and integration with the Microsoft Purview as well. So the first defense layer that you should be apply, that is the sensitivity label. So the second layer which I recommend my customers is a data loss prevention policy. If you are keen to enable the Copilot, you must configure the data loss prevention policy to restrict the Copilot. If you want to restrict Copilot, Copilot teach, you have to implement the data loss prevention policy. So with the data loss prevention policy, standard policy actually is not sufficient these days. So standard policy can restrict Microsoft 360 Copilot. But what happens if users copy and paste or upload a sensitive file or data to third-party AI sites like ChatGPT, Gemini, a few others, DeepSeek. So the organization nowadays have to set up the data loss prevention policies to block users access or users uploading or pasting data in other AI sites as well. So in this scenario, Microsoft actually offered inline DLP policy. With the inline DLP policy, Microsoft restrict the browser access. And within the browser, if user trying to upload a file that has any sensitivity info, Microsoft actually real time detect and block that such kind of operations.
00:16:08 Mark Smith
Just one thing, I just want to go back to the sensitivity labels. How does Copilot honor the sensitivity labels or is it more DLP is where the honoring of the restrictions put that Copilot follows when it comes to like the Microsoft Graph?
00:16:25 Khurram Hafeez
Yeah, Microsoft Copilot certainly honors the permissions the user have. And if a sensitivity label actually doesn't have the permissions, so Copilot can't actually extract the data or summarize any file. If a user tried to summarize any file within Microsoft 365 Copilot and the user doesn't have the permission to read the file, Copilot Active will not bring any data. Copilot actually can let the user know that, hey, this file has a sensitivity label and you don't have a permission to summarize this file. Yeah.
00:17:07 Mark Smith
Right. So that makes sense now. So that's the first line. DLP is more about letting third party... AI tools, as in, well, one of the things it can do, if I understand you correctly, is that you could restrict, for example, if you had deepseek and a staff member was using deepseek, you could reduce the risk of deepseek ingesting documentation out of the corporate environment. Is that right?
00:17:35 Khurram Hafeez
Yeah, that's right. That's right.
00:17:37 Mark Smith
And so if companies wanted to block something like, let's say you didn't want any of your staff to use ChatGPT in the corporate environment, would you block it at a DLP level or at a different level?
00:17:53 Khurram Hafeez
So with the ChatGPT or DeepSeek, you know, these are the websites. So previously what happened actually, there are another DLP policy Microsoft use, the endpoint DLP policies. With the endpoint DLP, Microsoft push agent on the user machines. And the agent actually react, act if something is trying to upload, if a user trying to upload any sensitive information file. But inline DLP policy is one step ahead of endpoint DLP policy. So without, so with the inline DLP policy, it's Microsoft, whenever a user try to... Actually, the Microsoft focus not to block something, to protect something. So the intention with the inline DLP policy is just to restrict the confidential data without blocking anything.
00:18:57 Mark Smith
Yeah, okay, that's great. And is there any other layers then that you work within? As in, so is Purview your main tool that allows you to: one, manage those sensitive labels; two, manage the data loss prevention. Anything else you'd use Purview for?
00:19:18 Khurram Hafeez
Another protection layer is a network level layer as well. Microsoft provides the network level protection as well. So with Microsoft Entra Suite, it is an additional add-on license, not included in any E5 license. So with the network level, Microsoft push an agent on the end user machine. So that agent, what the agent do actually, whenever user try to reach out the internet, it redirect the traffic to Microsoft protected data center or whatever the location actually Microsoft decided. So Microsoft Entra Suite license, actually the agent on the end user machine redirect the traffic to Microsoft and within the Microsoft data center, Microsoft real-time scan what the user is trying to access, what file they are trying to upload, either any sensitive information in the file or anything if that match with the DLP policies, Microsoft immediately kill the connection.
00:20:27 Mark Smith
Yeah, interesting. Okay, you've definitely provided me a lot more clarity of that. And I think it's an important part of anybody implementing M365 Copilot is really to put that governance in place that, you know, Purview provides. And just with licensing of Purview, just correct me if I'm wrong. So that's included in E5 licensing or E3? Microsoft Entra Suite is not included in E5 license, so.
00:21:00 Mark Smith
But isn't Purview part of E5?
00:21:01 Khurram Hafeez
Purview is 2 kind of licensing in Microsoft Purview. So E5 license included the Purview, but there are some features that require pay as you subscription must be set up like if Yeah, pay as you use subscription for the purview. In a scenario actually where you are protecting your environment from the third party AI sites. So in that scenario, you require pay as you use subscription must be enabled for the purview portal, for the purview only. And there are Microsoft also recommend collection policies. For collection policies, that help. So with the collection policy, that help the administrator to look into what prompt user is trying to giving to the AI sites. So with the collection policy, you know, actually there are some audit requirement as well for the organization, what kind of prompts user are trying to give the other AI sites. And the organization want to capture the prompts and the responses as well. So in this regard, Microsoft recommend collection policy. Collection policies for the Microsoft 365 within the M365 Copilot and Chat, these are covered in the ME5 license. But if you want to capture the prompt and responses, a user entered into other AI sites like ChatGPT, Gemini, in that scenario, Microsoft required Microsoft pay-as-you-go Purview license must be available on your environment.
00:22:50 Mark Smith
Khurram, it's been so good talking to you. I've learned so much. I hope that those listening also have gained some insights around these tools and the governance role they play, particularly in M365 Copilot estate. Thank you so much for coming on the podcast.
00:23:06 Khurram Hafeez
My pleasure. It's nice to meet you, Mark.
00:23:12 Mark Smith
Hey, thanks for listening. I'm your host, Business Application MVP Mark Smith, otherwise known as the nz365guy. If you like the show and want to be a supporter, check out buymeacoffee.com/nz365guy. Thanks again and see you next time.




