How to Implement Commercial Data Protection for Copilot using Infoblox DNS

Share On Facebook
Share On Twitter
Share On Linkedin

As a commercial user of Microsoft’s generative AI system, Copilot, you’re likely aware of its incredible capabilities. However, with great power comes great responsibility, especially regarding data protection and privacy. In this blog post, I will explore the risks of using Copilot without proper Commercial Data Protection (CDP) and discuss how to address them.

The Risks

Data Leakage and Privacy Concerns
Sensitive information might be shared during conversations when interacting with Copilot. Without CDP, this data may not be adequately protected. Imagine accidentally leaking customer data, financial records, or trade secrets! Organizations must take steps to prevent data leakage and privacy breaches.

Compliance Violations
Various industries have strict compliance requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Failing to use CDP could result in legal penalties, fines, and damage to your organization’s reputation.

Intellectual Property Risks
Copilot generates code, documents, and other content based on user input. Without CDP, you may unintentionally expose your proprietary code, patented algorithms, or copyrighted material. Protecting intellectual property is crucial to maintaining a competitive advantage.

Loss of Trust and Productivity
If Copilot inadvertently shares sensitive information, users may lose trust in its reliability. Reduced trust can impact your organization’s productivity, collaboration, and overall efficiency.

Reputation Damage
Public perception matters. A data breach or privacy violation due to Copilot could harm your organization’s reputation. Negative publicity may deter potential clients, partners, or investors.

Enhancing Data Protection for Copilot Users: A Practical Guide

Enterprise customers should be sure to validate they are minimizing risks when using this tool, so let’s look at the recommended steps from Microsoft to enforce commercial data protection (CDP) and prevent accidental crosstalk to the public system.

Enforcing Commercial Data Protection

Enable the ‘Commercial Data Protection for Microsoft Copilot’ Service Plan:

  • Ensure that eligible users have activated this service plan.
  • This step establishes the necessary boundaries for Copilot’s operation within a commercial context.

Preventing Use without CDP

To prevent users from accessing Copilot without CDP, Microsoft suggests you update your DNS configuration:

  • For Copilot in Bing, Edge, and Windows, Update your DNS configuration by setting the DNS entry for www.bing.com to be a CNAME for nochat.bing.com.
  • For copilot.microsoft.com and the Copilot mobile app: Update your DNS configuration by setting the DNS entry for copilot.microsoft.com to be a CNAME for cdp.copilot.microsoft.com.

DNS configuration in Windows according to Microsoft:

One small issue: You can’t create CNAME records out of thin air, or simply drop them in other people’s domains without impacting DNS for those domains! Microsoft currently recommends the following process for their customers:

Create DNS redirects for various Copilot entry points:

  • For Active Directory Domain Services (AD DS): Deploy the DNS Role on a member server. On the newly deployed DNS server, create the following Forward Primary Zones:
    • microsoft.com
    • bing.com
  • Create the following CNAME records in the respective zones:
    • copilot.microsoft.com —> cdp.copilot.microsoft.com
    • www.bing.com —> nochat.bing.com
  • On the AD DNS server, create the following Conditional Forwarders and make AD Integrated:
    • Conditional forwarder for www.bing.com pointing to the new DNS server
    • Conditional forwarder for copilot.microsoft.com pointing to the new DNS server

That’s right – turn DNS on another system, and make it authoritative for microsoft.com and bing.com, so you can punch a ‘hole’ in their DNS!

Whew!

Better Techniques: DNS Firewall

Enterprise network deployments using Copilot should also have some layer of DNS security deployed, it’s important to remember that a proper ‘DNS Firewall’ means you can not only block/allow, but also redirect DNS!

Let’s see what creating those redirects looks like under an Infoblox NIOS system running DNS:

DNS Firewall / Response Policy Zone – On-Prem:

  • Build a redirect DNS Firewall Response Policy Zone for each target (e.g., bing.com, copilot.microsoft.com).
  • Create domain redirect rules to match records and perform necessary redirects (the CNAME targets recommended by Microsoft).
  • Deploy these rules to the forwarding layer DNS appliances.

figure 1

figure 2

If you have a cloud-based system for DNS Policy Enforcement, your instructions will be slightly different, but they will accomplish the same goal.

For Example:

Blox One Threat Defense in the Cloud

  1. Create custom redirect targets for both destinations nochat.bing.com and cdp.copilot.microsoft.com

    2. figure 3

  2. Create custom lists for www.bing.com and copilot.microsoft.com. These are used to match the query we want to redirect.

    3. figure 4

  3. Add the custom lists to your security policies, and pick the correct redirect that you created in the first step.

    4. figure 5

By implementing these best practices, you’ll enhance your security and help ensure responsible AI usage within your organization.

Simplifying CDP Enforcement: Leveraging DNS Policy Engines

I think I’ve shown the most straightforward approach to enforcing the Commercial Data Protection (CDP) policy involves utilizing a DNS policy enforcement engine. This can be achieved through response policy zones in systems like BIND and BIND-based setups. This is not an option in a purely Microsoft DNS environment, as it’s policy feature lacks support for a redirect option upon matching.

By leveraging non-Microsoft DNS, we can redirect traffic that might otherwise hit the public-facing side of Copilot toward the protected Copilot environment. This redirection ensures that Commercial Data Protection is enforced without risking accidental misconfigurations that could either leak internal information or inadvertently block all of Microsoft.com or Bing.com.

Feel free to ask if you need further clarification or have additional questions! 😊

For Additional Information

Microsoft CDP Instructions
https://learn.microsoft.com/en-us/copilot/manage#require-commercial-data-protection-in-

Infoblox BloxOne Threat Defense
https://www.infoblox.com/products/bloxone-threat-defense/

Labels:

Paul Flores

Paul has been a Network and Internet Engineer since 1991, and has spent his career looking for easy buttons for technical problems! He has been at Infoblox for 7 years, and spends his time helping customers solve their DNS and Security related issues.

View All Posts

You might also be interested in

You might also be interested in

×