Use Endpoint DLP to prevent generative AI data exposure


In today's digital landscape, where data breaches and online threats are increasingly common, understanding effective strategies for safeguarding sensitive information is critical, especially for organizations using generative AI. Microsoft Purview Endpoint Data Loss Prevention (DLP) plays a key role here by detecting sensitive data on the device and preventing it from being exposed to destinations, such as generative AI websites, that the organization has not approved.

Understand endpoint DLP and browser restrictions

Endpoint DLP protects devices running Windows 10/11 and macOS by extending DLP monitoring and enforcement to the device itself. It monitors and safeguards sensitive information across various applications and activities, including web browsers. Endpoint DLP works natively with Microsoft Edge for comprehensive monitoring and control. For Google Chrome and Mozilla Firefox, the Microsoft Purview extension must be installed before DLP policies can be enforced in those browsers. With the extension in place, administrators can monitor and restrict actions such as copying, pasting, and uploading sensitive data within these browsers, which keeps data protection consistent across different browsing environments.

Once you understand how endpoint DLP operates with browser activities, the next step is configuring these restrictions to fit your organization’s needs.

Configure data pasting and upload restrictions

Administrators can customize restrictions based on organizational needs by choosing to monitor or block data pasting and uploading actions. For example, when configuring an endpoint DLP policy, enabling the Paste to supported browsers option can prevent sensitive data from being pasted into specific web applications, reducing the risk of unauthorized data sharing. Similarly, selecting Upload to a restricted cloud service domain helps control data uploads to untrusted cloud services, ensuring that confidential information stays within approved environments.

Endpoint DLP allows administrators to apply these restrictions using the built-in Generative AI Websites service domain group, which streamlines policy implementation and covers most generative AI use cases without requiring administrators to enumerate individual sites. For a full list of supported generative AI websites, see List of AI sites supported by Microsoft Purview AI Hub. Where the built-in group does not cover a requirement, administrators can still create custom service domain groups for additional or unique sites as needed.

Policies can also be configured to restrict data transfer from internal documents to external websites. This helps prevent data exposure and maintains security across:

  • Generative AI websites: These platforms could process and store input data, potentially leading to unintentional data retention. Restricting data pasting and uploading helps protect sensitive information and aligns with data policies.
  • Personal email accounts: These accounts might not have the same level of encryption and authentication as your work email, and might be vulnerable to hacking or phishing.
  • Social media sites: These sites might expose your data to the public or to third parties who might misuse it for advertising or other purposes.

Blocking these actions helps organizations:

  • Prevent data exposure: Avoid accidental or intentional sharing of sensitive data with unauthorized parties or platforms.
  • Comply with data protection regulations: Follow industry rules and standards regarding data security and privacy.
  • Enhance data security: Reduce the risk of data breaches, leaks, or losses that could harm the organization or its customers.

Consider a scenario where you need to prevent sensitive customer information from being shared outside of secure environments. You configure an endpoint DLP policy to restrict pasting and uploading actions for confidential data into nonsecure websites, including generative AI tools. When a user attempts to paste or upload sensitive content to an unauthorized platform, the policy intervenes and blocks the action. A policy tip can be configured to display a message such as "This action is prohibited by your organization's data policy. Please contact your administrator for more information." This proactive measure ensures that sensitive information remains protected and aligns with data security regulations while giving users clear guidance on why the action was blocked.

Get started with endpoint DLP configuration

To configure data pasting and uploading restrictions in an endpoint DLP policy, follow these steps. Supported browsers include:

  • Microsoft Edge (works natively)
  • Google Chrome (requires Microsoft Purview extension)
  • Mozilla Firefox (requires Microsoft Purview extension)

Note

For evidence collection for file activities on devices, ensure your Antimalware Client Version is updated, as older versions might display source files with random characters. Download the file to view it correctly.

Create your DLP policy for restricting AI tools

  1. Create a DLP policy scoped to Devices. For detailed instructions, see Create and Deploy data loss prevention policies.

  2. On the Define policy settings page in the DLP policy creation flow, select Create or customize advanced DLP rules and then choose Next.

  3. On the Customize advanced DLP rules page, select Create rule.

  4. Enter a name and description for the rule.

  5. Expand Conditions, choose Add condition, and then select the Sensitive info types.

  6. Under Content Contains, scroll down and select the new sensitive information type that you previously chose or created.

  7. Scroll down to the Actions section, and choose Add an action.

  8. Select Audit or restrict activities on devices.

  9. In the Actions section, under Service domain and browser activities, select the checkbox next to Upload to a restricted cloud service domain or access from an unallowed browser, the checkbox next to Paste to supported browsers, or both, depending on the restrictions you need to enforce.

    Screenshot showing the service domain and browser activity options in data loss prevention setup.

  10. Select + Choose different restrictions for sensitive service domains.

  11. In the Sensitive service domain restrictions flyout, select + Add group.

  12. On the Choose sensitive service domain groups page, select the checkbox for Generative AI Websites to apply the built-in group.

    Screenshot showing the built-in Generative AI Websites service domain group.

  13. Select Add at the bottom of the page.

  14. On the Sensitive service domain restrictions page, you can set a restriction like Audit, Block, Block with override, or Allow that applies to the selected service domain group within the policy. This step configures how the policy handles these service domains.

  15. Select Save to configure the sensitive service domain restriction.

  16. On the rule configuration page, you specify the restriction action (Audit, Block, or Block with override) that applies when the condition in the rule is met, providing more targeted enforcement based on the rule's conditions.

  17. Select Save at the bottom of the rule configuration window.

  18. Select Next on the Customize advanced DLP rules page.

  19. Select whether you want to run your policy in simulation mode, turn it on right away, or keep it off, and then select Next.

  20. Select Submit to create your endpoint DLP policy.
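The procedure above and the scenario in the previous section describe how a device rule with a sensitive information type condition, the paste and upload activities, a service domain group restriction and a rule-level action combine into an enforcement decision. The following is an added illustrative model of that decision logic, not Purview's own code; the domain group membership, the sensitive information type names and the rule that simulation mode downgrades every outcome to Audit are assumptions made for the example.

```python
from dataclasses import dataclass

# Browser support as described on the page: Edge is native, Chrome and Firefox
# need the Microsoft Purview extension before any policy is enforced.
NATIVE_BROWSERS = {"edge"}
EXTENSION_BROWSERS = {"chrome", "firefox"}

# Constructed membership for the built-in group; the real list is published
# in the Purview documentation and is not reproduced here.
DOMAIN_GROUPS = {
    "Generative AI Websites": {"chat.example-ai.test", "assistant.example-llm.test"},
}

POLICY_TIP = ("This action is prohibited by your organization's data policy. "
              "Please contact your administrator for more information.")


@dataclass
class EndpointRule:
    sensitive_info_types: set      # condition: "Content contains" (step 5-6)
    activities: set                # subset of {"paste", "upload"} (step 9)
    group_restrictions: dict       # group name -> Audit/Block/Block with override/Allow (step 14)
    default_action: str = "Audit"  # rule-level action for other domains (step 16)


def group_for(domain):
    """Return the service domain group a domain belongs to, or None."""
    return next((g for g, members in DOMAIN_GROUPS.items() if domain in members), None)


def evaluate(rule, browser, has_extension, activity, domain, detected_sits, mode="on"):
    """Return (outcome, message) for one paste/upload event.

    Outcomes: "not enforced", "Allow", "Audit", "Block", "Block with override".
    mode mirrors step 19: "on", "simulation" or "off".
    """
    if mode == "off":
        return ("not enforced", "policy is off")
    if browser in EXTENSION_BROWSERS and not has_extension:
        return ("not enforced", "Microsoft Purview extension missing in " + browser)
    if browser not in NATIVE_BROWSERS | EXTENSION_BROWSERS:
        return ("not enforced", "browser not supported by endpoint DLP")
    if not (rule.sensitive_info_types & set(detected_sits)):
        return ("Allow", "no matching sensitive info type")
    if activity not in rule.activities:
        return ("Allow", "activity not covered by the rule")
    outcome = rule.group_restrictions.get(group_for(domain), rule.default_action)
    if mode == "simulation":  # assumption: record what would happen, enforce nothing
        return ("Audit", "simulation mode: would " + outcome)
    return (outcome, POLICY_TIP if outcome.startswith("Block") else "")
```

Running the model against a rule that blocks the Generative AI Websites group and audits everything else shows the extension gap for Chrome and Firefox directly: the same paste is blocked in Edge but passes unenforced in Chrome until the extension is installed.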