Securing Enterprise Copilots: A Fresh (and Agent-less) Application Security Approach
Today, we are excited to announce a significant milestone in our journey to secure enterprise copilots and low-code development platforms by launching our new product: the Zenity AI Trust Layer. This new offering provides full security and governance control for enterprise copilots, and in its first step is focused on Microsoft 365 Copilot. The adoption of enterprise copilots is, at its core, a story about low-code application development. Low-code development platforms not only serve as the extension frameworks for enterprise copilots but also work in tandem with them to represent a fundamental shift in how business gets done. It’s no longer just developers building apps and processing data; now, everyone and anyone within the organization can leverage these powerful platforms to drive innovation and efficiency. Here’s a quick timeline of how fast this market has moved in less than 11 months, and what we’ve done to innovate and support our customers’ business enablement efforts.
Timeline of Copilot Security
In November of last year, Zenity embarked on an exciting journey to support Microsoft Copilot Studio. This innovative platform empowers business users of all technical backgrounds to build their own AI apps and copilots using low-code development capabilities. However, with great power comes great responsibility. These low-code copilots and bots are prone to security misconfigurations that traditional application security (AppSec) tools, which rely on code scanning, often fail to detect, because there is no source code for a scanner to read.
In May 2024, we expanded our support to include the extensions and plugins that these same business users can build, with the announcement of our AISPM solution for Microsoft 365 Copilot. These extensions and plugins are susceptible to the same security vulnerabilities as low-code applications and automations, but because they are built within Copilot Studio they present even more danger, owing to the curious nature of AI and the amount of access to corporate data that AI possesses.
Then, just last month, our security research team unveiled groundbreaking research that was covered extensively, showing how easily bad actors can take over Microsoft 365 Copilot via promptware and jailbreaking attacks that allow for remote copilot execution.
Today, after tireless work across our team, Zenity is proud to provide agentless end-to-end security and governance control for Microsoft 365 Copilot, with the following capabilities:
Visibility
Now, with the AI Trust Layer, security teams can visualize how copilots and agents are being used within the enterprise and identify risks in real time. For example, business users might unknowingly expose sensitive data through their interactions with copilots, so that it is taken off-premises; conversely, copilots can also return malicious information when they are taken over by bad actors.
Threat Detection & Prevention
Our agentless Threat Detection & Prevention capabilities detect malicious and suspicious activity involving enterprise and custom copilots in real time. This is crucial, as attackers today can exploit vulnerabilities to gain control over copilots, as highlighted in our recent research on Remote Copilot Execution (RCE) vulnerabilities.
Promptware Prevention
We are now helping enterprises take preventative measures to protect copilots and agents from promptware, disrupting attacks while preserving legitimate file and application access. This is particularly important given the risk of prompt injection attacks, in which malicious actors manipulate copilots into executing harmful commands.
AI Security Posture Management (AI SPM)
Within the Zenity platform, customers can leverage AI SPM capabilities to identify misconfigurations and application security vulnerabilities in extensions, custom copilots, and agents built in Copilot Studio. We resolve least-privilege access issues across business apps like Microsoft 365 to reduce the risk of sensitive data leakage. Our solution fully automates mitigations and manages a remediation process under SLA. This addresses the risk of misconfigurations that can lead to unauthorized access and data breaches.
Remediation
Zenity automatically responds to detected threats and mitigates vulnerabilities. Security teams can author granular, customized policies to fit enterprise needs. This ensures that any detected threats are promptly addressed, minimizing the impact on the organization.
Looking Ahead
The future of work is here, and it involves people building their own copilots and agents. Microsoft, along with other vendors like Salesforce with Agentforce, is enabling this through low-code offerings. As business users continue to gain more power and are given these powerful tools, it is imperative to ensure that security is not compromised. At Zenity, we are committed to ensuring that this future is secure, empowering business users to innovate without compromising on security. I am excited to be hosting a webinar on Tuesday, September 24th at 11am EST to discuss this in further detail. I hope you’ll join me!