We recently acquired 200 licenses for Claude enterprise, but we've turned off features like Skills, Code, Cowork, and the Excel add-in due to security worries. Our users are eager to utilize these tools, especially Skills and the Excel features. I'm looking for advice on how we can securely enable access to these tools without risking a security breach. Anyone found a good strategy for this?
3 Answers
The reality is, you can implement the necessary data protection and security review processes. Document the associated risks and move forward. But I wonder, is a managed Claude instance really your only concern? What other unmonitored shadow IT could be lurking around your organization?
One approach is to have users sign off on the features they wish to access. Make sure to inform them about the potential risks and document their acknowledgment. After that, you can proceed with offering those features while keeping records in case you need to reference them later.
While it's true you should document risks, there are tangible technical controls to use. For Skills, implementing Entra OAuth consent policies can help manage which app registrations users can consent to, ensuring that Claude only accesses approved scopes. We’ve set up an admin consent workflow to vet their requests thoroughly before going live. For the Excel add-in, using Purview sensitivity labels can prevent Claude from accessing files marked as Confidential or higher, which adds a layer of security.
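An added example, not part of the answer above: a small audit that checks delegated permission grants exported from Microsoft Graph (`GET /v1.0/oauth2PermissionGrants`) against the scopes approved for one app, so drift from the vetted consent shows up. The service principal ID, the allowlist and the sample records are constructed placeholders.

```python
# Added example: audit delegated permission grants against an approved-scope allowlist.
# All IDs and the allowlist below are constructed placeholders (assumptions).

CLAUDE_SP_ID = "00000000-aaaa-0000-0000-placeholder01"  # hypothetical service principal object id
APPROVED_SCOPES = {"user.read", "files.read"}           # hypothetical vetted scopes, lower-cased

SAMPLE_GRANTS = [  # constructed records using the oauth2PermissionGrant field names
    {"id": "g1", "clientId": CLAUDE_SP_ID, "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp", "scope": " User.Read Files.Read"},
    {"id": "g2", "clientId": CLAUDE_SP_ID, "consentType": "Principal",
     "principalId": "user-17", "resourceId": "graph-sp",
     "scope": "User.Read Files.ReadWrite.All Mail.Read"},
    {"id": "g3", "clientId": "some-other-app", "consentType": "Principal",
     "principalId": "user-02", "resourceId": "graph-sp", "scope": "Mail.Send"},
]


def parse_scopes(scope_field):
    """Graph returns scopes as one space-separated string, sometimes with a leading space."""
    return {s.lower() for s in (scope_field or "").split()}


def audit_grants(grants, client_id, approved):
    """Return one finding per grant to client_id that carries scopes outside the allowlist."""
    findings = []
    for grant in grants:
        if grant.get("clientId") != client_id:
            continue  # other apps are out of scope for this audit
        excess = parse_scopes(grant.get("scope")) - approved
        if excess:
            findings.append({
                "grant_id": grant["id"],
                "consent_type": grant.get("consentType"),
                "principal": grant.get("principalId"),
                "excess_scopes": sorted(excess),
            })
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, CLAUDE_SP_ID, APPROVED_SCOPES):
        print(f"{f['grant_id']} ({f['consent_type']}, principal={f['principal']}): "
              f"unapproved scopes {', '.join(f['excess_scopes'])}")
```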

That's a great point! Often, people fixate on one major tool while overlooking other pressing data security issues that could be less noticeable.