Azure Bot Service Baseline

In the previous article, “Azure Computer Vision Baseline”, we went over an industry-standard security baseline for the deployment of Azure Computer Vision. In this article, we’ll go over requirements and guidelines, and share an example security baseline for Azure Bot Service.

Description  

Azure Bot Service provides an integrated development environment for bot building. Its integration with Power Virtual Agents, a fully hosted low-code platform, enables developers of any technical ability to build conversational AI bots—no code needed. 

Azure Bot Service and the Bot Framework SDK provide tools to build, test, deploy, and manage intelligent bots, all in one place. 

Baseline  

Baseline considerations are derived from the security principles set by stakeholders. Each decision in the baseline addresses one security parameter of a configuration related to the service, and tells consumers what to do and what not to do when setting up that service.  

For each item we describe the configuration name, the requirement, and the guidelines.

Data Encryption

  • Encrypt sensitive information in transit. 
  • Enforce TLS 1.2 (or later) for every service endpoint exposed over HTTPS, including the bot's messaging endpoint. 
  • With the protocol enforced, any consumer calling the bot service or the bot endpoint must adhere to these guidelines; clients that cannot negotiate TLS 1.2 are refused. 

Resource Group

  • Resource group requirements. 
  • Deploy each resource in the same region as its resource group, under the designated subscription (a subscription has no region of its own; note that the Azure Bot registration itself is a global resource, while its supporting resources such as the App Service, Key Vault, and storage are regional). 

Firewall Configuration Requirements

  • Allow-listing public internet IP ranges is not permitted. 
  • Any allowed IP address or subnet range inside the network must be reviewed and approved through the design review process. 


Network Type

  • Access to the service. 
  • Public access to the service is not allowed: opt the bot into the selected virtual network and configure network security (private endpoint, NSG) for the bot resource. 
  • Restrict access to the specific subnets from which the bot and its dependencies will be reached; do not open whole virtual networks. 

Encryption

  • Encryption at rest. 
  • Use customer-managed keys held in Azure Key Vault for the bot resource and for any state store (for example Cosmos DB or Blob Storage) the bot uses.

Container

  • Docker container requirements. 
  • If the bot's messaging endpoint runs as a Docker container, build it only on generally available (not preview) base images and Bot Framework SDK releases, pulled from an approved registry.

Network Logging

  • Monitor and log the configuration of, and the traffic through, virtual networks, subnets, and network interfaces. 
  • Turn on NSG flow logs and enable Traffic Analytics on the subnets that carry bot traffic.
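The flow-log and Traffic Analytics configuration described above, as an added Bicep example that is not part of the original article: it enables version 2 NSG flow logs on the NSG of the subnet that fronts the bot, keeps the raw logs for 90 days in a storage account, and turns on Traffic Analytics into a Log Analytics workspace. The Network Watcher, NSG, storage account, and workspace referenced here are placeholders assumed to exist already; the flow log is deployed into the Network Watcher's resource group (NetworkWatcherRG by default) because it is a child resource of the Network Watcher, not of the NSG.

```bicep
// Added example (not from the original article): NSG flow logs plus Traffic Analytics
// for the subnet that fronts the bot's messaging endpoint.
// Assumptions: the Network Watcher 'NetworkWatcher_<region>' exists in NetworkWatcherRG
// (the Azure default), and the NSG, storage account and Log Analytics workspace passed in
// as parameters already exist. All names are placeholders.
targetScope = 'resourceGroup'   // deploy with --resource-group NetworkWatcherRG

@description('Region of the NSG. The flow log and its storage account must be in the same region.')
param location string = 'eastus2'

@description('Resource ID of the NSG attached to the bot subnet.')
param nsgId string

@description('Resource ID of the storage account that receives the raw flow-log JSON.')
param flowLogStorageId string

@description('Name and resource group of the Log Analytics workspace used by Traffic Analytics.')
param workspaceName string
param workspaceResourceGroup string

resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' existing = {
  name: 'NetworkWatcher_${location}'
}

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
  scope: resourceGroup(workspaceResourceGroup)
}

resource botSubnetFlowLog 'Microsoft.Network/networkWatchers/flowLogs@2023-04-01' = {
  parent: networkWatcher
  name: 'fl-bot-subnet'
  location: location
  properties: {
    targetResourceId: nsgId
    storageId: flowLogStorageId
    enabled: true
    // Version 2 records flow state and byte/packet counts, which Traffic Analytics needs.
    format: {
      type: 'JSON'
      version: 2
    }
    // Raw logs stay in the storage account for 90 days; the workspace keeps the analysed data.
    retentionPolicy: {
      days: 90
      enabled: true
    }
    flowAnalyticsConfiguration: {
      networkWatcherFlowAnalyticsConfiguration: {
        enabled: true
        workspaceId: workspace.properties.customerId   // workspace GUID
        workspaceRegion: workspace.location
        workspaceResourceId: workspace.id
        // Processing interval in minutes; 10 is the finer of the two supported values (10 or 60).
        trafficAnalyticsInterval: 10
      }
    }
  }
}

output flowLogId string = botSubnetFlowLog.id
```

Flow logs are regional: the Network Watcher, the NSG, and the storage account must all sit in the same region, and each NSG can carry only one flow log. A deployment error about a region mismatch means one of those three is elsewhere, not that a permission is missing.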

Authentication/Authorization 

  • Authenticate to console services and data sources with Azure native identity (Microsoft Entra ID) rather than shared secrets. 
  • Authenticate the bot's host to its data sources with a system-assigned managed identity; keep connection strings and keys out of code and configuration. 

Keys

  • API keys must be stored in a key vault as secrets, never in code, in clear-text app settings, or in source control. 
  • You can create keys yourself and store them in the key vault, or use the Key Vault APIs to generate them.

Logging

  • Collect platform (resource) logs and activity (operation) logs. 
  • Logs must be sent to the organization's approved central logging destination (for example, the security team's Log Analytics workspace).

UAI Tag

  • All bot services must be tagged with a valid UAI. 
  • Use a lowercase tag name and value. 

Environment Tag

  • All bot services must be tagged with a tag corresponding to the application environment. 
  • Follow the Cloud Controls Matrix document for valid environment names. 
  • Use lowercase name and value.

App name Tag

  • Applications must be tagged with application short-name where applicable. 
  • For example, your key may be called “appname”, and your value may be “ABC123”.

Naming Convention

  • Follow a standard, established naming convention. 
  • Refer to your own Naming & Tagging standards. 

Private Endpoints

  • Deny public internet access. 
  • Expose the bot resource and its key vault only through private endpoints, so that they are reachable only over the client's private network. 
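The Network Type, Encryption, tagging, and Private Endpoints requirements above, brought together in one added Bicep example that is not part of the original article: an Azure Bot resource with public network access disabled, a user-assigned managed identity as its app identity (no app secret), customer-managed key encryption, the three baseline tags in lowercase, and a private endpoint with its private DNS zone for Direct Line traffic. Every name, tag value, and resource ID is a placeholder; the virtual network, the private-endpoint subnet, the managed identity, and the Key Vault key are assumed to exist. One caveat a practitioner needs before applying this: with public network access disabled, the bot is reachable only through Direct Line over the private endpoint (typically via the Direct Line App Service extension); channels such as Teams require public access and will stop working.

```bicep
// Added example (not from the original article): an Azure Bot resource locked to a private
// endpoint, encrypted with a customer-managed key, and carrying the baseline tags.
// All parameter values are placeholders; the referenced VNet, subnet, identity and key exist already.
param location string = 'eastus2'          // region for the regional pieces (private endpoint, DNS link)
param botName string = 'bot-abc123-prd'    // follows your naming standard
param uai string = 'uai1234567'            // placeholder UAI value
param environment string = 'prd'
param appShortName string = 'abc123'
param vnetId string                        // existing VNet that hosts the private endpoint
param peSubnetId string                    // subnet in that VNet reserved for private endpoints
param botIdentityId string                 // existing user-assigned managed identity (the bot's app identity)
param botIdentityClientId string           // its client ID (becomes the bot's Microsoft App ID)
param cmekKeyUrl string                    // https://<vault>.vault.azure.net/keys/<key>/<version>

// Tag block reused by every resource: lowercase names and values, per the baseline.
var baselineTags = {
  uai: uai
  environment: environment
  appname: appShortName
}

resource bot 'Microsoft.BotService/botServices@2022-09-15' = {
  name: botName
  location: 'global'                       // Azure Bot registrations are global resources
  kind: 'azurebot'
  sku: { name: 'S1' }                      // Standard tier for production
  tags: baselineTags
  properties: {
    displayName: botName
    endpoint: 'https://app-${appShortName}-${environment}.azurewebsites.net/api/messages'
    // Identify the bot to the channel service with a managed identity instead of an app secret.
    msaAppType: 'UserAssignedMSI'
    msaAppId: botIdentityClientId
    msaAppMSIResourceId: botIdentityId
    msaAppTenantId: tenant().tenantId
    // Deny public internet access; clients reach the bot only through the private endpoint below.
    publicNetworkAccess: 'Disabled'
    // Encrypt bot metadata at rest with a key you control. The vault holding the key must have
    // soft delete and purge protection on and must allow trusted Microsoft services through its firewall.
    isCmekEnabled: true
    cmekKeyVaultUrl: cmekKeyUrl
  }
}

// Private endpoint for the 'Bot' group (Direct Line). A second endpoint with groupIds: [ 'Token' ]
// and zone privatelink.token.botframework.com is needed if clients fetch Direct Line tokens privately.
resource botPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${botName}-bot'
  location: location
  tags: baselineTags
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'pls-${botName}-bot'
        properties: {
          privateLinkServiceId: bot.id
          groupIds: [ 'Bot' ]
        }
      }
    ]
  }
}

// Private DNS zone so the public Direct Line hostname resolves to the private IP inside the VNet.
resource botDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.directline.botframework.com'
  location: 'global'
  tags: baselineTags
}

resource botDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: botDnsZone
  name: 'link-${last(split(vnetId, '/'))}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnetId }
    registrationEnabled: false
  }
}

resource botDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: botPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'directline'
        properties: { privateDnsZoneId: botDnsZone.id }
      }
    ]
  }
}
```

After deployment, verify from a VM inside the linked VNet that `directline.botframework.com` resolves to an address in the private-endpoint subnet; if it still resolves to a public IP, the DNS zone link or the zone group is missing and traffic is leaving the network.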

Standard Network Configuration

  • Apply a standard vnet, subnet, and NSG configuration. 
  • Refer to your own network baseline configuration. 

IAM RBAC Configuration

  • Apply standard RBAC role definitions for the bot service and its supporting resources, and assign them to users and workload identities at the narrowest scope that works. 
  • Follow the least-privilege access model. 

API Key Rotation

  • Keys and secrets must be rotated periodically. 
  • Regenerate keys regularly, store each new version in the key vault, and set an expiry on every secret so that stale credentials surface in monitoring. 
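The Data Encryption, Authentication/Authorization, Keys, Logging, IAM RBAC, and API Key Rotation requirements above, as one added Bicep example that is not part of the original article: the App Service that hosts the bot's messaging endpoint gets a system-assigned managed identity, HTTPS-only with TLS 1.2 as the minimum, a least-privilege role assignment on one Key Vault, an app setting that reads an API key from that vault by reference, and a diagnostic setting that ships the vault's audit log to Log Analytics. Names, the secret name `downstream-api-key`, and the tag values are placeholders; the App Service plan, the Log Analytics workspace, and a private endpoint for the vault (same pattern as for the bot resource) are assumed to exist.

```bicep
// Added example (not from the original article): the bot's App Service, its Key Vault,
// and the managed-identity / RBAC / logging wiring between them.
// Placeholders throughout; the App Service plan and workspace are assumed to exist.
param location string = resourceGroup().location
param appName string = 'app-abc123-prd'
param vaultName string = 'kv-abc123-prd'
param planId string                 // existing App Service plan
param workspaceId string            // existing Log Analytics workspace (approved logging destination)

var tags = {
  uai: 'uai1234567'
  environment: 'prd'
  appname: 'abc123'
}

// Built-in role 'Key Vault Secrets User': read secret values only, no key, certificate or management rights.
var keyVaultSecretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource botApp 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  tags: tags
  kind: 'app'
  identity: { type: 'SystemAssigned' }   // no stored credential for the app to leak
  properties: {
    serverFarmId: planId
    httpsOnly: true                       // plain HTTP is redirected, never served
    siteConfig: {
      minTlsVersion: '1.2'                // TLS 1.0/1.1 handshakes are rejected at the front end
      ftpsState: 'Disabled'               // no FTP/FTPS deployment path
    }
  }
}

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  tags: tags
  properties: {
    tenantId: tenant().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true         // RBAC instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true           // deleted secrets cannot be purged during retention
    publicNetworkAccess: 'Disabled'       // reachable only through a private endpoint
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Scope the role assignment to this one vault, not to the resource group or subscription.
resource appReadsSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, botApp.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: botApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// The API key for a data source the bot calls is resolved from the vault at runtime.
// No version is pinned, so writing a new secret version rotates the key without redeploying.
resource appSettings 'Microsoft.Web/sites/config@2023-01-01' = {
  parent: botApp
  name: 'appsettings'
  properties: {
    DOWNSTREAM_API_KEY: '@Microsoft.KeyVault(VaultName=${vaultName};SecretName=downstream-api-key)'
  }
  dependsOn: [ appReadsSecrets ]
}

// Forward vault audit events (every secret read, policy change and failure) to the workspace.
resource vaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-${vaultName}'
  scope: vault
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        categoryGroup: 'audit'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

Two points to check after deploying. First, because the vault denies public access, the App Service needs regional VNet integration into a subnet that can reach the vault's private endpoint, or every Key Vault reference shows as unresolved in the portal. Second, rotation here is "write a new secret version with an expiry set": the unversioned reference picks up the new value on the next refresh (App Service re-resolves references periodically, or immediately on restart), and the old version can then be disabled and its use confirmed absent in the `AuditEvent` log.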

Pricing Tier

  • Use the Standard (S1) pricing tier for production. The Free (F0) tier caps the number of premium-channel messages per month and is suitable only for development and testing. 
  • For high endpoint traffic from your published app, an S1 resource is required.

Storage

  • Use a dedicated storage account for pre-scan files. 
  • Configure the CORS settings on the storage account to the specific origins and methods the bot client needs, and restrict the account's network access to specific virtual networks and approved IP addresses only. 
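The Storage requirements above, together with the Firewall Configuration Requirements earlier on the page, as an added Bicep example that is not part of the original article: a storage account for pre-scan files with TLS 1.2 as the minimum, anonymous access and shared-key access off, a network rule set that denies everything except one bot subnet and one approved IP range, and a single narrow CORS rule on the blob service. The account name, subnet ID, origin, and the IP range (a documentation-only range) are placeholders.

```bicep
// Added example (not from the original article): the pre-scan storage account, locked to one
// VNet subnet and one approved egress range, with a narrow CORS rule for the bot's web client.
// Placeholders throughout; the bot subnet is assumed to carry the Microsoft.Storage service endpoint.
param location string = resourceGroup().location
param storageName string = 'stabc123prd'        // 3-24 lowercase alphanumerics, globally unique
param botSubnetId string                         // subnet hosting the bot app
param approvedIpRange string = '203.0.113.0/24'  // corporate egress range approved in design review
param webChatOrigin string = 'https://chat.example.com'

resource preScanStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  tags: {
    uai: 'uai1234567'
    environment: 'prd'
    appname: 'abc123'
  }
  kind: 'StorageV2'
  sku: { name: 'Standard_ZRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false            // no anonymous container or blob reads
    allowSharedKeyAccess: false             // Entra ID (managed identity) only; account keys are useless
    networkAcls: {
      defaultAction: 'Deny'                 // anything not listed below is refused
      bypass: 'AzureServices'               // trusted Microsoft services (e.g. Defender scanning) still reach it
      virtualNetworkRules: [
        {
          id: botSubnetId
          action: 'Allow'
        }
      ]
      ipRules: [
        {
          value: approvedIpRange            // ipRules accept public IPv4 addresses/CIDRs only
          action: 'Allow'
        }
      ]
    }
  }
}

// CORS on the blob service: one origin, only the verbs the client uses, short preflight cache.
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: preScanStorage
  name: 'default'
  properties: {
    cors: {
      corsRules: [
        {
          allowedOrigins: [ webChatOrigin ]
          allowedMethods: [ 'GET', 'PUT', 'OPTIONS' ]
          allowedHeaders: [ 'content-type', 'x-ms-blob-type' ]
          exposedHeaders: [ 'x-ms-request-id' ]
          maxAgeInSeconds: 300
        }
      ]
    }
    deleteRetentionPolicy: {
      enabled: true                         // soft delete so an accidental or malicious delete is recoverable
      days: 14
    }
  }
}

// A container per purpose keeps RBAC scoping narrow.
resource preScanContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: 'pre-scan'
  properties: { publicAccess: 'None' }
}
```

With shared-key access off, a browser client uploading through the CORS rule needs a user-delegation SAS issued by the bot with its managed identity, so the upload still carries an Entra-backed, short-lived credential rather than an account key. A request from an IP or subnet outside the rule set fails with HTTP 403 `AuthorizationFailure`, which is the quickest way to confirm the deny-by-default rule is in effect.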

Backup and Recovery

  • Ensure regular, automated backups of the bot's state stores and configuration.

Conclusion 

Although this is not a comprehensive list of the considerations that go into a baseline for a cloud resource, it is sufficient for an Azure Bot Service baseline configuration. For every resource in any business, such considerations must be made according to the stakeholders' security principles.

As your trusted partner, ISmile Technologies will ensure that your company’s cloud resource deployment is HIPAA-compliant and secure. For more information, Get Your Free Consultation.

Cloud Engineer

Gabriel Chutuape

A technology enthusiast passionate about automation, Gabriel Chutuape is a Cloud Engineer at ISmile Technologies. He is part of the ISmile Technologies Cloud enablement team, which helps customers with design, solutioning, and project engineering, and with integrating and implementing infrastructure technologies and services.

AZURE CLOUD ARCHITECT

Karthik Srinivas

Karthik Srinivas is a working Information Technology professional and part of operations. He contributes to streamlining the technology services and operational activities to meet business requirements and beyond.
