In the previous article, “Azure Computer Vision Baseline”, we went over an industry-standard security baseline for the deployment of Azure Computer Vision. In this article, we’ll go over requirements and guidelines, and share an example security baseline for Azure Bot Service.
Azure Bot Service provides an integrated development environment for bot building. Its integration with Power Virtual Agents, a fully hosted low-code platform, enables developers of any technical ability to build conversational AI bots—no code needed.
Azure Bot Service and Azure Bot Framework provide tools to build, test, deploy, and manage intelligent bots, all in one place.
Baseline considerations are based on the security principles provided by stakeholders. Every item in the baseline covers one security-relevant configuration parameter of the service and tells consumers what to do and what not to do when setting the service up.
For each configuration item we give its name, the requirement, and the accompanying guidelines.
- Encrypt sensitive information in transit.
  - Enforce TLS 1.2 for service endpoints exposed over HTTPS.
  - With the security protocol enforced, consumers calling a Form Recognizer service endpoint should adhere to these guidelines.
- Resource group requirements.
  - Use the same region for the resource, resource group, and subscription.
Firewall Configuration Requirements
- Internet IP ranges are not allowed.
- The allowed IP address subnet range within the network should be reviewed and approved through the design review process.
- Access to the service.
  - Public access to the service is not allowed; opt into the selected networks and configure network security for your cognitive resource.
  - Restrict access to the specific subnets from which the service will be reached.
- Encryption at rest.
  - Use customer-managed keys.
- Docker container requirements.
  - Must use Docker Container Read OCR, as it is generally available.
- Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces.
  - Turn on NSG flow logs and enable Traffic Analytics.
- Authenticate console services and data sources using Azure native security services.
  - Authentication to data sources should be through a system-assigned managed identity.
  - API keys should be stored in a key vault as secrets.
  - You can either create your own keys and store them in the key vault, or use the Key Vault APIs to generate them.
- Collect platform logs and operation logs.
  - Logs must be stored in a Gas Power Cyber approved logging destination.
- All bot services must be tagged with a valid UAI.
  - Use lowercase name and value.
- All bot services must be tagged with a tag corresponding to the application environment.
  - Follow the Cloud Controls Matrix document for valid environment names.
  - Use lowercase name and value.
App name Tag
- Applications must be tagged with the application short-name where applicable.
  - For example, your key may be called “appname”, and your value may be “ABC123”.
- Follow a standard, established naming convention.
  - Refer to your own Naming & Tagging standards.
- Deny public internet access.
  - Ensure the key vault is accessible only over the client’s private network.
Standard Network Configuration
- Apply a standard vnet, subnet, and NSG configuration.
  - Refer to your own network baseline configuration.
IAM RBAC Configuration
- Apply standard RBAC definitions for speech services and assign them to users.
  - Follow a least-privilege access model.
API Key Rotation
- Keys should be rotated periodically.
  - Regenerate keys regularly and store them in the key vault.
- Use “Standard” pricing for production use cases that require 20 calls per minute and 5,000 calls per month.
  - For high endpoint traffic from your published app, it is recommended to upgrade to an S1 resource.
- Use a storage account for pre-scan files.
  - Configure CORS settings in the storage account, and secure the storage account so that traffic is restricted to specific virtual networks and IP addresses only.
Backup and Recovery
- Ensure regular automated backups.
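As an added example (not code from the original article, from ISmile Technologies, or from Microsoft), the following Python audit checks an exported Bot Service resource definition against several of the rules above: public network access, customer-managed keys, managed-identity authentication, tagging, and the production SKU. Property names follow the Microsoft.BotService/botServices ARM schema (which exposes a user-assigned identity through msaAppType, so the identity check accepts that); the two sample resources and the approved environment list are constructed placeholders.

```python
import re
# Constructed samples in the shape `az bot show` returns for Microsoft.BotService/botServices; IDs and URLs are placeholders.
COMPLIANT_BOT = {
    "sku": {"name": "S1"},
    "tags": {"appname": "abc123", "environment": "prod"},
    "properties": {
        "publicNetworkAccess": "Disabled",
        "isCmekEnabled": True,
        "cmekKeyVaultUrl": "https://example-kv.vault.azure.net/keys/bot-cmk/1",
        "msaAppType": "UserAssignedMSI",
        "msaAppMSIResourceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/bot-identity",
    },
}
QUICKSTART_BOT = {  # typical portal quick-start defaults, before hardening
    "sku": {"name": "F0"},
    "tags": {"AppName": "ABC123", "environment": "production"},
    "properties": {"publicNetworkAccess": "Enabled", "msaAppType": "MultiTenant"},
}

# Assumed stand-in for the environment names listed in the Cloud Controls Matrix.
VALID_ENVIRONMENTS = {"dev", "test", "uat", "prod"}
LOWERCASE = re.compile(r"^[a-z0-9][a-z0-9-]*$")  # "lowercase name and value" tag rule

def audit_bot(resource: dict) -> list[str]:
    # Returns the list of baseline findings for one bot resource; empty means compliant.
    findings = []
    props = resource.get("properties", {})
    tags = resource.get("tags", {})
    sku = resource.get("sku", {}).get("name", "")
    # Access to the service: no public access, only the selected networks.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess must be Disabled")
    # Encryption at rest with a customer-managed key held in Key Vault.
    if not (props.get("isCmekEnabled") and props.get("cmekKeyVaultUrl")):
        findings.append("customer-managed key not configured (isCmekEnabled/cmekKeyVaultUrl)")
    # Authenticate with a managed identity instead of a shared app secret.
    if props.get("msaAppType") != "UserAssignedMSI" or not props.get("msaAppMSIResourceId"):
        findings.append("bot should use a managed identity (msaAppType=UserAssignedMSI)")
    # Tagging: appname and environment present, lowercase name and value, approved environment.
    findings += [f"missing required tag '{k}'" for k in ("appname", "environment") if k not in tags]
    for name, value in tags.items():
        if not (LOWERCASE.match(name) and LOWERCASE.match(str(value))):
            findings.append(f"tag '{name}={value}' must use lowercase name and value")
    env = tags.get("environment")
    if env is not None and env not in VALID_ENVIRONMENTS:
        findings.append(f"environment tag '{env}' is not an approved environment name")
    # Production bots with real traffic belong on the S1 (Standard) SKU, not the free F0 tier.
    if env == "prod" and sku != "S1":
        findings.append(f"production bot on SKU '{sku}'; baseline expects S1")
    return findings
```

Running `audit_bot` over every resource from an ARM export gives a per-bot findings list that can be fed into a design review or a pipeline gate.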
Although this is not a comprehensive list of considerations for building a baseline for any cloud resource, these considerations are sufficient for an Azure Bot Service baseline configuration. For each resource in any business, such considerations must be made according to the stakeholders’ security principles.
A technology enthusiast passionate about automation, Gabriel Chutuape is a Cloud Engineer at ISmile Technologies. He is part of the ISmile Technologies cloud enablement team, which helps customers with design, solution and project engineering, integrating and implementing infrastructure technologies and services.
AZURE CLOUD ARCHITECT
Karthik Srinivas is a working Information Technology professional and part of operations. He contributes to streamlining the technology services and operational activities to meet business requirements and beyond.