Azure Computer Vision Baseline

In the previous article, “Azure Form Recognizer Baseline”, we went over an industry-standard security baseline for the deployment of Azure Form Recognizer. In this article, we’ll go over requirements and guidelines and share an example security baseline for Azure Computer Vision.

Description  

Azure Computer Vision can power many digital asset management (DAM) scenarios. DAM is the business process of organizing, storing, and retrieving rich media assets and managing digital rights and permissions. For example, a company may want to group and identify images based on visible logos, faces, objects, colors, and so on. 

Azure Computer Vision gives you access to advanced algorithms that process images and return information based on the visual features you’re interested in.  

Baseline  

Baseline considerations are based on security principles that are provided by stakeholders. Every decision made in the baseline discusses a security parameter of a configuration related to a service. It informs consumers on what to do and what not to do when setting up their service.  

We’ll describe each configuration name, requirements, and guidelines. 

Data Encryption

  • Encrypt sensitive information in transit. 
  • Enforce TLS 1.2 for service endpoints exposed over HTTPS. 
  • With an enforced security protocol, consumers attempting to call a Form Recognizer service endpoint must adhere to these guidelines. 

RG

  • Resource group requirements. 
  • Must use the same region for resources, resource group, and subscription. 

Firewall Configuration Requirements

  • Internet IP ranges are not allowed. 
  • Allowed IP address subnet range within a network should be reviewed and approved with the design review process. 

Network Type

  • Access to the ACV service. 
  • Public access to the service is not allowed; opt into the selected network and configure network security for your cognitive resource. 
  • Restrict access to the specific subnets from which the service will be accessed. 

Encryption

  • Encryption at rest. 
  • Use customer-managed keys.

Container

  • Docker container requirements. 
  • Use the Read OCR Docker container, as it is generally available.

Network Logging

  • Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces. 
  • Turn on NSG flow logs and enable Traffic Analytics.

Authentication/Authorization 

  • Authenticate console services and data sources using Azure native security services. 
  • Authentication to data sources should be through a system-assigned managed identity. 

Keys

  • API keys should be stored in key vaults as secrets. 
  • You can either create your own keys and store them in the key vault, or use the Key Vault APIs to generate keys.

Logging

  • Collect platform logs and operation logs. 
  • Logs must be stored in a Gas Power Cyber approved logging destination.

UAI Tag

  • All search services must be tagged with a valid UAI. 
  • Use lowercase name and value. 

Environment Tag

  • All search services must be tagged with a tag corresponding to the application environment. 
  • Follow the Cloud Controls Matrix document for valid environment names. 
  • Use lowercase name and value.

App name Tag

  • Applications must be tagged with application short-name where applicable. 
  • For example, your key may be called “appname”, and your value may be “ABC123”.

Naming Convention

  • Follow a standard, established naming convention. 
  • Refer to your own Naming & Tagging standards. 

Private Endpoints

  • Deny public internet access. 
  • Ensure the key vault is accessible only over the client’s private network. 

Standard Network Configuration

  • Apply a standard vnet, subnet, and NSG configuration. 
  • Refer to your own network baseline configuration. 

IAM RBAC Configuration

  • Apply standard RBAC definitions for speech services and assign them to users. 
  • Apply a least-privilege access model. 

API Key Rotation

  • Keys should be rotated periodically. 
  • Regenerate keys regularly and store keys in the key vault. 

Pricing Tier

  • Use “Standard” pricing for production use cases that require 20 calls per minute and 5,000 calls per month. 
  • For high endpoint traffic from your published app, upgrading to an S1 resource is recommended.

Storage

  • Use a storage account for pre-scan files. 
  • Configure CORS settings in the storage account, and secure the storage account to restrict traffic from only specific virtual networks and IP addresses. 

Backup and Recovery

  • Ensure regular automated backups.

Conclusion 

Although this is not a comprehensive list of considerations when making a baseline for any cloud resource, it is sufficient for an Azure Computer Vision baseline configuration. For each resource in any business, such considerations must be made according to stakeholder security principles.

As your trusted partner, ISmile Technologies will ensure that your company’s cloud resource deployment is HIPAA-compliant and secure. For more information, Get Your Free Consultation.  

Cloud Engineer

Gabriel Chutuape

A technology enthusiast passionate about automation, Gabriel Chutuape is a Cloud Engineer at ISmile Technologies. He’s part of the ISmile Technologies cloud enablement team, which helps customers with design, solution and project engineering, integrating and implementing infrastructure technologies and services.

AZURE CLOUD ARCHITECT

Karthik Srinivas

Karthik Srinivas is a working Information Technology professional and part of operations. He contributes to streamlining technology services and operational activities to meet business requirements and beyond.
