In the previous article, “Azure Speech Translation Service Baseline,” we reviewed an industry-standard security baseline for Azure Speech Translation. This article will review requirements and guidelines and share an example security baseline for Azure Language Understanding, or Azure LUIS.
Azure Language Understanding Intelligent Service, or Azure LUIS, is a cloud-based conversational AI service that applies custom machine learning intelligence to a user’s conversational, natural language text to predict overall meaning and pull relevant detailed information.
Baseline considerations are based on security principles that stakeholders provide. Each decision in the baseline addresses a security parameter of the service configuration and tells consumers what to do and what not to do when setting up their service.
We’ll describe each configuration name, requirements, and guidelines.
- Create private endpoint access to applications and predictions.
- Use private endpoints to secure access to LUIS applications and predictions via Private Link.
- Private endpoints should be used for Authoring & Prediction services.
- Collect network traffic logs and analyze them.
- Turn on NSG flow logs and enable Traffic Analytics.
- Authenticate to console services and data sources using Azure native security services.
- Authenticate to services using AAD IAM RBAC and Managed Identities, either system-assigned or user-assigned.
- API keys should be stored in key vaults as secrets.
- A copy of API key 1 and key 2 should be stored as secrets in key vault.
- Collect platform logs and operation logs.
- Diagnostic settings and Activity Logs should be enabled and stored in a centralized workspace.
- See Azure log analytics for more information.
- All search services must be tagged with a valid UAI.
- Use lowercase name and value.
- All search services must be tagged with a tag corresponding to the application environment.
- Follow Cloud Controls Matrix document for valid environment names.
- Use lowercase name and value.
- Applications must be tagged with application short-name where applicable.
- For example, your key may be called “appname”, and your value may be “ABC123”.
- Follow a standard, established naming convention.
Standard Network Configuration
- Apply a standard vnet, subnet, and NSG configuration.
IAM RBAC Configuration
- Apply standard RBAC definitions for speech service and assign them to users.
- Least access privilege model.
API Key Rotation
- Keys should be rotated periodically.
- Regenerate keys regularly and store keys in key vault.
- Use “Standard” pricing for production use cases that require 50 calls per second on prediction resource.
- For high endpoint traffic from your published app, it is recommended to upgrade to an S0 resource.
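The baseline items above that can be read off the resource itself (private endpoint access, tagging, pricing tier) can be checked automatically. The following is an added example, not code from the article: it audits a resource description shaped like the JSON returned by `az cognitiveservices account show`. The sample resource is constructed, and the tag keys `uai` and `environment` and the environment names are assumptions standing in for the values in your own Cloud Controls Matrix.

```python
import json

# Constructed sample shaped like `az cognitiveservices account show` output.
SAMPLE = json.loads("""{
  "name": "luis-pred-01", "kind": "LUIS", "sku": {"name": "F0"},
  "tags": {"uai": "uai0000000", "Environment": "Prod"},
  "properties": {"publicNetworkAccess": "Enabled",
                 "privateEndpointConnections": []}
}""")

# Assumed tag keys ("appname" is the article's own example) and placeholder
# environment names; the real list is in the Cloud Controls Matrix document.
LOWERCASE_TAGS = ("uai", "environment")
VALID_ENVIRONMENTS = {"dev", "test", "prod"}

def audit(resource, production=True):
    """Return baseline findings for one LUIS authoring/prediction resource."""
    findings = []
    props = resource.get("properties") or {}
    tags = resource.get("tags") or {}
    by_lower = {k.lower(): (k, v) for k, v in tags.items()}

    # Private endpoint: at least one approved Private Link connection.
    states = [(c.get("properties") or {}).get("privateLinkServiceConnectionState") or {}
              for c in props.get("privateEndpointConnections") or []]
    if not any(s.get("status") == "Approved" for s in states):
        findings.append("no approved private endpoint connection")
    # A private endpoint does not close the public endpoint by itself.
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access is not disabled")

    # Tagging: required keys present, lowercase name and value.
    for key in LOWERCASE_TAGS + ("appname",):
        if key not in by_lower:
            findings.append(f"missing tag '{key}'")
        elif key in LOWERCASE_TAGS:
            name, value = by_lower[key]
            if name != key or value != value.lower():
                findings.append(f"tag '{key}' name or value is not lowercase")
    env = by_lower.get("environment", ("", ""))[1].lower()
    if env and env not in VALID_ENVIRONMENTS:
        findings.append(f"unknown environment '{env}'")

    # Pricing: production prediction traffic expects the Standard (S0) tier.
    if production and (resource.get("sku") or {}).get("name") != "S0":
        findings.append("production resource is not on the S0 tier")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"{SAMPLE['name']}: {finding}")
```

Key storage, log collection and key rotation are configured outside the resource object (Key Vault, diagnostic settings) and need their own checks.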
Although this is not a comprehensive list of considerations when making a baseline for any cloud resource, these considerations are sufficient for an Azure LUIS baseline configuration. For each resource in any business, such considerations must be made according to stakeholder security principles.
A technology enthusiast passionate about automation, Gabriel Chutuape is a Cloud Engineer at ISmile Technologies. He’s part of the ISmile Technologies Cloud enablement team that helps customers with design, solution, and project engineering, integrating and implementing infrastructure technologies & services.
AZURE CLOUD ARCHITECT
Karthik Srinivas is a working Information Technology professional and part of operations. He contributes to streamlining the technology services and operational activities to meet business requirements and beyond.