Hardening Your Language Service on Azure: A Comprehensive Guide to Securing Cognitive Services

Description

Azure Cognitive Service for Language is a cloud-based service that provides Natural Language Processing (NLP) features for understanding and analyzing text. Use this service to help build intelligent applications using the web-based Language Studio, REST APIs, and client libraries.

BASELINE CONFIGURATION

| Config Name | Description | Solution | GE Control ID |
|---|---|---|---|
| RG | Resource Group requirement | Must use the same region for the resource, resource group and subscription | Standard EA |
| Name | Standard naming convention must be followed | Incorporate the name of the chat bot that you plan to pair with the Language Service | Standard EA |
| Pricing tier | Use (S0) Standard for production use cases that require 5000 calls per | For high endpoint traffic from your published app, it is recommended to upgrade to an S1 resource | Standard EA |
| Azure Search Location | All data used by the Language Service is stored within our Azure subscription; Azure Search indexes this data | Pick the recommended location (East US) | Standard EA |
| Data Encryption | Encrypt sensitive information in transit | All Language Service endpoints are exposed over HTTPS and enforce TLS 1.2. With the security protocol enforced, consumers calling a Language Service endpoint must adhere to these guidelines | SEC 7.2 |
| Authentication/Authorization | Authenticate to console services and data sources using Azure native security services | Authenticate services using AAD IAM RBAC. Authentication to data sources should be through a system-assigned managed identity | SEC 2.1 |
| Logging | Collect platform logs and operation logs | Logs must be stored in the Gas Power Cyber approved logging destination: the central analytics workspace in 328-gp-azr-ops | SEC 3.11 |
| Keys | API keys stored in Key Vault as secrets | Use Azure Key Vault to manage your access keys, and regularly rotate and regenerate your keys | SEC 4.1 |
| Network logging | Collect network traffic logs and analyze them | Turn on NSG flow logs and enable traffic analytics | SEC 3.9 |
| Lock | Prevent accidental deletion | Must have at least a delete lock enabled to prevent accidental deletion of the Language Service | Standard EA |
| Firewall Configuration | Firewall configuration required | Internet IP ranges are not allowed. Allowed IP address subnet ranges within the GE network should be reviewed and approved through the design review process | SEC 1.1 |
| Network Type | Access to the service | Public access to the service is not allowed; you must opt for selected networks and configure network security for your cognitive resource. Restrict access to the specific subnets from which the service will be accessed | SEC 1.2 |
| Encryption | Encryption at rest | Use customer-managed keys for encryption at rest | SEC 7.4 |

Tagging Considerations

| Policy Name | Description | Solution |
|---|---|---|
| UAI tag | All speech services must be tagged with a valid UAI | Example: Key: uai, Value: uai1234567. Use lower case name and value |
| Env tag | All speech services must be tagged with a tag corresponding to the application environment | Example: Key: env, Value: prd. For valid envs see item 5.2 in the cloud controls document. Use lower case name and value |
| Appname tag | Must be tagged with the application short name where applicable | Example: Key: appname, Value: ABC123 |
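The baseline and tagging rows above can be checked mechanically against the JSON that `az cognitiveservices account show` returns for an account. The following audit is an added example written for this guide, not code from the original post or from Microsoft; the sample resource is constructed, and the RFC 1918 interpretation of "within GE network" is an assumption made only so that SEC 1.1 can be evaluated.

```python
import ipaddress
import json
# Constructed sample (not a real account), shaped like the JSON returned by
# `az cognitiveservices account show`; it violates SEC 1.1, SEC 7.4 and the env tag rule.
SAMPLE_ACCOUNT = json.dumps({
    "name": "lang-bot-prd-01", "location": "eastus", "sku": {"name": "S0"},
    "identity": {"type": "SystemAssigned"},
    "tags": {"uai": "uai1234567", "env": "PRD", "appname": "ABC123"},
    "properties": {"publicNetworkAccess": "Enabled",
                   "networkAcls": {"defaultAction": "Deny",
                                   "ipRules": [{"value": "10.20.0.0/16"}, {"value": "203.0.113.0/24"}]},
                   "encryption": {"keySource": "Microsoft.CognitiveServices"}},
})

# Assumption for this example: "within GE network" (SEC 1.1) means RFC 1918 space;
# substitute the approved corporate ranges in practice.
CORPORATE_RANGES = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_account(doc: str) -> list[str]:
    """Return the baseline rows the account violates; an empty list means compliant."""
    acct = json.loads(doc)
    props = acct.get("properties", {})
    acls = props.get("networkAcls", {})
    findings = []
    # SEC 1.2: private-endpoint only ("Disabled"), or selected networks with default Deny.
    if props.get("publicNetworkAccess") != "Disabled" and acls.get("defaultAction") != "Deny":
        findings.append("SEC 1.2")
    # SEC 1.1: every allowed IP rule must fall inside a corporate range.
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if not any(net.subnet_of(corp) for corp in CORPORATE_RANGES):
            findings.append("SEC 1.1")
            break
    # SEC 2.1: data-source access through a system-assigned managed identity.
    if "SystemAssigned" not in acct.get("identity", {}).get("type", ""):
        findings.append("SEC 2.1")
    # SEC 7.4: customer-managed key in Key Vault for encryption at rest.
    if props.get("encryption", {}).get("keySource") != "Microsoft.KeyVault":
        findings.append("SEC 7.4")
    # Tagging rows: uai and env present with lower-case name and value; appname present.
    tags = {k.lower(): (k, v) for k, v in acct.get("tags", {}).items()}
    for key in ("uai", "env"):
        name, value = tags.get(key, (key, None))
        if value is None or name != key or value != value.lower():
            findings.append(f"tag:{key}")
    if "appname" not in tags:
        findings.append("tag:appname")
    return findings
```

Running `audit_account(SAMPLE_ACCOUNT)` on the constructed sample reports `['SEC 1.1', 'SEC 7.4', 'tag:env']`; feed it the real account JSON to get the rows that still need remediation.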

Resource Standards and Policies

| Config Name | Description | Solution |
|---|---|---|
| Naming convention – Language Service | The resource follows the standard naming convention | Apply naming standards based on the Naming & Tagging Standards guidelines |

Network Considerations

| Config Name | Description | Solution |
|---|---|---|
| Standard network configuration | Standard vnet, subnet and NSG configuration applied | See the network baseline config for more information: the approved network design baseline of the Stakeholder. Note: NSGs are disabled on private endpoints |
| Private endpoints | Deny public internet access | Ensure that the key vault is accessible only over the Stakeholder private network |

Identity and Access Management

| Config Name | Description | Solution | Mandated/Optional | IAM Policy | CF Template |
|---|---|---|---|---|---|
| IAM RBAC Configuration | Standard RBAC roles defined for the speech service and assigned to users | See the Stakeholder's approved baseline configuration for more information | Mandated | | |

Operational Considerations

| Config Name | Description | Solution |
|---|---|---|
| API key rotation | Keys should be rotated periodically | Regenerate keys regularly and store them in Key Vault |
| Backup and Recovery | Ensure regular automated backups | Follow the standards for backups |

Cloud Engineer

Gopi Krishna

I’m working as a Cloud DevOps Engineer, with expertise in Kubernetes, cloud services and cloud-native services, and DevOps technologies across various clouds.
