Azure Cognitive Service for Language is a cloud-based service that provides Natural Language Processing
(NLP) features for understanding and analyzing text. Use this service to help build intelligent applications using the web-based Language Studio, REST APIs, and client libraries.
| GE Control ID | Requirement |
|---|---|
| Resource group requirement | The resource, its resource group and the subscription must all use the same region. |
| Standard naming convention must be followed | Incorporate the name of the chat bot that you plan to pair with the Language Service resource. |
| Use Standard (S0) for production use cases that require 5000 calls per … | For high endpoint traffic from your published app, upgrade to an S1 resource. |
| Azure Search location | All data used by the Language Service is stored in our Azure subscription, and Azure Search indexes this data. Pick the recommended location (East US). |
| Encrypt sensitive information in transit | All Language Service endpoints are exposed over HTTPS and enforce TLS 1.2. Because this protocol is enforced, consumers calling a Language Service endpoint must support TLS 1.2 or later. |
| Authenticate to console services and data sources using Azure native security services | Authenticate services using Azure AD identities and IAM RBAC. Authenticate to data sources through a system-assigned managed identity rather than stored credentials. |
| Collect platform logs and operation logs | Logs must be stored in the Gas Power Cyber approved logging destination: the central analytics workspace in 328-gp-azr-ops. |
| API keys stored in Key Vault as secrets | Use Azure Key Vault to manage your access keys, and rotate and regenerate them regularly. |
| Collect network traffic logs and analyze them | Turn on NSG flow logs and enable Traffic Analytics. |
| Prevent accidental deletion | At least a delete (CanNotDelete) lock must be enabled to prevent accidental deletion of the Language Service resource. |
| Firewall configuration required | Internet IP ranges are not allowed. The allowed IP address/subnet ranges within the GE network must be reviewed and approved through the design review process. |
| Access to the service | Public access to the service is not allowed. Choose "Selected networks" and configure network security for the cognitive resource, restricting access to only the subnets from which the service will actually be accessed. |
| Encryption at rest | Use customer-managed keys for encryption at rest. |
| All Language Service resources must be tagged with a valid UAI | Example: key `uai`, value `uai1234567`. Use lower case for both name and value. |
| All Language Service resources must be tagged with the application environment | Example: key `env`, value `prd`. For valid envs see item 5.2 in the cloud controls document. Use lower case for both name and value. |
| Must be tagged with the application short name where applicable | Example: key `appname`, value `ABC123`. |
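The controls above (same region, no public access, no internet IP ranges, customer-managed keys, delete lock, Standard tier in production, and the `uai`/`env`/`appname` tags) can be checked offline against the JSON that `az cognitiveservices account show` and `az lock list` return. The checker below is an added example written for this page; it is not code from the original page or from Microsoft. It assumes the field names of the Microsoft.CognitiveServices/accounts resource schema (`location`, `sku.name`, `tags`, `properties.publicNetworkAccess`, `properties.networkAcls`, `properties.encryption.keySource`), reads "within GE network" as RFC 1918 address space, infers the UAI pattern `uai` plus seven digits from the page's example value, and treats `env: prd` as the production marker. Both sample accounts are constructed, not real resources.

```python
"""Offline baseline check for an Azure Language Service (Cognitive Services) account.

Added example, not code from the original page or from Microsoft. Input is the JSON
from `az cognitiveservices account show -n <name> -g <rg> -o json` plus the list from
`az lock list --resource-group <rg> --resource-name <name>
  --resource-type Microsoft.CognitiveServices/accounts -o json`.
Assumptions: "within GE network" means RFC 1918 space; a valid UAI is `uai` + 7 digits
(inferred from the example uai1234567); `env: prd` marks production.
"""
import ipaddress
import re
from typing import List, NamedTuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UAI_RE = re.compile(r"^uai\d{7}$")  # assumed pattern, inferred from the page's example value


class Finding(NamedTuple):
    control: str
    passed: bool
    detail: str


def _norm_region(region: str) -> str:
    return region.replace(" ", "").lower()  # "East US" (portal) == "eastus" (CLI)


def check_region(account: dict, rg_location: str) -> Finding:
    same = _norm_region(account.get("location", "")) == _norm_region(rg_location)
    return Finding("same-region", same, f"resource={account.get('location')} rg={rg_location}")


def check_network_access(account: dict) -> List[Finding]:
    props = account.get("properties", {})
    acls = props.get("networkAcls") or {}
    public = props.get("publicNetworkAccess", "Enabled")
    # Either private endpoints only, or "Selected networks": default Deny plus explicit rules.
    restricted = public == "Disabled" or (
        acls.get("defaultAction") == "Deny"
        and bool(acls.get("virtualNetworkRules") or acls.get("ipRules")))
    out = [Finding("no-public-access", bool(restricted),
                   f"publicNetworkAccess={public} defaultAction={acls.get('defaultAction')}")]
    bad = []  # every allowed IP rule must sit inside RFC 1918 space (GE network assumption)
    for rule in acls.get("ipRules") or []:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if not any(net.subnet_of(p) for p in RFC1918 if p.version == net.version):
            bad.append(str(net))
    out.append(Finding("no-internet-ip-ranges", not bad,
                       "non-private: " + ", ".join(bad) if bad else "all ranges private"))
    return out


def check_encryption(account: dict) -> Finding:
    enc = account.get("properties", {}).get("encryption") or {}
    src = enc.get("keySource", "Microsoft.CognitiveServices")  # platform-managed key is the default
    return Finding("customer-managed-key", src == "Microsoft.KeyVault", f"keySource={src}")


def check_tags(account: dict) -> List[Finding]:
    lowered = {k.lower(): (k, v) for k, v in (account.get("tags") or {}).items()}
    out = []
    for key in ("uai", "env"):  # both required, with lower-case name and value
        if key not in lowered:
            out.append(Finding(f"tag-{key}", False, "missing"))
            continue
        name, value = lowered[key]
        ok = name == key and value == value.lower()
        if key == "uai":
            ok = ok and bool(UAI_RE.match(value))
        out.append(Finding(f"tag-{key}", ok, f"{name}={value}"))
    app = lowered.get("appname")  # case is not constrained by the page (example: ABC123)
    out.append(Finding("tag-appname", app is not None, f"{app[0]}={app[1]}" if app else "missing"))
    return out


def check_sku(account: dict) -> Finding:
    sku = (account.get("sku") or {}).get("name", "")
    env = next((v for k, v in (account.get("tags") or {}).items() if k.lower() == "env"), "")
    ok = env.lower() != "prd" or sku.upper().startswith("S")  # no free tier (F0) in production
    return Finding("standard-tier-in-prod", ok, f"sku={sku} env={env or 'unset'}")


def check_delete_lock(locks: List[dict]) -> Finding:
    levels = {lock.get("level", "") for lock in locks}
    return Finding("delete-lock", bool(levels & {"CanNotDelete", "ReadOnly"}), f"locks={sorted(levels) or 'none'}")


def evaluate(account: dict, rg_location: str, locks: List[dict]) -> List[Finding]:
    return ([check_region(account, rg_location)] + check_network_access(account)
            + [check_encryption(account)] + check_tags(account)
            + [check_sku(account), check_delete_lock(locks)])


def failed_controls(account: dict, rg_location: str, locks: List[dict]) -> List[str]:
    return sorted(f.control for f in evaluate(account, rg_location, locks) if not f.passed)


# Constructed samples, trimmed to the fields the checks read; not real resources.
NONCOMPLIANT = {"location": "westus2", "sku": {"name": "F0"}, "tags": {"UAI": "UAI1234567", "env": "Prd"},
                "properties": {"publicNetworkAccess": "Enabled",
                               "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": [],
                                               "ipRules": [{"value": "203.0.113.0/24"}]}}}
COMPLIANT = {"location": "eastus", "sku": {"name": "S0"},
             "tags": {"uai": "uai1234567", "env": "prd", "appname": "ABC123"},
             "properties": {"publicNetworkAccess": "Enabled",
                            "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "10.20.0.0/16"}],
                                            "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lang/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"}]},
                            "encryption": {"keySource": "Microsoft.KeyVault",
                                           "keyVaultProperties": {"keyName": "lang-cmk", "keyVaultUri": "https://kv-lang-example.vault.azure.net/"}}}}
CANNOT_DELETE = [{"level": "CanNotDelete", "name": "no-delete"}]

if __name__ == "__main__":
    for label, acct, locks in (("noncompliant", NONCOMPLIANT, []), ("compliant", COMPLIANT, CANNOT_DELETE)):
        print(label, "->", failed_controls(acct, "East US", locks) or "all controls pass")
```

To run it against a real resource, `json.load` the two `az` outputs and pass them to `evaluate` together with the resource group's location; the script only reads configuration and changes nothing. Note that `publicNetworkAccess: Disabled` (private endpoints only) and `Enabled` with `defaultAction: Deny` plus explicit rules are both accepted as "public access not allowed", since the table permits the "Selected networks" mode; an account with `Enabled` and `defaultAction: Allow` fails even if IP rules are present, because the default action, not the rule list, decides who gets in.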
Resource Standards and Policies
| GE Control ID | Requirement |
|---|---|
| Naming convention – Language Service | Resources follow the standard naming convention. Apply naming standards based on the Naming & Tagging Standards guidelines. |
| GE Control ID | Requirement |
|---|---|
| Standard network configuration | Standard VNet, subnet and NSG configuration applied; see the network baseline config (the approved network design baseline of Stakeholder) for more information. Note: NSG rules do not apply to private endpoints unless private endpoint network policies are enabled on the subnet. |
| Deny public internet access | Ensure that the Key Vault is accessible only over the Stakeholder private network. |
Identity and Access Management
| GE Control ID | Requirement |
|---|---|
| IAM RBAC configuration | Standard RBAC roles defined for the Language Service resource and assigned to users. See Stakeholder's approved baseline configuration for more information. |
| API key rotation | Keys should be rotated periodically: regenerate keys regularly and store them in Key Vault. |
| Backup and recovery | Ensure regular automated backups, following the backup standards. |
I work as a Cloud DevOps Engineer, with expertise in Kubernetes, cloud services and cloud-native services, and DevOps technologies in various clouds.