Description
Azure Cognitive Service for Language is a cloud-based service that provides Natural Language Processing
(NLP) features for understanding and analyzing text. Use this service to help build intelligent applications using the web-based Language Studio, REST APIs, and client libraries.
BASELINE CONFIGURATION
Config Name | Description | Solution | GE Control ID |
---|---|---|---|
RG | Resource Group requirement | Must use the same region for the resource, resource group and subscription | Standard EA |
Name | Standard Naming Convention must be followed | Incorporate the name of the chat bot that you plan to pair with the Language Service | Standard EA |
Pricing tier | Use (S0) Standard for production use cases that require 5000 calls per | For high endpoint traffic from your published app, it is recommended to upgrade to an S1 resource | Standard EA |
Azure Search Location | All data used for the Language Service is stored within our Azure subscription; Azure Search indexes this data | Pick the recommended location (East US) | Standard EA |
Data Encryption | Encrypt sensitive information in transit | All Language Service endpoints are exposed over HTTPS and enforce TLS 1.2. Consumers calling a Language Service endpoint must adhere to this enforced protocol | SEC 7.2 |
Authentication/Authorization | Authenticate to console services and data sources using Azure native security services | Authenticate services using AAD IAM RBAC. Authentication to data sources should use a system-assigned managed identity | SEC 2.1 |
Logging | Collect platform logs and operation logs | Logs must be stored in the Gas Power Cyber approved logging destination: the central analytics workspace in 328-gp-azr-ops | SEC 3.11 |
Keys | API keys stored in Key Vault as secrets | Use Azure Key Vault to manage your access keys, and regularly rotate and regenerate them | SEC 4.1 |
Network logging | Collect network traffic logs and analyze them | Turn on NSG flow logs and enable traffic analytics | SEC 3.9 |
Lock | Prevent accidental deletion | Must have at least a delete lock enabled to prevent accidental deletion of the Language Service | Standard EA |
Firewall Configuration | Firewall configuration required | Internet IP ranges are not allowed. Allowed IP address subnet ranges within the GE network must be reviewed and approved through the design review process | SEC 1.1 |
Network Type | Access to the service | Public access to the service is not allowed. Opt for selected networks and configure network security for your cognitive resource, restricting access to the subnets from which the service will be accessed | SEC 1.2 |
Encryption | Encryption at rest | Use customer-managed keys for encryption at rest | SEC 7.4 |
Tagging Considerations
Policy Name | Description | Solution |
---|---|---|
UAI tag | All speech services must be tagged with a valid UAI | Example: Key: uai, Value: uai1234567. Use lower case name and value |
Env tag | All speech services must be tagged with a tag corresponding to the application environment | Example: Key: env, Value: prd. For valid envs see item 5.2 in the cloud controls document. Use lower case name and value |
Appname tag | Must be tagged with the application short name where applicable | Example: Key: appname, Value: ABC123 |
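As an added example (not part of the original page), a Python check that reads a Language resource description in the shape `az resource show` returns and reports which of the baseline controls and tagging policies above it violates; the sample resource, the approved-range list and the lock levels passed in are constructed placeholders, and the `SEC`/`Standard EA` labels in the findings are the control IDs from the tables.

```python
import ipaddress

# Constructed sample in the shape `az resource show` returns for a
# Microsoft.CognitiveServices/accounts resource; every value is illustrative.
SAMPLE_RESOURCE = {
    "name": "lang-example-prd",
    "kind": "TextAnalytics",
    "identity": {"type": "SystemAssigned"},
    "tags": {"uai": "uai1234567", "env": "prd", "appname": "ABC123"},
    "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
        "encryption": {"keySource": "Microsoft.KeyVault"},
    },
}
# Placeholder for the ranges approved via design review (TEST-NET-3 used here).
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def check_baseline(res: dict, locks: list) -> list:
    """Return the baseline controls the resource violates; empty means compliant."""
    findings, p, tags = [], res.get("properties", {}), res.get("tags", {})
    # SEC 1.2 / SEC 1.1: no public access, default-deny firewall, approved ranges only
    if p.get("publicNetworkAccess") != "Disabled":
        findings.append("SEC 1.2: publicNetworkAccess must be Disabled")
    acls = p.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("SEC 1.1: networkAcls.defaultAction must be Deny")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if not any(net.subnet_of(ok) for ok in APPROVED_RANGES):
            findings.append(f"SEC 1.1: unapproved IP range {rule['value']}")
    # SEC 2.1: system-assigned managed identity for data-source access
    if res.get("identity", {}).get("type") != "SystemAssigned":
        findings.append("SEC 2.1: identity.type must be SystemAssigned")
    # SEC 7.4: customer-managed key for encryption at rest
    if p.get("encryption", {}).get("keySource") != "Microsoft.KeyVault":
        findings.append("SEC 7.4: encryption.keySource must be Microsoft.KeyVault")
    # Tagging: uai/env/appname present; uai and env values lower case
    for key in ("uai", "env", "appname"):
        if key not in tags:
            findings.append(f"Tagging: missing '{key}' tag")
    uai = tags.get("uai", "uai0")
    if not (uai.startswith("uai") and uai[3:].isdigit()):
        findings.append("Tagging: uai value must look like uai1234567 (lower case)")
    if tags.get("env", "") != tags.get("env", "").lower():
        findings.append("Tagging: env value must be lower case")
    # Standard EA: at least a delete lock on the resource
    if not any(level in ("CanNotDelete", "ReadOnly") for level in locks):
        findings.append("Standard EA: resource has no delete lock")
    return findings
```

Feed it the JSON of a real resource plus the `level` values from `az lock list` on that resource; an empty list means every control in the tables is met.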
Resource Standards and Policies
Config Name | Description | Solution |
---|---|---|
Naming convention – Language Service | Resource follows the standard naming convention | Apply naming standards based on the Naming & Tagging Standards guidelines |
Network Considerations
Config Name | Description | Solution |
---|---|---|
Standard network configuration | Standard vnet, subnet and NSG configuration applied | See the network baseline config for more information (approved network design baseline of Stakeholder). Note: NSGs are disabled on private endpoints |
Private endpoints | Deny public internet access | Ensure that the key vault is accessible only over the Stakeholder private network |
Identity and Access Management
Config Name | Description | Solution | Mandated/Optional | IAM Policy | CF Template |
---|---|---|---|---|---|
IAM RBAC Configuration | Standard RBAC roles defined for the speech service and assigned to users | See Stakeholder’s approved baseline configuration for more information | Mandated | | |
Operational Considerations
Config Name | Description | Solution |
---|---|---|
API Key rotation | Keys should be rotated periodically | Generate keys regularly and store them in Key Vault |
Backup and Recovery | Ensure regular automated backups | Follow standards for backup |
CLOUD Engineer
Gopi Krishna
I’m working as a Cloud DevOps Engineer, with expertise in Kubernetes, cloud services and cloud-native services, and DevOps technologies in various clouds.