Hardening Your Language AI on Azure: A Comprehensive Guide to Securing Cognitive Services

Description

Azure Cognitive Service for Language is a cloud-based service that provides Natural Language Processing (NLP) features for understanding and analyzing text. Use this service to help build intelligent applications using the web-based Language Studio, REST APIs, and client libraries.

BASELINE CONFIGURATION

| Config Name | Description | Solution | GE Control ID |
|---|---|---|---|
| RG | Resource Group requirement | Must use the same region for the resource, resource group and subscription | Standard EA |
| Name | Standard naming convention must be followed | Incorporate the name of the chat bot you plan to pair with the Language Service | Standard EA |
| Pricing tier | Use (S0) Standard for production use cases that require 5000 calls per | For high endpoint traffic from your published app, it is recommended to upgrade to an S1 resource | Standard EA |
| Azure Search location | All data used by the Language Service is stored within our Azure subscription; Azure Search indexes this data | Pick the recommended location (East US) | Standard EA |
| Custom Question Answering / Custom text classification / Custom Named Entity Recognition | Custom Question Answering, Custom text classification and Custom Named Entity Recognition are all allowed | Use Custom Question Answering, Custom text classification or Custom Named Entity Recognition as the requirement dictates | Standard EA |
| Data Encryption | Encrypt sensitive information in transit | All Language Service endpoints are exposed over HTTPS and enforce TLS 1.2; consumers calling a Language Service endpoint must adhere to this enforced security protocol | SEC 7.2 |
| Authentication/Authorization | Authenticate to console services and data sources using Azure native security services | Authenticate services using AAD IAM RBAC; authentication to data sources should use a system-assigned managed identity | SEC 2.1 |
| Logging | Collect platform logs and operation logs | Logs must be stored in the Gas Power Cyber approved logging destination: the central analytics workspace in 328-gp-azr-ops | SEC 3.11 |
| Keys | API keys stored in Key Vault as secrets | Use Azure Key Vault to manage your access keys, and regularly rotate and regenerate them | SEC 4.1 |
| Network logging | Collect network traffic logs and analyze them | Turn on NSG flow logs and enable Traffic Analytics | SEC 3.9 |
| Lock | Prevent accidental deletion | Must have at least a delete lock enabled to prevent accidental deletion of the Language Service | Standard EA |
| Firewall Configuration | Firewall configuration required | Internet IP ranges are not allowed; allowed IP address subnet ranges within the GE network must be reviewed and approved through the design review process | SEC 1.1 |
| Network Type | Access to the service | Public access to the service is not allowed. Opt for selected networks and configure network security for your cognitive resource; restrict access to the applicable subnets from which you will access the service | SEC 1.2 |
| Encryption | Encryption at rest | Use customer-managed keys for encryption at rest | SEC 7.4 |

Tagging Considerations

| Policy Name | Description | Solution |
|---|---|---|
| UAI tag | All speech services must be tagged with a valid UAI | Example: Key: uai, Value: uai1234567. Use lower case name and value |
| Env tag | All speech services must be tagged with a tag corresponding to the application environment | Example: Key: env, Value: prd. For valid envs see item 5.2 in the cloud controls document. Use lower case name and value |
| Appname tag | Must be tagged with the application short name where applicable | Example: Key: appname, Value: ABC123 |
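As an added example (not part of the original guide), the following Python audit checks a Language resource's configuration JSON against several controls from the baseline and tagging tables above. The sample account, the placeholder corporate IP ranges and the mapping of each control to a resource property are assumptions made for this example.

```python
import ipaddress
import json

# Placeholder for the approved corporate (GE network) ranges; the real list comes from design review.
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of `az cognitiveservices account show -o json` (abridged).
SAMPLE_ACCOUNT = json.loads("""{
  "name": "lang-chatbot-prd",
  "tags": {"uai": "UAI1234567", "env": "prd"}, "identity": {"type": "None"},
  "properties": {
    "publicNetworkAccess": "Enabled",
    "disableLocalAuth": false,
    "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
    "encryption": {"keySource": "Microsoft.CognitiveServices"}
  }
}""")

def _in_corporate_range(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in CORPORATE_RANGES)

def audit_account(acct):
    """Return (control ID, finding) pairs; empty means every check here passes.
    Delete locks and diagnostic settings are separate resources and are not checked."""
    props = acct.get("properties", {})
    acls = props.get("networkAcls", {})
    tags = acct.get("tags", {})
    findings = []
    # SEC 1.2: no public access; "selected networks" means public access on but ACL default Deny.
    if props.get("publicNetworkAccess") == "Enabled" and acls.get("defaultAction") != "Deny":
        findings.append(("SEC 1.2", "public network access allowed to all networks"))
    # SEC 1.1: only reviewed corporate subnets may be allow-listed, never internet ranges.
    for rule in acls.get("ipRules", []):
        if not _in_corporate_range(rule["value"]):
            findings.append(("SEC 1.1", f"internet IP range allowed: {rule['value']}"))
    # SEC 2.1: AAD RBAC only (local key auth off) and a system-assigned identity for data sources.
    if not props.get("disableLocalAuth"):
        findings.append(("SEC 2.1", "API key (local) authentication still enabled"))
    if acct.get("identity", {}).get("type") != "SystemAssigned":
        findings.append(("SEC 2.1", "no system-assigned managed identity"))
    # SEC 7.4: customer-managed keys from Key Vault for encryption at rest.
    if props.get("encryption", {}).get("keySource") != "Microsoft.KeyVault":
        findings.append(("SEC 7.4", "encryption at rest uses platform-managed keys"))
    # Tagging: uai, env and appname present; uai and env lower case per the tagging table.
    for key in ("uai", "env", "appname"):
        if key not in tags:
            findings.append(("Tagging", f"missing tag {key}"))
        elif key in ("uai", "env") and tags[key] != tags[key].lower():
            findings.append(("Tagging", f"tag {key} value must be lower case"))
    return findings
```

Feed it the JSON of a real account (for example `az cognitiveservices account show -o json`) to get a per-control list of gaps before design review.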


Resource Standards and Policies

| Config Name | Description | Solution |
|---|---|---|
| Naming convention – Language Service | Resource must follow the standard naming convention | Apply naming standards based on the Naming & Tagging Standards guidelines |

Network Considerations

| Config Name | Description | Solution |
|---|---|---|
| Standard network configuration | Standard VNet, subnet and NSG configuration applied | See the network baseline config for more information: approved network design baseline of the Stakeholder. Note: NSGs are disabled on private endpoints |
| Private endpoints | Deny public internet access | Ensure that the key vault is accessible only over the Stakeholder's private network |

Identity and Access Management

| Config Name | Description | Solution | Mandated/Optional | IAM Policy | CF Template |
|---|---|---|---|---|---|
| IAM RBAC Configuration | Standard RBAC roles defined for the speech service and assigned to users | See the Stakeholder's approved baseline configuration for more information | Mandated | | |

Operational Considerations

| Config Name | Description | Solution |
|---|---|---|
| API key rotation | Keys should be rotated periodically | Generate keys regularly and store them in Key Vault |
| Backup and Recovery | Ensure regular automated backups | Follow standards for backup |


CLOUD ENGINEER

Vignesh R

Vignesh is a cloud engineer with a demonstrated history of working on multiple cloud platforms, including AWS, Azure, and GCP. His expertise lies in designing and implementing solutions for the organization.
