Secure Azure AI Services

By Ashwin Venugopal -

 





Overview

Ensuring the security of Azure AI services can assist in preventing data breaches and violations of user privacy related to the data involved in the solution. Azure AI services offer several layers of security that should be taken into account when developing a solution.

Consider Authentication

By default, access to resources within Azure AI services is limited through the use of subscription keys. Managing access to these keys is a crucial aspect of ensuring security.

Regenerate Keys

Regularly updating keys is essential to mitigate the risk of unauthorized users gaining access to or sharing those keys. Key regeneration can be performed through the Azure portal or by using the Azure command-line interface (CLI) command az cognitiveservices account keys regenerate. Each AI service is provided with two keys, enabling you to regenerate keys without service interruption. To accomplish this:

  • If you're using both keys in production, change your code so that only one key is in use. For example, configure all production applications to use key 1.

  • Regenerate key 2.

  • Switch all production applications to use the newly regenerated key 2.

  • Regenerate key 1.

  • Finally, update your production code to use the new key 1.

Protect Keys With Azure Key Vault

You may safely store secrets (such passwords and keys) with Azure Key Vault. Security principals, which can be thought of as user identities that are verified with Microsoft Entra ID, are given access to the key vault.

To create a controlled identity for an application, administrators might choose a security principal (sometimes referred to as a service principal). This identity can then be used by the program to get access to the key vault and extract a secret. This method of limiting access to the secret reduces the possibility that it may be compromised by being stored in a configuration file or hard-coded in an application.

An AI services resource's subscription keys can be kept in Azure Key Vault, and client apps that require the service can be given controlled identities. Without running the danger of disclosing the key to unauthorized users, the applications can then get the key from the key vault as needed.

Conclusion

We have successfully learnt about protecting keys with Azure Key Vault. 






















































Comments

Post a Comment

Popular posts from this blog

Information Protection Scanner: Resolve Issues with Information Protection Scanner Deployment

By Ashwin Venugopal -
Image
  About If you are experiencing problems with the Microsoft Purview Information Protection scanner, check the health of your deployment by utilizing the Start-ScannerDiagnosticsPowerShell cmdlet to start the scanner diagnostic tool. The diagnostics tool checks the following details and then creates a log files with the results: Whether the database is up to date. Whether network URLs are accessible. Whether there's a valid authentication token and policy can be acquired. Whether the profile is defined in the Azure portal. Whether offline/online configuration exists and can be acquired. Whether the rules configured are valid.  The Start-ScannerDiagnostics command does not perform a comprehensive check of prerequisites. If you encounter problems with the scanner, you need to verify that your system meets the scanner's requirements, and that your scanner's configuration and installation are finished.  Verify Scanning Details Per Scanner Node and Repository Run the Get-ScanSt...
Read more

How AMI Store & Restore Works?

By Ashwin Venugopal -
Image
  CreateStoreImageTask The CreateStoreImageTask API stores an AMI as a single object in an S3 bucket. The API initiates a task that collects all the data from the AMI and its associated snapshots, subsequently using an S3 multipart upload to store this data in an S3 object. It gathers all elements of the AMI, including most of the non-Region-specific metadata and all EBS snapshots included in the AMI, and consolidates them into a single object in S3. During the upload process, the data is compressed to minimize the space utilized in S3, which means that the S3 object could be smaller than the total sizes of the snapshots in the AMI. If the account making this API call has access to AMI and snapshot tags, they will be retained. The S3 object shares the same ID as the AMI, except it has a .bin extension. Additionally, the S3 metadata tags for the object include the AMI name, AMI description, AMI registration date, AMI owner account, and a timestamp indicating when the store operation...
Read more

Create A Store Image Task

By Ashwin Venugopal -
Image
  Introduction When you save an AMI in an S3 bucket, a task for storing the image is initiated. This store image task allows you to track the progress and result of the procedure. Securing your AMIs It is crucial to verify that the S3 bucket is set up with adequate security to protect the content of the AMI and that this security is upheld for the entire duration that the AMI objects are stored in the bucket. If this cannot be achieved, it is advisable to refrain from using these APIs. Make sure that public access to the S3 bucket is prohibited. It is suggested to activate Server-side encryption for the S3 buckets where you keep the AMIs, even though it’s not mandatory. When AMI snapshots are transferred to the S3 object, they are sent over TLS connections. It is possible to save AMIs that contain encrypted snapshots; however, the snapshots will be decrypted during the storing process. Identify the source AMI used to create a new Amazon EC2 AMI You can determine the AMI that was us...
Read more