Lets learn something new

Azure, Cybersecurity, Cloud, AI

Azure Security

Microsoft Azure OpenAI Security

ByArnav Sharma

Oct 13, 2023
Azure Open AI Azure Open AI

Last Updated on September 30, 2024 by Arnav Sharma

Virtual Networks for Azure AI services 

Azure AI services offer a layered security model that allows users to restrict access to their Azure AI services accounts to specific networks. When network rules are set up, only applications that request data over the designated networks can access the account. This ensures that you can limit access to your resources using request filtering, which permits requests only from certain IP addresses, IP ranges, or from a list of subnets in Azure Virtual Networks.

Applications accessing an Azure AI services resource when network rules are active need authorization. This authorization can be achieved using Azure Active Directory (Azure AD) credentials or a valid API key. It’s crucial to note that enabling firewall rules for your Azure AI services account will block incoming data requests by default. To allow these requests, they either need to originate from a service operating within an Azure Virtual Network on the allowed subnet list of the target Azure AI services account or from an approved list of IP addresses.

To enhance the security of your Azure AI services resource, you should initially set up a rule to deny access to all networks, including internet traffic. Afterwards, you can establish rules that grant access to specific virtual networks. This setup ensures a secure network boundary for your applications. Additionally, you can set rules to allow traffic from selected public internet IP address ranges, enabling connections from specific internet or on-site clients.

Azure AI services also support private endpoints, which allow clients on a virtual network to securely access data over Azure Private Link. This private link ensures that network traffic between the clients and the resource travels only through the virtual network and a private link on the Microsoft Azure backbone network, eliminating any exposure to the public internet.

Azure OpenAI Service encryption of data at rest

Azure OpenAI ensures that your data is encrypted when it’s stored in the cloud. This encryption not only safeguards your data but also helps in fulfilling your organization’s security and compliance requirements. The article delves into the specifics of how Azure OpenAI manages the encryption of data at rest, especially focusing on training data and fine-tuned models.

Key Points:

Azure AI services encryption: Azure OpenAI, being a part of Azure AI services, encrypts and decrypts data using FIPS 140-2 compliant 256-bit AES encryption. This process is transparent, meaning that the encryption and access are managed for you. As a result, your data remains secure by default without any need for code modifications.

Encryption key management: By default, Microsoft-managed encryption keys are used. However, there’s an option to manage your subscription with your own keys, known as customer-managed keys (CMK). CMK provides more flexibility in terms of creating, rotating, disabling, and revoking access controls. It also allows for auditing of the encryption keys safeguarding your data.

Customer-managed keys with Azure Key Vault: CMK, also termed as Bring Your Own Key (BYOK), offers enhanced flexibility. These keys are stored in Azure Key Vault. You can either create your keys and store them in the vault or utilize Azure Key Vault APIs for key generation. It’s essential that the Azure AI services resource and the key vault are in the same region and Azure Active Directory (Azure AD) tenant.

Enable customer-managed keys: To activate customer-managed keys, you need to navigate to your Azure AI services resource, select Encryption, and then choose Customer Managed Keys. After enabling, you can specify a key to associate with the Azure AI services resource.

Rotate and Revoke customer-managed keys: You can rotate a customer-managed key in Key Vault based on your compliance policies. Revoking access to an active customer-managed key can impact various functionalities like downloading training data, fine-tuning new models, and deploying them.

Data Deletion: Azure OpenAI allows users to delete their training data, fine-tuned models, and deployments. The data is stored in Azure Storage, and users can delete files using the DELETE API operation.

Disable customer-managed keys: If you decide to disable customer-managed keys, your Azure AI services resource will revert to being encrypted with Microsoft-managed keys.

Azure OpenAI Service with managed identities

Azure OpenAI provides a method to authenticate to your OpenAI resource using Azure Active Directory (Azure AD). This document offers guidance on how to use Azure CLI for role assignments and obtain a bearer token to access the OpenAI resource. The primary focus is on Azure role-based access control (Azure RBAC) for more intricate security scenarios.

Key Points:

Prerequisites: To proceed, you need an Azure subscription, access to the Azure OpenAI Service in the desired Azure subscription, custom subdomain names for features like Azure AD authentication, Azure CLI, and specific Python libraries.

Azure CLI Sign-in: Users can sign into the Azure CLI using the az login command. This sign-in may need to be repeated if the session remains idle for an extended period.

Role Assignment: Users can assign themselves to the “Cognitive Services User” role, allowing them to access specific Azure AI services resources.

Acquire Azure AD Access Token: Access tokens, which expire in an hour, can be obtained to authorize API calls. The token is used to set the Authorization header value for the API call.

Authorize Access with Managed Identities: Azure OpenAI supports Azure AD authentication with managed identities for Azure resources. This feature allows applications running on Azure virtual machines (VMs), function apps, and other services to authorize access to Azure AI services resources using Azure AD credentials. This method eliminates the need to store credentials with cloud-based applications.

Enable Managed Identities on a VM: Before authorizing access to Azure AI services resources from a VM using managed identities, it’s essential to enable managed identities for Azure resources on the VM. Various methods, including the Azure portal, Azure PowerShell, Azure CLI, and Azure Resource Manager templates, can be used for this purpose.

FAQ – Azure OpenAI Service

Q: How can I get access to Azure OpenAI through Microsoft?

To get access to Azure OpenAI, you can use Azure OpenAI resources. Microsoft allows you to create an Azure OpenAI resource which gives you the ability to use advanced OpenAI models with the security and enterprise promise of Azure. Get started with Azure OpenAI by following the guidelines provided in Microsoft Learn.

Q: How do I ensure security and compliance when using Azure OpenAI?

Azure OpenAI provides security through various measures such as data encryption, data protection, and security controls. You can configure Azure to enhance security, and use Microsoft Defender for Cloud to monitor and protect your resources. Refer to the security baseline and security considerations documents to understand the security and compliance aspects.

Q: What is Azure OpenAI on Your Data?

Azure OpenAI on Your Data is a feature that allows you to upload your training data to the Azure environment. This data is not used beyond your specified purposes and ensures data security. You can use Azure Blob Storage and Azure AI Search Index as data sources. Data processing is handled securely within the Azure OpenAI service.

Q: How does Responsible AI relate to Azure OpenAI?

Responsible AI practices are integral to Azure OpenAI. Microsoft provides an overview of responsible AI practices for Azure OpenAI models to ensure ethical and fair use of AI technologies. These practices include guidelines on data usage, model deployment, and monitoring to maintain responsible AI standards.

Q: How can you securely store and manage secrets and keys in Azure?

To securely store and manage secrets, you can use Azure Key Vault. This service provides an additional layer of security for sensitive data such as keys, passwords, and certificates, which are crucial for maintaining security in your applications.

Q: What is the first step to get started with using advanced AI models in Azure?

To get started with using advanced AI models, you should begin by accessing Azure OpenAI Studio. This service gives customers advanced language AI with OpenAI models, enabling powerful AI-driven applications.

Q: How can you ensure your data is protected when using Azure OpenAI services?

Azure OpenAI security is designed to protect your customer data by using a combination of Microsoft Defender for Cloud, data loss prevention strategies, and robust encryption methods. Azure Key Vault can also be utilized to further enhance data protection.

Q: What should you configure to ensure secure access to Azure services?

You should configure Microsoft Entra ID (formerly Azure Active Directory) to ensure secure access to Azure services. This configuration helps manage identity and access, ensuring that only authorized users can access the Azure OpenAI resource’s data.

Q: How does Azure OpenAI handle customer data, and what options do users have?

The Azure OpenAI service provides customers with the option to use customer data responsibly. The service is processed within the data plane, and customers can also opt to upload their training data with confidence that data loss prevention measures are in place.

Q: What is the role of Azure AI Search in using OpenAI models?

Azure AI Search can be integrated with OpenAI service to enhance search capabilities with advanced language AI models from OpenAI. This combination enables more powerful and accurate search functionalities in applications.

Q: Where are Azure OpenAI services available, and what should you consider for compliance?

Azure OpenAI services are available in Azure regions worldwide. When using these services, it’s important to consider the data feature and regional compliance requirements to ensure that the service gives customers the appropriate level of data protection and privacy.

Q: How does Azure ensure that additional data or customer data is handled separately?

Azure implements strict policies to ensure that additional data and customer data are treated as separate data. This separation is crucial for maintaining the integrity and confidentiality of the information processed within Azure services.

Q: What tools can you use to monitor and protect your data in Azure?

Azure Monitor and Microsoft Defender for Cloud are essential tools that help you monitor your environment and protect against potential security threats, ensuring that your data is safe and secure when using Azure services.

Related Post

Azure

CAF: Azure Resource Naming

Oct 31, 2024 Arnav Sharma
Azure

Costing and Security Compute Units (SCUs) for Microsoft Copilot for Security

Oct 24, 2024 Arnav Sharma
Azure Cybersecurity

Getting Started with Microsoft Copilot for Security – Part 3

Oct 23, 2024 Arnav Sharma

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You missed

DevOps HashiCorp

Disaster Recovery with Terraform

November 2, 2024 Arnav Sharma
Azure

CAF: Azure Resource Naming

October 31, 2024 Arnav Sharma
Cybersecurity

NTLM  Authentication  Depreciation – What It Means

October 29, 2024 Arnav Sharma
Azure

Costing and Security Compute Units (SCUs) for Microsoft Copilot for Security

October 24, 2024 Arnav Sharma