Secure Cognitive Services Flashcards
Securing cognitive services can help prevent data loss and privacy violations for user data that may be part of the solution
Consider authentication:
By default access to cognitive services resources is restricted by using subscription keys. Management of access to these keys is a primary consideration for security.
Regenerate his turn on new line you should regenerate his regularly to protect against the risk of kids being shared with all access by unauthorised users.
You can regenerate his by using the visual interface in the agportal or by using the AZ cognitive services account fees regenerate AZ command line interface command
Each cognitive service is provided with two keys and a willing you to regenerate things without service interruption. To accomplish this goal on new line configure all production applications to use key 2
Regenerate key one
Switch all production applications to use the newly regenerated key one
Regenerate key 2
Protect keys with Azure key vault
Azure key vault is an azure service which you can securely store secret such as passwords and keys
Access to the keyboard is granted to security principles which you can think of user identities that are authenticated using AZ active directory.
Administrators can assign a security principal to an application in which case it is known as a service principal to define a managed identity for the application.
The application can then use this identity to access the key vault and retrieve a secret to which it has access. Controlling access to into the secret in this way minimalize is the risk of it being compromised by being hard-coded in an application or saved in a configuration file.
You can store subscription fees for cognitive services resource in act V and assign a managed identity to client applications that need to use the service will stop the applications can then retrieve the key as needed from the key vault without risk of exposing it to unauthorised users
Token-based authentication:
When using the rest interface some cognitive services support or even require token-based authentication. In these cases is the subscription fee is presented in an initial request obtain and all 13 authentication token which has a valid period of 10 minutes.
Subsequent requests must present the token to validate that the caller has been authenticated.
Tip when using an SDK the calls to obtain and present a token or handled by you for you by the SDK
AZ active directory authentication:
Some cognitive services support AZ active directory authentication and Evelyn you to grant access to specific service principles or managed identities for apps and services running in AZ
Implement network security code on uline network security is an important measure to ensure unauthorised users cannot reach the services that you are protecting.
Limiting what users can see is always a great idea since they can’t compromise what they can’t see
Apply network access restrictions:
By default cognitive services are accessible from all networks will stop some individual cognitive services resources such as text Analytics space computer Vision and others can be configured to restrict access to specific network addresses-either public internet addresses or addresses on virtual networks.
With network restrictions enabled a client trying to connect from an IP address that is not allowed will receive an access denied error.
