Securing Microsoft Azure OpenAI
Paperback, English, 2025
By Karl Ots
759 kr
Made to order. Ships within 5-8 business days
Free shipping for members on purchases of at least 249 kr.

Securely harness the full potential of OpenAI’s artificial intelligence tools in Azure

Securing Microsoft Azure OpenAI is an accessible guide to leveraging the comprehensive AI capabilities of Microsoft Azure while ensuring the utmost data security. This book introduces you to the collaborative powerhouse of Microsoft Azure and OpenAI, providing easy access to cutting-edge language models like GPT-4o, GPT-3.5-Turbo, and DALL-E. Designed for seamless integration, the Azure OpenAI Service revolutionizes applications from dynamic content generation to sophisticated natural language translation, all hosted securely within Microsoft Azure’s environment.

Securing Microsoft Azure OpenAI demonstrates responsible AI deployment, with a focus on identifying potential harm and implementing effective mitigation strategies. The book provides guidance on navigating risks and establishing best practices for securely and responsibly building applications using Azure OpenAI. By the end of this book, you’ll be equipped with the best practices for securely and responsibly harnessing the power of Azure OpenAI, making intelligent decisions that respect user privacy and maintain data integrity.
Product information
- Publication date: 2025-03-25
- Dimensions: 188 x 234 x 28 mm
- Weight: 658 g
- Language: English
- Series: Tech Today
- Number of pages: 384
- Publisher: John Wiley & Sons Inc
- EAN: 9781394291090
KARL OTS is Global Head of Cloud Security at EPAM Systems, an engineering and consulting firm. He leads a team of experts in delivering security and compliance solutions for cloud and AI deployments for Fortune 500 enterprises in a variety of industries. He has over 15 years’ experience in tech and is a trusted advisor and thought leader. Karl is also a Microsoft Regional Director and Security MVP.
- Introduction
- Chapter 1 Overview of Generative Artificial Intelligence Security
  - Common Use Cases for Generative AI in the Enterprise
  - Generative Artificial Intelligence
  - Generative AI Use Cases
  - LLM Terminology
  - Sample Three-Tier Application
  - Presentation Tier
  - Application Tier
  - Data Tier
  - Generative AI Application Risks
  - Hallucinations
  - Malicious Usage
  - Shadow AI
  - Unfavorable Business Decisions
  - Established Risks
  - Shared AI Responsibility Model
  - Shared Responsibility Model for the Cloud
  - Shared Responsibility Model for AI
  - AI Usage
  - AI Application
  - AI Platform
  - Applying the Shared Responsibility Model
  - Regulation and Control Frameworks
  - Regulation in the United States
  - Regulation in the European Union
  - NIST AI Risk Management Framework
  - Govern
  - Map
  - Measure
  - Manage
  - Key Takeaways
  - References
- Chapter 2 Security Controls for Azure OpenAI Service
  - On the Importance of Selecting Appropriate Security Controls
  - Risk Appetite
  - Comparing OpenAI Hosting Models
  - OpenAI ChatGPT
  - Privacy and Compliance
  - Identity and Access Management
  - Data Protection and Encryption
  - Audit Logging
  - Network Isolation
  - Data Residency
  - Azure OpenAI
  - Privacy and Compliance
  - Identity and Access Management
  - Data Protection and Encryption
  - Audit Logging
  - Network Isolation
  - Data Residency
  - Recommendation for Enterprise Usage
  - Evaluating Security Controls with MCSB
  - Control Domains
  - Network Security
  - Identity Management
  - Privileged Access
  - Data Protection
  - Asset Management
  - Logging and Threat Detection
  - Incident Response
  - Posture and Vulnerability Management
  - Endpoint Security
  - Backup and Recovery
  - DevOps Security
  - Governance and Strategy
  - Security Baselines
  - Applying Microsoft Cloud Security Baseline to Azure OpenAI
  - Security Profile
  - How to Approach the Security Baseline
  - Data Protection
  - Identity Management
  - Logging and Threat Detection
  - Network Security
  - Asset Management
  - Backup and Recovery
  - Endpoint Security
  - Posture and Vulnerability Management
  - Privileged Access
  - Selected Controls
  - Mapping the Selected Controls to CIS and NIST
  - Using Azure Policy to Secure Azure OpenAI at Scale
  - Azure Policy
  - Continuous Compliance Monitoring
  - Azure Policies for Azure OpenAI
  - Key Takeaways
  - References
- Chapter 3 Implementing Azure OpenAI Security Controls
  - OWASP Top 10 for LLM Applications
  - Prompt Injection
  - Insecure Output Handling
  - Training Data Poisoning
  - Model Denial of Service
  - Supply Chain Vulnerabilities
  - Sensitive Information Disclosure
  - Insecure Plugin Design
  - Excessive Agency
  - Overreliance
  - Model Theft
  - Access Control
  - Implementing Access Control for Azure OpenAI
  - Cognitive Services OpenAI User
  - Cognitive Services OpenAI Contributor
  - Azure AI Administrator
  - Azure AI Developer
  - Azure AI Enterprise Network Connection Approver
  - Azure AI Inference Deployment Operator
  - Preventing Local Authentication
  - Disable Local Authentication Using Bicep
  - Disable Local Authentication Using Terraform
  - Disable Local Authentication Using ARM Templates
  - Prevent Local Authentication Using PowerShell
  - Enforcing with Azure Policy
  - Audit Logging
  - Control Plane Audit Logging
  - Data Plane Audit Logging
  - Enable Data Plane Audit Logging Using Azure Portal
  - Enable Data Plane Audit Logging Using Bicep
  - Enable Data Plane Audit Logging Using Terraform
  - Enable Data Plane Audit Logging Using ARM Templates
  - Enable Data Plane Audit Logging Using PowerShell
  - Enable Data Plane Audit Logging Using Azure CLI
  - Enforcing with Azure Policy
  - Enable Logging by Category Group for Cognitive Services
  - Network Isolation
  - Default Network Controls
  - Control Inbound Network Traffic
  - Control Inbound Network Traffic Using the Azure Portal
  - Control Inbound Network Traffic Using Bicep
  - Control Inbound Network Traffic with Private Endpoints Using Infrastructure as Code
  - Control Inbound Network Traffic Using Terraform
  - Control Inbound Network Traffic with Private Endpoints Using Terraform
  - Control Inbound Network Traffic Using ARM Templates
  - Control Inbound Network Traffic with Private Endpoints Using ARM Templates
  - Control Inbound Network Traffic Using PowerShell
  - Control Inbound Network Traffic with Private Endpoints Using PowerShell
  - Control Inbound Network Traffic Using Azure CLI
  - Control Inbound Network Traffic with Private Endpoints Using Azure CLI
  - Control Outbound Network Traffic
  - Enable Data Loss Prevention Using REST
  - Enable Data Loss Prevention Using Bicep
  - Enable Data Loss Prevention Using Terraform
  - Enable Data Loss Prevention Using ARM Templates
  - Enforcing with Azure Policy
  - Azure AI Services Resources Should Restrict Network Access
  - Azure AI Services Resources Should Use Azure Private Link
  - Encryption at Rest
  - Implementing Azure OpenAI with CMK
  - Implement CMK Using Azure Portal
  - Implement CMK Using Bicep
  - Implement CMK Using Terraform
  - Implement CMK Using ARM Templates
  - Implement CMK Using PowerShell
  - Implement CMK Using the Azure CLI
  - Enforcing with Azure Policy
  - Azure AI Services Resources Should Encrypt Data at Rest with a CMK
  - Content Filtering Controls
  - System Safety Prompts
  - Azure AI Content Safety
  - Content Filtering
  - Prompt Shields
  - Protected Material Detection
  - Groundedness Detection
  - Creating a Content Filter
  - Implementing Content Filtering Programmatically
  - Content Safety Input Restrictions
  - Key Takeaways
  - References
- Chapter 4 Securing the Entire Application
  - The Three-Tier LLM Application in Azure
  - Presentation Tier
  - Application Tier
  - Data Tier
  - On Threat Modeling
  - Threat Model of the Three-Tier Application
  - Revised Application Architecture
  - Retrieval-Augmented Generation
  - RAG in Azure
  - Azure AI Search
  - Azure Cosmos DB
  - Application Architecture with RAG
  - Azure Front Door
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Enforcing Controls with Policies
  - Azure App Service
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Enforcing Controls with Policies
  - API Management
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Enforcing Controls with Policies
  - Storage Account
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Backup and Recovery
  - Discover, Classify, and Protect Sensitive Data
  - Enforcing Controls with Policies
  - Cosmos DB
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Backup and Recovery
  - Enforcing Controls with Policies
  - Azure AI Search
  - Security Profile
  - Security Baseline
  - Implementing Security Controls
  - Access Control
  - Audit Logging
  - Network Isolation
  - Encryption at Rest
  - Enforcing Controls with Policies
  - Key Takeaways
  - References
- Chapter 5 Moving to Production
  - LLM Application Security Lifecycle
  - Model Supply Chain
  - Security Testing
  - Model Safety Evaluation
  - How to Use Model Safety Evaluation
  - Adversarial Testing
  - How to Use the Adversarial Simulator Service
  - Red Teaming
  - Crescendo Multiturn Attack
  - Red Teaming with PyRIT
  - Content Credentials
  - AI Security Posture Management
  - Discover and Manage Shadow AI
  - Discover SaaS Applications
  - Discover Generative AI Applications
  - Manage Generative AI Applications
  - Alert on Anomalous Activity and Applications
  - Defender for Cloud AI Workloads
  - Discovery
  - Posture Management
  - Security Alerting
  - Security Posture Management
  - Investigating Security Alerts
  - Alert Details
  - Supporting Evidence
  - Take Action
  - Managing Incidents
  - Instrumenting Security Alert Ingestion
  - Azure OpenAI Alerts
  - Detected Credential Theft Attempts on an Azure OpenAI Model Deployment
  - A Jailbreak Attempt on an Azure OpenAI Model Deployment Was Blocked by Azure AI Content Safety Prompt Shields
  - A Jailbreak Attempt on an Azure OpenAI Model Deployment Was Detected by Azure AI Content Safety Prompt Shields
  - Sensitive Data Exposure Detected in Azure OpenAI Model Deployment
  - Corrupted AI Application, Model, or Data Directed a Phishing Attempt at a User
  - Phishing URL Shared in an AI Application
  - Phishing Attempt Detected in an AI Application
  - Defender for Cloud Alerts for Other Services
  - App Service Alerts
  - API Management Alerts
  - Storage Account Alerts
  - Cosmos DB Alerts
  - LLM Application in Your Cloud Security Architecture
  - Cloud Security Control Domains
  - Asset Management
  - Incident Response
  - Privileged Access
  - Posture and Vulnerability Management
  - Landing Zones
  - About Landing Zones
  - Microsoft Enterprise-Scale Landing Zones
  - Microsoft Landing Zone Accelerator for OpenAI
  - LLM Application in the Landing Zone
  - The Sample Application in the Landing Zone
  - Access Control
  - Security Monitoring
  - Incident Response
  - Network
  - Key Takeaways
  - References
- Index