Azure How to bring BYOK for ChatGPT Open AI Service on Azure August 1, 20230 view0 Share By IG Share If you are looking to bring BYOK for ChatGPT Open AI Service on Azure, read along! In the realm of AI-driven data processing and storage, data security is a top priority for organizations. Azure OpenAI, a part of Azure AI services, addresses this concern by implementing robust data encryption mechanisms. In this technical article, we explore the intricacies of data encryption at rest in Azure OpenAI and delve into the concept of customer-managed keys (CMK). By taking advantage of CMK and Azure Key Vault, organizations can customize their encryption strategies and elevate their data security to unprecedented levels. Table of Contents Toggle Data Encryption in Azure OpenAICustomer-Managed Keys (CMK) and Their SignificanceUtilizing Azure Key Vault for CMKEnabling CMK and Key Vault PropertiesKey Limitations and ConsiderationsSystem-Managed Keys vs Customer-Managed Keys (CMK):Conclusion Data Encryption in Azure OpenAI Azure OpenAI leverages cutting-edge data encryption practices to safeguard sensitive information when it’s persisted in the cloud. The encryption process adheres to FIPS 140-2 compliant 256-bit AES encryption, ensuring the highest level of security for the data at rest. FIPS 140-2 compliant 256-bit AES encryption: Feature FIPS 140-2 Compliant 256-bit AES Encryption Encryption Standard FIPS 140-2 compliant Advanced Encryption Standard (AES) Key Size 256 bits Security Certification FIPS 140-2 certification Encryption Strength High-security level with a 256-bit key Data Protection Provides strong data protection at rest Algorithm Performance Efficient encryption and decryption process Common Usage Widely used in various industries and applications Encryption Speed Fast encryption and decryption speeds Algorithm Robustness Resistant to known attacks and vulnerabilities Regulatory Compliance Compliant with FIPS 140-2 standard Key Management Flexibility Supports both Microsoft-managed and customer-managed keys Implementation Complexity Relatively straightforward to implement Integration with Azure Used in Azure OpenAI as part of Azure AI services Data Security Assurance Provides strong assurance for data confidentiality Industry Adoption Widely adopted in the industry for data encryption Interoperability Compatible with various platforms and systems FIPS 140-2 compliant 256-bit AES encryption offers a high level of security, making it an excellent choice for protecting sensitive data at rest. It meets rigorous regulatory standards and is widely adopted across industries due to its efficiency and robustness. Organizations can choose to use Microsoft-managed keys or customer-managed keys for added flexibility in key management. Azure OpenAI leverages this encryption standard to ensure the confidentiality and integrity of data stored in the cloud. The encryption is entirely transparent, meaning the encryption and access management are abstracted from users, eliminating the need to make modifications to existing code or applications. This default encryption scheme ensures data security right from the point of entry into the Azure OpenAI platform. Customer-Managed Keys (CMK) and Their Significance While Azure OpenAI provides automatic data encryption with Microsoft-managed keys, the platform also caters to organizations seeking enhanced control over their data security. Enter customer-managed keys (CMK) or Bring Your Own Key (BYOK) mechanism, which empowers users to exercise granular control over encryption keys. CMK enables organizations to create, rotate, disable, and revoke access controls for their encryption keys. This level of control is indispensable for companies that must adhere to stringent regulatory and compliance requirements, as they can align their encryption practices with specific mandates. Utilizing Azure Key Vault for CMK To leverage customer-managed keys, Azure OpenAI mandates using Azure Key Vault – a specialized service designed to manage cryptographic keys, secrets, and certificates securely. Users can either generate their own keys and store them in the key vault or use Azure Key Vault APIs to generate keys tailored to their specific requirements. The key vault and Azure AI services resource must coexist in the same region and Azure Active Directory (Azure AD) tenant. However, they can belong to different subscriptions, enabling users to maintain the desired separation of duties and access controls. Enabling CMK and Key Vault Properties To avail of the benefits of customer-managed keys, users must submit the Azure AI services Customer-Managed Key Request Form, initiating the process of integration. The Azure team will evaluate the request, and within 3-5 business days, the user will receive a status update. Enabling both the Soft Delete and Do Not Purge properties on the key vault is essential when activating customer-managed keys. The Soft Delete property ensures that accidentally deleted keys can be recovered, while the Do Not Purge property prevents the irreversible deletion of keys, maintaining control over their lifecycle. Key Limitations and Considerations Organizations considering customer-managed keys should be aware that Azure AI services encryption only supports RSA keys of size 2048. Users must carefully evaluate their encryption requirements and align their key management practices accordingly. System-Managed Keys vs Customer-Managed Keys (CMK): Below is a comparison table between system-managed keys and customer-managed keys with Azure Key Vault: Feature System-Managed Keys Customer-Managed Keys (CMK) Key Generation and Rotation Automatically generated and rotated by Azure Users generate and manage their encryption keys Key Security and Access Control Fully managed by Azure Users have granular control over access controls Key Storage and Backup Azure handles storage and backup Users manage key storage and backup Key Deletion and Recovery Azure handles key deletion and recovery Users manage key deletion and recovery Regulatory Compliance Compliant with relevant security standards Users can align encryption practices with specific regulatory and compliance requirements Integration with Azure Services Seamlessly integrated with Azure services It can be used with various Azure services Implementation Complexity Simple and straightforward to implement Requires additional configuration and management Use Cases Ideal for basic encryption needs Suited for organizations with stringent security and compliance requirements Key Rotation Policies Rotation policies managed by Azure Users can customize key rotation policies Resource and Cost Management Less administrative overhead and cost More control over resource allocation and costs Key Auditing Limited control over key auditing Users have visibility into key usage and access Disaster Recovery Azure handles disaster recovery Users can design their disaster recovery plan In summary, system-managed keys offer a simple and automated solution for basic encryption needs, as Azure handles all aspects of key management. On the other hand, customer-managed keys (CMK) provide organizations with granular control and customization options for encryption key management, making them suitable for scenarios with stringent security and compliance requirements. The choice between system-managed keys and customer-managed keys depends on the specific security needs and level of control desired by the organization. Conclusion Azure OpenAI’s robust data encryption and the flexibility of customer-managed keys through Azure Key Vault empower organizations to establish highly tailored data security strategies. By integrating advanced encryption practices and embracing customer-managed keys, businesses can elevate their data protection measures to unprecedented levels, ensuring data confidentiality and compliance with regulatory standards. As data security remains an ever-evolving field, staying informed about the latest encryption practices and updates from Azure is essential to maintain an edge in safeguarding valuable data assets. Source: Official Microsoft Documentation Disclaimer: The Questions and Answers provided on https://www.gigxp.com are for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Share What's your reaction? Excited 0 Happy 0 In Love 0 Not Sure 0 Silly 0 IG Website Twitter
Azure How to locate the Storage Key in Analysis Services Backup settings Looking to locate the Storage Key in Analysis Services Backup settings? Find out how to ...
Azure Comparing Azure Active Directory Licensing – Free vs Basic vs P1 vs P2 Azure Active Directory licensing on Microsoft Azure can be perplexing for several businesses. Microsoft continues ...
Azure SQL Server Managed Instance BYOL Hybrid Licensing & Dev/Test Options Microsoft offers SQL Server Managed Instance BYOL Hybrid Licensing for your On-Premises products and discounted ...
Azure Azure SQL Managed Instance General Purpose vs Business Critical In this article, I will try to compare the Azure SQL Managed Instance General Purpose ...