Azure OpenAI service API keys – Security and Privacy Considerations for Gen AI – Building Safe and Secure LLMs

Azure OpenAI service API keys

The Azure OpenAI service itself, along with OpenAI, uses API keys for applications to access it. These API keys are generated once the initial service is created; however, as a best practice, these keys should be regenerated often to ensure older keys are removed from the system. There are always a minimum of two keys, so you can use either the first key or the second key with Azure OpenAI. Having two keys always allows you to securely rotate and regenerate keys without downtime or service outage. As a best practice, you can store these keys in a key vault, such as Azure Key Vault, and then limit access to the keys to only specific applications or services.

And yes, we can monitor and audit our key usage and rotation as well, which we’ll cover in the last section of this chapter on Auditing.
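The two-key rotation described above can be traced step by step. The following is an added example, not code from the book or from Azure: `FakeAccount` and `FakeVault` are hypothetical in-memory stand-ins for the Azure OpenAI resource and the key vault secret, used to show why the order of operations decides whether applications ever hold a dead key.

```python
import secrets


class FakeAccount:
    """In-memory stand-in (assumption) for a resource exposing two API keys."""

    def __init__(self):
        self.keys = {"key1": secrets.token_hex(16), "key2": secrets.token_hex(16)}

    def regenerate(self, name):
        # The old value of the named key stops being accepted immediately.
        self.keys[name] = secrets.token_hex(16)
        return self.keys[name]

    def accepts(self, value):
        return value in self.keys.values()


class FakeVault:
    """In-memory stand-in (assumption) for the vault secret applications read."""

    def __init__(self, value):
        self.secret = value


def rotate(account, vault):
    """Rotate the vault's key; return (retired_value, per-step acceptance checks)."""
    in_use = next(n for n, v in account.keys.items() if v == vault.secret)
    standby = "key2" if in_use == "key1" else "key1"
    retired, checks = account.keys[in_use], []
    # Step 1: refresh the standby key so any stale copy of it is invalidated.
    fresh = account.regenerate(standby)
    checks.append(account.accepts(vault.secret))
    # Step 2: publish the fresh standby key; applications pick it up from the vault.
    vault.secret = fresh
    checks.append(account.accepts(vault.secret))
    # Step 3: only now regenerate the previously used key, retiring it.
    account.regenerate(in_use)
    checks.append(account.accepts(vault.secret))
    return retired, checks


def naive_rotate(account, vault):
    """Counter-example: regenerating the in-use key first causes an outage window."""
    in_use = next(n for n, v in account.keys.items() if v == vault.secret)
    fresh = account.regenerate(in_use)
    outage = not account.accepts(vault.secret)  # apps hold a dead key here
    vault.secret = fresh
    return outage
```

With `rotate`, the secret served by the vault is accepted after every step and the retired value is rejected afterwards; `naive_rotate` returns `True` because applications briefly hold an invalidated key.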

Encryption

As mentioned above, a key management system is a critical security service/control for any successful cloud deployment, including a generative AI service such as OpenAI.

Another security control or measure is the data encryption itself. It is almost absurd to think that in this day and age, we need to even mention encryption, as this should be the default for any data access and storage to prevent access to unauthorized individuals.

However, it must be stated to round out our discussion on security controls and best practices for a generative AI cloud deployment.

While cloud data itself cannot be easily read, as there are many abstraction layers to the underlying bits where the data is stored, not to mention the physical access limitations, the data access limits, such as encryption, are still a requirement. Fortunately, our cloud service providers, such as Microsoft Azure, provide encryption of our data automatically and as a default. There is a link at the end of this chapter to help you understand how Microsoft Azure provides this encryption of data at rest.

However, the authors do want to note that beyond the default cloud provider data encryption, your organization can also use its own keys to add another layer of encryption. This is known as customer-managed keys (CMK) or bring your own key (BYOK) scenarios. This is to ensure that you can further secure your generative AI cloud solutions or any other cloud solutions.

And yes, a key management system can securely store the service keys to decrypt the encrypted data at rest, furthering our statement about how a key management system is critical to any successful cloud service deployment, such as Azure OpenAI. For the additional CMK/BYOK solutions, using a key vault scenario is a requirement.

As we have learned in this section, content filtering, managed identities, and key management systems, such as Azure Key Vault, can provide security controls to ensure your cloud-based generative AI solution is not only secure but can also protect against harmful content. Ultimately, it is the users and organization we are trying to protect and provide with security, as they use the generative AI service you are managing. As we are on the topic of security, we must also mention privacy in the same breath. While we have learned about techniques to provide a more secure environment, how is data privacy protected? What is data privacy, and how is this privacy protected in the cloud? Let’s continue with the topic of “privacy” in the next section.

Exploring data privacy in cloud-based generative AI

As we covered some of the security threats and potential attack vectors to a secure environment, let’s now turn our attention to another topic to be aware of as we continue our journey into generative AI for cloud solutions. In this section, we’ll delve into a very common concern raised by many when they first begin using cloud-based services such as ChatGPT, which is the topic and concern about data privacy. How is my privacy maintained, and who can see my prompts? Is there additional training carried out by a cloud provider with the prompts that I enter, or perhaps even my data?
