
Azure Cognitive Services security

Security should be considered a top priority when developing any application, and with the arrival of AI-enabled applications it matters even more. This article outlines several aspects of Azure Cognitive Services security: transport layer security, authentication, secure handling of sensitive configuration data, and Customer Lockbox for customer data access.

Transport Layer Security (TLS)

All Cognitive Services endpoints exposed over HTTP enforce TLS 1.2. Because the protocol version is enforced on the service side, a client that offers only an older version is rejected during the handshake, so consumers calling a Cognitive Services endpoint should adhere to these guidelines:

  • The client operating system (OS) needs to support TLS 1.2
  • The language (and platform) used to make the HTTP call needs to negotiate TLS 1.2 for the request
    • Depending on the language and platform, this is done either implicitly (the runtime's default) or explicitly (a setting in the client code)

For .NET users, see the Transport Layer Security best practices.
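As an added example (not code from the Azure documentation), the following Python shows the client side of the guidelines above: a context that can only negotiate TLS 1.2 or newer, a deliberately weakened "before" context, and an audit function that reports why a context would be rejected, so a misconfigured client fails fast locally instead of failing mid-handshake against the service. It relies only on the standard library's ssl module; the resource hostname in the comment is a placeholder.

```python
"""Added example, not from the Azure docs page: a client-side TLS
configuration that can only negotiate TLS 1.2 or newer, plus an audit
function that flags a context failing the guidelines above before any
request is made."""
import ssl

# Protocol floors that would let the client offer a version the
# Cognitive Services endpoint rejects during the handshake.
LEGACY_FLOORS = {
    ssl.TLSVersion.MINIMUM_SUPPORTED,  # "whatever OpenSSL allows"
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
}


def platform_supports_tls12() -> bool:
    """Guideline 1: the OS / OpenSSL build must be able to speak TLS 1.2."""
    return bool(getattr(ssl, "HAS_TLSv1_2", False))


def make_tls12_client_context() -> ssl.SSLContext:
    """Guideline 2, done explicitly: pin the floor at TLS 1.2 rather than
    trusting the runtime default (Python 3.10+ defaults to 1.2, older
    interpreters do not)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """The 'before' configuration: floor lowered, certificate checks off.
    Constructed only so the audit below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context could end up negotiating below TLS 1.2."""
    return ctx.minimum_version in LEGACY_FLOORS


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return findings; an empty list means the context meets the guidelines."""
    findings = []
    if not platform_supports_tls12():
        findings.append("OpenSSL build has no TLS 1.2 support")
    if context_allows_legacy_tls(ctx):
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; must be TLSv1_2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


if __name__ == "__main__":
    # With a real resource, the hardened context is handed to the HTTP client, e.g.
    # http.client.HTTPSConnection("<resource>.cognitiveservices.azure.com", context=ctx)
    for label, ctx in (("hardened", make_tls12_client_context()),
                       ("legacy", make_legacy_client_context())):
        print(label, audit_client_context(ctx) or "OK")
```

Pinning minimum_version rather than clearing individual OP_NO_TLSv1* options is the explicit form of guideline 2; the audit also checks certificate and hostname verification, because a client that skips them still negotiates TLS 1.2 but no longer knows whom it is talking to.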

Authentication

When discussing authentication, there are several common misconceptions; in particular, authentication and authorization are often confused with each other. Identity is also a major component of security. An identity is a collection of information about a principal. Identity providers (IdPs) supply identities to authentication services. Authentication is the act of verifying a user's identity. Authorization is the specification of access rights and privileges to resources for a given identity. Several of the Cognitive Services offerings include Azure role-based access control (Azure RBAC), which can be used to simplify some of the ceremony involved in managing principals manually. For more details, see Azure role-based access control for Azure resources.

For more information on authenticating with subscription keys, access tokens, and Azure Active Directory (AAD), see Authenticate requests to Azure Cognitive Services.

Environment variables and application configuration

Environment variables are name-value pairs stored within a specific environment. They are a more secure alternative to hardcoding sensitive data: a hardcoded key ends up in source control, build artifacts, and every copy of the binary. Hardcoded values are insecure and should be avoided.

Note

Do not use hardcoded values for sensitive data; doing so is a major security vulnerability.

Note

While environment variables are stored in plain text, they are isolated to an environment. Any process running in that environment, including child processes that inherit it, can read them, so if an environment is compromised, so too are the variables within it.

Set environment variable

To set an environment variable, use one of the following commands, where ENVIRONMENT_VARIABLE_KEY is the name of the key and value is the value stored in the environment variable.

Create and assign a persisted environment variable, given the value.

:: Assigns the env var to the value (setx takes the name and the value as two separate arguments)
setx ENVIRONMENT_VARIABLE_KEY "value"

setx persists the variable in the current user's environment but does not change the console it was run in, so read the environment variable in a new instance of the Command Prompt.

:: Prints the env var value
echo %ENVIRONMENT_VARIABLE_KEY%

Tip

After setting an environment variable, restart your integrated development environment (IDE) so that the newly added variable is visible to the IDE and to the processes it launches.

Get environment variable

To get an environment variable, it must be read into memory. Depending on the language you're using, consider the following code snippet. It shows how to get the environment variable named ENVIRONMENT_VARIABLE_KEY and assign it to a variable named value.

For more information, see Environment.GetEnvironmentVariable.

using static System.Environment;

class Program
{
    static void Main()
    {
        // Get the named env var, and assign it to the value variable.
        // GetEnvironmentVariable returns null when the variable is not set,
        // so check for null before using the value.
        var value =
            GetEnvironmentVariable(
                "ENVIRONMENT_VARIABLE_KEY");
    }
}
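The following Python is an added example, not code from the Azure documentation. It does what the C# snippet does, reading the credential from the environment, and adds the handling a practitioner wants around it: failing closed when the variable is missing instead of sending an empty key, keeping the value out of logs, and turning it into the request headers that the authentication section above refers to. The environment variable names are assumptions for this example; the header names (Ocp-Apim-Subscription-Key for a subscription key, a Bearer token in Authorization for AAD) follow the Cognitive Services REST convention, which this page links to rather than spells out.

```python
"""Added example, not from the Azure docs page: read a Cognitive Services
credential from the environment, fail closed if it is absent, redact it
for logging, and build the authentication header for a request."""
import os

KEY_ENV = "COGNITIVE_SERVICES_KEY"      # assumed variable name for the subscription key
TOKEN_ENV = "COGNITIVE_SERVICES_TOKEN"  # assumed variable name for an AAD access token


class MissingCredential(RuntimeError):
    """Raised instead of silently sending a request with an empty credential."""


def read_secret(name: str) -> str:
    """Return the variable's value, or raise if it is unset or blank."""
    value = os.environ.get(name, "").strip()
    if not value:
        raise MissingCredential(f"environment variable {name} is not set")
    return value


def redact(secret: str, keep: int = 4) -> str:
    """Show only the last few characters when a value must appear in a log."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def auth_headers_from_env() -> dict:
    """Prefer an AAD bearer token when one is present; otherwise use the
    subscription key. Header names follow the Cognitive Services REST
    convention (assumed here; the page links to the details)."""
    token = os.environ.get(TOKEN_ENV, "").strip()
    if token:
        return {"Authorization": f"Bearer {token}"}
    return {"Ocp-Apim-Subscription-Key": read_secret(KEY_ENV)}


if __name__ == "__main__":
    # Values are never printed in full; only the redacted form reaches stdout.
    for name, value in auth_headers_from_env().items():
        print(f"{name}: {redact(value)}")
```

The fail-closed check matters because the C# call above returns null for a missing variable, and a null or empty key sent to the service surfaces only as a confusing 401 later, far from the configuration mistake that caused it.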

Customer Lockbox

Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. For information on how Customer Lockbox requests are initiated, tracked, and stored for later review and audit, see Customer Lockbox.

Customer Lockbox is available for this Cognitive Service:

  • Translator

For the following services, Microsoft engineers will not access any customer data in the E0 tier:

  • Language Understanding
  • Face
  • Content Moderator
  • Personalizer

Important

For Form Recognizer, Microsoft engineers will not access any customer data in resources created after July 10, 2020.

To request the ability to use the E0 SKU, fill out and submit this request form. It takes approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for the E0 SKU with LUIS, you'll need to create a new resource from the Azure portal and select E0 as the pricing tier. Users won't be able to upgrade from F0 to the new E0 SKU.

The Speech service doesn't currently support Customer Lockbox. However, customer data can be stored using bring your own storage (BYOS), allowing you to achieve data controls similar to Customer Lockbox. Keep in mind that Speech service data stays and is processed in the region where the Speech resource was created. This applies to any data at rest and data in transit. When using customization features, like Custom Speech and Custom Voice, all customer data is transferred, stored, and processed in the same region where your BYOS (if used) and Speech service resource reside.

Important

Microsoft does not use customer data to improve its Speech models. Additionally, if endpoint logging is disabled and no customizations are used, then no customer data is stored.

Next steps