In this vlog I discuss some misconceptions around ChatGPT and Azure OpenAI, including:
Who owns ChatGPT, OpenAI, and how Microsoft got involved
Security and privacy concerns about Azure OpenAI and ChatGPT
How each of the services is consumed and billed
Take a look to find out more!
ChatGPT vs. Azure OpenAI

Ownership
ChatGPT: Owned by OpenAI LP, the for-profit arm of OpenAI, the non-profit whose mission is the development of society.
Azure OpenAI: Part of the Azure AI offerings, delivered as APIs. Microsoft is an investor in OpenAI with exclusive rights to the technology generated.

Security
ChatGPT: Insecure and open to the public. The LLM is trained on the dataset created for GPT-3 and currently only references data from 2021 and earlier. Questions and interactions are captured and can be used for further training.
Azure OpenAI: Secured to an Azure tenant, using GPT-4, GPT-3.5, Codex and DALL-E. Tenants must request access, which reduces the chances of the AI being used for malicious purposes. Prompt data is not stored, and the model is not trained on the data you add.

Costs
ChatGPT: Free during preview stages, or paid for better hardware availability.
Azure OpenAI: Based on a consumption model like other Azure Cognitive Services. The biggest expense is re-training the model you've deployed on your data.
If you're like most, security is at the forefront of your mind for your organization. You need the right tools and the right team to keep up with an increasing number of sophisticated threats while security teams are being inundated with requests and alerts.
Today I’d like to tell you about Microsoft’s reimagined SIEM tool Azure Sentinel.
Over the past 10 to 15 years, Security Information and Event Management (SIEM) has become extremely popular as an aggregation solution for the security events that happen in our networks.
There are also software tools, hardware appliances and managed
service providers that can help support your corporate needs to better
understand the level of risks in real-time and over a span of time. They
do things such as log aggregation, event correlation and forensic
analysis and offer features for alerting, dashboarding and compliance
checks.
These are great resources to help secure our environment, our users and devices. But unfortunately, the reality is that security teams are being inundated with requests and alerts. Combine this with the noteworthy shortage of security professionals in the world – an estimated 3.5 million unfilled security jobs by 2021 – and this is a major concern.
Microsoft decided to take a different approach with Azure Sentinel. Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. It makes it easy to collect data across your entire hybrid organization on any cloud, from devices to users to applications to servers. Azure Sentinel uses the power of AI to ensure you’re quickly identifying real threats.
With this tool:
You'll eliminate the burden of traditional SIEMs, since there is no need to spend time setting up, maintaining and scaling the infrastructure that other SIEMs require.
Since it’s built on Azure, it offers virtually limitless cloud scale while addressing all your security needs.
Now let's talk cost. Traditional SIEMs have proven to be expensive to own and operate, often requiring you to commit upfront and incur high costs for infrastructure maintenance and data ingestion. With Sentinel, you pay for what you use with no up-front costs. Even better, because of Microsoft's relationships with so many enterprise vendors (and more partners being added), it easily connects to popular solutions, including Palo Alto Networks, F5 Networks, Symantec and Check Point offerings.
Azure Sentinel integrates with the Microsoft Graph Security API, enabling you to import your own threat intelligence feeds and to customize threat detection and alert rules. Custom dashboards give you a view tailored to your specific use case.
Lastly, if you’d like to try this out for free, Microsoft is
allowing you to connect to your Office 365 tenant to do some testing and
check it out in greater detail. This product is currently in
preview, so there may be some kinks but I’m looking forward to seeing
how it develops in the future, as a true enterprise-class security
solution for your environment, whether in the cloud, on premises, in
data centers or remote users or devices.
In some past blogs I’ve discussed Azure Data Box and how the Data Box family has expanded. Today I’ll talk about Azure Data Box Edge (in preview) and elaborate on the machine learning service that it provides in your premises with the power of Azure behind it.
If you don't know, Azure Data Box Edge is a physical hardware device that sits in your environment and collects data from sources like IoT devices and other sources where you might take advantage of the AI features offered by the device. It then sends the data to Azure for further processing, storage or reporting.
Microsoft recently announced Azure Machine Learning hardware accelerated models, provided by Project Brainwave, on the Data Box Edge. Because so much of our data comes from real world applications at the edge of our networks – like images and video collected from factories, retail stores or hospitals – it can now be used for things such as manufacturing defect analysis, inventory out-of-stock detection or diagnostics.
By applying machine learning models to the data on Data Box Edge, you get lower latency (and savings on bandwidth cost), as we don't have to send all the data to Azure for analysis. But it still offers real time insight and speed to action for critical business decisions.
You can enable data scientists to simplify and accelerate the building, training and deployment of machine learning models using the Azure Machine Learning Service, which is already generally available. They can access all these capabilities in their favorite Python environment, using the latest open source frameworks such as PyTorch, TensorFlow and scikit-learn.
These models can run on CPUs and GPUs, but this preview expands that to field programmable gate arrays (FPGAs), which is the processor on the Data Box Edge.
The preview is currently a bit limited but, in this case, you're able to extend the Azure Machine Learning Service by training a TensorFlow model for image classification scenarios. So, you would containerize that model in a Docker container and then deploy it to the Data Box Edge IoT Hub.
A good use case for this is if you’re using AI models for quality control purposes. Let’s say you know what a finished product should look like and what the quality specs are, and you build a model defining those parameters. Then you take an image of that product as it comes off the assembly line; now you can send those images to the Data Box Edge in your environment and more quickly capture defects.
Now you’re finding the root cause of defects quicker and throwing away fewer defective products and therefore, saving money. I’m looking forward to seeing how enterprises are going to leverage this awesome technology.
How important is secure identity management to you? If you're like most, it is a top priority. In today's post I'll talk about Azure Active Directory B2C, which is an identity management service that enables you to customize and control how users securely interact with your web, desktop, mobile or even single-page applications.
Using Azure AD B2C, users can sign up, sign in, reset passwords and edit profiles for the various applications they’re using.
When implementing these policies, we’ll have two choices:
Using common identity user flows within the Azure portal or,
For the more skilled developer or if the templates in the portal
don’t support your use case, you can use XML based custom policies.
Once you make that decision, your choice will define the path of
authentication, commonly referred to as the user journey. User journeys
allow you to control behaviors by configuring some settings; things like
social accounts (like Facebook) that the user uses to sign up for the
application.
Data collected from the user, such as a first name or postal code, can be used during authentication. You also have multi-factor authentication options, as well as control over the look and feel of how users interact with pages and what information is returned to the application.
Azure Active Directory B2C supports the OpenID Connect and OAuth 2.0 protocols for these user journeys. Through these protocols the application ultimately receives a token that allows you to be authenticated.
The interaction of every application follows a similar high-level
pattern shown in the graphic below:
The steps here are:
1. The application directs the user to run a policy.
2. The user completes the policy according to the policy definition.
3. The application receives a token.
4. The application then uses that token to try to access a resource.
5. The resource server validates the token to verify that access can be granted.
6. The application periodically refreshes the token in the background (there really are 5 steps; this 6th step happens over and over).
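As an added illustration of steps 3 to 5 (example code, not from the original post), here is a minimal resource-server check in Python of the claims a B2C-issued token carries: issuer, audience, the policy that was run, and validity window. The tenant id, API app id, policy name and HS256 shared secret are constructed placeholders; a real B2C token is RS256-signed and verified against the tenant's published signing keys, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for a hypothetical B2C tenant, policy and API.
TENANT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder tenant id
EXPECTED_ISSUER = f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/"
EXPECTED_AUDIENCE = "11111111-1111-1111-1111-111111111111"    # placeholder API app id
EXPECTED_POLICY = "B2C_1_signupsignin"                         # the user flow that was run
SECRET = b"constructed-demo-secret"                            # HS256 stand-in for RS256 keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for step 3: the token the identity provider hands the application."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, now=None, secret: bytes = SECRET):
    """Step 5: the resource server decides whether access can be granted.

    Returns (True, subject) on success or (False, reason) on failure.
    The signature is verified before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return False, "unexpected alg"   # never accept 'none' or an algorithm downgrade
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError):
        return False, "malformed token"

    # Each check pins the token to this tenant, this API and this user journey.
    checks = [
        (claims.get("iss") == EXPECTED_ISSUER, "wrong issuer"),
        (claims.get("aud") == EXPECTED_AUDIENCE, "wrong audience"),
        (claims.get("tfp") == EXPECTED_POLICY, "unexpected policy"),
        (claims.get("nbf", 0) <= now, "not yet valid"),
        (now < claims.get("exp", 0), "expired"),
        (bool(claims.get("sub")), "missing subject"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                         "tfp": EXPECTED_POLICY, "sub": "user-123",
                         "nbf": now, "exp": now + 3600})
    print(validate_token(token, now=now))
```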
Azure AD B2C can also work with additional identity providers such as
Amazon, Facebook and Google that will create, maintain and manage
identity information while providing authentication services to their
(and other) applications.
Typically, you would only use one identity provider in your
application but there are no restrictions for using more if your use
case calls for it.
The main value for this service is the ability to lessen the
need for username and password management for so many applications, thus
improving the user experience. Our lives have been made a bit easier
since we now have many applications, both web and desktop based, that
allow that single sign on or no sign on experience because they are
already pre-authenticated with a service like this.
We're all dealing with many usernames and passwords in our everyday life, right? Today I'd like to talk about an authentication feature within Azure Active Directory that can help you with easier, faster access.
Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO)
automatically signs users in when they are on their corporate devices
connected to their corporate network. When this is enabled, users don’t
have to type their passwords, or even their username, to sign in to
Azure Active Directory.
This feature provides users with easy access to cloud-based applications without needing any additional on premises components.
First let’s discuss how this is set up:
SSO is enabled using Azure AD Connect. The following steps occur while enabling this feature:
A computer account representing Azure AD is created in your on-premises Active Directory, in each AD forest.
The computer account's Kerberos decryption key is shared securely with Azure AD, and then 2 Kerberos service principal names (SPNs) are created to represent the 2 URLs that are used during Azure AD sign-on.
Authenticating in Browser
When doing authentication from a web browser for a web app, essentially a user navigates to a website and signs into Azure AD (see below).
Azure AD sends a Kerberos request to on-premises AD, and on-premises AD looks for an account related to the device you're signing in on and a user account. If authorized, you get access.
Authenticating with Native Application
For a native client, like Outlook for instance, the process is a bit different (see below).
Here, the request is made from the device you're using and authenticated against Azure AD, with a Kerberos ticket issued when it is successful.
When that ticket is authenticated against Azure AD and approved, a SAML token is sent to the app. Then it gets sent back to AAD for OAuth 2.0 authentication.
Once all that checks out, access is granted.
Now let’s talk about the benefits.
First, it’s a much better user experience. Users are automatically signed in both on premises and cloud-based applications using their built-in authentication, so there’s no need for users to repeatedly reenter their passwords.
It’s also easy to deploy and administer. There are no additional components needed on premises; it synchronizes your Azure Active Directory to your AD. Plus it works with any method of cloud authentication using password hash synchronization or pass through authentication.
Additionally, it can be rolled out to only some or all of your users by using group policy.
So, this is a great way to allow users to have multiple authentications into multiple websites and applications using only one authentication tool. This will minimize the amount of administration required to set up those users once it’s in place. And it should reduce the number of password resets for your help desk team or whomever oversees that.
Security is, or should be, a top priority; nothing is more important than making your enterprise secure. In this post I'll tell you 5 ways Azure makes your enterprise more secure.
First off, Azure is a Microsoft product. When you’re one of the
world’s largest companies, there are an enormous amount of threats that
need to be evaluated every second of the day. So, obviously Microsoft is
aware of these challenges.
With that in mind, Microsoft developed centers of excellence over the past ten years in order to be ready for these attacks.
The Microsoft Threat Intelligence Center processed over 6.5 trillion signals so they could better understand what kinds of information and what types of attack vectors there are.
Each month they block over 5 billion distinct malware
threats. And they staff over 3500 security professionals in their
defense operations centers to help thwart these attacks. Since
Active Directory is a standard for user authentication control, they
introduced Azure Active Directory years ago to extend that to their
Azure platform.
All that being said, here are 5 ways that Azure makes your enterprise more secure:
1. Minimize the requirement for password use – By using Microsoft Authenticator and connecting it to Software as a Service applications (like Dropbox, Salesforce, etc.), the authenticator replaces your password with a multi-factor sign-in using something like your phone and your fingerprint, Face ID or a PIN, based on the Windows device you're using.
With 2-factor authentication on those devices, you have a simpler method instead of remembering a bunch of different passwords.
2. Security Scorecard – A while back I did a post on the Azure Secure Score and the Secure Score Center.
With this, you’re using the Azure portal for having awareness where
there are potentials for exposure or for best practices that need to be
followed which helps your organization stay better secured.
3. Microsoft Threat Protection Suite – Helps detect,
investigate and remediate issues across your organization, including
endpoints, email, documents, identity and infrastructure elements. It
also helps your security team automate many of those manual, mundane
security tasks.
4. Confidentiality – Microsoft was the first cloud vendor to introduce confidentiality and integrity for data while it's in use. So, consumers don't have to worry about their data being put in the wrong hands (like with some of those other cloud vendors you may have heard about recently in the news).
Data is always encrypted at rest and in transit. The security will
soon extend to the chip level for added security on certain Azure VMs.
Intel has built in some security measures inside their chips and now
Microsoft is going to interact directly with those chips to keep you
more secure.
5. Microsoft Information Protection Service – This
enables you to automatically discover, classify, label, protect and
monitor data no matter where it lives or travels on your Microsoft
devices.
We're now seeing many more open source capabilities, and more of these applications being brought to Macs and Linux PCs, for instance. Essentially this labeling capability is built into Office apps across all the major platforms and can add protection to things like PDF documents, a feature currently in preview.
The idea is that it will help protect you from things such as PII being exposed. So, it's an added level of protection to ensure there are no security leaks.
So, it’s clear from all this that Microsoft not only has a
commitment to securing their own services and software, but also
enterprises and individuals are of critical importance when talking
about security.
If you’re concerned about security, check out some of the things I mentioned here and remember, Microsoft is making the investment and doing all they can to keep things secure.
Most of us are starting to deploy more and more cloud assets. When you deploy assets in Azure, you basically build out a virtual network, and you can set it up to tie in with your on-premises network through ExpressRoute or VPN, or run it independently in the cloud. The question is, how do you monitor and manage that virtual network, its components and how the virtual machines interact? Here's where Azure Network Watcher comes in.
Azure Network Watcher allows you to monitor, diagnose and gain insight into your network performance between various points in your network infrastructure.
Here’s a breakdown of some of the elements:
1. The Monitoring Element – You can monitor from one
endpoint to another with connection monitor to ensure connectivity
between 2 points, like a web application and a database for instance.
You’ll be alerted with potential issues such as a disconnect between
those two services.
It also monitors latency for evaluation. When you look at latency over a period, you'll know the average, maximum and minimum, and can then consider whether you might get better service from a different Azure region.
2. The Network Performance Monitor – Allows monitoring between Azure and on-premises resources for hybrid scenarios using VPN or ExpressRoute. It also has advanced detection of traffic blackholing and routing errors – in other words, some advanced intelligence when it comes to these network issues.
Best of all, as you add more endpoints it will develop a visual diagram of your network with a topology tool, which looks like a Visio diagram showing IP addresses, host names, etc.
3. Diagnostic Tools – From a diagnostic standpoint
there are several diagnostic tools that give you better insight into
your virtual network by diagnosing possible causes of traffic issues.
IP Flow – Tells you which security rule
allowed or denied traffic to or from a virtual machine in your virtual
network for further inspection or remediation.
Another tool tests communication for routing rules by letting us add a
source and destination IP, then shows the results of that route, again
to investigate further or remediate.
The Connection Troubleshooting Tool – Enables you to test a connection between two VMs, FQDNs, URIs or IPv4 addresses and returns information like the Connection Monitor, but only for that point in time, not over a span of time.
The Packet Capture Tool – Allows traffic to and from a virtual machine to be captured with fine-grained filtering, stored in Azure Storage and further analyzed with packet capture tools like Wireshark, for instance.
4. Metrics Tools – There are some limitations as to
how many resources you can deploy within an Azure network which can be
based on subscriptions or regions. The Metric Tool gives you the
visibility that you need to understand exactly where you are inside of
those limitations. It shows you how many of those resources you’ve
deployed and how many are still available that you can deploy – so it
helps you set up planning for the future as you deploy more and more
resources.
5. Logging – We've done some interesting things with Log Analytics. Log Analytics provides the ability to capture data about a number of Azure networking components, like network security groups, public IP addresses, load balancers, virtual networks and application gateways, to name a few.
All these logs can be captured and stored in Azure storage and
further analyzed. Many can be fed into Operations Management Studio
(OMS). This gives you a single pane of glass experience when you want to
look at your environment at that “50,000-foot level”.
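To make the IP Flow tool under Diagnostic Tools above concrete, here is an added Python model (not code from the post or from Network Watcher) of how a network security group answers "which rule allowed or denied this flow": rules are walked in priority order, lowest number first, and the first match decides. The VNet address space, the custom rules and the 5-tuples are constructed; the three default inbound rules and the Azure load balancer probe address are Azure's own.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the VNet's address space, used here to resolve the VirtualNetwork
# and Internet service tags. The real service expands tags from Azure's prefix lists.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


@dataclass
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, service tag or "*"
    destination: str
    dest_ports: str    # "443", "1024-65535", "22,3389" or "*"


def _address_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def ip_flow_verify(rules, direction, protocol, source_ip, dest_ip, dest_port):
    """Return (access, rule name) for the first rule, by priority, matching the flow."""
    ordered = sorted((r for r in rules if r.direction == direction),
                     key=lambda r: r.priority)
    for rule in ordered:
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _address_matches(rule.source, source_ip):
            continue
        if not _address_matches(rule.destination, dest_ip):
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no matching rule>"   # unreachable while DenyAll* defaults are present


# Azure's default inbound rules (priority 65000 and above) plus constructed custom rules.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]
CUSTOM_INBOUND = [
    NsgRule("Allow-HTTPS-In", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    NsgRule("Allow-SSH-Mgmt", 150, "Inbound", "Allow", "Tcp", "10.0.100.0/24", "*", "22"),
    NsgRule("Deny-SSH-Internet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
]
NSG = CUSTOM_INBOUND + DEFAULT_INBOUND

if __name__ == "__main__":
    # Constructed flows: SSH from the internet is denied, from the management subnet allowed.
    print(ip_flow_verify(NSG, "Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22))
    print(ip_flow_verify(NSG, "Inbound", "Tcp", "10.0.100.7", "10.0.1.4", 22))
```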
So, as you begin to deploy more and more assets into your Azure
environment, this is a helpful service to monitor and manage your
virtual network. You get a high-level overview of what that network
looks like.
Security is a top priority for every business and we can never have enough of it, right? But at what point does it become too much to administer and prioritize security threats? I'm excited to tell you about a newly announced offering called Azure Secure Score which is part of the Azure Security Center.
If you’re unfamiliar, the Azure Security Center is a centralized
place where you can get security recommendations based on the workloads
you’ve deployed. In September at Ignite, Microsoft announced Secure
Score as a security analytics tool that provides visibility of your
organization’s security posture, as well as help you understand how
secure your workloads are by assigning them a score.
The new Secure Score helps you prioritize and triage your response to
security recommendations. It takes into consideration the severity and
impact of the recommendation and based on that info it assigns a
numerical value to show how fixing the recommendation can improve your
security posture.
Once you implement a recommendation, the score and the overall Secure Score updates.
The main goals of Secure Score are:
Provide the capabilities that allow you to visualize your security posture.
Quickly triage and suggest impactful actions that increase your security posture.
Measure the security of your workloads over time.
So, how do Azure Security Center and Secure Score work?
Azure Security Center constantly reviews your active recommendations and calculates your Secure Score based on these.
The score of a recommendation is derived from its severity and
security best practices that will affect your workload security over
time.
It looks at your security and where you sit over a period. It’s not
an immediate result and it won’t immediately change but it’s going to
help you build up your score as you implement any recommendations and
then you can silence them.
The Secure Score is calculated based on the ratio between your
healthy resources and your total resources. If the number of healthy
resources is equal to your total resources, you get the highest score
value.
The overall score is an accumulation of all your recommendations.
You can view your overall Secure Score across your subscriptions or
management groups depending on the scope you select. The score will also
vary based on the subscriptions selected and the active recommendations
on them.
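As an added worked example (not code from the post or from Security Center), here is the scoring model described above in Python: each recommendation's score is its maximum value scaled by the ratio of healthy to total resources, the overall score sums the recommendations in the selected scope, and triage orders them by points to be gained. The severity weights, subscription names and recommendation counts are constructed; real weights differ per recommendation.

```python
from dataclasses import dataclass

# Assumption: each severity carries a fixed maximum score. Real Secure Score
# weights differ per recommendation; these constructed values only illustrate
# the ratio-based calculation.
MAX_SCORE_BY_SEVERITY = {"High": 10, "Medium": 5, "Low": 2}


@dataclass
class Recommendation:
    name: str
    severity: str
    subscription: str
    total_resources: int      # resources the recommendation applies to
    healthy_resources: int    # resources that already comply

    @property
    def max_score(self) -> int:
        return MAX_SCORE_BY_SEVERITY[self.severity]

    @property
    def current_score(self) -> float:
        # Ratio of healthy to total resources; all healthy gives the full value.
        if self.total_resources == 0:
            return 0.0
        return self.max_score * self.healthy_resources / self.total_resources

    @property
    def potential_gain(self) -> float:
        return self.max_score - self.current_score


def secure_score(recs, subscriptions=None):
    """Overall score for the selected scope (every subscription when None).

    Returns (current, maximum, percentage). Recommendations with no applicable
    resources are left out of both numerator and denominator (assumption: they
    count as not applicable rather than unhealthy).
    """
    scoped = [r for r in recs if subscriptions is None or r.subscription in subscriptions]
    applicable = [r for r in scoped if r.total_resources > 0]
    current = sum(r.current_score for r in applicable)
    maximum = sum(r.max_score for r in applicable)
    pct = 100.0 * current / maximum if maximum else 100.0
    return round(current, 2), maximum, round(pct, 1)


def triage(recs):
    """Recommendation names ordered by points gained if fully remediated."""
    applicable = [r for r in recs if r.total_resources > 0]
    return [r.name for r in sorted(applicable, key=lambda r: r.potential_gain, reverse=True)]


# Constructed sample recommendations across two subscriptions.
RECOMMENDATIONS = [
    Recommendation("Apply system updates", "High", "sub-prod", 10, 4),
    Recommendation("Restrict management ports with NSGs", "High", "sub-prod", 8, 8),
    Recommendation("Enable MFA for privileged accounts", "Medium", "sub-dev", 5, 0),
    Recommendation("Enable diagnostic logs", "Low", "sub-dev", 20, 15),
    Recommendation("Encrypt managed disks", "Medium", "sub-dev", 0, 0),
]

if __name__ == "__main__":
    print("all subscriptions:", secure_score(RECOMMENDATIONS))
    print("sub-prod only:", secure_score(RECOMMENDATIONS, {"sub-prod"}))
    print("fix first:", triage(RECOMMENDATIONS))
```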
Remember, this is a marathon, not a sprint. It takes time to do the
remediation, whether it be patching machines or closing ports or
shutting off services. There are so many remedies offered that will make
you more secure down the road. With this offering, you get a
‘scorecard’ for yourself and a look at what’s most imperative to
implement first.
Be sure to check out the Azure Security Center. There are a lot of free options there as well as options to add additional services at a cost.
In the digital world we live in today, it's getting harder to verify identity in industries such as banking. We now do fewer and fewer transactions in person. No longer do we go into banks with passbook in hand and make deposits or withdrawals face to face with a bank teller. Many of us have moved from ATM transactions to digital banking.
With this move, banks have tried many approaches of 2-factor
authentication, some better than others and obviously the need is there
for secure forms of authentication for the users. Let me tell you how
Azure is driving identity security in banking using biometric
identification. By combining biometrics with artificial intelligence,
banks are now able to take new approaches at verifying the digital
identity of their customers and prospects.
If you don't know, biometrics is the process of uniquely identifying a person by their physical and personal traits. These are recorded into a database, and the images or features captured on an electronic device are used as a unique form of identification. Some biometric methods in use are fingerprint and facial recognition, hand geometry, iris or eye scans and even odor or scent.
Because of their uniqueness, these are much more reliable in
confirming a person’s identity than a password or access card. So, how
do you verify a person is who they say they are if they’re not in
person? Microsoft partners are now leveraging some of the Azure platform
offerings to do this—things such as Cognitive Service’s Vision API and
Azure Machine Learning tools for performing multi-factor authentication
in the banking industry.
The way this works is the user provides a government issued ID (a
license or passport for example) and they validate it against standards
provided by the ID issuer, so they’re building an algorithm for
verification of that ID and putting that into a database. So, when
someone submits an ID from a particular state, we know what that ID is
supposed to look like and we look for all the distinguishing features of
that ID.
To take this a step further, the second factor is facial recognition software on things like your phone or computer, like Face ID for the iPhone. It will take your photo, but it will also take a video of you and make you move your head in certain ways in order to validate that it is you – you're not wearing a mask or something – and that you're alive.
It takes a picture of your ID and matches it to your facial features, comparing them side by side; this becomes your digital signature. This is considered extremely secure, as you now have two forms of verification and you're using biometrics. Crazy stuff when you think about it, but in the digital world we live in, you must go to these lengths to verify someone's identity when they are not right in front of you.
This is still in the early phase of what we’ll see but it’s cool to
see how it’s being used and will be interesting to see how it progresses
in the future. We’ve got great consultants working with Cognitive
Services and Machine Learning. Anything data or Azure related, we’re
doing it.
So, what do you know about Azure Automation? In this post, I'll fill you in on this cool, cloud-based automation service that provides you the ability to configure process automation, update management and system configuration, which is managed across your on-premises resources, as well as your Azure cloud-based resources.
Azure Automation provides complete control of the deployment, operation and decommissioning of workloads and resources in your hybrid environment. So, we can have a single pane of glass for managing all our resources through automation.
Some features I’d like to point out are:
It allows you to automate those mundane, error-prone activities that you perform as part of your system configuration and maintenance.
You can create Runbooks in PowerShell or Python that help you reduce the chance of misconfiguration errors. This also helps lower the operational costs of maintaining those systems, as you can script the work to run when you need it instead of doing it manually.
The Runbooks can be developed for on-premises or Azure resources, and they use webhooks that allow you to trigger automation from things such as ITSM, DevOps and monitoring systems. So, you can run these remotely and trigger them from wherever you need to.
On the configuration management side, you can build desired state configurations for your enterprise environment. This will help you set a baseline for how your systems will operate and will identify when there's a variance from the initial system configuration, alerting you to any anomalies that could be problematic.
It has a rich reporting back end and alerting interface for full visibility into what's happening in your Windows and Linux systems – on-premises and in Azure.
It gives you update management (for Windows and Linux) to help you define how updates are applied. Administrators can specify which updates will be deployed, see successful and unsuccessful deployments, and specify which updates should not be deployed to systems, all done through PowerShell or Python scripts.
It can share capabilities, so when you're using multiple resources or building Runbooks for automation, it allows you to share the resources to simplify management. You can build multiple scripts but use the same resources over and over as references for things like role-based access control, variables, credentials, certificates, connections, schedules and access to source control and PowerShell modules. You can check these in and out of source control like any kind of code-based project.
Lastly, and one of the coolest features in my opinion: since these are templates you're deploying out to your systems, and everyone has similar challenges, there's a community gallery where you can download templates others have created or upload ones you've created to share. With a few basic configuration tweaks and a review to make sure they're secure, this is a great option for making the process faster by finding an existing script, cleaning it up and deploying it in your systems and environment.
So, there’s a lot you can do with this service and I think it’s worth
checking out as it can make your maintenance and management much
simpler.