Azure Cognitive Services security

Security should be a top priority when developing any application, and all the more so for applications that use artificial intelligence. This article outlines several aspects of Azure Cognitive Services security: the use of Transport Layer Security, authentication, securely configuring sensitive data, and Customer Lockbox for customer data access.

Transport Layer Security (TLS)

All Cognitive Services endpoints exposed over HTTP enforce TLS 1.2. Because the protocol version is enforced on the service side, a consumer calling a Cognitive Services endpoint needs to meet these requirements:

  • The client operating system (OS) needs to support TLS 1.2
  • The language (and platform) used to make the HTTP call needs to negotiate TLS 1.2 for the request
    • Depending on the language and platform, TLS 1.2 is selected either implicitly (the runtime uses the OS defaults) or explicitly (the code names the protocol version)

For .NET users, consider the Transport Layer Security best practices. In short: on .NET Framework 4.7 and later, and on .NET Core and .NET 5+, leave the protocol at the system default so the OS negotiates the strongest version it supports; only older .NET Framework targets need TLS 1.2 enabled explicitly, and hardcoding a single exact version should be a last resort, because it also blocks newer versions such as TLS 1.3.
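The following is an added example, not code from the original article or from the Cognitive Services SDKs. It shows both ways a .NET client ends up on TLS 1.2 for a Cognitive Services call: explicitly, by restricting the handler to TLS 1.2 and newer, and implicitly, by leaving the handler at the OS default. It assumes .NET 6 or later, and the resource host name is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added example: TLS version selection for calls to a Cognitive Services endpoint.
class TlsClientExample
{
    // Explicit: the handler will only negotiate TLS 1.2 or TLS 1.3. Older
    // protocols are refused by the client itself, so a downgrade below 1.2 is
    // impossible regardless of OS configuration. Tls13 in the mask is harmless
    // on an OS that lacks it; the handshake simply settles on 1.2.
    public static HttpClient CreateExplicitTls12Client()
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13
        };
        return new HttpClient(handler);
    }

    // Implicit: SslProtocols stays at its default (SslProtocols.None), which
    // means "use the operating system defaults". This is the recommended
    // setting on .NET Core/.NET 5+ and on .NET Framework 4.7+. On an OS that
    // does not support TLS 1.2 at all, the handshake fails, which is exactly
    // the first requirement in the list above.
    //
    // On .NET Framework older than 4.7 the equivalent explicit opt-in is:
    //   ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    public static HttpClient CreateOsDefaultClient() => new HttpClient();

    static async Task Main()
    {
        // Placeholder resource name; substitute your own endpoint.
        var endpoint = new Uri("https://example-resource.cognitiveservices.azure.com/");

        using var client = CreateExplicitTls12Client();

        // No key or token is sent on purpose: the point here is the handshake.
        // Any HTTP status (a 401 or 404 included) proves that TLS 1.2+ was
        // negotiated; a client that could only offer TLS 1.0/1.1 would throw
        // an HttpRequestException before any status is returned.
        using var response = await client.GetAsync(endpoint);
        Console.WriteLine($"TLS handshake succeeded; HTTP {(int)response.StatusCode}");
    }
}
```

To confirm the explicit variant really refuses a downgrade, temporarily set SslProtocols to SslProtocols.Tls11 alone and rerun: the call fails at the handshake, because the service will not accept anything below TLS 1.2.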

Authentication

When discussing authentication, there are several common misconceptions; in particular, authentication and authorization are often confused with one another. Identity is the third major component. An identity is a collection of information about a principal, and identity providers (IdPs) supply identities to authentication services. Authentication is the act of verifying that a caller is the identity it claims to be. Authorization is the specification of access rights and privileges to resources for a given identity. Several of the Cognitive Services offerings include Azure role-based access control (Azure RBAC), which can be used to simplify some of the ceremony involved in manually managing principals and their permissions. For more details, see Azure role-based access control for Azure resources.

For more information on authentication with subscription keys, access tokens, and Azure Active Directory (AAD), see Authenticate requests to Azure Cognitive Services.
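As an added example (not from the article and not SDK code), the snippet below applies the two authentication schemes the article points to, a resource key and an AAD access token, to the same HTTP request. It makes the distinction above concrete: the key only proves possession of a secret, while the token is bound to an identity that RBAC roles can be assigned to. It assumes the Azure.Identity NuGet package, .NET 6 or later, and two environment variable names chosen for this example, COGNITIVE_SERVICES_ENDPOINT and COGNITIVE_SERVICES_KEY; the request path is a placeholder rather than a specific API operation.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Core;       // TokenCredential, TokenRequestContext, AccessToken
using Azure.Identity;   // DefaultAzureCredential (NuGet: Azure.Identity)

// Added example: key-based vs identity-based authentication for Cognitive Services.
static class CognitiveServicesAuth
{
    // Scheme 1: resource key. Whoever holds the key is treated as the resource
    // owner, so the key must never be hardcoded, logged, or put in a URL query
    // string. It goes in the Ocp-Apim-Subscription-Key header.
    public static HttpRequestMessage WithSubscriptionKey(HttpRequestMessage request, string key)
    {
        request.Headers.Add("Ocp-Apim-Subscription-Key", key);
        return request;
    }

    // Scheme 2: Azure AD. The token identifies a user, service principal or
    // managed identity; what that identity may do is then decided by Azure RBAC
    // (for example the "Cognitive Services User" role), not by the token itself.
    public static async Task<HttpRequestMessage> WithAadTokenAsync(
        HttpRequestMessage request, TokenCredential credential)
    {
        // The audience for all Cognitive Services resources.
        var scopes = new[] { "https://cognitiveservices.azure.com/.default" };
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(scopes), default);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        return request;
    }

    static async Task Main()
    {
        // Variable names are an assumption of this example, not service requirements.
        string endpoint = Environment.GetEnvironmentVariable("COGNITIVE_SERVICES_ENDPOINT")
            ?? throw new InvalidOperationException("COGNITIVE_SERVICES_ENDPOINT is not set");
        string key = Environment.GetEnvironmentVariable("COGNITIVE_SERVICES_KEY");

        using var client = new HttpClient();
        // Placeholder path; a real call targets a specific API operation.
        var request = new HttpRequestMessage(HttpMethod.Get, endpoint);

        // Prefer the identity-based scheme; use the key only if one was provided.
        if (key is null)
        {
            // DefaultAzureCredential tries managed identity, environment
            // credentials, Azure CLI login, and so on, in order.
            await WithAadTokenAsync(request, new DefaultAzureCredential());
        }
        else
        {
            WithSubscriptionKey(request, key);
        }

        using var response = await client.SendAsync(request);
        // 401 here means authentication failed; 403 means the identity was
        // authenticated but is not authorized for the resource or operation.
        Console.WriteLine($"HTTP {(int)response.StatusCode}");
    }
}
```

The 401/403 split at the end is the practical face of the authentication/authorization distinction: a key can produce a 401 but never a 403 for lack of a role, because a key carries no identity for RBAC to evaluate.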

Environment variables and application configuration

Environment variables are name/value pairs stored within a specific environment. Using environment variables is a more secure alternative to hardcoding sensitive data such as resource keys in source code: hardcoded values are insecure, end up in version control and build artifacts, and should be avoided.

Caution

Do not use hardcoded values for sensitive data; doing so is a major security vulnerability.

Note

While environment variables are stored in plain text, they are isolated to an environment. If an environment is compromised, so too are the variables within that environment: anything that can read the process's environment (a debugger, a crash dump, or code running as the same user) can read the value. Treat environment variables as a step up from hardcoding, not as a secret store.

Set environment variable

To set an environment variable from the Windows Command Prompt, use the following command, where ENVIRONMENT_VARIABLE_KEY is the named key and value is the value stored in the environment variable.

Create and assign a persisted environment variable, given the value. setx writes the variable to the current user's persisted environment in the registry; it does not change the environment of the Command Prompt session that runs it.

:: Assigns the env var to the value (persisted for the current user).
:: setx takes the name and the value as two separate arguments; there is no "=".
setx ENVIRONMENT_VARIABLE_KEY "value"

In a new instance of the Command Prompt, read the environment variable. The instance that ran setx still does not see the new value.

:: Prints the env var value
echo %ENVIRONMENT_VARIABLE_KEY%

Tip

After setting an environment variable, restart your integrated development environment (IDE) so that the newly added variable is visible to the processes the IDE launches; a process inherits its environment when it starts and does not pick up later changes.

Get environment variable

To get an environment variable, it must be read into memory by the running process. Depending on the language you're using, consider the following code snippet. It demonstrates how to get the environment variable named ENVIRONMENT_VARIABLE_KEY and assign it to a variable named value. Note that the call returns null when the variable is not set, so the result should be checked before it is used as a key.

For more information, see Environment.GetEnvironmentVariable.

using static System.Environment;

class Program
{
    static void Main()
    {
        // Get the named env var, and assign it to the value variable.
        // GetEnvironmentVariable returns null when the variable is not set.
        var value =
            GetEnvironmentVariable(
                "ENVIRONMENT_VARIABLE_KEY");
    }
}
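The following is an added example, not part of the original article, that extends the snippet above with the handling a practitioner wants around it: a null result is turned into a clear startup error instead of an empty key being sent to the service, the loaded value is masked before anything is printed, and the per-target lookup shows why a variable written by setx is not visible to the same session until a new process starts. The names Require, Mask and Explain are this example's own.

```csharp
using System;
using static System.Environment;

// Added example: reading a secret from the environment with the failure modes handled.
static class SecretConfig
{
    // GetEnvironmentVariable returns null when the name is not set. Fail fast
    // at startup rather than letting a null or blank key reach the service,
    // where it would surface later as an opaque 401.
    public static string Require(string name)
    {
        string value = GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
        {
            // The message names the variable, never the value.
            throw new InvalidOperationException(
                $"Required environment variable '{name}' is not set.");
        }
        return value;
    }

    // Never write the secret itself to logs or the console; show only enough
    // to confirm that the expected value was loaded.
    public static string Mask(string secret) =>
        secret.Length <= 4 ? "****" : new string('*', secret.Length - 4) + secret[^4..];

    // setx stores the variable in the per-user registry hive (or, with /M, the
    // machine hive), not in the running process. Querying each target separately
    // makes the "open a new Command Prompt / restart the IDE" advice visible:
    // the value shows up under User before it shows up under Process.
    // On Linux and macOS the User and Machine targets always report false.
    public static void Explain(string name)
    {
        Console.WriteLine($"Process: {GetEnvironmentVariable(name, EnvironmentVariableTarget.Process) != null}");
        Console.WriteLine($"User:    {GetEnvironmentVariable(name, EnvironmentVariableTarget.User) != null}");
        Console.WriteLine($"Machine: {GetEnvironmentVariable(name, EnvironmentVariableTarget.Machine) != null}");
    }

    static void Main()
    {
        const string name = "ENVIRONMENT_VARIABLE_KEY";
        Explain(name);
        string value = Require(name);
        Console.WriteLine($"Loaded {name} = {Mask(value)}");
    }
}
```

Run it twice: once in the Command Prompt that executed setx (Process reports false, User reports true, and Require throws) and once in a fresh prompt, where Process reports true and the masked value prints.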

Next steps