
Commit 3e6ec68

Merge pull request #284297 from eric-urban/eur/use-key-vault
discourage environment variables for API key
2 parents 02b1c41 + 37e538e commit 3e6ec68

27 files changed, +94 -54 lines changed

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-csharp-multivariate.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
7272

7373
Create and assign persistent environment variables for your key and endpoint.
7474

75+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
76+
7577
# [Command Line](#tab/command-line)
7678

7779
```CMD
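
Review bot: the include lands after the sentence "Create and assign persistent environment variables for your key and endpoint.", so the reader is first told to persist the key in an environment variable and only then shown the Key Vault guidance; move the include above that sentence, or qualify the sentence (for example, "For local testing, create and assign...") so the recommendation precedes the instruction. Also, the included file `~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md` isn't among the files shown in this commit, so confirm it resolves in the docs build before merging.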

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-csharp.md

Lines changed: 3 additions & 2 deletions
@@ -76,6 +76,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
7676

7777
Create and assign persistent environment variables for your key and endpoint.
7878

79+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
80+
7981
# [Command Line](#tab/command-line)
8082

8183
```CMD
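
Review bot: same placement issue as in the multivariate C# quickstart: the Key Vault include follows "Create and assign persistent environment variables for your key and endpoint." instead of preceding it, so the discouragement arrives after the instruction. Put the include first or qualify the sentence as testing-only guidance.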
@@ -185,8 +187,7 @@ namespace anomaly_detector_quickstart
185187

186188
```
187189

188-
> [!IMPORTANT]
189-
> For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](/azure/key-vault/general/overview). For more information about credential security, see the Azure AI services [security](../../../security-features.md) article.
190+
Run the application with the following command:
190191

191192
```cmd
192193
dotnet run program.cs
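
Review bot: dropping the IMPORTANT block removes this quickstart's only link to the Azure AI services [security](../../../security-features.md) article; the include added earlier in the file replaces the Key Vault pointer, but unless it also links to security-features.md that cross-reference is lost. Consider keeping a one-line "For more information about credential security, see ..." after the code block.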

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-javascript.md

Lines changed: 4 additions & 4 deletions
@@ -25,9 +25,7 @@ Use the Anomaly Detector client library for JavaScript to:
2525

2626
* An Azure subscription - <a href="https://azure.microsoft.com/free/cognitive-services" target="_blank">Create one for free</a>
2727
* The current version of <a href="https://nodejs.org/" target="_blank">Node.js</a>
28-
* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector" title="Create an Anomaly Detector resource" target="_blank">create an Anomaly Detector resource </a> in the Azure portal to get your key and endpoint. Wait for it to deploy and select the **Go to resource** button.
29-
* You'll need the key and endpoint from the resource you create to connect your application to the Anomaly Detector API. You'll use the key and endpoint to create environment variables.
30-
You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production.
28+
* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector" title="Create an Anomaly Detector resource" target="_blank">create an Anomaly Detector resource </a> in the Azure portal to get your key and endpoint. Wait for it to deploy and select the **Go to resource** button. You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production.
3129

3230
## Set up
3331
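
Review bot: merging the two bullets drops the sentence that told the reader the key and endpoint are used to create environment variables, which fits this PR's intent, but the merged bullet now mixes two concerns (creating the resource and the pricing tier); the `F0` sentence read better as its own line after the list, as it was before. Minor: the link text `create an Anomaly Detector resource </a>` keeps a trailing space before `</a>`, which renders as an underlined space.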

@@ -76,6 +74,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
7674

7775
Create and assign persistent environment variables for your key and endpoint.
7876

77+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
78+
7979
# [Command Line](#tab/command-line)
8080

8181
```CMD
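
Review bot: as in the C# quickstarts, the Key Vault include is inserted after "Create and assign persistent environment variables for your key and endpoint."; the recommendation should come before the reader is told to persist the key in the environment.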
@@ -130,7 +130,7 @@ const { AzureKeyCredential } = require("@azure/core-auth");
130130
const { parse } = require("csv-parse/sync");
131131
const fs = require("fs");
132132

133-
// You will need to set this environment variables or edit the following values
133+
// Retrieve the endpoint and key from the environment variables.
134134
const apiKey = process.env["ANOMALY_DETECTOR_API_KEY"] || "";
135135
const endpoint = process.env["ANOMALY_DETECTOR_ENDPOINT"] || "";
136136
const timeSeriesDataPath = "./request-data.csv";
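
Review bot: the new comment says the values are retrieved from environment variables, but the code still defaults each to `""` via `|| ""`, so an unset variable silently yields an empty key or endpoint and the failure surfaces later as a rejected request rather than as a clear configuration error. The old comment at least told the reader to set the variables; replace the fallback with a fail-fast check, e.g.
`if (!apiKey || !endpoint) throw new Error("Set ANOMALY_DETECTOR_API_KEY and ANOMALY_DETECTOR_ENDPOINT.");`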

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-python-multivariate.md

Lines changed: 2 additions & 0 deletions
@@ -76,6 +76,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
7676

7777
Create and assign persistent environment variables for your key and endpoint.
7878

79+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
80+
7981
# [Command Line](#tab/command-line)
8082

8183
```CMD
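
Review bot: same ordering as the other quickstarts: the include follows "Create and assign persistent environment variables for your key and endpoint." rather than preceding it; place the Key Vault guidance before the instruction to persist the key.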

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-python.md

Lines changed: 2 additions & 0 deletions
@@ -52,6 +52,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
5252

5353
Create and assign persistent environment variables for your key and endpoint.
5454

55+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
56+
5557
# [Command Line](#tab/command-line)
5658

5759
```CMD
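
Review bot: the include is again placed after "Create and assign persistent environment variables for your key and endpoint."; move it above that sentence so the reader sees the Key Vault recommendation before persisting the key in the environment.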

articles/ai-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-rest-api.md

Lines changed: 2 additions & 0 deletions
@@ -32,6 +32,8 @@ Go to your resource in the Azure portal. The **Endpoint and Keys** can be found
3232

3333
Create and assign persistent environment variables for your key and endpoint.
3434

35+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
36+
3537
# [Command Line](#tab/command-line)
3638

3739
```CMD
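
Review bot: the REST quickstart has the same placement issue as the SDK quickstarts: the Key Vault include follows the instruction to create persistent environment variables instead of preceding it. Put the include first or qualify the sentence as local-testing guidance.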

articles/ai-services/TOC.yml

Lines changed: 2 additions & 2 deletions
@@ -76,6 +76,8 @@ items:
7676
href: authentication.md
7777
- name: Disable local authentication
7878
href: disable-local-auth.md
79+
- name: Use Azure key vault
80+
href: use-key-vault.md
7981
- name: Rotate keys
8082
href: rotate-keys.md
8183
- name: Use environment variables
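
Review bot: the entry's name is "Use Azure key vault" while the product name is "Azure Key Vault" (this same commit corrects "Azure KeyVault" to "Azure Key Vault" in authentication.md); rename it to "Use Azure Key Vault" for consistency. Moving the entry next to "Disable local authentication" and ahead of "Rotate keys" is the right place for it.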
@@ -84,8 +86,6 @@ items:
8486
href: ./encryption/cognitive-services-encryption-keys-portal.md
8587
- name: Use virtual networks
8688
href: cognitive-services-virtual-networks.md
87-
- name: Use Azure key vault
88-
href: use-key-vault.md
8989
- name: Configure data loss prevention
9090
href: cognitive-services-data-loss-prevention.md
9191
- name: Security baseline

articles/ai-services/authentication.md

Lines changed: 1 addition & 1 deletion
@@ -251,7 +251,7 @@ In this sample, a password is used to authenticate the service principal. The to
251251
```
252252

253253
> [!NOTE]
254-
> Anytime you use passwords in a script, the most secure option is to use the PowerShell Secrets Management module and integrate with a solution such as Azure KeyVault.
254+
> Anytime you use passwords in a script, the most secure option is to use the PowerShell Secrets Management module and integrate with a solution such as Azure Key Vault.
255255
256256
3. Call the Computer Vision API:
257257
```powershell-interactive
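
Review bot: the capitalization fix is correct, but the note still names the module loosely as "the PowerShell Secrets Management module"; the published module is Microsoft.PowerShell.SecretManagement, with Az.KeyVault providing the Key Vault extension vault, so naming it exactly (and linking it) would let a reader find it. Suggested wording: "use the Microsoft.PowerShell.SecretManagement module with an extension vault such as Azure Key Vault."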

articles/ai-services/cognitive-services-environment-variables.md

Lines changed: 7 additions & 6 deletions
@@ -1,19 +1,20 @@
11
---
22
title: Use environment variables with Azure AI services
33
titleSuffix: Azure AI services
4-
description: "This guide shows you how to set and retrieve environment variables to handle your Azure AI services subscription credentials in a more secure way when you test out applications."
5-
#services: cognitive-services
6-
author: PatrickFarley
4+
description: This guide shows you how to set and retrieve environment variables for your Azure AI services credentials when you test applications.
5+
author: eric-urban
76
manager: nitinme
87
ms.service: azure-ai-services
98
ms.topic: how-to
10-
ms.date: 01/20/2024
11-
ms.author: pafarley
9+
ms.date: 8/11/2024
10+
ms.author: eur
1211
---
1312

1413
# Use environment variables with Azure AI services
1514

16-
This guide shows you how to set and retrieve environment variables to handle your Azure AI services subscription credentials in a more secure way when you test out applications.
15+
This guide shows you how to set and retrieve environment variables for your Azure AI services credentials when you test applications.
16+
17+
[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
1718

1819
## Set an environment variable
1920
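
Review bot: `ms.date: 8/11/2024` drops the zero-padded month used by the line it replaces (`01/20/2024`); use `08/11/2024` so the front matter dates stay in one format across the set. The reworded description correctly no longer claims environment variables are "a more secure way", and with the include directly under the H1 the Key Vault recommendation now leads the guide, which is the right order.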

articles/ai-services/security-features.md

Lines changed: 10 additions & 11 deletions
@@ -2,35 +2,34 @@
22
title: Azure AI services security
33
titleSuffix: Azure AI services
44
description: Learn about the security considerations for Azure AI services usage.
5-
#services: cognitive-services
6-
author: PatrickFarley
5+
author: eric-urban
76
manager: nitinme
87
ms.service: azure-ai-services
98
ms.topic: conceptual
10-
ms.date: 01/20/2024
11-
ms.author: pafarley
9+
ms.date: 8/11/2024
10+
ms.author: eur
1211
ms.custom: devx-track-csharp
1312
---
1413

1514
# Azure AI services security
1615

1716
Security should be considered a top priority in the development of all applications, and with the growth of artificial intelligence enabled applications, security is even more important. This article outlines various security features available for Azure AI services. Each feature addresses a specific liability, so multiple features can be used in the same workflow.
1817

19-
For a comprehensive list of Azure service security recommendations see the [Azure AI services security baseline](/security/benchmark/azure/baselines/cognitive-services-security-baseline?toc=%2Fazure%2Fcognitive-services%2FTOC.json) article.
18+
For a comprehensive list of Azure service security recommendations, see the [Azure AI services security baseline](/security/benchmark/azure/baselines/cognitive-services-security-baseline?toc=%2Fazure%2Fcognitive-services%2FTOC.json) article.
2019

2120
## Security features
2221

2322
|Feature | Description |
2423
|:---|:---|
2524
| [Transport Layer Security (TLS)](/dotnet/framework/network-programming/tls) | All of the Azure AI services endpoints exposed over HTTP enforce the TLS 1.2 protocol. With an enforced security protocol, consumers attempting to call an Azure AI services endpoint should follow these guidelines:<ul><li>The client operating system (OS) needs to support TLS 1.2.</li><li>The language (and platform) used to make the HTTP call need to specify TLS 1.2 as part of the request. Depending on the language and platform, specifying TLS is done either implicitly or explicitly.</li><li>For .NET users, consider the [Transport Layer Security best practices](/dotnet/framework/network-programming/tls)</li></ul> |
26-
| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Microsoft Entra ID. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md). |
27-
| [Key rotation](./authentication.md)| Each Azure AI services resource has two API keys to enable secret rotation. This is a security precaution that lets you regularly change the keys that can access your service, protecting the privacy of your service in the event that a key gets leaked. To learn about this and other authentication options, see [Rotate keys](./rotate-keys.md). |
28-
| [Environment variables](cognitive-services-environment-variables.md) | Environment variables are name-value pairs that are stored within a specific development environment. You can store your credentials in this way as a more secure alternative to using hardcoded values in your code. However, if your environment is compromised, the environment variables are compromised as well, so this is not the most secure approach.</br></br> For instructions on how to use environment variables in your code, see the [Environment variables guide](cognitive-services-environment-variables.md). |
29-
| [Customer-managed keys (CMK)](./encryption/cognitive-services-encryption-keys-portal.md) | This feature is for services that store customer data at rest (longer than 48 hours). While this data is already double-encrypted on Azure servers, users can get extra security by adding another layer of encryption, with keys they manage themselves. You can link your service to Azure Key Vault and manage your data encryption keys there. </br></br>Only some services can use CMK; look for your service on the [Customer-managed keys](./encryption/cognitive-services-encryption-keys-portal.md) page.|
25+
| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.<br/><br/>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Microsoft Entra ID. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md).|
26+
| [Key rotation](./authentication.md)| Each Azure AI services resource has two API keys to enable secret rotation. This is a security precaution that lets you regularly change the keys that can access your service, protecting the privacy of your service if a key gets leaked. To learn about this and other authentication options, see [Rotate keys](./rotate-keys.md). |
27+
| [Environment variables](cognitive-services-environment-variables.md) | Environment variables are name-value pairs that are stored within a specific development environment. Environment variables are more secure than using hardcoded values in your code. For instructions on how to use environment variables in your code, see the [Environment variables guide](cognitive-services-environment-variables.md).<br/><br/>However, if your environment is compromised, the environment variables are compromised as well, so this isn't the most secure approach. The most secure authentication method is to use managed roles in Microsoft Entra ID. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md).|
28+
| [Customer-managed keys (CMK)](./encryption/cognitive-services-encryption-keys-portal.md) | This feature is for services that store customer data at rest (longer than 48 hours). While this data is already double-encrypted on Azure servers, users can get extra security by adding another layer of encryption, with keys they manage themselves. You can link your service to Azure Key Vault and manage your data encryption keys there.<br/><br/>Check to see if CMK is supported by the service that you want to use in the [Customer-managed keys](./encryption/cognitive-services-encryption-keys-portal.md) documentation.|
3029
| [Virtual networks](./cognitive-services-virtual-networks.md) | Virtual networks allow you to specify which endpoints can make API calls to your resource. The Azure service will reject API calls from devices outside of your network. You can set a formula-based definition of the allowed network, or you can define an exhaustive list of endpoints to allow. This is another layer of security that can be used in combination with others. |
3130
| [Data loss prevention](./cognitive-services-data-loss-prevention.md) | The data loss prevention feature lets an administrator decide what types of URIs their Azure resource can take as inputs (for those API calls that take URIs as input). This can be done to prevent the possible exfiltration of sensitive company data: If a company stores sensitive information (such as a customer's private data) in URL parameters, a bad actor inside that company could submit the sensitive URLs to an Azure service, which surfaces that data outside the company. Data loss prevention lets you configure the service to reject certain URI forms on arrival.|
32-
| [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md) |The Customer Lockbox feature provides an interface for customers to review and approve or reject data access requests. It's used in cases where a Microsoft engineer needs to access customer data during a support request. For information on how Customer Lockbox requests are initiated, tracked, and stored for later reviews and audits, see the [Customer Lockbox guide](../security/fundamentals/customer-lockbox-overview.md).</br></br>Customer Lockbox is available for the following services:<ul><li>Azure OpenAI</li><li>Translator</li><li>Conversational language understanding</li><li>Custom text classification</li><li>Custom named entity recognition</li><li>Orchestration workflow</li></ul>|
33-
| [Bring your own storage (BYOS)](./speech-service/speech-encryption-of-data-at-rest.md)| The Speech service doesn't currently support Customer Lockbox. However, you can arrange for your service-specific data to be stored in your own storage resource using bring-your-own-storage (BYOS). BYOS allows you to achieve similar data controls to Customer Lockbox. Keep in mind that Speech service data stays and is processed in the Azure region where the Speech resource was created. This applies to any data at rest and data in transit. For customization features like Custom Speech and Custom Voice, all customer data is transferred, stored, and processed in the same region where the Speech service resource and BYOS resource (if used) reside. </br></br>To use BYOS with Speech, follow the [Speech encryption of data at rest](./speech-service/speech-encryption-of-data-at-rest.md) guide.</br></br> Microsoft does not use customer data to improve its Speech models. Additionally, if endpoint logging is disabled and no customizations are used, then no customer data is stored by Speech. |
31+
| [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md) |The Customer Lockbox feature provides an interface for customers to review and approve or reject data access requests. It's used in cases where a Microsoft engineer needs to access customer data during a support request. For information on how Customer Lockbox requests are initiated, tracked, and stored for later reviews and audits, see the [Customer Lockbox guide](../security/fundamentals/customer-lockbox-overview.md).<br/><br/>Customer Lockbox is available for the following services:<ul><li>Azure OpenAI</li><li>Translator</li><li>Conversational language understanding</li><li>Custom text classification</li><li>Custom named entity recognition</li><li>Orchestration workflow</li></ul>|
32+
| [Bring your own storage (BYOS)](./speech-service/speech-encryption-of-data-at-rest.md)| The Speech service doesn't currently support Customer Lockbox. However, you can arrange for your service-specific data to be stored in your own storage resource using bring-your-own-storage (BYOS). BYOS allows you to achieve similar data controls to Customer Lockbox. Keep in mind that Speech service data stays and is processed in the Azure region where the Speech resource was created. This applies to any data at rest and data in transit. For customization features like Custom Speech and Custom Voice, all customer data is transferred, stored, and processed in the same region where the Speech service resource and BYOS resource (if used) reside.<br/><br/>To use BYOS with Speech, follow the [Speech encryption of data at rest](./speech-service/speech-encryption-of-data-at-rest.md) guide.<br/><br/>Microsoft doesn't use customer data to improve its Speech models. Additionally, if endpoint logging is disabled and no customizations are used, then no customer data is stored by Speech. |
3433

3534
## Next steps
3635
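
Review bot: in the "Key rotation" row the feature link still points at `./authentication.md` while the sentence sends the reader to `[Rotate keys](./rotate-keys.md)`; point the row's link at rotate-keys.md. Both the "Authentication options" and the new "Environment variables" text recommend "managed roles in Microsoft Entra ID", which isn't an Azure term; say "Microsoft Entra ID authentication (managed identities with Azure role assignments)" or similar, and since the environment-variables row now repeats the last two sentences of the authentication row verbatim, a single "see [Authentication options](./authentication.md)" would avoid the duplication. The same `ms.date: 8/11/2024` vs `01/20/2024` format point applies to this file's front matter.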
