Friday, October 27, 2023

Securing compute for Azure Machine Learning workspace:

An Azure Machine Learning compute instance is a managed cloud-based workstation dedicated to a single owner, usually for data analysis. It serves as a fully configured and managed development environment or as a compute target for training models and for inference. Models can be built and deployed using integrated notebooks and tools. A compute instance differs from a compute cluster in that it has a single node.

IT administrators prefer this compute for its enterprise readiness capabilities. They use IaC or Resource Manager templates to create instances for users. Using advanced settings or security settings, they can further lock down the instance, for example by enabling or disabling SSH or specifying the subnet for the compute instance. They might also need to prevent users from creating compute themselves. In all these cases, some control is necessary.

One option is to list the operations available on the resource and then set up role-based access control that limits some of them. This approach is favored because users can be switched between roles without affecting the resource or its deployment. It also works for groups, and users can be added to or removed from both groups and roles. Listing the operations enumerates the associated permissions, all of which begin with the provider as the prefix. This listing is thorough and covers all aspects of working with the resources. The custom role is described in terms of permitted ‘actions’, ‘data-actions’ and ‘not-actions’, where the first two correspond to control plane and data plane actions and the last corresponds to a deny set that takes precedence over the control and data plane actions. By selecting only the necessary action privileges and listing each under a specific category, without the categories overlapping, we create a custom role with just the minimum number of privileges needed to complete a set of selected tasks.
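The role-based approach above, sketched as an added example (not code from the original post): a custom role that lets a user operate compute an administrator has provisioned but not create or delete it, with a small evaluator for checking the definition before it is assigned. The role name and the scope are placeholders, and the evaluator is a simplified local model of wildcard matching within one role, not Azure's own evaluation code.

```python
import json
from fnmatch import fnmatchcase

ML = "Microsoft.MachineLearningServices/workspaces"

# Constructed role: use compute an administrator provisioned, never create or delete it.
ROLE = {
    "Name": "ML Compute User (example)",  # hypothetical name
    "IsCustom": True,
    "Description": "Use existing compute; cannot create or delete compute.",
    "Actions": [f"{ML}/read", f"{ML}/*/read", f"{ML}/computes/*"],
    "NotActions": [f"{ML}/computes/write", f"{ML}/computes/delete"],
    "DataActions": [],
    "NotDataActions": [],
    # Placeholder scope: substitute your own subscription and resource group.
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
}

def matches(patterns, operation):
    """True if any pattern ('*' wildcard, case-insensitive) covers the operation."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role, operation, data_plane=False):
    """Evaluate one role: permitted set minus the exclusion set."""
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return matches(role[allow], operation) and not matches(role[deny], operation)

def overlapping(role):
    """Entries that appear under more than one category."""
    seen, dupes = {}, set()
    for cat in ("Actions", "NotActions", "DataActions", "NotDataActions"):
        for pattern in role[cat]:
            if seen.setdefault(pattern.lower(), cat) != cat:
                dupes.add(pattern)
    return sorted(dupes)

if __name__ == "__main__":
    assert not overlapping(ROLE)
    for op in ("computes/write", "computes/delete", "computes/start/action", "computes/read"):
        print(f"{op:24} allowed={is_allowed(ROLE, f'{ML}/{op}')}")
    print(json.dumps(ROLE, indent=2))  # role definition document
```

The printed JSON is in the shape that `az role definition create --role-definition` accepts once the scope placeholder is filled in. The exclusion list is evaluated per role, so a second role assigned to the same user can still grant an operation this role excludes; review all of a user's assignments together.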

Another option is to supply an init script with the associated resource so that, as other users start using it, the init script sets the predefined configuration that they must work with. This allows some degree of control over the sub-resources and associated containers that an action needs in order to complete: by removing those resources, an action may not be permitted on a specific resource even if a role permits it on the resource type.

These are some techniques to secure the compute instance for an Azure Machine Learning workspace.

 
