Securing compute for azure machine learning
workspace:
An Azure machine learning compute instance is a
managed cloud-based workstation dedicated to a single owner usually for data
analysis. It serves as a fully configured and managed development environment
or as a compute target for training of models and inference. Models can be
build and deployed using integrated notebooks and tools. A compute instance
differs from a compute cluster in that it has a single node.
IT administrators prefer this compute for
enterprise readiness capabilities. They leverage IaC or resource manager
templates to create instances for users. Using advanced settings or security
settings, they can further lockdown the instance such as enabling or disabling
the ssh or specifying the subnet for the compute instance. They might also
require to prevent users from creating compute themselves. In all these cases,
some control is necessary.
One option is to list the operations available on
the resource and then setting up role-based access control limiting some of
those. This approach is favored because users can be switched between roles
without affecting the resource or its deployment. It also works for groups and
users can be added or removed from both groups and roles. Listing the
operations enumerates the associated permissions all of which begin with the
provider as the prefix. This listing is thorough and covers all aspects of
working with the resources. The custom-role is described in terms of permitted
‘actions’, ‘data-actions’ and ‘not-actions’ where the first two correspond to
control and data plane associated actions and the last one corresponds to deny
set that takes precedence over control and data plane actions. By appropriately
selecting the necessary action privileges and listing them under a specific
category without the categories overlapping, we create the custom role with
just the minimum number of privileges needed to complete a set of selected
tasks.
Another option is to supply an init script with
the associated resource, so that as other users start using it, the init script
will set the predefined configuration that they must work with. This allows for
some degree of control on sub resources and associated containers necessary for
an action to complete so that by virtue of removing those resources, an action
even if permitted by a role on a resource type, may not be permitted on a
specific resource.
These are some techniques to secure the compute
instance for azure machine learning workspace.
No comments:
Post a Comment