Security Model
Security Controls Mapping
| Control Domain | Control | Implementation | Status |
|---|---|---|---|
| Identity | Centralized identity provider | Microsoft Entra ID | Enforced |
| Identity | Managed identity for services | System-assigned on OpenAI, AKS | Enforced |
| Identity | No shared keys | `local_auth_enabled = false` on OpenAI, AI Search | Enforced |
| Identity | RBAC authorization | Key Vault RBAC mode | Default |
| Identity | Entra ID database auth | PostgreSQL Entra auth | Default (password auth disabled) |
| Network | Private connectivity | Private endpoints for OpenAI, Key Vault, AI Search, Cosmos DB | Enforced |
| Network | No public ingress | `public_network_access_enabled = false` | Default |
| Network | Network segmentation | VNet with dedicated subnets (PE, compute, management, data) | Enforced |
| Network | NSG enforcement | NSGs attached to all subnets | Enforced |
| Network | DNS internalization | Private DNS zones for all Private Link services | Enforced |
| Network | Key Vault network ACLs | Default action: Deny, bypass: None | Default (configurable) |
| Encryption | Encryption at rest | Azure-managed keys (default) | Enforced |
| Encryption | Customer-managed keys | Optional CMK via Key Vault | Configurable |
| Encryption | Encryption in transit | TLS enforced on all services | Enforced |
| Data Protection | Key Vault soft delete | 90-day retention | Default |
| Data Protection | Key Vault purge protection | Enabled | Default |
| Data Protection | Cosmos DB backup | Configurable periodic/continuous backup | Default (periodic) |
| Data Protection | PostgreSQL backup | Configurable retention (default: 14 days) | Default |
| Governance | Location restriction | Azure Policy: allowed locations | Default |
| Governance | Private endpoint audit | Azure Policy: require private endpoints | Default |
| Governance | Public PaaS denial | Azure Policy: deny public network access | Default |
| Observability | Centralized logging | Diagnostic settings to Log Analytics | Enforced |
| Observability | Configurable retention | Log Analytics retention period | Configurable |
| Observability | Audit trail | All service operations logged | Enforced |
| Model Governance | Parameterized deployments | Model name, version, capacity as variables | Enforced |
| Model Governance | No anonymous model access | Local auth disabled on OpenAI | Enforced |
| Model Governance | Configurable quotas | Capacity units per deployment | Configurable |
Identity
- Microsoft Entra ID is the control-plane identity authority
- System-assigned managed identities are enabled for OpenAI and AKS
- Key Vault uses RBAC authorization mode by default
- PostgreSQL supports Entra ID authentication (password auth disabled by default)
- No shared keys in the application layer
- No secret-based application access
Network Security
- Public network access disabled on services where supported
- Private endpoint connectivity for OpenAI, Key Vault, AI Search, and Cosmos DB
- PostgreSQL Flexible Server is deployed in private access mode via delegated subnet
- NSGs are attached to all subnets with deny-by-default Azure platform baselines
- Key Vault network ACLs default to Deny with no bypass (configurable)
- Private endpoints are managed at the composition layer (root stack), not inside modules
Secrets and Keys
- Key Vault soft delete and purge protection are enabled by default
- An optional CMK can be provisioned in Key Vault for downstream encryption patterns
- CMK creation is gated on private endpoint availability (dependency enforced in root stack)
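Several of the identity, network and Key Vault controls above are marked Default or configurable, so a variable override can weaken them; one way to catch that before apply is to audit the output of `terraform show -json <planfile>`. This is an added example, not code from this project: the resource types and attribute names are those of the azurerm provider and are assumed (the page does not show the modules' resource blocks), and the sample plan is constructed.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource types and attribute names are assumptions based on the azurerm
# provider; addresses are hypothetical.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
     "values": {"purge_protection_enabled": true, "public_network_access_enabled": false,
                "network_acls": [{"default_action": "Deny", "bypass": "AzureServices"}]}}],
  "child_modules": [{"address": "module.ai", "resources": [
    {"address": "module.ai.azurerm_cognitive_account.openai", "type": "azurerm_cognitive_account",
     "values": {"local_auth_enabled": false, "public_network_access_enabled": true}},
    {"address": "module.ai.azurerm_search_service.search", "type": "azurerm_search_service",
     "values": {"local_authentication_enabled": false, "public_network_access_enabled": false}}]}]}}}
""")

# Values the security model expects, keyed by resource type.
EXPECTED = {
    "azurerm_cognitive_account": {"local_auth_enabled": False,
                                  "public_network_access_enabled": False},
    "azurerm_search_service": {"local_authentication_enabled": False,
                               "public_network_access_enabled": False},
    "azurerm_key_vault": {"purge_protection_enabled": True,
                          "public_network_access_enabled": False,
                          "network_acls.default_action": "Deny",
                          "network_acls.bypass": "None"},
}

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def audit(plan):
    """Return sorted (address, attribute, actual) tuples for each deviation."""
    findings = []
    for res in walk(plan["planned_values"]["root_module"]):
        vals = dict(res.get("values") or {})
        # network_acls is a nested block, rendered in the plan as a list of objects.
        for acl in vals.get("network_acls") or [{}]:
            vals.update({"network_acls." + k: v for k, v in acl.items()})
        for attr, want in EXPECTED.get(res["type"], {}).items():
            # An absent attribute is reported too: it is not provably the secure value.
            if vals.get(attr) != want:
                findings.append((res["address"], attr, vals.get(attr)))
    return sorted(findings, key=lambda f: f[:2])
```

Run against the constructed plan, `audit(SAMPLE_PLAN)` reports the Key Vault bypass set to `AzureServices` and the OpenAI account with public network access enabled; a CI job can fail the pipeline when the returned list is non-empty.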
Data Governance
- Cosmos DB: configurable consistency level, backup type, and retention policy
- PostgreSQL: private access only, TLS enforced, Entra ID authentication
- All data services are accessible only through private endpoints or delegated subnets
Model Governance
- OpenAI model deployments are parameterized (name, model, version, capacity)
- Local authentication disabled on OpenAI — managed identity required
- Quotas configurable per deployment
Logging and Audit
- Diagnostic settings stream logs and metrics to Log Analytics
- Log retention is configurable per workspace
- Policy baseline can enforce allowed locations and deny public exposure on selected services
Policy Controls
- Allowed locations enforcement
- Private endpoint audit policy
- Deny public PaaS access policy
- All policy assignments are configurable and can be disabled
Exit Plan
- Terraform state remains customer-owned
- Resource ownership is fully within customer subscription(s)
- No dependency on external hosted control plane