AI Security
Zero‑Trust File Handling for AI Summaries with Azure OpenAI and Blob Storage
TL;DR: Store raw documents in an Azure Blob container encrypted with customer‑managed keys, grant the Azure OpenAI resource a short‑lived, read‑only SAS token, process the file in an isolated Azure Function, encrypt the summary before writing it back, and delete the original blob immediately after a successful run. Log every step to Azure Monitor for auditability.
What are the primary risks when feeding documents to an AI summarizer?
Even though Azure OpenAI does not retain user data by default, the data in transit and at rest can be exposed if the surrounding infrastructure is mis‑configured. The main attack vectors are:
- Unauthorized read access to the raw file before it reaches the model.
- Man‑in‑the‑middle interception during upload or download.
- Retention leakage when blobs are left in storage after processing.
- Privilege escalation if the AI service is granted broader permissions than needed.
Applying a Zero‑Trust mindset—verify every request, limit privileges, and encrypt data end‑to‑end—mitigates these risks.
How should I store the original document before sending it to Azure OpenAI?
Use an Azure Blob Storage container that meets the following criteria:
- Enable
Microsoft-managed keysor, preferably,customer‑managed keys (CMK)via Azure Key Vault. This ensures the data is encrypted at rest with a key you control. - Set the container’s public access level to
Privateso no anonymous reads are possible. - Apply a
Network ACLthat restricts traffic to your VNet or specific IP ranges. - Assign a dedicated
Storage Blob Data Readerrole to a service principal that will generate short‑lived SAS tokens for the summarization step.
When a user uploads a document, the web front‑end should write it directly to this container using a SAS token that expires in 5 minutes.
How can I give Azure OpenAI temporary access without over‑privileging it?
Azure OpenAI cannot be granted direct storage permissions. Instead, create a one‑time SAS URL that:
- Allows
Readon the specific blob only. - Expires after the expected processing time (e.g., 10 minutes).
- Is generated by an Azure Function that runs with a managed identity having
Storage Blob Data Readerrights.
The function passes the SAS URL to the OpenAI ChatCompletion request via the file parameter (or via a prompt that includes the URL). Because the token is short‑lived and scoped to a single blob, the model can only fetch that file and nothing else.
How should I protect the summary output?
Once Azure OpenAI returns the summary, treat it as sensitive as the original document:
- Encrypt the summary with a separate CMK before writing it back to a
summariescontainer. - Store the encrypted summary in a blob whose name includes a UUID, making it hard to guess.
- Set the
Content‑Typetoapplication/octet-streamto avoid accidental rendering in browsers.
If downstream systems need the plain text, they must request decryption through a controlled API that checks the caller’s role and logs the request.
When and how should I delete the original document?
After the Azure Function confirms a successful summary write, it should:
- Issue a
Deleteoperation on the original blob. - Verify deletion by attempting a
GetPropertiescall; if the blob still exists, raise an alert. - Optionally enable
soft deletewith a retention period of 1 day, then purge it after verification.
This guarantees that raw data does not linger in storage longer than necessary.
How can I audit and monitor the entire workflow?
Leverage Azure Monitor and Azure Log Analytics:
- Log every SAS token creation with the requestor’s identity, blob name, and expiration time.
- Log the Azure Function start/end timestamps, success/failure status, and any exception details.
- Enable diagnostic settings on the storage account to capture
Read,Write, andDeleteoperations. - Set up an alert rule for any
Deleteoperation that does not originate from the approved function.
Export these logs to a Log Analytics workspace where you can query for anomalies, such as repeated reads of the same blob or SAS tokens that never expire.
Where does AISecAll fit into this workflow?
If you need a quick security review of your Azure OpenAI integration, AISecAll offers a free architecture assessment that checks encryption settings, role assignments, and logging completeness.
FAQ
- Do I need to encrypt the summary if it contains only public information? Yes. Treat every output as potentially sensitive because the model may retain context internally during the request.
- Can I reuse the same SAS token for multiple documents? No. Generate a unique token per document to enforce least‑privilege access.
- What if the Azure Function fails after the model has read the file? The original blob remains; you can retry the summarization or manually delete it after confirming no further processing is needed.
- Is customer‑managed key encryption mandatory? It is not required by Azure, but it gives you full control over key rotation and revocation, which is essential for Zero‑Trust compliance.
- How do I prove compliance to auditors? Export the Log Analytics query results showing SAS creation, blob reads, and deletions; these logs are tamper‑evident when stored in a separate retention‑locked workspace.
Need a practical AI security review?
AISecAll reviews prompts, tool permissions, document flows, and agent behavior so small teams can use AI without guessing where the risk sits.