MLSEC-08: Secure governed ML environment - Machine Learning Lens


Protect ML operations environments using managed services and best practices, including detective and preventive guardrails, monitoring, security, and incident management. Explore data in a managed and secure development environment. Centrally manage the configuration of development environments and enable self-service provisioning for users.

Implementation plan

  • Break out ML workloads by organizational unit and by access pattern. This makes it possible to delegate only the access each group requires, such as administrators or data analysts.

  • Use guardrails and service control policies (SCPs) to enforce best practices for each environment type. Limit infrastructure management access to administrators.

  • Verify that all sensitive data is accessed only through restricted, isolated environments. Ensure network isolation and dedicated resources, and review service dependencies.

  • Secure ML algorithm implementation using a restricted development environment. Secure model training and hosting containers by following the security processes required for your organization.
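As an added example that is not part of the Machine Learning Lens, the following service control policy turns the guardrail and isolation points above into preventive controls: it denies training and processing jobs that are not network-isolated or not placed in a VPC, denies notebook instances created with direct internet access, and reserves infrastructure-management actions for an administrator role. The role name MLPlatformAdmin is an assumed placeholder; the SageMaker condition keys are the documented ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireNetworkIsolationForJobs",
      "Effect": "Deny",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateProcessingJob"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "sagemaker:NetworkIsolation": "false" }
      }
    },
    {
      "Sid": "RequireVpcForJobs",
      "Effect": "Deny",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateProcessingJob"
      ],
      "Resource": "*",
      "Condition": {
        "Null": { "sagemaker:VpcSubnets": "true" }
      }
    },
    {
      "Sid": "DenyDirectInternetOnNotebooks",
      "Effect": "Deny",
      "Action": "sagemaker:CreateNotebookInstance",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "sagemaker:DirectInternetAccess": "Enabled" }
      }
    },
    {
      "Sid": "InfraChangesOnlyByAssumedAdminRole",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteVpc",
        "ec2:DeleteSubnet",
        "ec2:AuthorizeSecurityGroupIngress",
        "sagemaker:DeleteDomain",
        "sagemaker:UpdateDomain"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": { "aws:PrincipalARN": "arn:aws:iam::*:role/MLPlatformAdmin" }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the ML workload accounts; SCPs do not apply to the management account and only filter permissions, so each account's IAM policies must still grant the access the groups need.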
