Security and Compliance
Microsoft
12 years ago
Enable Security Event Logs Collection
Currently the Diagnostics Module does not support collecting Security Event Logs. This could be helpful in monitoring and real-time alerting of security events such as multiple log-in retries through the RDP endpoint by malware that's trying to hack into the VM, trying to invoke secure methods on the server, and could help identify security breaches in our roles. There should be some API that will enable the Diagnostics Agent to collect Security Event Logs.
Planned
Microsoft
Company Response
Hello. The engineering team is working on some updated guidance about security logs, but in the meantime there is an article on MSDN that may help: http://blogs.msdn.com/b/ericgolpe/archive/2012/04/30/the-easy-way-of-collecting-security-logs-from-your-windows-azure-roles.aspx. We don't currently have a firm date for the new documentation, but will update this forum as soon as it is published. Thanks!
Mike Harry Schaefer
3 years ago
Enterprise Subscription with “feature opt-in” and "secure by default"
The Azure Cloud platform is constantly evolving and new features and settings occur on a regular basis.
Evolution is highly appreciated, but automatic activation of features challenges companies in respect to keeping their data safe, secure and compliant.
We really need a managed "opt-in" model to intentionally activate new features instead of activating those by default by the platform provider and leaving customers "surprised".
In addition, we need secure and restrictive default settings following a least privilege paradigm.
Examples:
- Azure disk introduced the feature "Disk export" - default setting "Networking: Public endpoint (all networks)" [instead of "Deny all"]
- Azure storage accounts are now featuring "Allow cross-tenant replication" - default ON [instead of "OFF"]
- CosmosDB introduced Jupyter Notebooks - they were silently activated on EXISTING resources - leading to the "ChaosDB" vulnerability (https://chaosdb.wiz.io/)
Our Requirements:
- Please introduce an Enterprise Subscription model following least privilege security settings and an explicit Opt-In concept for new features.
We perfectly understand that DevTest-Lab subscriptions are following other principles to enable "exploration" and "convenience"
(Hint: you already maintain different subscription models like EA-subscriptions, CSP-subscriptions, DevTest Labs)
- Don't touch existing resources
There must be an explicit Opt-in or upgrade process for new functionality on existing resources
(Hint: you might freeze the API version associated to a resource)
- Enforce network isolation by default - don't expose service instances towards the public internet by default!
Any kind of management interface needs support for network isolation.
We don't require a frozen functionality of the platform - you still might integrate new features into the code base.
BUT: we need an explicit opt-in and new features must be disabled for existing resources until an intentional update is triggered.
Tooling is already there: different subscription types (EA, CSP, DevTest Lab), versioned APIs, policies and RBAC (versioning of these artefacts might help)
Large scale enterprises with platform management teams and strong security and compliance requirements really need it to avoid an explosion of platform management efforts.
New
Débora Lúcio
1 year ago
Make available the schedule of future changes and updates on the TLS certificates
We use the "Microsoft Azure TLS Issuing CA" certificates (available here) to connect to the Azure Data Lake from a closed server.
Last month, Microsoft changed from Microsoft Azure TLS Issuing CA 2 to Microsoft Azure TLS Issuing CA 5 without any warning.
<ns0:StackTrace>Job-59787 Error in [BusinessDomain/MSPF/BusinessResources/Processes/ADLS/DirectoryList.process/[HTTP GET] LISTSTATUS]
An IOException was thrown while trying to execute the Http method
at com.tibco.plugin.share.http.client.JakartaHttpTransportDriver$RequestExecutor.run(Unknown Source)
at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(Unknown Source)
caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: com.tibco.security.AXSecurityException: CA certificate with issuer CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US and serial number 0D7B EDE9 7D82 0996 7A52 631B 8BDD 18BD is not a trusted certificate
And this caused our application to stop working unexpectedly and had a very negative impact on our system. Once we changed the certificate, the connection was working again.
We request that a schedule with the future changes in the certificates be made available online, so that we can prepare for any change.
New
Microsoft
11 years ago
Really, really need to clarify the PCI Compliance documentation.
Make it simple on yourselves and your customers. The PCI compliance center says: Scope: The Information Security Management System (ISMS) for Windows Azure, including infrastructure, development, operations and support for Compute, Data Services, App Services and Network Services are in scope for the PCI DSS Attestation of Compliance. Which would seem to indicate that Azure is PCI compliant. The problem is that Azure encompasses at least 20 different services and not all of them are PCI compliant. For example Azure Web Sites ARE NOT PCI compliant because you can't turn off FTP. Information Security Management System (ISMS) for Windows Azure is meaningless to me as a customer, because I don't pay for Information Security Management System (ISMS) for Windows Azure, I pay for Websites or VMs or Storage or Service Bus or whatever. I need to know if those things are PCI compliant. A simple table with each service and a checkbox would be infinitely better than the current, misleading, 1 sentence you have about it now. And that 1 sentence is technically wrong because Compute (claimed to be compliant) includes Web Sites, which are NOT compliant. I had to open a support ticket to find out for sure about Web Sites. Love working with Azure services, but there are way, way too many instances where MS refers to Azure when they actually mean some subset of Azure services and it is really freakin' confusing. Thanks
Planned
Microsoft
Company Response
Hi (name)! Thanks for bringing this issue to our attention. We have recently published updates to the Microsoft Azure Trust Center [http://azure.microsoft.com/en-us/support/trust-center/compliance/], and we are planning on releasing updated guidance specifically covering PCI compliance. Keep an eye on the Trust Center Resources page for the latest information, as well as the Azure Security and Compliance blog at http://azure.microsoft.com/blog. Thank you for your patience! Best regards, (name)
Tony LoMonaco
2 years ago
Spreadsheet of all available Azure services
It would be very useful for Microsoft to make an official spreadsheet available to the public that is kept up to date and contains all of Azure's current (or also upcoming) services. This would provide a structured data format that mirrors the Azure products directory but in this format could be more easily used for things like our Cloud Security/GRC efforts.
Please see the following Microsoft thread for supporting information: https://docs.microsoft.com/en-us/answers/questions/762503/list-of-all-available-azure-services-in-spreadshee.html
As a huge bonus, it would be amazing if more information about all of the services could be included in the spreadsheet beyond "Service Area", "Service", and "Service Description". For instance, please see the following reddit post I made asking about identifying all of the Azure services that offer any capability to be publicly accessible and/or internet facing: https://www.reddit.com/r/AZURE/comments/vi99l9/how_can_i_identify_all_azure_servicesproducts/
Any other additional info that could help with Cloud Security/GRC efforts would be immensely useful, along with other data points like whether the service is free or not. Please let me know if you have any other questions regarding this suggestion.
Thanks,
Tony
New