Security and Compliance

  1. PKI as an Azure Service

    Certificate Services (ADCS/PKI/CA) should be offered as a service in Azure, at least for infrastructure purposes such as machine certificates for MFM, Wi-Fi access and
    user web authentication, e.g. to Azure itself. CA private keys can be stored in Azure Key Vault to be secured.
    A hybrid client should be provided to support autoenrollment for Windows 7 and later clients, to simulate an on-prem Enterprise CA. The web interface should be in Azure and support platforms other than Windows.
    I am willing to spend time and effort to be part of a user group, think tank, beta test group…

    720 votes  ·  7 comments
  2. Enable Security Event Logs Collection

    Currently the Diagnostics Module does not support collecting Security Event Logs.

    This could be helpful in monitoring and real-time alerting of security events, such as multiple login retries through the RDP endpoint by malware that is trying to hack into the VM or trying to invoke secure methods on the server, and could help identify security breaches in our roles.

    There should be some API that will enable the Diagnostics Agent to collect Security Event Logs.

    461 votes  ·  3 comments
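    An added example, not part of the post above and not an Azure component, of the real-time check the poster has in mind: a per-source sliding window over Windows Security events that flags repeated failed RDP logons. It is written in Go over constructed input; the flattened "timestamp key=value ..." line format, the sample lines, the threshold and the window length are all assumptions of the example (a real collector would read the XML or JSON the agent ships). Event ID 4625 is a failed logon and LogonType 10 is RemoteInteractive, i.e. RDP, which is what the filter keys on.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event holds the Security log fields the detection needs.
type Event struct {
	Time      time.Time
	EventID   int
	LogonType int
	SourceIP  string
}

// Alert is raised when one source IP reaches the failure threshold inside the window.
type Alert struct {
	SourceIP    string
	Failures    int
	First, Last time.Time
}

// sampleLog is constructed input for this example: a flattened "key=value" view of
// Security events (4625 = failed logon, 4624 = success; LogonType 10 = RDP).
var sampleLog = []string{
	"2016-03-01T10:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
	"2016-03-01T10:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
	"2016-03-01T10:00:04Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7",
	"2016-03-01T10:00:06Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
	"2016-03-01T10:00:08Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
	"2016-03-01T10:00:10Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
	"2016-03-01T10:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20",
	"2016-03-01T10:30:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20",
}

// ParseEvent reads one flattened line; keys the detection does not use are ignored.
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "EventID":
			ev.EventID, _ = strconv.Atoi(parts[1])
		case "LogonType":
			ev.LogonType, _ = strconv.Atoi(parts[1])
		case "IpAddress":
			ev.SourceIP = parts[1]
		}
	}
	return ev, nil
}

// DetectRDPBruteForce flags each source IP with at least threshold failed RDP
// logons (EventID 4625, LogonType 10) inside some span of length window.
func DetectRDPBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	byIP := map[string][]time.Time{}
	for _, ev := range events {
		if ev.EventID == 4625 && ev.LogonType == 10 && ev.SourceIP != "" {
			byIP[ev.SourceIP] = append(byIP[ev.SourceIP], ev.Time)
		}
	}
	var alerts []Alert
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window { // slide the left edge forward
				start++
			}
			if n := end - start + 1; n >= threshold {
				alerts = append(alerts, Alert{ip, n, times[start], times[end]})
				break // one alert per source is enough here
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].SourceIP < alerts[j].SourceIP })
	return alerts
}

func main() {
	var events []Event
	for _, l := range sampleLog {
		if ev, err := ParseEvent(l); err == nil { // a real collector would count parse failures
			events = append(events, ev)
		}
	}
	for _, a := range DetectRDPBruteForce(events, 5, time.Minute) {
		fmt.Printf("ALERT %s: %d failed RDP logons between %s and %s\n",
			a.SourceIP, a.Failures, a.First.Format(time.RFC3339), a.Last.Format(time.RFC3339))
	}
}
```

    With a threshold of 5 inside one minute, only 203.0.113.7 fires; the two failures from 198.51.100.20 are 25 minutes apart and stay below any sensible threshold. The 4624 success that follows the burst from 203.0.113.7 is the line a responder would look at next, since a success right after a run of failures is the stronger signal.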
  3. 450 votes  ·  13 comments
    under review  ·  Anonymous responded

    Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as-appropriate.

  4. Provide a dynamic security dashboard indicating how my Azure instances and services are protected.

    Look at each role/endpoint and determine whether they are secure and if so, what type of security is used.

    295 votes  ·  0 comments
    under review  ·  Anonymous responded

    Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as-appropriate.

  5. ECC support for Azure Key Vault

    Give Azure Key Vault the option to perform Encrypt/Decrypt/Sign/Verify functions using ECC keypairs instead of using RSA keypairs.

    This allows Azure Key Vault to create digital signatures which are far smaller to transmit and faster to verify than their RSA counterparts. This is an extremely useful function for many scenarios, such as deferring to Azure Key Vault for signing (and potentially verifying) JWT tokens for use as API access tokens.

    119 votes  ·  10 comments
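    An added example, neither the poster's code nor Key Vault's API, showing in Go (standard library only) why the signature-size point matters for API access tokens: the same claims are signed as a compact JWS with ES256 (ECDSA over P-256, a 64-byte raw r||s signature) and with RS256 (RSASSA-PKCS1-v1_5 with RSA-2048, a 256-byte signature), then verified with the matching public key. The claim values, the key sizes and the helper names are the example's own assumptions. Verification chooses the algorithm from the key type and ignores the token's "alg" header, which is the check a verifier needs whether the private key sits in an HSM, in Key Vault or in process memory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding (RFC 7515)

// NewKeys generates the P-256 and RSA-2048 keypairs the example signs with.
func NewKeys() (*ecdsa.PrivateKey, *rsa.PrivateKey, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rs, err := rsa.GenerateKey(rand.Reader, 2048)
	return ec, rs, err
}

// signingInput returns "base64url(header).base64url(claims)" and its SHA-256 digest.
func signingInput(alg string, claims map[string]interface{}) (string, []byte, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", nil, err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	return input, digest[:], nil
}

// SignES256 signs with ECDSA P-256. JWS wants the fixed-width r||s form
// (2 x 32 bytes), not the DER encoding that ecdsa.SignASN1 would produce.
func SignES256(key *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	input, digest, err := signingInput("ES256", claims)
	if err != nil {
		return "", err
	}
	r, s, err := ecdsa.Sign(rand.Reader, key, digest)
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// SignRS256 signs with RSASSA-PKCS1-v1_5; the signature is one modulus wide,
// i.e. 256 bytes for RSA-2048, four times the ES256 signature.
func SignRS256(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	input, digest, err := signingInput("RS256", claims)
	if err != nil {
		return "", err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify picks the algorithm from the key's type and ignores the token's own
// "alg" header, so a forged header cannot switch or downgrade the check.
func Verify(token string, pub interface{}) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		return len(sig) == 64 &&
			ecdsa.Verify(k, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	}
	return false
}

// SignatureBytes is the decoded length of the token's signature segment.
func SignatureBytes(token string) int {
	sig, _ := b64.DecodeString(token[strings.LastIndex(token, ".")+1:])
	return len(sig)
}

func main() {
	claims := map[string]interface{}{"sub": "api-client-42", "exp": 1700000000}
	ec, rs, _ := NewKeys()
	es, _ := SignES256(ec, claims)
	rt, _ := SignRS256(rs, claims)
	fmt.Printf("ES256: %d-byte signature, valid=%v\n", SignatureBytes(es), Verify(es, &ec.PublicKey))
	fmt.Printf("RS256: %d-byte signature, valid=%v\n", SignatureBytes(rt), Verify(rt, &rs.PublicKey))
}
```

    A token signed with one key type does not verify under the other (the ECDSA branch rejects anything that is not exactly 64 bytes, and the RSA branch rejects a signature that is not one modulus wide), and any change to the header or payload segment changes the signing input and fails verification. In a service that uses Key Vault for the signing operation, only the SignES256/SignRS256 step would move out of process; Verify stays local and cheap, which is the point of the request.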
  6. Key Vault: Support ACME protocol (Let's Encrypt)

    Key Vault currently supports automated management of PKI (TLS) certs via "approved" CAs. Please add support for the ACME protocol so that Key Vault can manage certs issued by Let's Encrypt. And/or an Azure-based ACME-compliant Microsoft CA.

    In other words: the days of having to pay for certs are over. Please support free certs.

    Thanks!

    103 votes  ·  0 comments
  7. 99 votes  ·  1 comment
  8. CIS compliance check on Azure

    It would be great if Azure would create the CIS benchmarks for Azure and for its images, along with the checks to make sure compliance is reached.

    Also, these checks could be integrated in Security Center or made available via API.

    https://benchmarks.cisecurity.org/downloads/latest/

    91 votes  ·  7 comments
  9. Really, really need to clarify the PCI Compliance documentation.

    Make it simple on yourselves and your customers.

    The PCI compliance center says: Scope: The Information Security Management System (ISMS) for Windows Azure, including infrastructure, development, operations and support for Compute, Data Services, App Services and Network Services are in scope for the PCI DSS Attestation of Compliance.

    Which would seem to indicate that Azure is PCI compliant. The problem is that Azure encompasses at least 20 different services and not all of them are PCI compliant. For example Azure Web Sites ARE NOT PCI compliant because you can't turn off FTP. "Information Security Management System (ISMS) for Windows Azure"…

    58 votes  ·  8 comments

    Hi Joseph! Thanks for bringing this issue to our attention. We have recently published updates to the Microsoft Azure Trust Center [http://azure.microsoft.com/en-us/support/trust-center/compliance/], and we are planning on releasing updated guidance specifically covering PCI compliance. Keep an eye on the Trust Center Resources page for the latest information, as well as the Azure Security and Compliance blog at http://azure.microsoft.com/blog. Thank you for your patience! Best regards,

    —Joel

  10. Certificate-Based Authentication and App Passwords in Exchange Online PowerShell Module

    Add the ability to use certificate-based authentication (CBA) and App passwords to authenticate to Exchange Online using the Microsoft Exchange Online PowerShell module. Currently, using the PowerShell module the only authentication option is to use credentials of an Office 365 user account. However, this authentication method is recommended by Microsoft only if multi-factor authentication is enabled for the account. The problem is that when the module is used in a batch job, or an operating system service running in the background, MFA authentication cannot be used. For scenarios when user interaction is not possible, the Exchange Online PowerShell module should…

    53 votes  ·  1 comment
  11. Provide an updated Azure Customer PCI guide for version 3.0

    The current documentation is for version 2, but Azure is now 3.0 compliant.

    41 votes  ·  1 comment
  12. Azure Key Vault Policy Scope : Allow a Policy per Secret or Certificate for Azure Key Vault

    Hi,

    Key Vault is a key service today, mandatory.
    The limitation with Key Vault is that we can't create access policies per secret/certificate; only vault-wide policies are supported. This leads us to create a Key Vault for each entity, something very inconvenient.
    Example: I have an application, and within that application we have many entities that want to store and access secrets within Key Vault.
    With the policy covering the whole Key Vault, if an entity has "get" permission on secrets, it can read all the secrets. This is not suitable if we have different purposes. I would like to be…

    33 votes  ·  1 comment
  13. List the features of Azure that are FIPS 140-2 compliant. Currently, the Trust Center does not list them.

    Specifically, in this case we need to know if Azure SQL Database is FIPS 140-2 compliant, but having all of the features that are compliant listed would be very helpful.

    27 votes  ·  0 comments
  14. Multiple Azure AD tenants and subscriptions support for Azure Sentinel

    I know Sentinel was only released in preview yesterday, but we were sort of waiting for a SIEM tool that was natively integrated into Azure.

    We do have a question however which the documentation does not seem to cover. Is it possible to integrate Sentinel with multiple tenants and subscriptions over multiple tenants?

    The idea of a SIEM is to use it as a glue for all environments and resources. This means that every resource or solution needs to be able to integrate log data with the SIEM tool.

    What we have found so far is that Sentinel can…

    27 votes  ·  2 comments
  15. Cover DocumentDB with HIPAA compliance

    Hello,
    we were looking forward to utilizing the new DocumentDB service, if it had HIPAA compliance, to store some medical data.

    If it is possible we would like to know if the feature is already planned or in development.

    Moreover, I know the service is "new" in Azure; if you can specify it on the Trust Center page with a new line, I imagine it should not be considered under SQL or Storage.

    http://azure.microsoft.com/en-us/support/trust-center/services/

    Thanks

    27 votes  ·  2 comments
  16. FIPS compliant Azure PowerShell & AzCopy

    You cannot authenticate via Azure PowerShell (Add-AzureAccount) on a machine with FIPS compliance set as a Local Security policy (the encryption used is not strong enough). Furthermore, AzCopy does not function because its encryption is not sufficient. It'd be great if these tools worked in our FedRAMP approved environment.

    23 votes  ·  2 comments
  17. Built-in support for Let's Encrypt certificate generation and renewal.

    It would be extremely useful to have built-in support for Let's Encrypt certs, with the option to request new ones and auto-renewal. Let's Encrypt support is increasing and Azure should support it if possible.

    22 votes  ·  1 comment
  18. Add Timestamp Service to keyvault

    Most HSMs provide the ability to timestamp according to RFC standards. Please expose this ability via the Azure API.

    21 votes  ·  1 comment
  19. Provide Better Developer Integration Experience for Azure Key Vault / Reduce Surface Area for Attacks

    Currently Azure developers have to wrestle with how to protect the data that they would like to protect and retrieve with Azure Key Vault. Developers work in source control, and the data that they have to provide in app.config can be considered secret and/or sensitive. App.config can be checked into source control and can even be available as an open source project in GitHub for the whole world to see.

    Even if a developer chooses to use a client ID and a certificate, the developer still has to provide a REST-based URL within the code base as well, and this…

    20 votes  ·  1 comment
  20. Key vault: Get latest version of certificate in template

    In templates, a certificate URL is required for the cert install. It would be great if we didn't have to give the version hash explicitly, but could get the latest certificate with a /latest version, or, when no version hash is defined, have it default to the latest.

    18 votes  ·  1 comment