Security and Compliance

How can we improve Windows Azure security and compliance?


• Enable Security Event Logs Collection

  Currently the Diagnostics Module does not support collecting Security Event Logs.

  This could be helpful in monitoring and real-time alerting of security events such as multiple log-in retries through the RDP endpoint by malware that is trying to hack into the VM or trying to invoke secure methods on the server, and could help identify security breaches in our roles.

  There should be some API that will enable the Diagnostics Agent to collect Security Event Logs.

  451 votes · 3 comments
• 321 votes · 9 comments
  under review · Anonymous responded

  Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as appropriate.

• PKI as an Azure Service

  Certificate Services (ADCS/PKI/CA) should be offered as a service in Azure, at least for infrastructure purposes such as machine certificates for MFM, Wi-Fi access and for user web authentication, e.g. to Azure itself. CA private keys can be stored in Azure Key Vault to be secured.
  A hybrid client should be provided to support autoenrollment for Windows 7 and later clients to simulate an on-prem Enterprise CA. The web interface should be in Azure and support platforms other than Windows.
  I am willing to spend time and effort to be part of a user group, think tank, beta test group…

  312 votes · 5 comments
• Provide a dynamic security dashboard indicating how my Azure instances and services are protected.

  Look at each role/endpoint and determine whether they are secure and, if so, what type of security is used.

  292 votes · 0 comments
  under review · Anonymous responded

  Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as appropriate.

• ECC support for Azure Key Vault

  Give Azure Key Vault the option to perform Encrypt/Decrypt/Sign/Verify functions using ECC keypairs instead of RSA keypairs.

  This allows Azure Key Vault to create digital signatures which are far smaller to transmit and faster to verify than their RSA counterparts. This is an extremely useful function for many scenarios, such as deferring to Azure Key Vault for signing (and potentially verifying) JWT tokens for use as API access tokens.

  87 votes · 7 comments
• CIS compliance check on Azure

  It would be great if Azure would create the CIS benchmarks for Azure and in images, along with the checks to make sure compliance is reached.

  Also, these checks could be integrated in Security Center or made available via API.

  https://benchmarks.cisecurity.org/downloads/latest/

  67 votes · 7 comments
• Really, really need to clarify the PCI Compliance documentation.

  Make it simple on yourselves and your customers.

  The PCI compliance center says: Scope: The Information Security Management System (ISMS) for Windows Azure, including infrastructure, development, operations and support for Compute, Data Services, App Services and Network Services are in scope for the PCI DSS Attestation of Compliance.

  Which would seem to indicate that Azure is PCI compliant. The problem is that Azure encompasses at least 20 different services and not all of them are PCI compliant. For example, Azure Web Sites ARE NOT PCI compliant because you can't turn off FTP. "Information Security Management System (ISMS) for Windows Azure"…

  52 votes · 8 comments

  Hi Joseph! Thanks for bringing this issue to our attention. We have recently published updates to the Microsoft Azure Trust Center [http://azure.microsoft.com/en-us/support/trust-center/compliance/], and we are planning on releasing updated guidance specifically covering PCI compliance. Keep an eye on the Trust Center Resources page for the latest information, as well as the Azure Security and Compliance blog at http://azure.microsoft.com/blog. Thank you for your patience! Best regards,

  —Joel

• Key Vault: Support ACME protocol (Let's Encrypt)

  Key Vault currently supports automated management of PKI (TLS) certs via "approved" CAs. Please add support for the ACME protocol so that Key Vault can manage certs issued by Let's Encrypt. And/or an Azure-based ACME-compliant Microsoft CA.

  In other words: the days of having to pay for certs are over. Please support free certs.

  Thanks!

  43 votes · 0 comments
• Provide an updated Azure Customer PCI guide for version 3.0

  The current documentation is for version 2, but Azure is now 3.0 compliant.

  41 votes · 1 comment
• Cover DocumentDB with HIPAA compliance

  Hello,
  we were looking forward to utilizing the new DocumentDB service, if it had HIPAA compliance, to store some medical data.

  If possible, we would like to know whether the feature is already planned or in development.

  Moreover, I know the service is "new" in Azure; if you can specify it on the Trust Center page with a new line, I imagine it should not be considered under SQL or Storage.

  http://azure.microsoft.com/en-us/support/trust-center/services/

  Thanks

  27 votes · 2 comments
• FIPS compliant Azure PowerShell & AzCopy

  You cannot authenticate via Azure PowerShell (Add-AzureAccount) on a machine with FIPS compliance set as a Local Security Policy (the encryption used is not strong enough). Furthermore, AzCopy does not function because its encryption is not sufficient. It'd be great if these tools worked in our FedRAMP approved environment.

  22 votes · 2 comments
• Provide Better Developer Integration Experience for Azure Key Vault / Reduce Surface Area for Attacks

  Currently Azure developers have to wrestle with how to protect the data that they would like to protect and retrieve with Azure Key Vault. Developers work in source control, and the data that they have to provide in app.config can be considered secret and/or sensitive. App.config can be checked into source control and can even be available as an open source project on GitHub for the whole world to see.

  Even if a developer chooses to use a client ID and a certificate, the developer still has to provide a REST-based URL within the code base as well, and this…

  20 votes · 1 comment
• Allow more fine-grained control of baseline rules in Security Center.

  At the moment you have to either disable or enable all the Baseline Rules.

  This is bad. There are certain rules that a base installation with some services triggers. A good example is CCE-10274-9: this is triggered by a basic installation of ASP.NET, because all the ASP.NET accounts get added, which the baseline rule assumes to be a problem.

  15 votes · 0 comments
• Add Timestamp Service to Key Vault

  Most HSMs provide the ability to timestamp according to RFC standards. Please expose this ability via the Azure API.

  15 votes · 1 comment
• Key Vault: add signing input (hash) to audit logs

  Currently the Key Vault log does not contain the hash which was signed during a signing operation.

  Adding the hash to the log would make the audit log cryptographically auditable, which would be a great improvement over the current situation.

  Here is our use case and my rationale for why adding this information is important:

  If you are running an online service which needs to sign data, one of your options is to sign directly on that machine with a private key. The problem with this solution is that if your server is hacked, then the hacker can steal the private key and sign anything…

  14 votes · 0 comments
• Azure should enable Remote Access Services (RAS) with Smart Cards for customers who want it.

  Smart cards allow for a very high level of security. This is why Microsoft uses them for employees who need remote access to the Microsoft network. It's difficult for an external computer to log onto the Microsoft network without a smart card. A user name and password is not enough.

  A smart card would give some corporate customers confidence if they could give their employees a more secure way of logging onto their applications than standard credentials.

  External consumers might want it too, to safeguard their identity. Such customers would have a choice of either the standard login or enhanced…

  12 votes · 1 comment
  under review · Anonymous responded

  Thank you for bringing up this idea. As it happens, Smart Card access was covered in a TechNet blog post in October 2013: http://blogs.technet.com/b/kevinremde/archive/2013/10/01/windows-azure-and-smartcards-so-many-questions-so-little-time-part-47.aspx.

  In addition, the new Windows Azure Multi-Factor Authentication capability provides further options for securing remote access. You can learn more about MFA and other Windows Azure Active Directory services here: http://www.windowsazure.com/en-us/solutions/identity/.

• List the features of Azure that are FIPS 140-2 compliant. Currently, the Trust Center does not list them.

  Specifically, in this case we need to know if Azure SQL Database is FIPS 140-2 compliant, but having all of the features that are compliant listed would be very helpful.

  11 votes · 0 comments
• Key Vault: Get latest version of certificate in template

  In templates a certificate URL is required to be set for cert install. It would be great if we wouldn't have to give the version hash explicitly, but could get the latest certificate with the /latest version, or, when no version hash is defined, the latest would be the default.

  9 votes · 0 comments
• Remember Multi-Factor Authentication for devices that users trust for the On-Premise MFA Server

  We have users that access company resources externally using our on-premise MFA Server. Can we duplicate the feature "Remember Multi-Factor Authentication for remembered devices and browsers" that is included in Azure Multi-Factor Authentication?

  We would like to have this same feature, which is found not only in Azure but also in other areas including online banking, credit card account access and so on.

  8 votes · 0 comments
• Enable notification of Security Support Team without requiring Support Plan

  Azure support recently helped us address an issue we believe was related to a series of malicious HTTP requests. Support suggested that we notify the Security Support Team in a new ticket. A good idea; however, we found out that a paid support plan is required to do this.

  In this case we're not requesting assistance, only attempting to make a notification which could be used to improve security in general.

  It would be beneficial to the Azure platform in general if the Security Support Team could be notified without requiring a paid plan.

  7 votes · 0 comments