Security and Compliance

  1. 538 votes
    14 comments
    under review  ·  Anonymous responded

    Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as appropriate.

  2. Enable Security Event Logs Collection

    Currently the Diagnostics Module does not support collecting Security Event Logs.

    This could be helpful in monitoring and real-time alerting of security events such as multiple log-in retries through RDP endpoint by a malware that's trying to hack into the VM, trying to invoke secure methods on the server and could help identify security breaches in our roles.

    There should be some API that will enable the Diagnostics Agent to collect Security Event Logs.

    465 votes
    3 comments
  3. Provide a dynamic security dashboard indicating how my Azure instances and services are protected.

    Look at each role/endpoint and determine whether they are secure and if so, what type of security is used.

    298 votes
    0 comments
    under review  ·  Anonymous responded

    Thank you for this suggestion! It has been escalated to the Windows Azure engineering team for further evaluation. We will post here to gather additional information as appropriate.

  4. Really, really need to clarify the PCI Compliance documentation.

    Make it simple on yourselves and your customers.

    The PCI compliance center says: Scope: The Information Security Management System (ISMS) for Windows Azure, including infrastructure, development, operations and support for Compute, Data Services, App Services and Network Services are in scope for the PCI DSS Attestation of Compliance.

    Which would seem to indicate that Azure is PCI compliant. The problem is that Azure encompasses at least 20 different services and not all of them are PCI compliant. For example Azure Web Sites ARE NOT PCI compliant because you can't turn off FTP. "Information Security Management System (ISMS) for Windows Azure"…

    59 votes
    8 comments

    Hi Joseph! Thanks for bringing this issue to our attention. We have recently published updates to the Microsoft Azure Trust Center [http://azure.microsoft.com/en-us/support/trust-center/compliance/], and we are planning on releasing updated guidance specifically covering PCI compliance. Keep an eye on the Trust Center Resources page for the latest information, as well as the Azure Security and Compliance blog at http://azure.microsoft.com/blog. Thank you for your patience! Best regards,

    —Joel

  5. cad

    Add support for CAD drawings in unified labeling in Sensitivity labels.
    o DraftSight / Autocad
        o .dwg
        o .dxf
        o .dwt
        o .dws
        o .iges
        o .stl

    o SolidWorks
        o .dwg
        o .sldprt
        o .sldasm
        o .iges
        o .stl

    o Inventor
        o .dwg
        o .ipt
        o .iam
        o .iges
        o .stl

    33 votes
    0 comments
  6. List the features of Azure that are FIPS 140-2 compliant. Currently, the Trust Center does not list them.

    Specifically, in this case we need to know if Azure SQL Database is FIPS 140-2 compliant, but having all of the features that are compliant listed would be very helpful.

    31 votes
    0 comments
  7. Multiple Azure AD tenants and subscriptions support for Azure Sentinel

    I know Sentinel has only been released in preview yesterday but we were sort of waiting for a SIEM tool that was natively integrated into Azure.

    We do have a question however which the documentation does not seem to cover. Is it possible to integrate Sentinel with multiple tenants and subscriptions over multiple tenants?

    The idea of a SIEM is to use it as a glue for all environments and resources. This means that every resource or solution needs to be able to integrate log data with the SIEM tool.

    What we have found so far is that Sentinel can…

    30 votes
    2 comments
  8. Key vault: Get latest version of certificate in template

    In templates it requires a certificate URL to be set for cert install. It would be great if we wouldn't have to give explicitly the version hash, but to have the latest certificate with the /latest version or when no version hash is defined it would be the latest default.

    27 votes
    1 comment
  9. Cover DocumentDB with HIPAA compliance

    Hello,
    We were looking forward to utilizing the new DocumentDb service, if it had HIPAA compliance, to store some medical data.

    If it is possible we would like to know if the feature is already planned or in development.

    Moreover, I know the service is "new" in Azure, if you can specify it on the trust center page with a new line, I imagine it should not be considered under SQL or Storage

    http://azure.microsoft.com/en-us/support/trust-center/services/

    Thanks

    27 votes
    2 comments
  10. Built-in support for Let's Encrypt certificate generation and renewal.

    It would be extremely useful to have built-in support for Let's Encrypt certs but the option to request new ones and auto-renewal. Let's Encrypt support is increasing and Azure should support it if possible.

    24 votes
    1 comment
  11. FIPS compliant Azure PowerShell & AzCopy

    You cannot authenticate via Azure PowerShell (Add-AzureAccount) on a machine with FIPS compliance as a Local Security policy (encryption used is not strong enough). Furthermore, AzCopy does not function because its encryption is not sufficient. It'd be great if these tools worked in our FedRAMP approved environment.

    23 votes
    2 comments
  12. Add Timestamp Service to keyvault

    Most HSMs provide the ability to timestamp according to RFC standards. Please expose this ability via the Azure API.

    21 votes
    1 comment
  13. Provide Better Developer Integration Experience for Azure Key Vault / Reduce Surface Area for Attacks

    Currently Azure developers have to wrestle with how to protect the data that they would like to protect and retrieve with Azure Key Vault. Developers work in source control, and the data that they have to provide in app.config can be considered secret and/or sensitive. App.config can be checked into source control and can even be available as an open source project in GitHub for the whole world to see.

    Even if a developer chooses to use a client ID and a certificate, the developer still has to provide a REST-based URL within the code base as well, and this…

    20 votes
    1 comment
  14. Key Vault: add signing input (hash) to audit logs

    Currently the Key Vault log does not contain the hash which was signed during a signing operation.

    Adding the hash to log could make the audit log cryptographically auditable which would be a great improvement over the current situation.

    Here is our use-case and my rationale why adding this information is important:

    If you are running an online service which needs to sign data, one of your options is to sign directly on that machine with a private key. The problem with this solution is if your server is hacked then the hacker can steal the private key and sign anything…

    20 votes
    0 comments
  15. Allow more fine-grained control of baseline rules in security center.

    At the moment you have to either disable or enable all the Baseline Rules.

    This is bad. There are certain rules that a base installation with some services trigger. A good example is CCE-10274-9, this is triggered with a basic installation of ASP.NET - because all the ASP.NET accounts get added, which the baseline rule assumes to be a problem.

    18 votes
    0 comments
  16. Real time alerts risky sign ins

    As it stands we are only able to have weekly Digests sent with Risky Sign ins, At risk accounts.

    To me this is not good enough, support says pin it to your dashboard and log on and look? I do but can't log on every minute of every day.

    Real-time email alerts or at worst daily email alerts must be implemented for risky sign ins and users at risk.

    15 votes
    0 comments
  17. BUG - Azure Policy to check Tags is not Case Sensitive but actual Tags are

    If you require Tags by using Azure Policy (inbuilt or via custom Policy) then it does not check on case sensitivity of the Tags. E.g. "CostCenter", "costCenter" and "costcenter" are considered 3 different tags in Azure. But if you try to enforce any one then the validation will succeed for the other two as well (which it should not). Therefore the Azure Policy for Tags is not case sensitive right now but the Tags in Azure are case sensitive. This is a bug and needs to be fixed.

    15 votes
    0 comments
  18. Azure should enable Remote Access Services (RAS) with Smart Cards for customers who want it.

    Smart cards allow for a very high level of security. This is why Microsoft uses it for employees who need remote access to the Microsoft network. It’s difficult for an external computer to log onto the Microsoft network without a smart card. A user name and password is not enough.

    A smart card would give some corporate customers confidence if they could give their employees a more secure way for logging onto their applications than standard credentials.

    External consumers might want it too, to safeguard their identity. Such customers would have a choice of either the standard login or enhanced…

    12 votes
    under review  ·  2 comments
  19. Provide GUI for creating/administering Network Security Groups (NSG)

    As above.

    Maintaining this using a cache of PowerShell scripts becomes unmanageable very quickly.

    10 votes
    1 comment
  20. Fix the Azure Identity Protection so that admins can see WHO resolved or dismissed a risk event.

    Currently, you cannot see who dismissed a risk event. That, in itself, is a major security risk that needs to be fixed.

    9 votes
    0 comments