I suggest you ...

Let Web Apps be PCI compliant

Although PCI compliance is promoted on Azure, a Web App created on Azure is non-compliant by default and cannot be set up appropriately.

I understand that a Web App is not as isolated as an ASE (which still is not compliant by default and needs advanced set-up), with instances sharing system-level settings with other clients (so they cannot be changed independently), and I understand that some set-up changes that apply to all clients, even ones that do not require PCI, can lead to problems for some of them.

I propose an option to opt in to PCI compliance at Web App level; enabling it can put the instance inside a system with an appropriate set-up, shared with other clients that have enabled the option too. Alternatively (if that's not possible), a new 'PCI Web App' service that has all Web App features plus PCI compliance by default and is kept up to date; in this case, an easy way to migrate an existing Web App into this one will be useful.

As an example, a PCI Web App will disable TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS 1.0, both enabled on Web App right now and not compliant.

24 votes
Iago shared this idea

0 comments
