question

0 Votes
SteveRice-1805 asked SteveRice-1805 answered

Is the Security Center recommendation for enabling encryption in Translate service invalid?

In the Azure "Security Center" we are receiving several recommendations regarding our Cognitive Services "translate" (free tier) service including:

  • Cognitive Services accounts should enable data encryption

  • Cognitive Services accounts should use customer owned storage or enable data encryption

  • Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)

The instructions on how to remediate these issues talk about going to the "Encryption" option in the service, however this option is not present for us. Reading the https://docs.microsoft.com/en-us/azure/cognitive-services/translator/encrypt-data-at-rest article it states that "For subscriptions that only support Microsoft-managed encryption keys, you will not have an Encryption section", furthermore, it also states "By default, your subscription uses Microsoft-managed encryption keys. If you are using a pricing tier that supports Customer-managed keys, you can see the encryption settings for your resource in the Encryption section of the Azure portal" suggesting that either (1) we have a subscription that does not support this or (2) the free tier does not support this. Furthermore, this page also states that encryption is enabled by default anyway ("Data is encrypted and decrypted using FIPS 140-2 compliant 256-bit AES encryption.").

So, to me the Security Center warnings are false positives or even invalid, is this correct?

azure-security-center azure-translator

1 Vote
SteveRice-1805 answered

For those reading this post - After a fairly lengthy communication thread with the Azure support team it was agreed that the Azure Security Center "Cognitive Services" recommendations were incorrect and need to be adjusted (with a rough ETA of September 2021).

As per Microsoft's advice we have put in place an exemption for the irrelevant "Cognitive Services" recommendations.
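
Added example, not part of the original thread: one way to keep such an exemption narrow and auditable is to generate an Azure Policy exemption body (the `Microsoft.Authorization/policyExemptions` property set) only for accounts on a tier that has no Encryption section, with a written justification and an expiry. The inventory, the `NO_CMK_SKUS` set, the dates and every `<...>` value are constructed placeholders or assumptions.

```python
import json
from datetime import datetime, timezone

# Assumption: tiers with no "Encryption" section (the thread only covers F0).
NO_CMK_SKUS = {"F0"}

# Constructed inventory, shaped like `az cognitiveservices account list` output.
ACCOUNTS = [
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/"
           "Microsoft.CognitiveServices/accounts/translate-free",
     "kind": "TextTranslation", "sku": {"name": "F0"}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/"
           "Microsoft.CognitiveServices/accounts/translate-paid",
     "kind": "TextTranslation", "sku": {"name": "S1"}},
]

def build_exemptions(accounts, assignment_id, reference_ids, expires_on, ticket):
    """Return {resource_id: exemption body} for accounts that cannot enable CMK."""
    out = {}
    for acct in accounts:
        sku = acct["sku"]["name"]
        if sku not in NO_CMK_SKUS:
            continue  # remediable in the portal: leave the recommendation active
        out[acct["id"]] = {"properties": {
            "policyAssignmentId": assignment_id,
            "policyDefinitionReferenceIds": list(reference_ids),
            "exemptionCategory": "Waiver",  # non-compliance accepted for now
            "displayName": "Translator %s: CMK recommendation not applicable" % sku,
            "description": ("Tier %s has no Encryption section; data at rest uses "
                            "Microsoft-managed keys. Support case: %s" % (sku, ticket)),
            # Expiry forces a re-review instead of a permanent blind spot.
            "expiresOn": expires_on.astimezone(timezone.utc)
                                   .strftime("%Y-%m-%dT%H:%M:%SZ"),
        }}
    return out

if __name__ == "__main__":
    bodies = build_exemptions(
        ACCOUNTS,
        assignment_id="<policy-assignment-resource-id>",      # placeholder
        reference_ids=["<policy-definition-reference-id>"],   # placeholder
        expires_on=datetime(2021, 10, 1, tzinfo=timezone.utc),  # constructed date
        ticket="<support-case-id>",                            # placeholder
    )
    print(json.dumps(bodies, indent=2))
```

Scoping each exemption to the individual resource keeps the recommendations active for any paid-tier account where the Encryption setting is available.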


0 Votes
JamesTran-MSFT answered SteveRice-1805 commented

@SteveRice-1805
Thank you for such a detailed post!

You're correct - your data is secure by default and you don't need to modify your code or applications to take advantage of encryption. However, if the encryption option within the portal is not available, as you stated, that most likely means you aren't in a pricing tier that supports this.

When it comes to Azure Security Center's recommendations, these are based on the Azure Security Benchmark. Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks.

In some cases, if you recently deployed your Translation service, ASC should clear those recommendations over time. However, if you're still experiencing issues with the recommendations, and would like to work closer with our support team on this, please let me know.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



Thank you very much for your reply.

The Cognitive Services "translate" (free tier "F0") service we are using has been in place for several months now, so I would have expected this is more than enough time for the recommendations to have reflected it, if they can.

Since it is not possible for us to resolve the recommendation could there be some sort of indication that this is the case in ASC so we can correctly, and safely, ignore the recommendation? I am aware we can mark the recommendation as "Exempt", however, from a compliance perspective we are not that happy to do so. The bottom line is that there is a recommendation we can't do anything about and when we have an audit process underway they may require an explanation of why we have not implemented this.

Thank you.

0 Votes 0 ·

@SteveRice-1805
Thank you for the quick and detailed response!

Would you be able to share some screenshots of the recommendation you're seeing? Additionally, I've reached out to our ASC team regarding these recommendations to get their inputs on them.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

0 Votes 0 ·

I have had problems pasting the multiple images here so I paste one big image with the information...

90717-translator-issues.png

0 Votes 0 ·