Is the Security Center recommendation for enabling encryption in Translate service invalid?

Stephen Rice 101 Reputation points
2021-04-20T13:54:43.777+00:00

In the Azure "Security Center" we are receiving several recommendations regarding our Cognitive Services "translate" (free tier) service including:

  • Cognitive Services accounts should enable data encryption
  • Cognitive Services accounts should use customer owned storage or enable data encryption
  • Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)

The instructions on how to remediate these issues talk about going to the "Encryption" option in the service; however, this option is not present for us. Reading the https://learn.microsoft.com/en-us/azure/cognitive-services/translator/encrypt-data-at-rest article, it states that "For subscriptions that only support Microsoft-managed encryption keys, you will not have an Encryption section". Furthermore, it also states "By default, your subscription uses Microsoft-managed encryption keys. If you are using a pricing tier that supports Customer-managed keys, you can see the encryption settings for your resource in the Encryption section of the Azure portal", suggesting that either (1) we have a subscription that does not support this or (2) the free tier does not support this. Furthermore, this page also states that encryption is enabled by default anyway ("Data is encrypted and decrypted using FIPS 140-2 compliant 256-bit AES encryption.").

So, to me the Security Center warnings are false positives or even invalid. Is this correct?

Azure AI Translator
An Azure service to easily conduct machine translation with a simple REST API call.
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Accepted answer
  1. Stephen Rice 101 Reputation points
    2021-07-29T11:07:32.82+00:00

    For those reading this post - After a fairly lengthy communication thread with the Azure support team it was agreed that the Azure Security Center "Cognitive Services" recommendations were incorrect and need to be adjusted (with a rough ETA of September 2021).

    As per Microsoft's advice we have put in place an exemption for the irrelevant "Cognitive Services" recommendations.

    1 person found this answer helpful.

1 additional answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2021-04-21T22:16:02.267+00:00

    @Stephen Rice
    Thank you for such a detailed post!

    You're correct - your data is secure by default and you don't need to modify your code or applications to take advantage of encryption. However, if the encryption option within the portal is not available, as you stated, that most likely means you aren't in a pricing tier that supports this.

    When it comes to Azure Security Center's recommendations, these are based on the Azure Security Benchmark. Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks.

    In some cases, if you recently deployed your Translation service, ASC should clear those recommendations over time. However, if you're still experiencing issues with the recommendations, and would like to work closer with our support team on this, please let me know.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

