NSAuditor AI EE 0.13.2 Ships First Dedicated Azure Auditor: Plugin 1220 Brings AWS-Grade Encryption Depth to Azure Storage Across Five Dimensions

EE 0.13.2 closes Azure’s deepest evidence gap with the first dedicated Azure auditor — Plugin 1220 owns Storage Account at-rest, in-transit, and authorization across five dimensions.


Las Vegas, NV — May 26, 2026 — Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.13.2, the platform’s “Move C-2” cycle — the first dedicated Azure auditor since the multi-purpose Azure scanner shipped, and the closest the product line has come to evidence parity between Azure and the deep AWS auditor stack.

The release adds a single new plugin, 1220 azure-storage-hardening-auditor, taking the total Enterprise Edition plugin count from 25 to 26 (cloud-audit subset 24 → 25). It is the 34th consecutive trio-publish in the institutionalized EE / Community Edition / agent-skill cadence — restricted-access EE 0.13.2 is paired with public Community Edition 0.1.77 and public nsauditor-ai-agent-skill 0.1.44.

All six supported compliance coverage matrices — SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Critical Security Controls v8 — remain unchanged at 10/4/33, 7/3/45, 13/10/83, 20/8/39, 17/14/62, and 17/22/114 respectively. The 0.13.2 release is positioned explicitly as substrate-depth uplift on already-covered transit, authentication, and at-rest controls, not as coverage expansion.

The Azure parity gap the cycle closes

Before 0.13.2, Azure storage evidence was generated by a single multi-purpose scanner (plugin 1022) whose storage dimension read only two of the six data-protection signals that matter on an Azure Storage Account — leaving plaintext-HTTP-allowed, TLS 1.0, Shared-Key authorization, and missing infrastructure encryption to a manual auditor walkthrough. Compare to AWS, where S3 has been audited from two angles for several cycles (plugin 1020 scanner + plugin 1120 lifecycle/replication). EE 0.13.2 mirrors that two-plugin pattern on Azure.

The five dimensions Plugin 1220 owns

Plugin 1220 audits the Azure Storage Account encryption-at-rest, encryption-in-transit, and authorization-mode surface across five dimensions:

  • HTTPS-only transit via enableHttpsTrafficOnly — HIGH severity on plaintext HTTP allowed; routes to SOC 2 CC6.7, HIPAA §164.312(e)(1), NIST CSF 2.0 PR.DS-02, PCI DSS 4.2.1, ISO/IEC 27001:2022 A.8.24, and CIS Controls v8 3.10.
  • Minimum TLS version — anything below TLS 1.2 is treated as downgrade-attackable.
  • Shared Key authorization via allowSharedKeyAccess — a long-lived shared secret that bypasses Azure AD identity and per-principal audit. Absent fields are treated as ENABLED per Azure’s documented default, never as a silent PASS.
  • Infrastructure (double) encryption via requireInfrastructureEncryption, routing to Confidentiality C1.1 and equivalents.
  • Encryption key source including customer-managed-key reachability and rotation via encryption.keyVaultProperties. A CMK reference is credited only when the key is currently resolvable AND auto-rotating; a disabled, revoked, soft-deleted, or version-pinned CMK degrades rather than silently passing.

Plugin 1220 is deliberately non-overlapping with plugin 1022’s network-exposure dimensions (network-ACL default-action and public-blob-access) — no double-emission, no scope confusion when a finding lands on an auditor’s desk.

Encryption is a key-access question, not a key-existence question

The defining design point of this cycle is the customer-managed-key fold. The plugin shipped through the platform’s audit-cloud-plugin-false-negatives adversarial review lens — a dedicated red-team perspective on the misconfigurations a cloud scanner can silently PASS over. The independent review surfaced a HIGH-severity false-clean class: the original 1220 PASS path trusted keySource alone, which would credit a CMK reference even when the underlying key was disabled, revoked, soft-deleted, or version-pinned. The shipped plugin folds that finding — the PASS now verifies key reachability and rotation rather than treating a CMK pointer as custody.

Two additional folds shipped same-session: blob recoverability (soft-delete, versioning, point-in-time-restore) is surfaced as an explicit stated scope gap rather than an implied clean, and single-subscription scope appears as an evidence row so other subscriptions are never an implied clean.

False-negative discipline across the 14-class taxonomy

Every PASS path in the plugin was pressure-tested against the 14-class false-negative taxonomy:

  • Azure field-default discipline: an absent allowSharedKeyAccess is ENABLED, per Azure’s documented default.
  • Enum case-normalization on string-valued fields.
  • An indeterminate field becomes an evidence-gap finding with a verification prompt.
  • An AccessDenied response becomes an evidence-gap finding, never a fabricated clean.
  • for await pagination runs to exhaustion.
  • An explicit single-subscription scope evidence row makes the boundary visible to the auditor.
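As an added illustration, not NSAuditor's own plugin code, the five dimensions listed above, the customer-managed-key custody fold, and the false-negative discipline are folded into one JavaScript check that can be run offline. Field names (enableHttpsTrafficOnly, minimumTlsVersion, allowSharedKeyAccess, requireInfrastructureEncryption, encryption.keySource, encryption.keyVaultProperties) follow the release; the storage-account fixture shape, the in-memory key table that stands in for a live Key Vault read, the MEDIUM severity assigned to a degraded CMK, and the AccessDenied result shape are constructed assumptions.

```javascript
"use strict";

const SEV = { HIGH: "HIGH", MEDIUM: "MEDIUM", LOW: "LOW", GAP: "EVIDENCE_GAP", INFO: "INFO" };

// Azure's documented default: anything but an explicit false means Shared Key
// authorization is ENABLED, so an absent field is a finding, never a silent PASS.
function sharedKeyAllowed(props) {
  return props.allowSharedKeyAccess !== false;
}

// Enum case-normalization: "TLS1_2", "tls1_2" and " TLS1_0 " all resolve to a
// minor version; any other value is unknown (null) and becomes an evidence gap.
function tlsMinor(value) {
  if (typeof value !== "string") return null;
  const m = /^TLS1_(\d)$/.exec(value.trim().toUpperCase());
  return m ? Number(m[1]) : null;
}

// Custody is an access question: a CMK reference is credited only when the key
// resolves in the vault table (constructed stand-in for a Key Vault lookup),
// is enabled, not soft-deleted, not pinned to one version, and auto-rotates.
function cmkStatus(kvProps, vault) {
  if (!kvProps || !kvProps.keyVaultUri || !kvProps.keyName) return "unresolvable";
  const key = vault[`${kvProps.keyVaultUri}/keys/${kvProps.keyName}`];
  if (!key) return "unresolvable";
  if (key.deleted) return "soft-deleted";
  if (!key.enabled) return "disabled";
  if (kvProps.keyVersion) return "version-pinned";
  if (!key.rotationPolicy || !key.rotationPolicy.autoRotate) return "not-rotating";
  return "ok";
}

function auditStorageAccount(account, vault = {}) {
  const p = account.properties || {};
  const enc = p.encryption || {};
  const findings = [];
  const add = (dimension, severity, detail) =>
    findings.push({ account: account.name, dimension, severity, detail });

  // 1. HTTPS-only transit: explicit false is HIGH; anything other than true is a gap.
  if (p.enableHttpsTrafficOnly === false) add("transit", SEV.HIGH, "plaintext HTTP allowed");
  else if (p.enableHttpsTrafficOnly !== true) add("transit", SEV.GAP, "enableHttpsTrafficOnly indeterminate; verify");

  // 2. Minimum TLS version: below 1.2 is downgrade-attackable; unknown enum is a gap.
  const minor = tlsMinor(p.minimumTlsVersion);
  if (minor === null) add("tls", SEV.GAP, "minimumTlsVersion indeterminate; verify");
  else if (minor < 2) add("tls", SEV.MEDIUM, `minimum TLS 1.${minor} accepted`);

  // 3. Shared Key authorization (absent field => enabled, per Azure default).
  if (sharedKeyAllowed(p)) add("authz", SEV.MEDIUM, "Shared Key authorization enabled");

  // 4. Infrastructure (double) encryption.
  if (enc.requireInfrastructureEncryption !== true) add("at-rest", SEV.LOW, "infrastructure encryption not required");

  // 5. Key source and CMK custody. Absent keySource is Microsoft.Storage (Azure default).
  const source = String(enc.keySource || "Microsoft.Storage").toLowerCase();
  if (source === "microsoft.storage") add("key-custody", SEV.LOW, "Microsoft-managed key");
  else if (source === "microsoft.keyvault") {
    const status = cmkStatus(enc.keyVaultProperties, vault);
    // MEDIUM for a degraded CMK is an assumption of this example, not a documented severity.
    if (status !== "ok") add("key-custody", SEV.MEDIUM, `customer-managed key ${status}`);
  } else add("key-custody", SEV.GAP, `keySource ${enc.keySource} unrecognized; verify`);

  return findings;
}

// Subscription-level wrapper: an AccessDenied list result becomes an evidence-gap
// row, and the single-subscription boundary is emitted as an explicit evidence row.
function auditSubscription(subscriptionId, listResults, vault) {
  const findings = [{ account: null, dimension: "scope", severity: SEV.INFO,
    detail: `subscription ${subscriptionId} only; other subscriptions are not implied clean` }];
  for (const r of listResults) {
    if (r.error) findings.push({ account: r.name || null, dimension: "scope", severity: SEV.GAP,
      detail: `read failed (${r.error.code}); no clean implied` });
    else findings.push(...auditStorageAccount(r, vault));
  }
  return findings;
}

// Constructed fixtures mirroring the leaky / compliant / baseline shapes, plus a
// version-pinned CMK case for the false-clean class the adversarial review caught.
const VAULT = {
  "https://kv-example.vault.azure.net/keys/storage-cmk": { enabled: true, deleted: false, rotationPolicy: { autoRotate: true } },
};
const FIXTURES = {
  leaky: { name: "stleaky", properties: { enableHttpsTrafficOnly: false, minimumTlsVersion: "TLS1_0", allowSharedKeyAccess: true,
    encryption: { requireInfrastructureEncryption: false, keySource: "Microsoft.Storage" } } },
  compliant: { name: "stcompliant", properties: { enableHttpsTrafficOnly: true, minimumTlsVersion: "tls1_2", allowSharedKeyAccess: false,
    encryption: { requireInfrastructureEncryption: true, keySource: "Microsoft.Storage" } } },
  baseline: { name: "stbaseline", properties: { enableHttpsTrafficOnly: true, minimumTlsVersion: "TLS1_2",
    encryption: { keySource: "Microsoft.Keyvault", keyVaultProperties: { keyVaultUri: "https://kv-example.vault.azure.net", keyName: "storage-cmk" } } } },
  pinnedCmk: { name: "stpinned", properties: { enableHttpsTrafficOnly: true, minimumTlsVersion: "TLS1_2", allowSharedKeyAccess: false,
    encryption: { requireInfrastructureEncryption: true, keySource: "Microsoft.Keyvault",
      keyVaultProperties: { keyVaultUri: "https://kv-example.vault.azure.net", keyName: "storage-cmk", keyVersion: "0123456789abcdef" } } } },
};

// Stand-alone run: node azure-storage-audit.js
console.log(auditSubscription("00000000-0000-0000-0000-000000000000", Object.values(FIXTURES), VAULT));
```

The pinnedCmk fixture is the case the original keySource-only PASS path would have credited: keySource says Microsoft.Keyvault and the key exists, yet the pinned keyVersion means rotation never reaches the account, so the check degrades it instead of passing.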

Regression and live smoke

The full Enterprise Edition test suite runs 6,445 tests across 1,056 suites and passes 6,445 of them — a +15 net increase on the EE 0.13.1 baseline of 6,430, and the 80th consecutive session preserving the 100% green streak. Live Azure hexa-framework smoke testing confirmed plugin 1220 fires on all three storage fixtures with the fixture tag-oracle matching field-for-field: a leaky configuration produced a HIGH plaintext-HTTP finding plus MEDIUM TLS 1.0 plus MEDIUM Shared-Key plus LOW no-infrastructure-encryption plus LOW Microsoft-managed-key. The compliant fixture passed the substrate (HTTPS, TLS 1.2, Azure AD only, infrastructure-encryption on) while still surfacing a stricter-than-oracle key-custody LOW for Microsoft-managed-key (the design choice that custody is an access question, not an existence question). The baseline fixture produced MEDIUM shared-key plus LOW no-infrastructure-encryption.

An AWS regression smoke run on the same release confirmed every existing matrix and every existing plugin behaves identically — the 1220 addition is additive-only.

Cross-framework routing — all matrices unchanged

Plugin 1220’s findings route across every supported framework, all to already-covered controls so coverage matrices do not move. SOC 2 picks up at CC6.7 / CC6.1 / C1.1; HIPAA at §164.312(e)(1) / (d) / (a)(2)(iv); NIST CSF 2.0 at PR.DS-02 / PR.AA-03 / PR.DS-01; PCI DSS v4.0.1 at 4.2.1 / 8.3.1 / 3.5.1; ISO/IEC 27001:2022 at A.8.24 / A.8.5; and CIS Controls v8 at 3.10 / 5.4 / 3.11. The framework-anchor-drift test suite is green: the new azure-storage-hardening-auditor (source, titlePattern) pairs inherit cleanly from soc2.json per the platform’s inheritance contract.

Availability

NSAuditor AI EE 0.13.2 is recommended for every existing customer auditing Azure workloads under --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — the hexa-framework one-scan workflow produces six separate auditor-ready evidence packs from a single scan. The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.1, Community Edition 0.1.76, and agent-skill 0.1.43 are deprecated on this publish with paired-pointer messages.

Install (Enterprise Edition; restricted npm token required):

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

For trial requests, enterprise pricing, and pre-audit readiness reviews against Azure storage workloads, contact enterprise@nsasoft.us. The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices live at nsauditor.com/ai/docs; a synthetic-fixture sample scan demonstrating the new plugin-1220 finding shape is published at nsauditor.com/ai/docs/sample-scan.

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us. Enterprise sales: enterprise@nsasoft.us.
