Azure Security Baseline for Backup

The Azure Security Baseline for Backup contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security Group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security Group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.4: Deny communications with known malicious IP addresses

Guidance: The endpoints used by Azure Backup (including the Azure Recovery Services agent) are all managed by Microsoft. You are responsible for any additional controls you wish to deploy to your on-premises systems.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

1.5: Record network packets and flow logs

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security Group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: The endpoints used by Azure Backup (including the Azure Recovery Services agent) are all managed by Microsoft. You are responsible for any additional controls you wish to deploy to your on-premises systems.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: If you are using the MARS agent on an Azure Virtual Machine, use the AzureBackup service tag on your NSG or Azure Firewall to allow outbound access to Azure Backup.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Not applicable; the endpoints used by Azure Backup (including the Azure Recovery Services agent) are all managed by Microsoft.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.10: Document traffic configuration rules

Guidance: If you are using the MARS agent on an Azure Virtual Machine, associate that VM with a network security group and use the rule description to specify the business need for the rule.
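The following added example (not part of the baseline) shows controls 1.8 and 1.10 together: an outbound NSG rule keyed on the AzureBackup service tag rather than a hand-maintained IP list, with the business need recorded in the rule description. The resource group and NSG names are assumptions; the Az.Network module is required.

```powershell
# Added example, not from the baseline: allow a MARS-agent VM's NSG to reach Azure Backup
# by service tag (1.8) and document the business need in the rule (1.10).
$rgName  = 'rg-backup-demo'   # assumption
$nsgName = 'nsg-mars-vm'      # assumption

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# One outbound rule on the AzureBackup service tag; Microsoft maintains the tag's address
# ranges, so the rule never needs editing when Azure Backup endpoints change.
# The Description field is where the business justification lives (ticket id is a placeholder).
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-AzureBackup-Out' `
    -Description 'MARS agent backup traffic to Azure Backup over HTTPS. Owner: backup-ops. Ticket: <placeholder>' `
    -Direction Outbound -Access Allow -Priority 200 -Protocol Tcp `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureBackup' -DestinationPortRange 443 | Out-Null

# Persist the change; this write operation is recorded in the Azure Activity Log (see 1.11).
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review step: every outbound Allow rule should carry a description; list the ones that do not.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Access -eq 'Allow' -and -not $_.Description } |
    Select-Object Name, Priority, DestinationAddressPrefix
```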

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: If you are using the MARS agent on an Azure Virtual Machine that is protected by an NSG or Azure Firewall, use the Azure Activity Log to monitor the configuration of the NSG or Firewall. You may create alerts within Azure Monitor that trigger when changes to these resources take place.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Not applicable; Microsoft maintains the time source used for Azure resources, such as Azure Backup, for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure Event Hub, or Azure Storage account for archive. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure resources.

Also, ingest logs via Azure Monitor to aggregate security data generated by Azure Backup. Within Azure Monitor, use Log Analytics workspace(s) to query and perform analytics, and use storage accounts for long-term/archival storage. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party Security Incident and Event Management (SIEM) system.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure Event Hub, or Azure Storage account for archive. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure resources.

Additionally, Azure Backup sends diagnostic events that can be collected and used for analysis, alerting and reporting. You can configure diagnostic settings for a Recovery Services vault via the Azure portal. You can send one or more diagnostic events to a Storage Account, Event Hub, or a Log Analytics workspace.
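As an added example (not from the baseline) of controls 2.2 and 2.3, the script below configures a vault's diagnostic setting to a Log Analytics workspace from PowerShell instead of the portal, then verifies that every requested category is actually enabled. Resource names are assumptions, and so are the two log category names; the Az.RecoveryServices, Az.OperationalInsights and Az.Monitor (3.0 or later) modules are required.

```powershell
# Added example, not from the baseline: route a Recovery Services vault's diagnostic events
# to a Log Analytics workspace and confirm the setting took effect.
$rgName = 'rg-backup-demo'   # assumption
$vault  = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name 'rsv-prod-01'   # assumed name
$law    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name 'law-sec'  # assumed name

# Category names are an assumption for this example; list what the vault actually offers with
#   Get-AzDiagnosticSettingCategory -ResourceId $vault.ID
# before relying on them.
$wanted = @('CoreAzureBackup', 'AddonAzureBackupJobs')
$logs   = $wanted | ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true }

# 'Dedicated' writes to resource-specific tables rather than the shared AzureDiagnostics table,
# which keeps the schema stable for the queries and alerts built on top of it (2.6, 2.7).
New-AzDiagnosticSetting -Name 'vault-to-law' -ResourceId $vault.ID `
    -WorkspaceId $law.ResourceId -Log $logs -LogAnalyticsDestinationType 'Dedicated' | Out-Null

# Verify: read the setting back and compare enabled categories with what was requested.
$applied = Get-AzDiagnosticSetting -ResourceId $vault.ID -Name 'vault-to-law'
$enabled = $applied.Log | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Category
$missing = $wanted | Where-Object { $_ -notin $enabled }
if ($missing) {
    Write-Warning "Categories not enabled on $($vault.Name): $($missing -join ', ')"
} else {
    "All requested diagnostic categories are enabled on $($vault.Name)."
}
```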

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set the log retention period for Log Analytics workspaces associated with your Azure Recovery Services vaults according to your organization's compliance regulations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure. You can also increase the scale of your monitoring and reporting by using Azure Monitor.

Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the Activity Log data that may have been collected for Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activity

Guidance: Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure. You can also increase the scale of your monitoring and reporting by using Azure Monitor.

Alerts are primarily scenarios where users are notified so that they can take relevant action. The Backup Alerts section shows alerts generated by the Azure Backup service. These alerts are defined by the service and you cannot create custom alerts there.

You can also onboard a Log Analytics workspace to Azure Sentinel, as it provides a security orchestration automated response (SOAR) solution. This allows playbooks (automated solutions) to be created and used to remediate security issues. Additionally, you can create custom log alerts in your Log Analytics workspace using Azure Monitor.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Backup does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Backup does not process or produce DNS-related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
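The following added example (not from the baseline) performs the ad hoc query control 3.1 describes with the Azure AD PowerShell module: it enumerates the members of a set of privileged directory roles and writes a dated snapshot so successive runs can be compared. The role list is an assumption; Connect-AzureAD is assumed to have been run already with an account allowed to read directory roles.

```powershell
# Added example, not from the baseline: inventory members of administrative Azure AD roles.
# The roles treated as "administrative" here are an assumption; extend the list for your tenant.
$adminRoles = @('Global Administrator', 'Privileged Role Administrator',
                'Security Administrator', 'User Administrator')

# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
$inventory = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in $adminRoles } |
    ForEach-Object {
        $role = $_
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = $_.DisplayName
                Upn        = $_.UserPrincipalName   # empty for groups and service principals
                ObjectType = $_.ObjectType
                Enabled    = $_.AccountEnabled      # a disabled account still holding a role should be removed
            }
        }
    }

$inventory | Sort-Object Role, Member | Format-Table -AutoSize

# Dated snapshot: diff it against the previous run to spot newly added or re-enabled admins.
$inventory | Export-Csv -Path ".\admin-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```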

Supporting documentation:

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure AD does not have the concept of default passwords. Other Azure resources requiring a password force a password to be created with complexity requirements and a minimum password length, which differs depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policies, such as:
- There should be more than one owner assigned to your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Use an Azure app registration (service principal) to retrieve a token that can be used to interact with your Recovery Services vaults via API calls.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: When you perform critical operations in Azure Backup, you have to enter a security PIN, available in the Azure portal. Enabling Azure Multi-Factor Authentication adds a layer of security. Only authorized users with valid Azure credentials, and authenticated from a second device, can access the Azure portal.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a Privileged Access Workstation (PAW) with Azure Multi-Factor Authentication (MFA) configured to log into and configure your Azure Backup-enabled resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Azure Active Directory (AD) Privileged Identity Management (PIM) to generate logs and alerts when suspicious or unsafe activity occurs in the environment.

In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access to the Azure portal only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Azure Backup instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (AD) provides logs to help you discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Azure Backup instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

You have access to Azure AD sign-in activity, audit and risk event log sources, which allow you to integrate with Azure Sentinel or a third-party SIEM.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure the desired log alerts within Log Analytics.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Recovery Services vaults. For account login behavior deviation on the control plane (the Azure portal), use Azure AD Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Currently not available; Customer Lockbox is not yet supported for Azure Backup.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: When backing up Azure IaaS VMs, Azure Backup provides independent and isolated backups to guard against accidental destruction of the original data. Backups are stored in a Recovery Services vault with built-in management of recovery points.

Implement separate subscriptions and/or management groups for development, test, and production Recovery Services vaults. Resources should be separated by VNet/subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For virtual machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.

Supporting documentation:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Currently not available; data identification, classification, and loss prevention features are not yet available for Azure Backup.

Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Backup traffic from servers to the Recovery Services vault is transferred over a secure HTTPS link and encrypted using Advanced Encryption Standard (AES) 256 when stored in the vault.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.5: Use an active discovery tool to identify sensitive data

Guidance: Currently not available; data identification, classification, and loss prevention features are not yet available for Azure Backup.

Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Currently not available

Responsibility: Currently not available

4.6: Use Azure RBAC to control access to resources

Guidance: Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can segregate duties within your team and grant users only the amount of access they need to perform their jobs.

Azure Backup provides three built-in roles to control backup management operations: Backup Contributor, Backup Operator, and Backup Reader. You can map the Backup built-in roles to various backup management actions.
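As an added example (not from the baseline) for control 4.6, the script below reviews every role assignment visible at a vault's scope, including assignments inherited from the resource group or subscription, and flags any that grant more than the three Backup built-in roles. Resource names and the placeholder object id are assumptions; the Az.Resources and Az.RecoveryServices modules are required.

```powershell
# Added example, not from the baseline: least-privilege review of a Recovery Services vault's RBAC.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup-demo' -Name 'rsv-prod-01'  # assumed names

# The three roles the baseline names; anything else on the vault deserves a second look.
$backupRoles = @('Backup Contributor', 'Backup Operator', 'Backup Reader')

# Get-AzRoleAssignment at the vault scope also returns inherited assignments. A subscription
# Owner or Contributor can delete the vault and its recovery points, far beyond backup duties.
$assignments = Get-AzRoleAssignment -Scope $vault.ID

$report = $assignments | ForEach-Object {
    $finding = if ($_.RoleDefinitionName -in $backupRoles) { 'OK' }
               elseif ($_.RoleDefinitionName -in @('Owner', 'Contributor')) { 'Broad role: replace with a Backup role' }
               else { 'Review' }
    [pscustomobject]@{
        Principal = $_.DisplayName
        Type      = $_.ObjectType
        Role      = $_.RoleDefinitionName
        Scope     = $_.Scope
        Inherited = ($_.Scope -ne $vault.ID)   # $true when granted above the vault
        Finding   = $finding
    }
}
$report | Sort-Object Finding, Role | Format-Table -AutoSize

# Least-privilege fix for a principal that only runs and monitors backups (object id is a placeholder):
# New-AzRoleAssignment -ObjectId '<principal-object-id>' -RoleDefinitionName 'Backup Operator' -Scope $vault.ID
```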

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.8: Encrypt sensitive information at rest

Guidance: Azure Backup supports encryption for at-rest data. For on-premises backup, encryption at rest is provided using the passphrase you provide when backing up to Azure. For cloud workloads, data is encrypted at rest using Storage Service Encryption (SSE). Microsoft does not decrypt the backup data at any point.

When backing up with the MARS agent or using a Recovery Services vault encrypted with a customer-managed key, only you have access to the encryption key. Microsoft never maintains a copy and does not have access to the key. If the key is misplaced, Microsoft cannot recover the backup data.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts that trigger when changes take place to production Azure Recovery Services vaults as well as other critical or related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Not yet available; vulnerability assessment in Azure Security Center is not yet available for Azure Backup.

The underlying platform is scanned and patched by Microsoft. Review the security controls available for Azure Backup to reduce service configuration related vulnerabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Currently not available; security configurations for Azure Backup are not yet supported in Azure Security Center.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving metadata to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Define approved Azure resources and approved software for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).

Use Azure Resource Graph to query/discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.
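The following added example (not from the baseline) combines controls 4.1, 6.1, 6.2 and 6.5: one Resource Graph query inventories every Recovery Services vault the caller can read, and the script flags vaults that lack the tag used to track sensitive data or that live in a subscription outside an approved list. The tag name and subscription list are assumptions; the Az.ResourceGraph module is required.

```powershell
# Added example, not from the baseline: inventory Recovery Services vaults with Azure Resource Graph
# and flag the ones that violate the tagging and approved-subscription expectations.
$requiredTag  = 'DataClassification'                        # assumption: tag used for 4.1 / 6.2
$approvedSubs = @('00000000-0000-0000-0000-000000000000')   # placeholder subscription ids

# Kusto query over the Resources table; runs across every subscription the caller has read access to.
$query = @"
Resources
| where type =~ 'microsoft.recoveryservices/vaults'
| project name, resourceGroup, subscriptionId, location, tags
"@

# -First raises the page size (max 1000); larger estates need paging with -Skip or -SkipToken.
$vaults = Search-AzGraph -Query $query -First 1000

$findings = $vaults | ForEach-Object {
    $issues = @()
    # tags comes back as an object whose properties are the tag names; absent tags are simply missing properties.
    if (-not ($_.tags -and $_.tags.PSObject.Properties[$requiredTag])) { $issues += "missing tag '$requiredTag'" }
    if ($_.subscriptionId -notin $approvedSubs) { $issues += 'unapproved subscription' }
    [pscustomobject]@{
        Vault         = $_.name
        ResourceGroup = $_.resourceGroup
        Subscription  = $_.subscriptionId
        Location      = $_.location
        Issues        = ($issues -join '; ')
    }
} | Where-Object { $_.Issues }

if ($findings) { $findings | Format-Table -AutoSize } else { 'All vaults are tagged and in approved subscriptions.' }
```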

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions: "Not allowed resource types" and "Allowed resource types".

Azure Security Center monitoring: Not applicable

Responsibility: Customer
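The inventory-then-restrict procedure described in 6.3, 6.5 and 6.9 (Resource Graph discovery, then the built-in "Not allowed resource types" definition), as an added Azure CLI example that is not part of the baseline. It assumes Azure CLI with the resource-graph extension and a signed-in session; the assignment name and the resource types passed on the command line are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure Security Baseline): inventory resource
# types with Azure Resource Graph, then assign the built-in
# "Not allowed resource types" policy to a scope. Requires Azure CLI with the
# resource-graph extension and an authenticated session (az login).
set -eu

# Resource Graph: count every resource type visible to the caller, so
# unexpected types stand out before the deny list is written.
list_resource_types() {
  az graph query -q 'Resources | summarize count() by type | order by count_ desc' \
    --query 'data[].{type:type, count:count_}' -o table
}

# Build the parameter object for the built-in "Not allowed resource types"
# definition. Pure shell (no Azure calls) so it can be reviewed or tested:
# every argument becomes one entry in listOfResourceTypesNotAllowed.
not_allowed_params() {
  local list="" t
  for t in "$@"; do
    list="${list:+$list,}\"$t\""
  done
  printf '{"listOfResourceTypesNotAllowed":{"value":[%s]}}\n' "$list"
}

# Assign the built-in definition at a subscription or resource-group scope.
# The definition is looked up by display name, so no policy GUID is hard-coded.
assign_not_allowed_types() {
  local scope="$1"; shift                      # e.g. /subscriptions/<subscription-id>
  local def_name
  def_name=$(az policy definition list \
    --query "[?displayName=='Not allowed resource types' && policyType=='BuiltIn'].name" \
    -o tsv)
  [ -n "$def_name" ] || { echo "built-in definition not found" >&2; return 1; }
  az policy assignment create \
    --name "deny-unapproved-resource-types" \
    --display-name "Deny resource types not approved for this scope" \
    --scope "$scope" \
    --policy "$def_name" \
    --params "$(not_allowed_params "$@")"
}

# Usage (runs only when a scope is given, so sourcing the file is side-effect free):
#   ./restrict-types.sh /subscriptions/<subscription-id> \
#       Microsoft.Compute/virtualMachines Microsoft.Web/sites
if [ "${1:-}" != "" ]; then
  list_resource_types
  assign_not_allowed_types "$@"
fi
```

Start with the "Allowed resource types" definition instead when the approved list is shorter than the list of everything to forbid; its parameter is listOfResourceTypesAllowed and the same assignment pattern applies.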

6.10: Implement an approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Recovery Services vault with Azure Policy. Use Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies that audit or enforce the configuration of your Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: If using custom Azure Policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
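A custom policy of the kind 7.1, 7.3, 7.7 and 7.9 describe, as an added Azure CLI example that is not part of the baseline: a definition scoped to Microsoft.RecoveryServices/vaults whose effect is a parameter, so it can be assigned as Audit first and flipped to Deny later, plus a helper that lists the aliases the provider publishes for further rules. It assumes Azure CLI with a signed-in session; the definition name, display names and locations are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure Security Baseline): a custom Azure Policy
# definition that audits or denies Recovery Services vaults created outside an
# approved list of regions. Requires Azure CLI and an authenticated session.
set -eu

# Enumerate the aliases Azure Policy exposes for the vault resource type; these
# are the fields a custom rule may reference (read from the provider at run
# time, nothing is hard-coded here).
list_vault_aliases() {
  az provider show --namespace Microsoft.RecoveryServices \
    --expand "resourceTypes/aliases" \
    --query "resourceTypes[?resourceType=='vaults'].aliases[].name" -o tsv
}

# Policy rule: match vaults whose location is not in the allowedLocations
# parameter. The effect is itself a parameter so one definition can be rolled
# out as Audit and switched to Deny once exceptions have been handled.
vault_policy_rules() {
  cat <<'JSON'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.RecoveryServices/vaults" },
      { "field": "location", "notIn": "[parameters('allowedLocations')]" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
JSON
}

vault_policy_params() {
  cat <<'JSON'
{
  "allowedLocations": { "type": "Array",
    "metadata": { "displayName": "Allowed locations for Recovery Services vaults" } },
  "effect": { "type": "String", "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit" }
}
JSON
}

# Create the definition and assign it: assign_vault_location_policy <scope> <effect> <location>...
assign_vault_location_policy() {
  local scope="$1" effect="$2"; shift 2
  local locs="" l
  for l in "$@"; do locs="${locs:+$locs,}\"$l\""; done
  az policy definition create --name "rsv-allowed-locations" \
    --display-name "Recovery Services vaults: allowed locations" \
    --mode Indexed --rules "$(vault_policy_rules)" --params "$(vault_policy_params)"
  az policy assignment create --name "rsv-allowed-locations" --scope "$scope" \
    --policy "rsv-allowed-locations" \
    --params "{\"allowedLocations\":{\"value\":[$locs]},\"effect\":{\"value\":\"$effect\"}}"
}
```

Keep the rule and parameter JSON under source control (7.5) and run the assignment from a pipeline, so policy exceptions are reviewed changes rather than portal edits.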

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: When setting up the MARS agent, store your encryption passphrase within Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Not applicable; managed identities are not supported for Azure Backup.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Backup); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Backup); however, it does not run on your content.

Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, etc.

Use Azure Security Center's threat detection for data services to detect malware uploaded to storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Not applicable; this recommendation is intended for the resources being backed up and not for Azure Backup itself.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS is a low-cost option for protecting your data from local hardware failures. Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there is a regional outage.

Back up customer-managed keys within Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups, including customer-managed keys

Guidance: Test restoration of backed-up customer-managed keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: For on-premises backup, encryption at rest is provided using the passphrase you supply when backing up to Azure. For Azure VMs, data is encrypted at rest using Storage Service Encryption (SSE). You may enable soft-delete in Key Vault to protect keys against accidental or malicious deletion.

Azure Security Center monitoring: Yes

Responsibility: Customer
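The Key Vault and vault-redundancy steps from 7.11, 9.2, 9.3 and 9.4 put together, as an added Azure CLI example that is not part of the baseline: a passphrase-length check for the MARS passphrase, a Key Vault with soft-delete retention and purge protection to hold it, the Recovery Services vault set to geo-redundant storage, and a rehearsal of restoring a backed-up customer-managed key. It assumes Azure CLI with a signed-in session; vault, resource group, key and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure Security Baseline): protect the secrets
# that protect the backups. Requires Azure CLI and an authenticated session;
# all names are placeholders.
set -eu

# MARS requires a passphrase of at least 16 characters; reject weaker input
# before it is written anywhere. Pure shell, so it is unit-testable.
check_mars_passphrase() {
  local pass="$1"
  [ "${#pass}" -ge 16 ]
}

# Key Vault with 90-day soft-delete retention and purge protection, so a
# deleted secret or key cannot be permanently removed before retention ends.
create_protected_keyvault() {
  local kv="$1" rg="$2" location="$3"
  az keyvault create --name "$kv" --resource-group "$rg" --location "$location" \
    --retention-days 90 --enable-purge-protection true
}

# Store the passphrase from a file (never on the command line, which would
# leave it in shell history and process listings).
store_mars_passphrase() {
  local kv="$1" pass_file="$2"
  check_mars_passphrase "$(cat "$pass_file")" || { echo "passphrase too short" >&2; return 1; }
  az keyvault secret set --vault-name "$kv" --name "mars-passphrase" --file "$pass_file"
}

# Backup storage redundancy has to be chosen before the first item is
# protected; it cannot be changed once the vault holds backup data.
set_vault_geo_redundant() {
  local vault="$1" rg="$2"
  az backup vault backup-properties set --name "$vault" --resource-group "$rg" \
    --backup-storage-redundancy GeoRedundant
}

# 9.3 in practice: export a customer-managed key and prove it restores into a
# second vault (Key Vault requires the same subscription and geography).
rehearse_key_restore() {
  local src_kv="$1" key="$2" dst_kv="$3" blob
  blob=$(mktemp)
  az keyvault key backup --vault-name "$src_kv" --name "$key" --file "$blob"
  az keyvault key restore --vault-name "$dst_kv" --file "$blob"
  az keyvault key show --vault-name "$dst_kv" --name "$key" --query "key.kid" -o tsv
  rm -f "$blob"
}
```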

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection through post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps, and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps to security alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps