Azure security baseline for Cognitive Services

The Azure Security Baseline for Cognitive Services contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see the Azure security baselines overview.

Network security

For more information, see Security control: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Azure Cognitive Services provides a layered security model. This model enables you to secure your Cognitive Services accounts to a specific subset of networks. When network rules are configured, only applications requesting data over the specified set of networks can access the account. You can limit access to your resources with request filtering, allowing only requests that originate from specified IP addresses, IP ranges, or from a list of subnets in Azure Virtual Networks.

Virtual network and service endpoint support for Cognitive Services is limited to a specific set of regions.
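The following is an added example, not code from the baseline or from Microsoft: it models how the layered network rules described above decide whether a request reaches an account, and audits the settings that matter most. The networkAcls sample, subscription id and subnet id are constructed; the ARM field names (defaultAction, ipRules, virtualNetworkRules) are the ones the resource exposes.

```python
"""Added example (not from the baseline): evaluate a Cognitive Services
account's network rules the way control 1.1 describes them.

With defaultAction "Deny", a request is accepted only if its public source
IP falls inside an allowed address/range or it arrives through an allowed
virtual network subnet. The networkAcls sample below is constructed.
"""
import ipaddress
from typing import List, Optional

# Constructed sample of the networkAcls block of a
# Microsoft.CognitiveServices/accounts resource (ARM field names).
SAMPLE_NETWORK_ACLS = {
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "203.0.113.0/24"},   # documentation range, constructed
        {"value": "198.51.100.7"},     # single public address, constructed
    ],
    "virtualNetworkRules": [
        {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/rg-example/providers/Microsoft.Network"
               "/virtualNetworks/vnet-example/subnets/snet-app"},
    ],
}

# IP rules may only contain public addresses; RFC 1918 ranges are rejected
# by the service, so an audit should flag them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _rule_network(value: str):
    """A bare address becomes a /32 (or /128) network; CIDR is kept as-is."""
    return ipaddress.ip_network(value, strict=False)


def is_request_allowed(acls: dict, source_ip: Optional[str] = None,
                       subnet_id: Optional[str] = None) -> bool:
    """True if the request would pass the account's network rules.

    source_ip: public address of the caller (None if unknown).
    subnet_id: ARM id of the subnet the request arrived from through a
               service endpoint (None for requests from the internet).
    """
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True  # no filtering in effect: the weak setting
    if subnet_id is not None:
        allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
        if subnet_id.lower() in allowed:
            return True
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        if any(addr in _rule_network(r["value"]) for r in acls.get("ipRules", [])):
            return True
    return False


def audit_network_acls(acls: dict) -> List[str]:
    """Flag settings that leave the account reachable from unintended networks."""
    findings = []
    if acls.get("defaultAction", "Allow").lower() != "deny":
        findings.append("defaultAction is not Deny: every network can reach the account")
    for rule in acls.get("ipRules", []):
        net = _rule_network(rule["value"])
        if net.prefixlen == 0:
            findings.append(f"ipRule {rule['value']} allows every address")
        elif net.version == 4 and any(net.overlaps(p) for p in RFC1918):
            findings.append(f"ipRule {rule['value']} is an RFC 1918 range, "
                            "which the service does not accept")
    return findings


if __name__ == "__main__":
    print(audit_network_acls(SAMPLE_NETWORK_ACLS))
    print(is_request_allowed(SAMPLE_NETWORK_ACLS, source_ip="203.0.113.45"))
```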

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: When virtual machines are deployed in the same virtual network as your Azure Cognitive Services container, you can use network security groups (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send logs into an Azure Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: If you are using Cognitive Services within a container, you may augment your container deployment with a front-facing web-application firewall solution that filters malicious traffic and supports end-to-end TLS encryption, keeping the container endpoint private and secure.

Bear in mind that Cognitive Services containers are required to submit metering information for billing purposes. The only exception is offline containers, which follow a different billing methodology. Failure to allow-list the network channels that the Cognitive Services containers rely on will prevent the container from working. The host should allow-list port 443 and the following domains:

  • *.cognitive.microsoft.com
  • *.cognitiveservices.azure.cn

Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.4: Deny communications with known malicious IP addresses

Guidance: When virtual machines are deployed in the same virtual network as your Azure Cognitive Services container, define and implement standard security configurations for related network resources with Azure Policy. Use Azure Policy aliases in the "Microsoft.CognitiveServices" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your Azure Cache for Redis instances. You may also make use of built-in policy definitions such as:

  • DDoS Protection Standard should be enabled

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure role-based access control (Azure RBAC), and policies, in a single blueprint definition. Easily apply the blueprint to new subscriptions and environments, and fine-tune control and management through versioning.

If you are using Cognitive Services within a container, you may augment your container deployment with a front-facing web-application firewall solution that filters malicious traffic and supports end-to-end TLS encryption, keeping the container endpoint private and secure.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets

Guidance: When virtual machines are deployed in the same virtual network as your Azure Cognitive Services container, you can use network security groups (NSG) to reduce the risk of data exfiltration. Enable NSG flow logs and send logs into an Azure Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: If using Cognitive Services within a container, you may augment your container deployment with a front-facing web-application firewall solution that filters malicious traffic and supports end-to-end TLS encryption, keeping the container endpoint private and secure. You can select an offer from the Azure Marketplace that supports IDS/IPS functionality with the ability to disable payload inspection.

Bear in mind that Cognitive Services containers are required to submit metering information for billing purposes. The only exception is offline containers, which follow a different billing methodology. Failure to allow-list the network channels that the Cognitive Services containers rely on will prevent the container from working. The host should allow-list port 443 and the following domains:

  • *.cognitive.microsoft.com
  • *.cognitiveservices.azure.cn

Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: If using Cognitive Services within a container, you may augment your container deployment with a front-facing web-application firewall solution that filters malicious traffic and supports end-to-end TLS encryption, keeping the container endpoint private and secure.

Bear in mind that Cognitive Services containers are required to submit metering information for billing purposes. The only exception is offline containers, which follow a different billing methodology. Failure to allow-list the network channels that the Cognitive Services containers rely on will prevent the container from working. The host should allow-list port 443 and the following domains:

  • *.cognitive.microsoft.com
  • *.cognitiveservices.azure.cn

Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly.
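The egress allow-list that controls 1.3, 1.6 and 1.7 all require (TCP 443 to the two wildcard domains) is easy to get subtly wrong in a firewall rule, so the following is an added example, not code from the baseline or from Microsoft, that evaluates constructed outbound-connection records against that list. The wildcard semantics (a `*.` pattern matches only names with at least one extra label, never the apex or a look-alike suffix) and the sample hostnames are my assumptions.

```python
"""Added example (not from the baseline): validate container-host egress
against the billing allow-list from controls 1.3, 1.6 and 1.7.

A firewall change that blocks these channels stops metering and the
container with it, so the allow-list is checked before rollout.
"""
from typing import Iterable, List, Tuple

ALLOWED_PORT = 443
ALLOWED_DOMAINS = ("*.cognitive.microsoft.com", "*.cognitiveservices.azure.cn")


def _normalise(host: str) -> str:
    """Lower-case and drop a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return host.strip().rstrip(".").lower()


def host_matches(host: str, pattern: str) -> bool:
    """Wildcard match as firewall allow-lists interpret it (assumed here).

    '*.example.com' matches any name ending in '.example.com' with at least
    one extra label, but not the apex 'example.com' and not a look-alike
    such as 'notexample.com'. Non-wildcard patterns must match exactly.
    """
    host = _normalise(host)
    pattern = _normalise(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com", leading dot kept on purpose
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_egress_allowed(host: str, port: int) -> bool:
    """True only for TCP 443 to one of the metering domains."""
    return port == ALLOWED_PORT and any(host_matches(host, p) for p in ALLOWED_DOMAINS)


def audit_connections(records: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs the allow-list would block."""
    return [(h, p) for h, p in records if not is_egress_allowed(h, p)]


# Constructed sample of outbound attempts seen from a container host.
SAMPLE_CONNECTIONS = [
    ("westus.api.cognitive.microsoft.com", 443),         # metering endpoint: allowed
    ("chinaeast2.api.cognitiveservices.azure.cn", 443),  # China cloud: allowed
    ("westus.api.cognitive.microsoft.com", 80),          # wrong port: blocked
    ("cognitive.microsoft.com", 443),                    # apex, no extra label: blocked
    ("evilcognitive.microsoft.com", 443),                # suffix look-alike: blocked
    ("updates.example.net", 443),                        # unrelated destination: blocked
]


if __name__ == "__main__":
    for host, port in audit_connections(SAMPLE_CONNECTIONS):
        print(f"blocked: {host}:{port}")
```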

Azure Security Center monitoring: Yes

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use virtual network service tags to define network access controls on network security groups (NSG) or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

You may also use application security groups (ASG) to help simplify complex security configuration. ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources related to your Azure Cognitive Services container with Azure Policy. Use Azure Policy aliases in the "Microsoft.CognitiveServices" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your Azure Cache for Redis instances.

You can also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure role-based access control (Azure RBAC), and policies, in a single blueprint definition. Easily apply the blueprint to new subscriptions and environments, and fine-tune control and management through versioning.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for network resources associated with your Azure Cognitive Services container in order to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity log to monitor network resource configurations and detect changes for network resources related to your Azure Cognitive Services container. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Microsoft maintains the time source used for Azure resources such as Azure Cognitive Services for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure Cognitive Services container at the control plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure Cache for Redis instances.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure resources.

Additionally, Azure Cognitive Services sends diagnostics events that can be collected and used for the purposes of analysis, alerting and reporting. You can configure diagnostics settings for a Cognitive Services container via the Azure portal. You can send one or more diagnostics events to a Storage Account, Event Hub, or a Log Analytics workspace.
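To show what the "what, who, and when" triage from controls 2.2 and 2.3 looks like once the Activity Log has been exported, the following is an added example, not code from the baseline or from Microsoft. It parses constructed Activity Log event records (fictitious principals, subscription id and timestamps) using the event schema fields operationName.value, caller, eventTimestamp, resourceId, httpRequest.method and status.value, and lists the control-plane write operations oldest first.

```python
"""Added example (not from the baseline): pull the what/who/when of
control-plane write operations (PUT, POST, DELETE) out of Azure Activity
Log events, as controls 2.2 and 2.3 describe. All events are constructed.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

WRITE_METHODS = {"PUT", "POST", "DELETE"}
# Mutating ARM operation names end in one of these segments.
WRITE_SUFFIXES = ("/write", "/delete", "/action")

RESOURCE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
            "/rg-example/providers/Microsoft.CognitiveServices/accounts/cs-example")

# Constructed sample events in the Activity Log event schema.
SAMPLE_EVENTS_JSON = json.dumps([
    {"eventTimestamp": "2024-01-15T09:30:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.CognitiveServices/accounts/write"},
     "resourceId": RESOURCE, "httpRequest": {"method": "PUT"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-01-15T09:31:10Z", "caller": "bob@example.com",
     "operationName": {"value": "Microsoft.CognitiveServices/accounts/read"},
     "resourceId": RESOURCE, "httpRequest": {"method": "GET"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-01-15T09:45:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.CognitiveServices/accounts/regenerateKey/action"},
     "resourceId": RESOURCE, "httpRequest": {"method": "POST"},
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-01-15T08:05:00Z", "caller": "sp-deploy",
     "operationName": {"value": "Microsoft.CognitiveServices/accounts/delete"},
     "resourceId": RESOURCE,  # no httpRequest block: infer from the operation name
     "status": {"value": "Succeeded"}},
])


def is_write_operation(event: Dict) -> bool:
    """PUT/POST/DELETE when the HTTP method is recorded; otherwise infer a
    mutation from the operation name's trailing /write, /delete or /action."""
    method = event.get("httpRequest", {}).get("method")
    if method:
        return method.upper() in WRITE_METHODS
    return event["operationName"]["value"].lower().endswith(WRITE_SUFFIXES)


def triage_writes(events_json: str) -> List[Dict[str, str]]:
    """Return what/who/when rows for write operations, oldest first."""
    rows = []
    for ev in json.loads(events_json):
        if not is_write_operation(ev):
            continue
        when = datetime.strptime(ev["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        rows.append({
            "when": when.isoformat(),
            "who": ev["caller"],
            "what": ev["operationName"]["value"],
            "resource": ev["resourceId"].rsplit("/", 1)[-1],
            "outcome": ev.get("status", {}).get("value", "Unknown"),
        })
    rows.sort(key=lambda r: r["when"])  # ISO timestamps sort lexically
    return rows


def writes_by_caller(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count write operations per principal to spot unexpected actors."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r["who"]] = counts.get(r["who"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage_writes(SAMPLE_EVENTS_JSON):
        print(f"{row['when']}  {row['who']:<20} {row['what']}  [{row['outcome']}]")
```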

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term/archival storage.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. These logs provide rich, frequent data about the operation of a resource that is used for issue identification and debugging. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the Activity Log data that may have been collected for Azure Cognitive Services.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: You can raise alerts on supported metrics in Azure Cognitive Services by going to the Alerts & Metrics section in Azure Monitor.

Configure diagnostic settings for your Cognitive Services container and send logs to a Log Analytics workspace. Within your Log Analytics workspace, configure alerts that fire when a predefined set of conditions is met.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Cognitive Services does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Cognitive Services does not process or produce DNS related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and access control

For more information, see Security control: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Control plane access to Azure Cognitive Services is controlled through Azure Active Directory (AD). Azure AD does not have the concept of default passwords.

Data plane access to Azure Cognitive Services is controlled through access keys. These keys are used by the clients connecting to your cache and can be regenerated at any time.

It is not recommended that you build default passwords into your application. Instead, you can store your passwords in Azure Key Vault and then use Azure Active Directory to retrieve them.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policies, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Azure Cognitive Services uses access keys to authenticate users and does not support single sign-on (SSO) at the data plane level. Access to the control plane for Azure Cognitive Services is available via REST API and supports SSO. To authenticate, set the Authorization header for your requests to a JSON Web Token that you obtain from Azure Active Directory.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (AD) Multi-Factor Authentication (MFA) and follow Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use privileged access workstations (PAW) with Multi-Factor Authentication (MFA) configured to log into and configure Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (AD) Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment.

In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Configure named locations in Azure Active Directory (AD) Conditional Access to allow access from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials. If your use case supports AD authentication, use Azure AD to authenticate requests to your Cognitive Services API.

Currently, only the Computer Vision API, Face API, Text Analytics API, Immersive Reader, Form Recognizer, Anomaly Detector, and all Bing services except Bing Custom Search support authentication using Azure AD.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure AD provides logs to help discover stale accounts. In addition, customers should use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure that only the right users retain access.

Customers should maintain an inventory of API Management user accounts and reconcile access as needed. In API Management, developers are the users of the APIs that you expose using API Management. By default, newly created developer accounts are Active and associated with the Developers group. Developer accounts that are in an active state can be used to access all of the APIs for which they have subscriptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure Active Directory (AD) sign-in activity, audit, and risk event log sources, which allow you to integrate with a third-party SIEM.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure desired log alerts within Log Analytics.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: For account login behavior deviation on the control plane, use Azure Active Directory (AD) Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not yet available; Customer Lockbox is not yet supported for Azure Cognitive Services.

Azure Security Center monitoring: Currently not available

Responsibility: Currently not available

Data protection

For more information, see Security control: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by VNet/subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For virtual machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Not yet available; data identification, classification, and loss prevention features are not yet available for Azure Cognitive Services.

Microsoft manages the underlying infrastructure for Azure Cognitive Services and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Currently not available

Responsibility: Currently not available

4.4: Encrypt all sensitive information in transit

Guidance: All of the Cognitive Services endpoints exposed over HTTP enforce TLS 1.2. With an enforced security protocol, consumers attempting to call a Cognitive Services endpoint should adhere to these guidelines:

  • The client operating system (OS) needs to support TLS 1.2.
  • The language (and platform) used to make the HTTP call needs to specify TLS 1.2 as part of the request. (Depending on the language and platform, specifying TLS is done either implicitly or explicitly.)
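The second guideline above is the one callers most often leave to chance, so the following is an added example, not code from the baseline or from Microsoft, showing the explicit form in Python: a client context that pins the TLS floor at 1.2 and keeps peer verification on, an insecure context of the kind an audit should reject, and a check that tells the two apart. The endpoint host, path and headers passed to call_endpoint are placeholders supplied by the caller.

```python
"""Added example (not from the baseline): explicitly require TLS 1.2 on the
client side when calling a Cognitive Services endpoint, per control 4.4.
"""
import http.client
import ssl
from typing import Dict


def make_tls12_context() -> ssl.SSLContext:
    """Client context with an explicit TLS 1.2 floor and full verification."""
    ctx = ssl.create_default_context()  # system CA bundle, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The shortcut an audit should catch: peer verification switched off, so
    the TLS floor is whatever the library happens to default to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the floor is TLS 1.2 or above and the peer is verified."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable floor, e.g. 'TLSv1_2', for config reports."""
    return ctx.minimum_version.name


def call_endpoint(host: str, path: str, body: bytes, headers: Dict[str, str],
                  timeout: float = 10.0) -> int:
    """POST to a Cognitive Services endpoint over the hardened context and
    return the HTTP status. host is a placeholder such as
    '<your-resource>.cognitiveservices.azure.cn'; headers carry the credential."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=make_tls12_context())
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/json", **headers})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("hardened:", context_is_hardened(make_tls12_context()),
          minimum_version_name(make_tls12_context()))
    print("insecure:", context_is_hardened(insecure_context()))
```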

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Cognitive Services. Tag instances containing sensitive information as such and implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control access to the Azure Cognitive Services control plane (i.e. Azure portal).

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft manages the underlying infrastructure for Azure Cognitive Services and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.8: Encrypt sensitive information at rest

Guidance: Encryption at rest for Cognitive Services is dependent on the specific service being used. In most cases, data is encrypted and decrypted using FIPS 140-2 compliant 256-bit AES encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don't need to modify your code or applications to take advantage of encryption.

You may also use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Azure Cognitive Services and other critical or related resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

漏洞管理Vulnerability management

有关详细信息,请参阅安全控制:漏洞管理For more information, see Security control: Vulnerability management.

5.1:运行自动漏洞扫描工具5.1: Run automated vulnerability scanning tools

指导:Microsoft 对支持 Azure 认知服务的基础系统执行漏洞管理。Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Cognitive Services.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:MicrosoftResponsibility: Microsoft

5.2:部署自动操作系统修补管理解决方案5.2: Deploy automated operating system patch management solution

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

5.3:为第三方软件部署自动修补程序管理解决方案5.3: Deploy automated patch management solution for third-party software titles

指导:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

5.4:比较连续进行的漏洞扫描5.4: Compare back-to-back vulnerability scans

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

5.5:使用风险评级过程来确定已发现漏洞的修正措施的优先级5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

指导:Microsoft 对支持 Azure 认知服务的基础系统执行漏洞管理。Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Cognitive Services.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:MicrosoftResponsibility: Microsoft

库存和资产管理Inventory and asset management

有关详细信息,请参阅安全控制:清单和资产管理For more information, see Security control: Inventory and asset management.

6.1:使用自动化资产发现解决方案6.1: Use automated Asset Discovery solution

指导:使用 Azure Resource Graph 查询/发现订阅中的所有资源(例如计算、存储、网络、端口和协议等)。Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols etc.) within your subscription(s). 确保租户中具有适当的(读取)权限,并枚举所有 Azure 订阅以及订阅中的资源。Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

尽管可以通过 Resource Graph 发现经典 Azure 资源,但我们强烈建议你今后还是创建并使用 Azure 资源管理器资源。Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.2:维护资产元数据6.2: Maintain asset metadata

指导:将标记应用到 Azure资源,以便有条理地将元数据组织成某种分类。Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.3:删除未经授权的 Azure 资源6.3: Delete unauthorized Azure resources

指导:使用标记、管理组和单独订阅(若适用)来整理和跟踪 Azure Cache for Redis 实例及相关资源。Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Cache for Redis instances and related resources. 定期核对清单,确保及时地从订阅中删除未经授权的资源。Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

此外,在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • 不允许的资源类型Not allowed resource types
  • 允许的资源类型Allowed resource types

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.4:定义并维护已获批 Azure 资源的清单6.4: Define and Maintain an inventory of approved Azure resources

指导:不适用;此建议适用于计算资源和整个 Azure。Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.5:监视未批准的 Azure 资源6.5: Monitor for unapproved Azure resources

指南:在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • 不允许的资源类型Not allowed resource types
  • 允许的资源类型Allowed resource types

此外,请使用 Azure Resource Graph 来查询/发现订阅中的资源。In addition, use Azure Resource Graph to query/discover resources within the subscription(s).

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.6:监视计算资源中未批准的软件应用程序6.6: Monitor for unapproved software applications within compute resources

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.7:删除未批准的 Azure 资源和软件应用程序6.7: Remove unapproved Azure resources and software applications

指南:不适用;此建议适用于计算资源和整个 Azure。Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.8:仅使用已批准的应用程序6.8: Use only approved applications

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.9:仅使用已批准的 Azure 服务6.9: Use only approved Azure services

指南:在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • 不允许的资源类型Not allowed resource types
  • 允许的资源类型Allowed resource types

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.10:维护已获批软件的清单6.10: Maintain an inventory of approved software titles

指导:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.11:限制用户与 Azure 资源管理器进行交互的能力6.11: Limit users' ability to interact with Azure Resource Manager

指导:通过对“Azure 管理”应用配置“阻止访问”,配置 Azure 条件访问来限制用户与 Azure 资源管理器交互的功能。Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" App.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.12:限制用户在计算资源中执行脚本的功能6.12: Limit users' ability to execute scripts within compute resources

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.13:以物理或逻辑方式隔离高风险应用程序6.13: Physically or logically segregate high risk applications

指导:不适用;此建议适用于 Azure 应用服务或计算资源上运行的 Web 应用程序。Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

安全配置Secure configuration

有关详细信息,请参阅安全控制:安全配置For more information, see Security control: Secure configuration.

7.1:为所有 Azure 资源建立安全配置7.1: Establish secure configurations for all Azure resources

指导:使用 Azure Policy 为 Azure 认知服务容器定义和实施标准安全配置。Guidance: Define and implement standard security configurations for your Azure Cognitive Services container with Azure Policy. 使用“Microsoft.CognitiveServices”命名空间中的 Azure Policy 别名创建自定义策略,以审核或强制实施 Azure Cache for Redis 实例的配置。Use Azure Policy aliases in the "Microsoft.CognitiveServices" namespace to create custom policies to audit or enforce the configuration of your Azure Cache for Redis instances.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.2:建立安全的操作系统配置7.2: Establish secure operating system configurations

指导:不适用;此项指导适用于计算资源。Guidance: Not applicable; this guideline is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

7.3:维护安全的 Azure 资源配置7.3: Maintain secure Azure resource configurations

指南:使用 Azure Policy“[拒绝]”和“[不存在则部署]”对不同的 Azure 资源强制实施安全设置。Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.4:维护安全的操作系统配置7.4: Maintain secure operating system configurations

指导:不适用;此项指导适用于计算资源。Guidance: Not applicable; this guideline is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

7.5:安全存储 Azure 资源的配置7.5: Securely store configuration of Azure resources

指导:如果要对 Azure 认知服务容器及相关资源使用自定义 Azure Policy 定义或 Azure 资源管理器模板,请使用 Azure Repos 安全地存储和管理代码。Guidance: If you are using custom Azure Policy definitions or Azure Resource Manager templates for your Azure Cognitive Services containers and related resources, use Azure Repos to securely store and manage your code.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.6:安全存储自定义操作系统映像7.6: Securely store custom operating system images

指南:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

7.7:部署 Azure 资源的配置管理工具7.7: Deploy configuration management tools for Azure resources

指导:使用“Microsoft.Cache”命名空间中的 Azure Policy 别名创建自定义策略,以审核、强制实施系统配置并设置相关警报。Guidance: Use Azure Policy aliases in the "Microsoft.Cache" namespace to create custom policies to alert, audit, and enforce system configurations. 另外,开发一个用于管理策略例外的流程和管道。Additionally, develop a process and pipeline for managing policy exceptions.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.8:部署操作系统的配置管理工具7.8: Deploy configuration management tools for operating systems

指导:不适用;此建议适用于计算资源。Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

7.9:为 Azure 资源实施自动配置监视7.9: Implement automated configuration monitoring for Azure resources

指导:使用“Microsoft.CognitiveServices”命名空间中的 Azure Policy 别名创建自定义 Azure Policy 定义,以审核、强制实施系统配置并设置相关警报。Guidance: Use Azure Policy aliases in the "Microsoft.CognitiveServices" namespace to create custom Azure Policy definitions to alert, audit, and enforce system configurations. 使用 Azure Policy [审核]、[拒绝] 和 [不存在时部署] 为 Azure Cache for Redis 实例及相关资源自动强制实施配置。Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure Cache for Redis instances and related resources.
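Controls 6.3, 6.5 and 6.9 (built-in allowed/not-allowed resource type definitions) and 7.1 and 7.9 (custom definitions written against "Microsoft.CognitiveServices" aliases) all come down to Azure Policy rules. The following added example, which is not code from the baseline or from Azure, shows both rule shapes and a minimal local evaluator for them so that an assignment can be dry-run against a constructed inventory before it is applied; the parameter name listOfResourceTypesAllowed and the alias Microsoft.CognitiveServices/accounts/publicNetworkAccess are reproduced from memory and should be checked against the current definitions.

```python
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")  # "[parameters('x')]"

# Shape of the built-in "Allowed resource types" definition as recalled here
# (parameter name assumed): deny any resource whose type is not listed.
ALLOWED_TYPES_RULE = {
    "if": {"not": {"field": "type",
                   "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}

# Custom definition against an alias in the Microsoft.CognitiveServices
# namespace (alias name assumed): audit accounts open to the public internet.
CS_PUBLIC_ACCESS_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.CognitiveServices/accounts"},
        {"field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
         "equals": "Enabled"},
    ]},
    "then": {"effect": "audit"},
}

def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value

def _resolve(value, params):
    # Replace a parameter reference with the value given at assignment time.
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[match.group(1)] if match else value

def _field(resource, name):
    # Top-level fields are read directly; an alias "<type>/<prop.path>" is
    # walked through the resource's "properties" bag.
    if name in ("type", "name", "location"):
        return resource.get(name)
    prefix = resource.get("type", "") + "/"
    if not name.lower().startswith(prefix.lower()):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in name[len(prefix):].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _cond(cond, resource, params):
    # Only the operators used by the two rules above are implemented.
    if "not" in cond:
        return not _cond(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_cond(c, resource, params) for c in cond["allOf"])
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in _resolve(cond["in"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource, params=None):
    """Return the rule's effect when its 'if' block matches, else None."""
    return rule["then"]["effect"] if _cond(rule["if"], resource, params or {}) else None

def evaluate_all(resources, assignments):
    """Map each resource name to the effects triggered by all (rule, params) pairs."""
    return {r["name"]: [e for rule, p in assignments if (e := evaluate(rule, r, p))]
            for r in resources}

SAMPLE_RESOURCES = [  # constructed sample inventory; names and settings are made up
    {"name": "cs-prod", "type": "Microsoft.CognitiveServices/accounts",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"name": "cs-dev", "type": "Microsoft.CognitiveServices/accounts",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "redis-x", "type": "Microsoft.Cache/Redis", "properties": {}},
]
ASSIGNMENTS = [
    (ALLOWED_TYPES_RULE, {"listOfResourceTypesAllowed": [
        "Microsoft.CognitiveServices/accounts", "Microsoft.KeyVault/vaults"]}),
    (CS_PUBLIC_ACCESS_RULE, {}),
]
```

Running evaluate_all(SAMPLE_RESOURCES, ASSIGNMENTS) flags the Redis instance for denial and the development account for audit while the locked-down production account triggers nothing.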

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: For Azure virtual machines or web applications running on Azure App Service that are used to access your Azure Cognitive Services API, use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure Azure Cognitive Services key management. Ensure Key Vault soft delete is enabled.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: For Azure virtual machines or web applications running on Azure App Service that are used to access your Azure Cognitive Services API, use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure Azure Cognitive Services key management. Ensure Key Vault soft delete is enabled.

Use Managed Identities to provide Azure services with an automatically managed identity in Azure Active Directory. Managed Identities allow you to authenticate to any service that supports Azure AD authentication, including Azure Key Vault, without any credentials in your code.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware defense

For more information, see Security control: Malware defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Cognitive Services); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Cache for Redis); however, it does not run on customer content.

Pre-scan any content being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, etc. Microsoft cannot access your data in these instances.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Cognitive Services); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data recovery

For more information, see Security control: Data recovery.

9.1: Ensure regular automated backups

Guidance: The data in your Azure storage account is always automatically replicated to ensure durability and high availability. Azure Storage copies your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. You can choose to replicate your data within the same data center, across zonal data centers within the same region, or across geographically separated regions.

You can also use the lifecycle management feature to back up data to the Archive tier. Additionally, enable soft delete for your backups stored in the storage account.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Use Azure Resource Manager to deploy Cognitive Services and related resources. Azure Resource Manager provides the ability to export templates, which allows you to redeploy your solution throughout the development lifecycle and have confidence that your resources are deployed in a consistent state. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis. Back up pre-shared keys within Azure Key Vault.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Ensure the ability to periodically perform deployment of Azure Resource Manager templates to an isolated subscription if required. Test restoration of backed-up pre-shared keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Use Azure DevOps to securely store and manage your Azure Resource Manager templates. To protect resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS. Use Azure role-based access control to protect customer-managed keys. Enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion.

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident response

For more information, see Security control: Incident response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see Security control: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps