Azure Security Baseline for Data Explorer

The Azure Security Baseline for Data Explorer contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Monitor and log the configuration and traffic of VNets, Subnets, and NICs

Guidance: Enable network security group (NSG) flow logs and send the logs to a Storage Account for traffic audit.

How to enable NSG flow logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

Understanding network security provided by Azure Security Center: https://docs.azure.cn/security-center/security-center-network-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Protect Critical Web Applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.3: Record Network Packets and Flow Logs

Guidance: Enable flow logs on the network security groups (NSGs) used to protect your Azure Data Explorer cluster, and send the logs to a Storage Account for traffic audit.

How to enable NSG flow logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer
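As an added example that is not part of the baseline text, the following Azure Resource Graph query checks controls 1.1 and 1.3 across all subscriptions you can read: it lists every network security group together with the flow log attached to it and reports the NSGs that have no flow log, a disabled flow log, or no storage account to receive the log. It assumes that flow logs are projected in Resource Graph as the `microsoft.network/networkwatchers/flowlogs` type with the `targetResourceId`, `enabled`, and `storageId` properties used below; confirm those names in Resource Graph Explorer before relying on the result.

```kusto
// Added example: NSGs whose flow logging is missing or disabled (controls 1.1 / 1.3).
// Assumption: flow logs appear in Resource Graph as
// microsoft.network/networkwatchers/flowlogs with the properties referenced here.
resources
| where type =~ "microsoft.network/networksecuritygroups"
| project nsgName = name, targetId = tolower(id), resourceGroup, subscriptionId, location
| join kind=leftouter (
    resources
    | where type =~ "microsoft.network/networkwatchers/flowlogs"
    | project flowLogName = name,
              targetId = tolower(tostring(properties.targetResourceId)),
              flowLogEnabled = tobool(properties.enabled),
              storageId = tostring(properties.storageId)
  ) on targetId
// Classify each NSG; only the first matching condition is reported.
| extend status = case(isempty(flowLogName), "no flow log",
                       flowLogEnabled == false, "flow log disabled",
                       isempty(storageId), "no storage account for flow log",
                       "ok")
| where status != "ok"
| project subscriptionId, resourceGroup, nsgName, location, status
| order by subscriptionId asc, resourceGroup asc, nsgName asc
```

An empty result means every NSG in scope has an enabled flow log with a storage destination; a non-empty result is the worklist for the two controls. Because the query only reads resource metadata, it can be run with Reader permissions and scheduled (for example from Azure Automation) to detect drift.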

1.4: Deploy Network Based Intrusion Detection/Intrusion Prevention Systems

Guidance: Not applicable; this control is done at the endpoint or firewall.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.5: Manage traffic to your web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.6: Document Traffic Configuration Rules

Guidance: Use tags for network security groups (NSGs) and other resources related to network security and traffic flow for your Data Explorer clusters. For individual NSG rules, use the "Description" field to specify the business need and/or duration (etc.) of any rule that allows traffic to/from a network.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.7: Use Automated Tools to Monitor Network Resource Configurations and Detect Changes

Guidance: Use Azure Policy to validate (and/or remediate) the configuration of network resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use Approved Time Synchronization Sources

Guidance: Microsoft maintains time sources for Azure resources; customers may update time synchronization for compute deployments they own.

How to configure time synchronization for Azure compute resources: https://docs.azure.cn/virtual-machines/windows/time-sync

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure Central Security Log Management

Guidance: Azure Data Explorer uses diagnostic logs for insights on ingestion successes and failures. You can export operation logs to Azure Storage, Event Hub, or Log Analytics to monitor ingestion status.

How to monitor Azure Data Explorer ingestion operations: https://docs.azure.cn/data-explorer/using-diagnostic-logs

How to ingest and query monitoring data in Azure Data Explorer: https://docs.azure.cn/data-explorer/ingest-data-no-code

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure Resources

Guidance: Enable Diagnostic Settings for Azure Data Explorer to capture access to, and logging of, service-specific operations. Azure Activity logs within Azure Monitor, which include high-level logging about the resource, are enabled by default.

How to monitor Azure Data Explorer ingestion operations: https://docs.azure.cn/data-explorer/using-diagnostic-logs

How to collect platform logs and metrics with Azure Monitor: https://docs.azure.cn/azure-monitor/platform/diagnostic-settings

Overview of Azure platform logs: https://docs.azure.cn/azure-monitor/platform/platform-logs-overview

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect Security Logs from Operating System

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure Security Log Storage Retention

Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

How to set log retention parameters for Log Analytics workspaces: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and Review Logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results. After enabling Diagnostic Settings for Azure Data Explorer, use Azure Monitor's Log Analytics workspace to review logs and run queries on the log data.

Understanding Log Analytics workspaces: https://docs.azure.cn/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor: https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Currently not available

Responsibility: Customer
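The review described in 2.2 and 2.6 can be turned into two standing Log Analytics queries. They are added here as an example and are not part of the baseline; they assume the Azure Data Explorer diagnostic logs land in the `AzureDiagnostics` table with `ResourceProvider` set to `MICROSOFT.KUSTO`, and the suffixed column names (`Database_s`, `Table_s`, `ErrorCode_s`, `FailureStatus_s`, `User_s`) follow that table's convention and should be checked against your workspace schema.

```kusto
// Added example: periodic review of Azure Data Explorer diagnostic logs (2.2 / 2.6).
// Assumption: logs are in AzureDiagnostics; column names follow its *_s convention.
// Run each query separately in the Log Analytics query editor.

// 1) Failed ingestions in the last 24 hours grouped by target and error code.
//    "Permanent" failures will not be retried by the service and need action;
//    the first/last timestamps make bursts (for example a broken pipeline) visible.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.KUSTO" and Category == "FailedIngestion"
| summarize failures = count(),
            firstSeen = min(TimeGenerated),
            lastSeen  = max(TimeGenerated)
    by Resource, Database_s, Table_s, ErrorCode_s, FailureStatus_s
| order by FailureStatus_s asc, failures desc

// 2) Management commands per principal per hour over the last week.
//    A principal issuing commands at an unusual hour, against many databases,
//    or far above its normal volume is a candidate for review.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider == "MICROSOFT.KUSTO" and Category == "Command"
| summarize commands = count(), databasesTouched = dcount(Database_s)
    by Resource, User_s, hour = bin(TimeGenerated, 1h)
| order by commands desc
```

Both queries can be saved as scheduled log alerts in Azure Monitor (for example, alert when query 1 returns any permanent failure), which also covers the alerting intent of 4.8 for the data plane.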

2.7: Enable Alerts for Anomalous Activity

Guidance: Not applicable; Azure Data Explorer does not have this ability.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.8: Centralize Anti-malware Logging

Guidance: Not applicable; Azure Data Explorer does not process anti-malware logging.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS Query Logging

Guidance: Not applicable; DNS query is not a function of Azure Data Explorer.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable Command-line Audit Logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain Inventory of Administrative Accounts

Guidance: In Azure Data Explorer, security roles define which security principals (users and applications) have permissions to operate on a secured resource, such as a database or a table, and what operations are permitted. You can use a Kusto query to list the principals in the admin role for your Azure Data Explorer clusters and databases.

Security roles management in Azure Data Explorer using Kusto query

Azure Security Center monitoring: Yes

Responsibility: Customer
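As an added example (not the baseline's own text), the management commands below produce the admin inventory that 3.1 asks for. They are run against the cluster from the Azure Data Explorer web UI or Kusto.Explorer; `MyDatabase` is a placeholder, and the column names are those returned by the `.show ... principals` commands.

```kusto
// Added example: inventory of admin-role principals (control 3.1).
// "MyDatabase" is a placeholder; repeat the second command per database.

// Cluster-level roles. Anything containing "Admin" (Cluster Admin,
// AllDatabasesAdmin, ...) is an administrative grant on every database.
.show cluster principals
| where Role has "Admin"
| project Role, PrincipalType, PrincipalDisplayName, PrincipalFQN, Notes

// Database-level view: principals with access to the database, whether the
// grant was made at database or cluster level.
.show database MyDatabase principals
| where Role has "Admin"
| project Role, PrincipalType, PrincipalDisplayName, PrincipalFQN, Notes

// Admin grants made directly to individual users rather than to groups are the
// ones most likely to go stale; list them separately for the access review.
.show database MyDatabase principals
| where Role has "Admin" and PrincipalType == "AAD User"
| project PrincipalDisplayName, PrincipalFQN, Role, Notes
```

Exporting the result of the first two commands on a schedule gives a point-in-time inventory that can be diffed between runs; the `Notes` column is where the grant's justification should have been recorded when it was added.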

3.2: Change Default Passwords where Applicable

Guidance: Azure AD does not have the concept of default passwords. Other Azure resources that require a password force one to be created with complexity requirements and a minimum password length, which differ depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.3: Ensure the Use of Dedicated Administrative Accounts

Guidance: Customers should create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Customers can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management privileged roles for Microsoft services and Azure Resource Manager.

What is Azure AD Privileged Identity Management?: https://docs.azure.cn/active-directory/privileged-identity-management/pim-configure

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.4: Utilize Single Sign-On (SSO) with Azure Active Directory

Guidance: Wherever possible, use SSO with Azure Active Directory (Azure AD) rather than configuring individual stand-alone credentials per service. Use the Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.5: Use Multifactor Authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (Azure AD) multi-factor authentication (MFA) and follow the Azure Security Center Identity and Access Management recommendations.

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use of Dedicated Machines (Privileged Access Workstations) for all Administrative Tasks

Guidance: Use PAWs (privileged access workstations) with multi-factor authentication (MFA) configured to log into and configure Azure resources.

Learn about Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Utilize Azure Active Directory

Guidance: Azure Active Directory (Azure AD) is the preferred method for authenticating to Azure Data Explorer. It supports a number of authentication scenarios:

- User authentication (interactive logon): used to authenticate human principals.

- Application authentication (non-interactive logon): used to authenticate services and applications that have to run/authenticate with no human user present.

Azure Data Explorer Access Control Overview

Authenticating with Azure Active Directory

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Regularly Review and Reconcile User Access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

How to authenticate with Azure AD for Azure Data Explorer access

Azure AD Reporting

How to use Azure Identity Access Reviews

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Monitor Attempts to Access Deactivated Accounts

Guidance: You may use the Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources for monitoring, which allows integration with any Security Information and Event Management (SIEM) / monitoring tool.

You can streamline this process by creating Diagnostic Settings for Azure Active Directory and sending the audit logs and sign-in logs to a Log Analytics workspace. Configure the desired alerts within the Log Analytics workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
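For the monitoring step in 3.9, the following Log Analytics query is added as an example (not part of the baseline). It assumes Azure AD sign-in logs are routed to the workspace's `SigninLogs` table by the diagnostic setting the guidance describes, and it keys on Azure AD sign-in result code 50057, which is returned when the account is disabled.

```kusto
// Added example: sign-in attempts against disabled accounts (control 3.9).
// Assumption: Azure AD sign-in logs are exported to the SigninLogs table.
// ResultType is stored as a string; 50057 = "user account is disabled".
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50057"
| summarize attempts  = count(),
            firstSeen = min(TimeGenerated),
            lastSeen  = max(TimeGenerated),
            sourceIPs = make_set(IPAddress, 20),      // cap the set so the row stays readable
            apps      = make_set(AppDisplayName, 20)
    by UserPrincipalName
| order by attempts desc
```

Repeated attempts from a single IP against several deactivated accounts usually point at a stale credential baked into a script or service rather than a person; either way, the row tells you which principal and client to follow up on. Saved as a scheduled log alert with a threshold of one row, the same query satisfies the "configure desired alerts" part of the guidance.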

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an Inventory of Sensitive Information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Monitor and Block unauthorized transfer of sensitive information

Guidance: Not applicable; for the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.3: Encrypt All Sensitive Information in Transit

Guidance: Azure Data Explorer clusters negotiate TLS 1.2 by default. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.4: Use an Active Discovery Tool to Identify Sensitive Data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Data Explorer. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.5: Use Azure RBAC to control access to resources

Guidance: Azure Data Explorer lets you control access to databases and tables using a role-based access control (RBAC) model. Under this model, principals (users, groups, and apps) are mapped to roles. Principals can access resources according to the roles they are assigned.

List of roles and permissions, and instructions on how to configure RBAC for Azure Data Explorer: https://docs.azure.cn/data-explorer/manage-database-permissions

Azure Security Center monitoring: Currently not available

Responsibility: Customer
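The role model in 4.5 is applied with Kusto management commands. The commands below are an added example rather than the baseline's own content: they grant the narrowest role that fits each consumer (a group, not individual users, for readers; a table-scoped ingestor role for a pipeline identity) and record the reason for each grant. `MyDatabase`, `MyTable`, the group address, the application ID, the tenant, and the ticket reference are placeholders.

```kusto
// Added example: least-privilege role assignments in Azure Data Explorer (control 4.5).
// All names and identifiers below are placeholders to replace with your own.

// Analysts read through an Azure AD group so membership changes never require a
// new grant on the cluster; the trailing string is stored in the Notes column.
.add database MyDatabase viewers ('aadgroup=data-analysts@contoso.com') 'Read-only analytics access; ticket PLACEHOLDER'

// The ingestion pipeline runs as an application principal (aadapp=<appId>;<tenant>)
// and only needs to write one table, so it gets the table-scoped ingestor role,
// not database admin.
.add table MyTable ingestors ('aadapp=00000000-0000-0000-0000-000000000000;contoso.com') 'Pipeline ingestion only; ticket PLACEHOLDER'

// Verify: the grants above should appear, and no individual user should hold
// an admin role on the database.
.show database MyDatabase principals
| where PrincipalType == "AAD User" and Role has "Admin"
| project PrincipalFQN, Role, Notes

// Remove a stale direct admin grant found by the check above.
.remove database MyDatabase admins ('aaduser=former.admin@contoso.com')
```

Scoping the ingestor to a table rather than granting database-wide rights limits what a compromised pipeline credential can reach, and keeping admin roles on groups managed in Azure AD lets the access reviews from 3.8 govern cluster administration as well.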

4.6: Use host-based Data Loss Prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft manages the underlying infrastructure for Azure Data Explorer and has implemented strict controls to prevent the loss or exposure of customer data.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.7: Encrypt Sensitive Information at Rest

Guidance: Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It provides volume encryption for the OS and data disks of your cluster virtual machines. It also integrates with Azure Key Vault, which lets you control and manage the disk encryption keys and secrets, and ensures that all data on the VM disks is encrypted at rest in Azure Storage.

How to enable encryption at rest for Azure Data Explorer clusters: https://docs.azure.cn/data-explorer/manage-cluster-security

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.8: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when resource-level changes take place on your Azure Data Explorer clusters.

How to create alerts for Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Yes

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run Automated Vulnerability Scanning Tools

Guidance: Follow the recommendations from Azure Security Center on securing your Azure Data Explorer resources.

Microsoft also performs vulnerability management on the underlying systems that support Azure Data Explorer.

Understand Azure Security Center recommendations: https://docs.azure.cn/security-center/recommendations-reference

Azure Security Center monitoring: Yes

Responsibility: Microsoft

5.2: Deploy Automated Operating System Patch Management Solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy Automated Third Party Software Patch Management Solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare Back-to-back Vulnerability Scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center.

Understand Azure Security Center Secure Score: https://docs.azure.cn/security-center/security-center-secure-score

Azure Security Center monitoring: Yes

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Utilize Azure Asset Discovery

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure you have appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions: https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

Understand Azure RBAC: https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain Asset Metadata

Guidance: Apply tags to Azure resources to give them metadata that logically organizes them into a taxonomy.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete Unauthorized Azure Resources

Guidance: You may use appropriate naming conventions, tagging, management groups, or separate subscriptions, where appropriate, to organize and track assets. You may use Azure Resource Graph to reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer
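One Resource Graph query can serve the discovery in 6.1, the tag-based metadata in 4.1 and 6.2, the reconciliation in 6.3, and the disk-encryption setting from 4.7. It is added here as an example and is not part of the baseline. It assumes a tagging convention with the tags `owner` and `dataClassification` (names chosen for the example) and reads the `enableDiskEncryption` property of the `Microsoft.Kusto/clusters` resource type.

```kusto
// Added example: Azure Data Explorer cluster inventory with posture findings
// (controls 4.1, 4.7, 6.1, 6.2, 6.3). Tag names are an assumed convention.
resources
| where type =~ "microsoft.kusto/clusters"
| extend owner          = tostring(tags["owner"]),
         classification = tostring(tags["dataClassification"]),
         // tostring() of a missing property is "", so absent and false are both flagged
         diskEncryption = tostring(properties.enableDiskEncryption),
         state          = tostring(properties.state)
| extend findings = pack_array(
      iff(isempty(owner),             "missing owner tag", ""),
      iff(isempty(classification),    "missing dataClassification tag", ""),
      iff(diskEncryption != "true",   "disk encryption not enabled", ""))
| mv-expand finding = findings to typeof(string)
| where isnotempty(finding)
| project subscriptionId, resourceGroup, name, location, state, owner, classification, finding
| order by subscriptionId asc, resourceGroup asc, name asc
```

Clusters with no `owner` tag are the ones to question first under 6.3: either an owner claims them and the tag is added, or they are removed. Dropping the final `where` turns the same query into the complete inventory for 6.1, one row per cluster per finding.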

6.4: Maintain inventory of approved Azure resources and software titles

Guidance: You will need to create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for Unapproved Azure Resources

Guidance: You may use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s) using the following built-in policy definitions:

- Not allowed resource types

- Allowed resource types

You will be able to monitor the policy-generated events using the Activity logs, which can be monitored using Azure Monitor.

In addition, you may use Azure Resource Graph to query/discover resources within the subscription(s).

Tutorial: Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer: https://docs.azure.cn/governance/resource-graph/first-query-portal

Create, view, and manage activity log alerts by using Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Not applicable

Responsibility: Customer
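The Activity Log monitoring called for in 4.8 (resource-level changes to Azure Data Explorer clusters) and in 6.5 (events generated by the resource-type policies) can be done with two Log Analytics queries, added here as an example that is not part of the baseline. They assume the Activity Log is exported to a Log Analytics workspace (`AzureActivity` table) and that policy events carry a `policies` JSON string inside the `Properties` column, which is how Azure Policy records the assignments it evaluated; both should be checked against your workspace.

```kusto
// Added example: Activity Log review for controls 4.8 and 6.5.
// Assumption: the Activity Log is exported to the AzureActivity table.

// 1) Who created, changed or deleted Azure Data Explorer resources in the last 7 days.
//    Saved as a scheduled log alert that fires on any row, this is the 4.8 alert.
AzureActivity
| where TimeGenerated > ago(7d)
| where ResourceProviderValue =~ "Microsoft.Kusto"
| where OperationNameValue has_any ("/write", "/delete")
// Keep only the final status; both spellings occur across schema versions.
| where ActivityStatusValue in ("Succeeded", "Success")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId, SubscriptionId
| order by TimeGenerated desc

// 2) Azure Policy evaluations, expanded to one row per policy assignment, so
//    denials from the "Not allowed / Allowed resource types" assignments are
//    visible with the caller who triggered them (control 6.5).
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Policy"
// Properties is a JSON string whose "policies" member is itself JSON-encoded.
| extend policies = parse_json(tostring(parse_json(Properties).policies))
| mv-expand policy = policies
| project TimeGenerated, Caller, ActivityStatusValue, _ResourceId,
          policyAssignmentName = tostring(policy.policyAssignmentName),
          policyDefinitionName = tostring(policy.policyDefinitionName)
| order by TimeGenerated desc
```

Query 1 intentionally excludes read operations and in-progress events so the alert fires once per completed change; query 2 pairs naturally with the Resource Graph inventory, since a deny recorded here with no matching resource confirms the policy did its job, while a resource of a disallowed type with no deny event indicates it predates the assignment and needs the 6.3 clean-up.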

6.6: Monitor for Unapproved Software Applications within Compute Resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove Unapproved Azure Resources and Software Applications

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Utilize only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Utilize only approved Azure Services

Guidance: You may use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s) using the following built-in policy definitions:

- Not allowed resource types

- Allowed resource types

Tutorial: Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Policy samples: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app. This prevents the creation of, and changes to, resources within your Azure subscriptions.

Manage access to Azure management with Conditional Access: https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Yes

Responsibility: Customer

6.12: Limit Users' Ability to Execute Scripts within Compute Resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure 安全中心监视 :不适用Azure Security Center monitoring : Not Applicable

责任 :不适用Responsibility : Not applicable

6.13:以物理或逻辑方式隔离高风险应用程序6.13: Physically or Logically Segregate High Risk Applications

指导 :不适用;此建议适用于 Azure 应用服务或计算资源上运行的 Web 应用程序。Guidance : Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure 安全中心监视 :不适用Azure Security Center monitoring : Not Applicable

责任 :不适用Responsibility : Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish Secure Configurations for all Azure Resources

Guidance: Use Azure Policy aliases to create custom policies that audit or enforce the configuration of your Azure resources. You may also use built-in Azure Policy definitions.

Also, Azure Resource Manager can export a resource's template as JavaScript Object Notation (JSON); review the exported template to confirm that the configuration meets or exceeds your organization's security requirements.

You may also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

How to view available Azure Policy aliases: https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

Tutorial: Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Single and multi-resource export to a template in the Azure portal: https://docs.azure.cn/azure-resource-manager/templates/export-template-portal

Security recommendations - a reference guide: https://docs.azure.cn/security-center/recommendations-reference

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

7.2: Establish Secure Configurations for your Operating System

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

7.3: Maintain Secure Configurations for all Azure Resources

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources. Use solutions such as Change Tracking, the Policy compliance dashboard, or a custom solution to identify security-relevant configuration changes in your environment.

Understand Azure Policy effects: https://docs.azure.cn/governance/policy/concepts/effects

Create and manage policies to enforce compliance: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Get compliance data of Azure resources: https://docs.azure.cn/governance/policy/how-to/get-compliance-data

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

7.4: Maintain Secure Configurations for Operating Systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

7.5: Securely Store Configuration of Azure Resources

Guidance: Use Azure Repos to securely store and manage your code, such as custom Azure Policy definitions, Azure Resource Manager templates, and Desired State Configuration scripts. To control access to the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or in Active Directory if integrated with TFS.

How to store code in Azure DevOps: https://docs.microsoft.com/azure/devops/repos/git/gitworkflow?view=azure-devops

About permissions and groups in Azure DevOps: https://docs.microsoft.com/azure/devops/organizations/security/about-permissions

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

7.6: Securely Store Custom Operating System Images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

7.7: Deploy System Configuration Management Tools

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies that audit or enforce the network configuration of your Azure resources. You may also use built-in policy definitions related to your specific resources. Additionally, you may use Azure Automation to deploy configuration changes.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to use aliases: https://docs.azure.cn/governance/policy/concepts/definition-structure#aliases

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

7.8: Deploy System Configuration Management Tools for Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

7.9: Implement Automated Configuration Monitoring for Azure Services

Guidance: Use Azure Policy aliases to create custom policies that alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage
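Controls 6.9, 7.1, 7.3, 7.7 and 7.9 all come down to writing policy rules against resource properties and checking what each rule would do before it is assigned. The following is an added example, not code from the baseline page or from Azure Policy itself: two rules in the shape Azure Policy uses (an allow-list of resource types with a [deny] effect, and an alias-based [audit] rule for Azure Data Explorer clusters whose disk encryption setting is not "true"), dry-run by a small offline evaluator against constructed resource documents. The evaluator covers only the operators used here (Azure's engine supports many more), the alias Microsoft.Kusto/clusters/enableDiskEncryption is assumed to resolve to properties.enableDiskEncryption, and the resource documents are constructed for illustration.

```python
"""Added example: offline dry-run of Azure Policy-style rules against constructed
resource documents. Not the Azure Policy engine; only the operators used below
are implemented, and the alias handling is an assumption for illustration."""
import re

# Built-in "Allowed resource types" expressed as a rule: anything outside the
# allow-list is denied at deployment time (control 6.9).
ALLOWED_TYPES_POLICY = {
    "if": {"not": {"field": "type", "in": [
        "Microsoft.Kusto/clusters",
        "Microsoft.Kusto/clusters/databases",
        "Microsoft.Storage/storageAccounts",
        "Microsoft.Network/virtualNetworks",
    ]}},
    "then": {"effect": "deny"},
}

# Custom rule built on an alias (controls 7.1/7.9): flag Azure Data Explorer
# clusters whose disk encryption setting is anything other than "true".
ADX_DISK_ENCRYPTION_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Kusto/clusters"},
        {"field": "Microsoft.Kusto/clusters/enableDiskEncryption", "notEquals": "true"},
    ]},
    "then": {"effect": "audit"},
}

POLICIES = {
    "allowed-types": ALLOWED_TYPES_POLICY,
    "adx-disk-encryption": ADX_DISK_ENCRYPTION_POLICY,
}


def _norm(value):
    """Azure Policy compares strings case-insensitively; booleans become 'true'/'false'."""
    return None if value is None else str(value).lower()


def resolve_field(resource, field):
    """Map a policy 'field' to a value: top-level fields by name, aliases into properties
    (assumed layout: '<resource type>/<property path>')."""
    if "/" not in field:
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None  # alias belongs to another resource type: treated as absent
    node = resource.get("properties", {})
    for key in field[len(rtype) + 1:].split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(cond, resource):
    """Evaluate one condition block. A missing field is None, so 'notEquals' on an
    absent property still holds: the audit rule therefore also catches clusters
    where the setting was never written, which matches Azure's behaviour."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _norm(resolve_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in {_norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return value not in {_norm(v) for v in cond["notIn"]}
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "like" in cond:  # '*' wildcard, as in Azure Policy
        pattern = "^" + re.escape(cond["like"].lower()).replace(r"\*", ".*") + "$"
        return value is not None and re.match(pattern, value) is not None
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource):
    """Effect the policy would apply to the resource, or None if it is compliant."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else None


def noncompliant(resources, policies=POLICIES):
    """Dry-run every policy over every resource; returns (resource, policy, effect) triples."""
    return [(r["name"], name, eff)
            for r in resources
            for name, policy in policies.items()
            if (eff := effect_for(policy, r)) is not None]


# Constructed resource documents in the shape ARM / Resource Graph return them.
SAMPLE_RESOURCES = [
    {"name": "adx-prod", "type": "Microsoft.Kusto/clusters", "location": "chinaeast2",
     "properties": {"enableDiskEncryption": True}},
    {"name": "adx-dev", "type": "Microsoft.Kusto/clusters", "location": "chinaeast2",
     "properties": {"enableDiskEncryption": False}},
    {"name": "adx-legacy", "type": "Microsoft.Kusto/clusters", "location": "chinaeast2",
     "properties": {}},  # setting never written: still non-compliant
    {"name": "vm-jump", "type": "Microsoft.Compute/virtualMachines", "location": "chinaeast2",
     "properties": {}},
]

if __name__ == "__main__":
    for resource, policy, effect in noncompliant(SAMPLE_RESOURCES):
        print(f"{effect:>5}  {policy:<20} {resource}")
```

Once a rule behaves as intended on such documents, save the `if`/`then` block to a file and create it with `az policy definition create --name <name> --rules <file>`, then assign it; the evaluator is only there to catch mistakes such as a [deny] rule that would also block the cluster itself before the rule is live.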

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

7.10: Implement Automated Configuration Monitoring for Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

7.11: Securely manage Azure secrets

Guidance: Azure Disk Encryption provides volume encryption for the OS and data disks of your Azure Data Explorer cluster virtual machines. It also integrates with Azure Key Vault, which lets you control and manage the disk encryption keys and secrets, and ensures that all data on the VM disks is encrypted at rest in Azure Storage. Disk encryption is a per-cluster setting; confirm that it is enabled on each cluster rather than assuming it.

How to secure your cluster in Azure Data Explorer: https://docs.azure.cn/data-explorer/manage-cluster-security

Azure Security Center monitoring: Currently not available

Responsibility: Microsoft

7.12: Securely and automatically manage identities

Guidance: Use managed identities to provide Azure services with an automatically managed identity in Azure AD. A managed identity lets the cluster authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

How to configure managed identities: https://docs.azure.cn/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

Configure managed identities for your Azure Data Explorer cluster: https://docs.azure.cn/data-explorer/managed-identities

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.

How to set up Credential Scanner:

https://secdevtools.azurewebsites.net/helpcredscan.html
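To show what a credential scan of the kind control 7.13 asks for actually looks for, here is an added example; it is not the Credential Scanner tool linked above and not code from the baseline page. It scans a small set of constructed files for the secret shapes that tend to leak into Azure Data Explorer client code and export scripts (a storage account key inside a connection string, a SAS token's `sig` parameter, an AAD application secret in a config keyword), drops low-entropy placeholders, and reports redacted values so the finding itself does not re-expose the secret. The file contents and secret values are constructed placeholders (the storage key is the base64 of a byte ramp, not a real key), and the three patterns are illustrative; a production scanner ships a far larger rule set.

```python
"""Added example: a small offline secret scanner over constructed files.
Not the Credential Scanner tool; patterns and sample data are illustrative."""
import base64
import math
import re
from collections import Counter

# Secret classes worth catching; group 1 of each pattern is the secret itself.
PATTERNS = {
    # Storage / ingestion connection strings embed the 512-bit account key
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    # Shared access signature: the 'sig' query parameter is the HMAC
    "sas-token": re.compile(r"[?&]sig=([A-Za-z0-9%+/=]{20,})"),
    # Service principal secret in Kusto connection-string or config keywords
    "aad-app-key": re.compile(r"(?i)(?:AppKey|Application Key|client_secret)\s*=\s*([^;\s\"']{16,})"),
}
MIN_ENTROPY = 3.5  # bits per character; placeholders such as 'xxxxxxxx' fall well below this


def shannon_entropy(text):
    """Bits of entropy per character: random keys score high, placeholders low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Keep just enough of the value to locate it, never enough to reuse it."""
    return secret[:3] + "..." + secret[-2:]


def scan_text(text, source):
    """Findings for one file: location, secret class, redacted value, entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                entropy = shannon_entropy(secret)
                if entropy < MIN_ENTROPY:
                    continue  # low-entropy value: a placeholder, not a credential
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "redacted": redact(secret), "entropy": round(entropy, 2)})
    return findings


def scan_files(files):
    """files: {path: content}. Returns all findings across the set."""
    return [f for path, content in files.items() for f in scan_text(content, path)]


# Constructed placeholder key with the right shape (88-char base64 ending in '==').
FAKE_STORAGE_KEY = base64.b64encode(bytes(range(1, 65))).decode()

# Constructed sample files: two with leaked secrets, one with harmless placeholders.
SAMPLE_FILES = {
    "settings.ini": (
        "[kusto]\n"
        "cluster = https://adxprod.chinaeast2.kusto.chinacloudapi.cn\n"
        "app_id = 3f6c0e2a-1b7d-4a9e-8c2f-5d1e7b9a0c3d\n"
        "client_secret = Q~8sV2nB.kTz4xYp0rLm7wHq3JcD9fGe\n"
    ),
    "export.sh": (
        "#!/bin/sh\n"
        f'STORAGE="DefaultEndpointsProtocol=https;AccountName=adxexport;AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.chinacloudapi.cn"\n'
        'SAS_URL="https://adxexport.blob.core.chinacloudapi.cn/export?sv=2020-08-04&ss=b&sig=r3dACT3d%2BnotARealSig%2Fabc123XYZ%3D"\n'
    ),
    "README.md": (
        "Set AccountKey=<your-key> and client_secret=xxxxxxxxxxxxxxxxxxxxxxxx before running.\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["source"]}:{f["line"]}  {f["kind"]:<20} {f["redacted"]}  (H={f["entropy"]})')
```

Each finding is a value that belongs in Key Vault (or, for the cluster itself, behind a managed identity as in 7.12) rather than in a repository; the entropy gate is what keeps documentation placeholders out of the report, and the redaction is what keeps the report itself from becoming a second leak.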

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Utilize Centrally Managed Anti-malware Software

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft Antimalware is enabled on the underlying hosts that support Azure services (for example, Azure Data Explorer); however, it does not run on customer content.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying hosts that support Azure services (for example, Azure Data Explorer); however, it does not run on customer content.

Pre-scan any content being uploaded to non-compute Azure resources, such as Azure Data Explorer, Data Lake Storage, Blob Storage, Azure Database for PostgreSQL, and so on. Microsoft cannot access your data in these instances, so scanning before ingestion is your responsibility.

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

8.3: Ensure Anti-Malware Software and Signatures are Updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Microsoft Antimalware is enabled on the underlying hosts that support Azure services; however, it does not run on customer content.

Azure Security Center monitoring: Not Applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure Regular Automated Back Ups

Guidance: The data in the Microsoft Azure storage account used by your Data Explorer cluster is always replicated to ensure durability and high availability. Azure Storage copies your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. You can choose to replicate your data within the same data center, across zonal data centers within the same region, or across geographically separated regions. Replication protects against infrastructure loss, not against accidental or malicious deletion of databases or tables; to keep a restorable copy, export the data to a storage account you control.

Understanding Azure Storage redundancy and Service-Level Agreements: https://docs.azure.cn/storage/common/storage-redundancy

Export data to storage

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management from detection to post-incident review.

Guidance on building your own security incident response process: https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Microsoft Security Response Center's Anatomy of an Incident: https://msrc-blog.microsoft.com/2019/06/27/inside-the-msrc-anatomy-of-a-ssirp-incident/

Customers may also leverage NIST's Computer Security Incident Handling Guide to aid in the creation of their own incident response plan: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

10.2: Create Incident Scoring and Prioritization Procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and the environment where the incident occurred.

Security alerts in Azure Security Center: https://docs.azure.cn/security-center/security-center-alerts-overview

Use tags to organize your Azure resources: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test Security Response Procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

Refer to NIST's publication: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not Applicable

Responsibility: Customer

10.4: Provide Security Incident Contact Details and Configure Alert Notifications for Security Incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

How to set the Azure Security Center security contact: https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Yes

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular Penetration Testing of your Azure resources and ensure to remediate all critical security findings within 60 days

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications here: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not Applicable

Responsibility: Shared

Next steps