Azure security baseline for Azure Information Protection

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Information Protection. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Information Protection. Controls not applicable to Azure Information Protection have been excluded.

To see how Azure Information Protection maps completely to the Azure Security Benchmark, see the full Azure Information Protection security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-6: Simplify network security rules

Guidance: Use Virtual Network service tags to define network access controls on the network security groups or Azure Firewall configured for your Azure Information Protection resources.

When creating security rules, use service tags in place of specific IP addresses. Specify the service tag name, such as AzureInformationProtection, in the appropriate source or destination field of a rule to allow or deny the traffic for the corresponding service.

Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
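The following is an added example, not code from the baseline page or from Microsoft: an outbound NSG rule that permits only HTTPS to the AzureInformationProtection service tag, with an explicit deny below it, and a check that the tag is actually published for the region before the rule is written. Resource group, region and NSG names are placeholders; it assumes the Az.Network module and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the baseline page): NSG rules keyed on the
# AzureInformationProtection service tag instead of on today's IP ranges.
# Resource names below are assumptions; adjust to your environment.
$rg       = 'rg-aip-clients'   # assumption: resource group of the client subnet
$location = 'westeurope'       # assumption: region of the NSG
$nsgName  = 'nsg-aip-clients'  # assumption

# Check first: does this region publish the tag we are about to reference?
$tags   = Get-AzNetworkServiceTag -Location $location
$aipTag = $tags.Values | Where-Object { $_.Name -eq 'AzureInformationProtection' }
if (-not $aipTag) {
    throw "Service tag AzureInformationProtection is not published for $location"
}
Write-Host ("Tag currently covers {0} address prefixes" -f $aipTag.Properties.AddressPrefixes.Count)

# Allow rule: only TLS to the AIP/RMS endpoints, resolved by the tag
$allowAip = New-AzNetworkSecurityRuleConfig -Name 'allow-aip-https' `
    -Description 'Azure Information Protection / RMS endpoints over TLS' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 200 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix AzureInformationProtection -DestinationPortRange 443

# Explicit deny at low priority so anything not tagged above is blocked
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-other-internet' `
    -Description 'Default deny for untagged internet egress' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $allowAip, $denyInternet

# Verify what was actually written, not what was intended
$nsg.SecurityRules |
    Select-Object Name, Priority, Direction, Access, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

The allow rule covers only the AIP/RMS service endpoints. Clients still have to authenticate, so a working deployment also needs egress to Azure AD (its own service tag, AzureActiveDirectory); with the deny rule in place that traffic must be allowed explicitly or sign-in fails before any document is ever opened.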

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service. Make it a high priority to secure Azure AD in your organization's cloud security practice.

Review the Azure AD identity secure score to help you assess your identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations and to make improvements in your security posture.

Standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, Platform as a Service (PaaS), and Software as a Service (SaaS) applications

  • Your organization's resources, such as applications on Azure or your corporate network resources

Azure AD supports external identities to allow users without a Microsoft account to sign in to their applications and resources with their non-Microsoft accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-2: Manage application identities securely and automatically

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's identity and access management service. The Azure Rights Management service uses an Azure AD application identity when accessing customer keys stored in Azure Key Vault for Bring Your Own Key (BYOK) scenarios. Authorizing the Azure Rights Management service to access your keys is achieved by configuring Azure Key Vault access policies, which can be done either in the Azure portal or with PowerShell.
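The following is an added example, not code from the baseline page: the Key Vault authorization step for BYOK done with least privilege, granting the Azure Rights Management service principal only the key operations it uses, followed by the checks a reviewer would want (RSA 2048 key, purge protection on) before pointing the tenant at the key. The vault, resource group and key names are placeholders. The application ID is the well-known Microsoft first-party ID for the Azure Rights Management service; the script tells you how to confirm it in your own tenant. It assumes the Az.KeyVault and AIPService modules, both authenticated.

```powershell
# Added example (not from the baseline page): authorize the Azure RMS service
# principal on a BYOK key with only the permissions it needs, then activate it.
$vault = 'kv-contoso-byok'     # assumption: Key Vault holding the tenant key
$rgKv  = 'rg-contoso-byok'     # assumption: its resource group
$key   = 'contoso-tenant-key'  # assumption: RSA 2048 key, already created or imported

# Well-known application ID of the Azure Rights Management service (Microsoft first-party).
# Confirm in your tenant before relying on it:
#   Get-AzADServicePrincipal -ApplicationId 00000012-0000-0000-c000-000000000000
$rmsAppId = '00000012-0000-0000-c000-000000000000'

# Least privilege: RMS needs these key operations and nothing else.
# Deliberately absent: delete, purge, backup, restore, import, create, update.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rgKv `
    -ServicePrincipalName $rmsAppId `
    -PermissionsToKeys decrypt, encrypt, unwrapkey, wrapkey, verify, sign, get

# Pre-flight checks on the key and the vault
$k = Get-AzKeyVaultKey -VaultName $vault -Name $key
if ($k.KeyType -ne 'RSA') { throw "Tenant key must be RSA; found $($k.KeyType)" }
# JsonWebKey.N is the modulus as bytes: 256 bytes == 2048 bits
if ($k.Key.N.Length * 8 -ne 2048) { throw 'Azure RMS BYOK requires a 2048-bit RSA key' }

$v = Get-AzKeyVault -VaultName $vault
if (-not $v.EnablePurgeProtection) {
    Write-Warning 'Purge protection is off: a deleted tenant key could be destroyed permanently, making every protected document unreadable'
}
if (-not $v.EnableSoftDelete) {
    Write-Warning 'Soft delete is off: accidental key deletion is unrecoverable'
}

# Point the tenant at the vault-held key (versioned key URL) and show the key state
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $k.Id
Get-AipServiceKeys | Select-Object KeyIdentifier, Status, KeyType | Format-Table -AutoSize
```

Two caveats. A vault that uses the Azure RBAC permission model ignores access policies entirely; there you grant the same service principal a key-operations role on the key instead. And because this key protects everything the tenant has ever encrypted, the vault's own controls (soft delete, purge protection, who can change the policy) are part of the data-protection boundary, not an afterthought.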

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Azure Information Protection uses Azure AD to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees as well as external identities such as partners, vendors, and suppliers. This enables single sign-on to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access and greater visibility and control.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-4: Use strong authentication controls for all Azure Active Directory based access

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which supports strong authentication through multi-factor authentication. To support authentication and authorization for Azure Information Protection, you must have an Azure AD tenant. To use user accounts from your on-premises directory (AD DS), you must also configure directory integration.

  • Single sign-on is supported for Azure Information Protection, so that users are not repeatedly prompted for their credentials. If you use another vendor's solution for federation, check with that vendor for how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.

  • Multi-factor authentication is supported with Azure Information Protection when you have the required client software and have correctly configured the infrastructure that supports multi-factor authentication.

For more information, see the following references:

Azure Security Center monitoring: Yes

Responsibility: Customer

IM-5: Monitor and alert on account anomalies

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Additional guidance regarding Azure AD:

  • Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provide traceability through logs for all changes made by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.
  • Risky sign-in - A risky sign-in is an indicator of a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator of a user account that might have been compromised. These data sources can be integrated with Azure Monitor, Azure Sentinel, or third-party SIEM systems.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription.

Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-6: Restrict Azure resource access based on conditions

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service. Within Azure AD, configure Conditional Access for Azure Information Protection. Administrators can block or grant access to users in their tenant, for documents protected by Azure Information Protection, based on the standard Conditional Access controls.

Multi-factor authentication is one of the most commonly requested conditions; device compliance with configured Intune policies is another. You can require conditions so that mobile devices meet your organizational password requirements and a minimum operating system version, and that connecting computers are domain-joined.
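The following is an added example, not code from the baseline page: a Conditional Access policy for the Azure Information Protection cloud app that requires both multi-factor authentication and a compliant device, scoped to a pilot group and created in report-only mode so its effect can be read from the sign-in logs before anything is enforced. It also excludes the emergency access accounts that PA-4 below asks you to keep, since a policy that can lock those out defeats their purpose. The service principal display name and both group names are assumptions to confirm in your tenant; it assumes the Microsoft.Graph PowerShell module.

```powershell
# Added example (not from the baseline page): Conditional Access for the AIP
# cloud app via Microsoft Graph PowerShell. Names marked "assumption" must be
# verified against your own tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the AIP/RMS cloud app by display name instead of hardcoding an app ID
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Rights Management Services'"  # assumption
if (-not $sp) { throw 'AIP/RMS service principal not found; check the name under Enterprise applications' }

$pilot      = Get-MgGroup -Filter "displayName eq 'AIP-CA-Pilot'"             # assumption: pilot users
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Excluded-BreakGlass'"   # assumption: holds the PA-4 emergency accounts
if (-not $pilot -or -not $breakGlass) { throw 'Pilot or exclusion group not found' }

$policy = @{
    displayName = 'AIP - require MFA and compliant device'
    # Report-only first: sign-in logs show what would have been blocked, nothing is enforced yet
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($sp.AppId) }
        users          = @{
            includeGroups = @($pilot.Id)
            excludeGroups = @($breakGlass.Id)   # never lock out the emergency access accounts
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                   # both controls must be satisfied
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Report-only mode is the check here: a policy that demands a compliant device will silently block every unmanaged client the organization did not know about, and the sign-in log is where those show up before users do.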

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Azure Information Protection includes an administrator-level role in Azure AD. Users assigned to the Administrator role have full permissions in the Azure Information Protection service. The Administrator role can be used to configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. However, the Administrator role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or the Office 365 Security & Compliance Center.

Limit the number of highly privileged accounts or roles and protect these accounts at an elevated level, as users with this privilege can directly or indirectly read and modify every resource in your Azure environment. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Privileged Identity Management (PIM). Just-in-time access grants temporary permissions to perform privileged tasks only when users need them. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Azure Information Protection includes an administrator-level role in Azure AD. Users assigned to the Administrator role have full permissions in the Azure Information Protection service. The Administrator role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. The Administrator role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or the Office 365 Security & Compliance Center.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-3: Review and reconcile user access regularly

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Use Azure AD to manage resources and to review user accounts and access assignments regularly, to ensure that the accounts and their access are valid. Conduct Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Discover stale accounts with Azure AD reporting. The Privileged Identity Management features of Azure AD can be used to create an access review report workflow to facilitate the review process.

In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured. Note that some Azure services support local users and roles that are not managed through Azure AD. Customers will need to manage these users separately.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-4: Set up emergency access in Azure AD

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD) to manage its resources. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them, and only in an emergency.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-5: Automate entitlement management

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), Azure's default identity and access management service.

Azure AD offers entitlement management features to automate access request workflows, including access assignments, reviews, and expiration. Dual or multi-stage approval is also supported.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-6: Use privileged access workstations

Guidance: Azure Information Protection can be managed from a customer workstation through PowerShell.

Secured, isolated workstations are critically important for the security of sensitive roles such as administrators, developers, and critical service operators.

Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory, Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

Azure Information Protection includes an administrator-level role in Azure AD. Users assigned to the Administrator role have full permissions in the Azure Information Protection service. The Administrator role can be used to configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. However, the Administrator role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or the Office 365 Security & Compliance Center.

Limit the number of highly privileged accounts or roles and protect these accounts at an elevated level, as users with this privilege can directly or indirectly read and modify every resource in your Azure environment. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Privileged Identity Management (PIM). Just-in-time access grants temporary permissions to perform privileged tasks only when users need them. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-8: Choose approval process for Microsoft support

Guidance: Azure Information Protection supports Azure Customer Lockbox, which gives customers the ability to review, approve, and reject data access requests, as well as to review the requests that have been made.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discover, classify, and label sensitive data

Guidance: Azure Information Protection provides the ability to discover, classify, and label sensitive information.

Azure Information Protection is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels. Labels can be applied automatically by administrators using rules and conditions, manually by users, or by a combination where administrators define the recommendations shown to users.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

DP-2: Protect sensitive data

Guidance: Azure Information Protection provides data protection by offering the ability to label sensitive information and to protect that data through encryption. Protection is provided by the Azure Rights Management service.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: Azure Information Protection provides the ability to monitor for unauthorized transfer of sensitive data through the track and revoke capability. Track and revoke allows the customer to track how people are using documents they have sent and to revoke access if people should no longer be able to read them.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Azure Information Protection does not support Azure Resource Manager deployments, nor does it allow customers to limit deployments through built-in Azure Policy definitions such as 'Allow Resources' or 'Deny Resources'. However, customers can limit usage of Azure Information Protection through labeling policies in the Security and Compliance Center.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Information Protection is integrated with Azure Active Directory (Azure AD), which is Azure's default identity and access management service.

View the user logs provided by Azure AD with Azure AD reporting and other solutions such as Azure Monitor, Azure Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases.

They are:

  • Sign-in report - The sign-in report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs - Provide traceability through logs for all changes made by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - A risky sign-in is an indicator of a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

  • Users flagged for risk - A risky user is an indicator of a user account that might have been compromised.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to basic security hygiene monitoring, Security Center's Threat Protection module can collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, and App Service), data resources (such as SQL Database and Storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

LT-4: Enable logging for Azure resources

Guidance: Azure Information Protection provides data protection for an organization's documents and emails, along with a log entry for each request. These requests include when users protect documents and emails, when they consume this content, actions performed by administrators for this service, and actions performed by Microsoft operators to support your Azure Information Protection deployment.

Types of logs produced by Azure Information Protection include:

  • Admin log - Records administrative tasks for the protection service. For example: when the service is deactivated, when the super user feature is enabled, and when users are delegated admin permissions to the service.

  • Document tracking - Lets users track and revoke the documents they have tracked with the Azure Information Protection client. Global administrators can also track these documents on behalf of users.

  • Client event logs - Usage activity for the Azure Information Protection client, logged in the local Windows Applications and Services event log under Azure Information Protection.

  • Client log files - Troubleshooting logs for the Azure Information Protection client.

The protection usage logs can be used to identify who is accessing your protected data, from which devices, and from where. The logs reveal whether people can successfully read protected content, and identify which people have read an important document that was protected.
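The following is an added example, not code from the baseline page: the download and the analysis that turn the protection usage log into the answers LT-4 promises (who read which protected document, from which IP, and which attempts were denied). The real log is fetched with Get-AipServiceUserLog from the AIPService module; the data embedded here is constructed to stand in for that download, using a subset of the documented W3C-style columns, and the parser reads column names from the #Fields: header so it does not depend on a fixed column order. The request-type and result values in the sample are assumptions chosen to resemble the real log, as are all user, IP and content identifiers.

```powershell
# Added example (not from the baseline page): parse AIP protection usage logs
# and summarize access. Sample data below is constructed, not a real export.

function ConvertFrom-AipUsageLog {
    # Turns W3C-style log lines into objects, using the #Fields: header for names
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data row before #Fields: header; not a usage log' }
        $values = $line -split "`t"
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

function Get-AipAccessSummary {
    # AcquireLicense requests are content consumption: they say who opened what
    param([Parameter(Mandatory)][object[]]$Entries)
    $reads = $Entries | Where-Object { $_.'request-type' -eq 'AcquireLicense' }
    [pscustomobject]@{
        # Successful readers per protected item (content-id is stable across copies of a file)
        ReadersByContent = $reads | Where-Object { $_.result -eq 'Success' } |
            Group-Object 'content-id' | ForEach-Object {
                [pscustomobject]@{ ContentId = $_.Name; Readers = ($_.Group.'user-id' | Sort-Object -Unique) -join ', ' }
            }
        # Denied attempts: who tried to open something they were not granted
        Denied = $reads | Where-Object { $_.result -ne 'Success' } |
            Select-Object date, time, 'user-id', 'c-ip', 'content-id', result
        # One account consuming from several client IPs is worth a second look
        UsersWithManyIps = $reads | Group-Object 'user-id' |
            Where-Object { @($_.Group.'c-ip' | Sort-Object -Unique).Count -ge 3 } |
            Select-Object -ExpandProperty Name
    }
}

# Real data: Get-AipServiceUserLog -Path 'C:\AipLogs' -FromDate (Get-Date).AddDays(-7)
#            $lines = Get-Content 'C:\AipLogs\*.log'
# Constructed sample standing in for that download (subset of the documented columns):
$tab = "`t"
$cols = 'date','time','row-id','request-type','user-id','result','correlation-id','content-id','owner-email','c-ip'
$sample = @(
    '#Version: 1.1'
    ('#Fields: ' + ($cols -join ' '))
    (@('2021-03-02','09:14:05','1','AcquireLicense',  'alice@contoso.com',   'Success',      'c1','{doc-a}','bob@contoso.com','198.51.100.10') -join $tab)
    (@('2021-03-02','09:15:11','2','AcquireLicense',  'mallory@fabrikam.com','AccessDenied', 'c2','{doc-a}','bob@contoso.com','203.0.113.7')   -join $tab)
    (@('2021-03-02','09:16:40','3','AcquireLicense',  'alice@contoso.com',   'Success',      'c3','{doc-a}','bob@contoso.com','198.51.100.11') -join $tab)
    (@('2021-03-02','09:18:02','4','AcquireLicense',  'alice@contoso.com',   'Success',      'c4','{doc-b}','bob@contoso.com','192.0.2.5')     -join $tab)
    (@('2021-03-02','09:20:00','5','AcquireTemplates','alice@contoso.com',   'Success',      'c5','',       '',               '198.51.100.10') -join $tab)
)

$summary = Get-AipAccessSummary -Entries (ConvertFrom-AipUsageLog -Lines $sample)
$summary.ReadersByContent | Format-Table -AutoSize
$summary.Denied           | Format-Table -AutoSize
"Users consuming from 3+ distinct IPs: $($summary.UsersWithManyIps -join ', ')"
```

On the sample, alice@contoso.com is the only successful reader of both items, mallory@fabrikam.com appears once as a denied attempt on {doc-a} from 203.0.113.7, and alice is flagged for three distinct client IPs. The same objects can be forwarded to a SIEM; the point of parsing against the header rather than fixed offsets is that Microsoft has added columns to this log over time, and a parser pinned to positions fails quietly when that happens.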

Azure Security Center monitoring: Not applicable

Responsibility: Customer

LT-5: Centralize security log management and analysis

Guidance: Ensure that support personnel can build a full view of what happened during an event, by querying and using diverse data sources as they investigate potential incidents.

Avoid blind spots by collecting diverse logs and sending them to a central SIEM solution such as Azure Sentinel, to track the activities of a potential attacker across the kill chain. The logs can reveal whether people can successfully read protected content, and identify which people have read an important document that was protected. Ensure that insights and learnings are captured for other analysts and for future historical reference.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information gathered during an investigation can be associated with an incident for tracking and reporting purposes.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

LT-6: Configure log storage retention

Guidance: Azure Information Protection provides data protection for an organization's documents and emails, with a log entry for every request made to it. These requests include when users protect documents and emails, when they consume this content, actions performed by your administrators for this service, and actions performed by Microsoft operators to support your Azure Information Protection deployment.

The amount of data collected and stored in your Azure Information Protection workspace, and its retention, will vary significantly for each tenant, depending on factors such as how many Azure Information Protection clients and other supported endpoints you have, whether you're collecting endpoint discovery data, whether you've deployed scanners, the number of protected documents that are accessed, and so on.

Use the Usage and estimated costs feature of Azure Monitor Logs to help estimate and review the amount of data stored, and to control the data retention period for your Log Analytics workspace.
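The following is an added example, not code from the baseline page: the same estimate done from PowerShell rather than the portal. It queries the workspace's own Usage table for the volume the Azure Information Protection analytics table has ingested over the last 30 days, projects what a chosen retention period would hold, and then sets that retention explicitly. Workspace and resource group names are placeholders; the table name InformationProtectionLogs_CL is the one AIP analytics writes to, stated here as an assumption to confirm in your workspace. It assumes the Az.OperationalInsights module and an authenticated session.

```powershell
# Added example (not from the baseline page): size AIP analytics data in a
# Log Analytics workspace and set retention deliberately.
$rg = 'rg-aip-analytics'    # assumption: resource group of the workspace
$ws = 'law-aip-analytics'   # assumption: Log Analytics workspace name
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws

# Usage.Quantity is in MB; aggregate per day, then summarize over the window.
# Table name is an assumption: confirm with  Usage | distinct DataType
$kql = @'
Usage
| where TimeGenerated > ago(30d)
| where DataType == "InformationProtectionLogs_CL"
| summarize GB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d)
| summarize Days = count(), TotalGB = sum(GB), AvgGBPerDay = avg(GB)
'@
$res = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql
$row = $res.Results | Select-Object -First 1
if (-not $row -or [int]$row.Days -eq 0) { throw 'No AIP analytics data found in the last 30 days; check the table name and the workspace' }

"AIP analytics: {0:N2} GB over {1} days (~{2:N3} GB/day)" -f [double]$row.TotalGB, $row.Days, [double]$row.AvgGBPerDay

# Retention the investigation process needs (assumption: a one-year requirement).
# Project the retained volume before committing, since retention drives cost.
$retentionDays = 365
"Projected retained volume at {0} days: {1:N1} GB" -f $retentionDays, ([double]$row.AvgGBPerDay * $retentionDays)

Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws -RetentionInDays $retentionDays

# Confirm the setting took effect
(Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).RetentionInDays
```

Retention here is workspace-wide, so it also governs every other table in the workspace; if AIP logs need to outlive the rest of the data, that is an argument for giving them their own workspace rather than for raising retention everywhere.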

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

IR-1: Preparation – update incident response process for Azure

Guidance: Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and exercises them regularly to ensure readiness.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-2: Preparation – set up incident notification

Guidance: Set up security incident contact information in Azure Security Center. Microsoft uses this contact information to reach you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You can also customize incident alerts and notifications in different Azure services based on your incident response needs.

Azure Security Center monitoring: Yes

Responsibility: Customer

IR-3: Detection and analysis – create incidents based on high-quality alerts

Guidance: Ensure you have a process to create high-quality alerts and to measure alert quality. This lets you learn from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High-quality alerts can be built from experience with past incidents, validated community sources, and tools designed to generate and refine alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high-quality alerts across many Azure assets. You can use the ASC data connector to stream these alerts to Azure Sentinel, where you can create advanced alert rules that automatically generate incidents for investigation.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Alerts and recommendations can be exported manually or continuously.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-4: Detection and analysis – investigate an incident

Guidance: Ensure that analysts can build a full picture of what happened by querying and using diverse data sources as they investigate potential incidents. Avoid blind spots by collecting diverse logs so that a potential attacker's activity can be tracked across the kill chain. Also ensure that insights and lessons learned are captured for other analysts and for future historical reference.

The data sources for an investigation include the centralized logging sources already collected from the in-scope services and running systems, but can also include:

  • Network data – use network security group flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

  • Snapshots of running systems:

    • Use the Azure virtual machine snapshot capability to create a snapshot of the running system's disk.

    • Use the operating system's built-in memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure services, or your software's own capability, to create snapshots of the running systems.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information gathered during an investigation can be associated with an incident for tracking and reporting purposes.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-5: Detection and analysis – prioritize incidents

Guidance: Give analysts context on which incidents to focus on first, based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity reflects how confident Security Center is in the finding or in the analytic used to issue the alert, and how confident it is that there was malicious intent behind the activity that triggered the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-6: Containment, eradication and recovery – automate the incident handling

Guidance: Automate manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. They also increase analyst fatigue, which raises the risk of human error that causes delays and degrades analysts' ability to focus effectively on complex tasks. Use the workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook in response to incoming security alerts. A playbook takes actions such as sending notifications, disabling accounts, and isolating problematic networks.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Azure Information Protection can be configured through the Security and Compliance Center or through PowerShell.

Within the Security and Compliance Center, an admin can create sensitivity labels, define what each label does, and publish the labels.

Create the labels: Create and name your sensitivity labels according to your organization's classification taxonomy for the different sensitivity levels of content. Use common names or terms that make sense to your users. If you don't already have an established taxonomy, consider starting with label names such as Personal, Public, General, Confidential, and Highly Confidential. You can then use sublabels to group similar labels by category. When you create a label, use the tooltip text to help users select the appropriate label.

Define what each label does: Configure the protection settings you want associated with each label. For example, you might want lower-sensitivity content (such as a "General" label) to have just a header or footer applied, while higher-sensitivity content (such as a "Confidential" label) should have a watermark and encryption.

Publish the labels: After your sensitivity labels are configured, publish them by using a label policy. Decide which users and groups should have the labels and what policy settings to use. A single label is reusable: you define it once, and then you can include it in several label policies assigned to different users. For example, you could pilot your sensitivity labels by assigning a label policy to just a few users. Then, when you're ready to roll out the labels across your organization, you can create a new label policy for your labels and this time specify all users.

To use PowerShell, install the AIPService PowerShell module. Within PowerShell, an admin can perform these tasks, among others:

  • Migrate from on-premises Rights Management (AD RMS or Windows RMS) to Azure Information Protection
  • Generate and manage your own tenant key (the bring your own key, or BYOK, scenario)
  • Activate or deactivate the Rights Management service for your organization
  • Configure onboarding controls for a phased deployment of the Azure Rights Management service
  • Create and manage Rights Management templates for your organization
  • Manage the users and groups who are authorized to administer the Rights Management service for your organization
  • Log and analyze usage of Rights Management
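An added example, not part of the baseline or of the AIPService module's own documentation, that reads back the configuration items listed above with the module's cmdlets so an administrator can review them against policy in one pass. It assumes the AIPService module is installed and that Connect-AipService can sign in interactively; $LogExportPath is an assumed local folder for the exported logs.

```powershell
# Added example (not from the baseline): read-only review of the tenant's Azure Rights
# Management configuration using the AIPService module's own cmdlets.
# Assumes: Install-Module AIPService has been run; Connect-AipService prompts for sign-in.
# $LogExportPath is an assumed local folder for the exported admin and usage logs.

function Get-AipConfigurationReview {
    param(
        [string]$LogExportPath = (Join-Path $env:TEMP 'AipLogs'),
        [int]$UsageLogDays = 7
    )

    $report = [ordered]@{}

    # Service state: protection only works while the Rights Management service is enabled.
    $report.ServiceStatus = Get-AipService

    # Onboarding controls: during a phased rollout only licensed users or members of the
    # named security group can protect content. Confirm the scope is still the intended one.
    $report.OnboardingControls = Get-AipServiceOnboardingControlPolicy

    # Protection templates: each published template defines who may do what with protected content.
    $report.Templates = Get-AipServiceTemplate | Select-Object TemplateId, Names, Status

    # Administrators delegated to manage the service; least privilege means this list stays short.
    $report.RoleBasedAdministrators = Get-AipServiceRoleBasedAdministrator

    # Super users can read and remove protection from any content in the tenant, so the feature
    # should stay disabled unless there is a current operational need (eDiscovery, scanner, etc.).
    $report.SuperUserFeature = Get-AipServiceSuperUserFeature
    $report.SuperUsers       = Get-AipServiceSuperUser
    $report.SuperUserGroup   = Get-AipServiceSuperUserGroup

    # Tenant keys: shows whether the active key is Microsoft-managed or customer-managed (BYOK).
    $report.Keys = Get-AipServiceKeys

    # Logs: the admin log records configuration changes; the usage log records every
    # protect/consume request and feeds the retention review in LT-6.
    New-Item -ItemType Directory -Path $LogExportPath -Force | Out-Null
    Get-AipServiceAdminLog -Path (Join-Path $LogExportPath 'AdminLog.log')
    Get-AipServiceUserLog -Path $LogExportPath `
        -FromDate (Get-Date).AddDays(-$UsageLogDays) -ToDate (Get-Date)
    $report.LogExportPath = $LogExportPath

    [pscustomobject]$report
}

Connect-AipService
Get-AipConfigurationReview | Format-List
```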

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests do not violate Microsoft policies. Draw on Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-4: Mitigate risk of lost keys

Guidance: Azure Information Protection lets customers configure their tenant with their own key through Bring Your Own Key (BYOK). Customer-generated keys must be stored in Azure Key Vault, which protects them. Azure Key Vault helps prevent the loss of keys through soft delete, role separation, and separated security domains.
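An added example, not from the baseline, that checks whether the Key Vault holding a BYOK tenant key actually has the loss-prevention settings this control relies on, and that the tenant's active key is the customer-managed key from that vault. It assumes the Az.KeyVault and AIPService modules are installed and already signed in (Connect-AzAccount, Connect-AipService); the vault and key names are placeholders, and the check reads the key URL from the FriendlyName field that Get-AipServiceKeys shows for BYOK keys.

```powershell
# Added example (not from the baseline): verify that a BYOK tenant key's Key Vault is
# protected against loss and that Azure Rights Management is using that key.
# Assumes: Az.KeyVault and AIPService modules installed; Connect-AzAccount and
# Connect-AipService already run. Vault and key names are placeholders.

function Test-AipByokKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,   # placeholder: vault holding the tenant key
        [Parameter(Mandatory)][string]$KeyName      # placeholder: key name inside that vault
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key Vault '$VaultName' was not found in the current context." }

    # Soft delete keeps a deleted key recoverable for the retention window instead of
    # destroying it immediately.
    if (-not $vault.EnableSoftDelete) {
        $findings.Add('Soft delete is disabled: a deleted tenant key cannot be recovered.')
    }
    # Purge protection blocks purging a soft-deleted key before the retention window ends,
    # even for an identity that holds delete permission on the vault.
    if (-not $vault.EnablePurgeProtection) {
        $findings.Add('Purge protection is disabled: a soft-deleted key can be purged at once.')
    }

    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
    if (-not $key) {
        $findings.Add("Key '$KeyName' was not found in vault '$VaultName'.")
    } elseif (-not $key.Enabled) {
        $findings.Add("Key '$KeyName' is disabled: protect and unprotect operations will fail.")
    }

    # Cross-check that the tenant's active key is the customer-managed key from this vault.
    # Assumption: for BYOK keys, Get-AipServiceKeys reports the Key Vault key URL in FriendlyName.
    $active  = Get-AipServiceKeys | Where-Object { $_.Status -eq 'Active' }
    $keyUrl  = "$($vault.VaultUri.TrimEnd('/'))/keys/$KeyName"
    if ($active.KeyType -ne 'Customer-managed') {
        $findings.Add("Active tenant key is '$($active.KeyType)', not a customer-managed (BYOK) key.")
    } elseif ($active.FriendlyName -notlike "$keyUrl*") {
        $findings.Add("Active tenant key '$($active.FriendlyName)' does not point at $keyUrl.")
    }

    [pscustomobject]@{
        VaultName       = $VaultName
        SoftDelete      = [bool]$vault.EnableSoftDelete
        PurgeProtection = [bool]$vault.EnablePurgeProtection
        RetentionDays   = $vault.SoftDeleteRetentionInDays
        ActiveKeyType   = $active.KeyType
        Findings        = $findings
    }
}

Test-AipByokKeyVault -VaultName 'contoso-aip-kv' -KeyName 'contoso-aip-tenant-key'
```

An empty Findings list means the vault and key are configured as this control expects; each entry otherwise names one setting to correct.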

Azure Security Center monitoring: Yes

Responsibility: Customer

Governance and Strategy

For more information, see the Azure Security Benchmark: Governance and Strategy.

GS-1: Define asset management and data protection strategy

Guidance: Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Data classification standard in accordance with the business risks

  • Security organization visibility into risks and asset inventory

  • Security organization approval of Azure services for use

  • Security of assets through their lifecycle

  • Required access control strategy in accordance with organizational data classification

  • Use of Azure built-in and third-party data protection capabilities

  • Data encryption requirements for in-transit and at-rest use cases

  • Appropriate cryptographic standards

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-2: Define enterprise segmentation strategy

Guidance: Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation against the need to keep systems that must communicate with each other and access data operating day to day.

Ensure that the segmentation strategy is implemented consistently across control types, including network security, identity and access models, application permission/access models, and human process controls.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-3: Define security posture management strategy

Guidance: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high-value assets and highly exposed attack surfaces, such as published applications, network ingress and egress points, and user and administrator endpoints.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-4: Align organization roles, responsibilities, and accountabilities

Guidance: Ensure you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-5: Define network security strategy

Guidance: Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Centralized network management and security responsibility

  • Virtual network segmentation model aligned with the enterprise segmentation strategy

  • Remediation strategy in different threat and attack scenarios

  • Internet edge and ingress and egress strategy

  • Hybrid cloud and on-premises interconnectivity strategy

  • Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-6: Define identity and privileged access strategy

Guidance: Establish an Azure identity and privileged access approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized identity and authentication system and its interconnectivity with other internal and external identity systems

  • Strong authentication methods in different use cases and conditions

  • Protection of highly privileged users

  • Monitoring and handling of anomalous user activity

  • User identity and access review and reconciliation process

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-7: Define logging and threat response strategy

Guidance: Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than on integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

  • The security operations (SecOps) organization's role and responsibilities

  • A well-defined incident response process aligned with NIST or another industry framework

  • Log capture and retention to support threat detection, incident response, and compliance needs

  • Centralized visibility into, and correlation of, information about threats, using SIEM, built-in Azure capabilities, and other sources

  • Communication and notification plan with your customers, suppliers, and public parties of interest

  • Use of Azure built-in and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication

  • Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

For more information, see the following references:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps