Azure security baseline for Azure Cognitive Search

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Cognitive Search. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Cognitive Search. Controls not applicable to Azure Cognitive Search, or to the customer, have been excluded.

To see how Azure Cognitive Search completely maps to the Azure Security Benchmark, see the full Azure Cognitive Search security baseline mapping file.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Ensure that all Microsoft Azure Virtual Network subnet deployments have a network security group applied with rules to implement a "least privileged" access scheme. Allow access only to your application's trusted ports and IP address ranges. Deploy Azure Cognitive Search with an Azure private endpoint, where feasible, to enable private access to your services from your virtual network.

Cognitive Search also supports additional network security functionality for managing network access control lists. Configure your search service to only allow communication with trusted sources by restricting access to requests from specific public IP address ranges using its firewall capability.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Cognitive Search cannot be deployed directly into a virtual network. However, if your client application or data sources are in a virtual network, you can monitor and log traffic for those in-network components, including requests sent to a search service in the cloud. Standard recommendations include enabling a network security group flow log and sending the logs to either Azure Storage or a Log Analytics workspace. You can optionally use Traffic Analytics for insights into traffic patterns.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable to Cognitive Search. This recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.5: Record network packets

Guidance: Enable network security group flow logs for the network security groups protecting the Azure Virtual Machines (VMs) that connect to your Cognitive Search service. Send the logs to an Azure Storage account for traffic auditing.

Enable Network Watcher packet capture if it is required for investigating anomalous activity.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Cognitive Search does not support network intrusion detection, but as an intrusion mitigation you can configure firewall rules that specify the IP addresses accepted by the Cognitive Search service. Configure a private endpoint to keep search traffic off the public internet.
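As an added example (not part of this baseline or of any Azure tooling), the following Python script pre-checks an IP allow-list of the kind described in 1.1 and 1.6 before it is applied to a search service's firewall: it rejects malformed or over-broad rules, flags rules nested inside other rules, and reports which required client addresses the list would lock out. The sample rules and client addresses are constructed, and the /16 width limit is an illustrative policy choice rather than a service limit.

```python
"""Pre-flight check for a search service IP firewall allow-list (controls 1.1
and 1.6). Added example; not from the baseline or from Azure tooling. It only
inspects the rules you intend to submit; applying them is a separate step.
Assumptions: rules are IPv4 addresses or CIDR ranges; MIN_PREFIX_LEN is an
illustrative policy threshold, not a service limit."""
import ipaddress

# Reject anything wider than this prefix: a /0 or /8 is "no firewall at all".
MIN_PREFIX_LEN = 16

# Constructed sample input. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, standing in for an organisation's public egress IPs.
PROPOSED_RULES = [
    "198.51.100.0/24",   # office egress range
    "198.51.100.16/28",  # already inside the /24 above: redundant
    "0.0.0.0/0",         # "temporary" rule that disables the firewall
    "203.0.113.7",       # single host, written without a prefix
]
REQUIRED_CLIENTS = ["198.51.100.20", "192.0.2.9"]  # addresses that must stay reachable


def parse_rules(rules):
    """Parse rule strings into networks. Returns (accepted_networks, problems);
    malformed or over-broad rules are reported and left out of the accepted list."""
    accepted, problems = [], []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            problems.append(f"{rule}: not a valid IP address or CIDR range")
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            problems.append(f"{rule}: prefix /{net.prefixlen} is wider than the /{MIN_PREFIX_LEN} limit")
            continue
        accepted.append(net)
    return accepted, problems


def is_allowed(networks, address):
    """True if the firewall would admit a request from this source address."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def validate_allow_list(rules, required_clients):
    """Return problems with the rule set and the required clients it would lock out."""
    networks, problems = parse_rules(rules)
    if len(set(networks)) != len(networks):
        problems.append("duplicate rules present")
    # A rule nested inside another rule adds nothing and hides the real intent.
    for net in networks:
        for other in networks:
            if net != other and net.version == other.version and net.subnet_of(other):
                problems.append(f"{net}: redundant, already covered by {other}")
    missing = [c for c in required_clients if not is_allowed(networks, c)]
    return {"problems": problems, "missing_clients": missing}


if __name__ == "__main__":
    report = validate_allow_list(PROPOSED_RULES, REQUIRED_CLIENTS)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    for client in report["missing_clients"]:
        print("LOCKED OUT:", client)
```

Run it before the change goes in; the report is what to attach to the change record. The check is deliberately local: the firewall itself is configured through the portal, CLI or REST API, which the script does not call.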

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable to Cognitive Search. This recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: If you use indexers and skillsets in Cognitive Search, use service tags to represent the range of IP addresses that are permitted to connect to external resources.

Allow or deny traffic to resources by specifying the service tag name (for example, AzureCognitiveSearch) in the appropriate source or destination field of a rule.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: By design, Cognitive Search does not have or depend on network resources. Client apps and data sources related to your search application might be on a virtual network, but the search service itself is not deployed in that network.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.10: Document traffic configuration rules

Guidance: You can configure Cognitive Search with an Azure private endpoint to integrate your search service with a virtual network. Use resource tags for network security groups and other resources related to network security and traffic flow. For individual network security group rules, use the "Description" field to document the rules that allow traffic to and from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You can use Azure PowerShell or Azure CLI to look up resources, or perform actions on them, based on their tags.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Cognitive Search does not have or depend on any networking components, so there are no such resource configurations to monitor.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Cognitive Search does not support configuring your own time synchronization sources. The search service relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: Ingest logs related to Cognitive Search via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term and archival storage. Alternatively, you can enable and onboard this data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Diagnostic and operational logs provide insight into the detailed operations of Cognitive Search and are useful for monitoring the service and the workloads that access it. To capture diagnostic data, enable logging by specifying where the logging information is stored.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Historical data that feeds into diagnostic metrics is preserved by Cognitive Search for 30 days by default. For longer retention, be sure to enable the setting that specifies a storage option for persisting logged events and metrics.

In Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term and archival storage.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor the logs from your Cognitive Search service for anomalous behavior. Use Azure Monitor's Log Analytics to review logs and run queries on log data. Alternatively, you can enable and onboard the data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Use Security Center with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events. Alternatively, you can enable and onboard the data to Azure Sentinel.
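The review in 2.6 and the alerting in 2.7 (and the endpoint-activity review in 3.10 and 3.11) need concrete detection logic. The following Python, an added example that is not from the baseline or from Azure Monitor, runs two detections over constructed diagnostic-log records in JSON-lines form: a sliding-window count of 401/403 responses per caller, and successful administrative operations from addresses outside an approved set. The field names and operation names are assumptions for the example, not the exact exported schema, so map them to your own diagnostic export; in production the same logic belongs in a Log Analytics query or a SIEM rule.

```python
"""Detections over Cognitive Search diagnostic log records (controls 2.6/2.7,
also the endpoint review in 3.10/3.11). Added example; not from the baseline
or from Azure Monitor. The records below are constructed, and the field names
(time, operationName, resultSignature, durationMs, callerIp, indexName) are
assumptions for this example rather than the exact exported schema; map them
to your export before use."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one well-behaved client, one caller repeatedly rejected
# with 403 (bad or revoked key), and an index deletion from an unexpected source.
SAMPLE_LOG = """\
{"time":"2021-03-01T10:00:01+00:00","operationName":"Query.Search","resultSignature":200,"durationMs":35,"callerIp":"198.51.100.20","indexName":"products"}
{"time":"2021-03-01T10:00:05+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":2,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:06+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":2,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:07+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":1,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:08+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":2,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:09+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":2,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:10+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":1,"callerIp":"203.0.113.7","indexName":"products"}
{"time":"2021-03-01T10:00:30+00:00","operationName":"Indexes.Delete","resultSignature":204,"durationMs":120,"callerIp":"198.51.100.99","indexName":"products-old"}
{"time":"2021-03-01T10:00:31+00:00","operationName":"Query.Search","resultSignature":200,"durationMs":41,"callerIp":"198.51.100.20","indexName":"products"}
{"time":"2021-03-01T10:00:40+00:00","operationName":"Query.Search","resultSignature":403,"durationMs":2,"callerIp":"198.51.100.20","indexName":"products"}
"""

# Operation-name prefixes treated as administrative (assumption for this example).
ADMIN_OPERATION_PREFIXES = ("Indexes.", "Indexers.", "DataSources.", "Skillsets.")


def parse_log(text):
    """Parse JSON-lines records and sort them by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def auth_failure_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Callers with >= threshold 401/403 responses inside one sliding window.
    Returns {callerIp: peak count in window}. A single 403 is noise; a burst
    suggests a revoked key still in use or someone probing for a valid one."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in records:
        if rec["resultSignature"] not in (401, 403):
            continue
        times = recent[rec["callerIp"]]
        times.append(rec["time"])
        while times and rec["time"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            flagged[rec["callerIp"]] = max(flagged.get(rec["callerIp"], 0), len(times))
    return flagged


def unexpected_admin_operations(records, approved_admin_ips):
    """Successful administrative operations from addresses outside the approved set."""
    return [
        rec for rec in records
        if rec["operationName"].startswith(ADMIN_OPERATION_PREFIXES)
        and 200 <= rec["resultSignature"] < 300
        and rec["callerIp"] not in approved_admin_ips
    ]


def run_detections(text, approved_admin_ips):
    """Run both detections and return a JSON-serialisable summary."""
    records = parse_log(text)
    return {
        "auth_failure_bursts": auth_failure_bursts(records),
        "unexpected_admin": [(r["time"].isoformat(), r["operationName"], r["callerIp"])
                             for r in unexpected_admin_operations(records, approved_admin_ips)],
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_LOG, {"198.51.100.20"}), indent=2))
```

The thresholds (five failures in sixty seconds) are a starting point; tune them against a week of your own logs before wiring the output to an alert, and keep the approved administrative address set in configuration rather than in code.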

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable to Cognitive Search. Microsoft manages the anti-malware solution for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable to Cognitive Search. It does not produce or consume DNS logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable to Cognitive Search. Command-line auditing is not available for Cognitive Search.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

Cognitive Search roles are associated with permissions that support service-level management tasks. These roles do not grant access to the service endpoint. Operations against the endpoint (such as index management, index population, and queries on search data) use API keys to authenticate the request.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Not applicable to Cognitive Search. It does not have a concept of default passwords.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

3.3: Use dedicated administrative accounts

Guidance: Cognitive Search does not have the concept of any local-level or Azure Active Directory (Azure AD) administrator accounts that can be used to manage indexes and operations.

Use the Azure AD built-in roles, which must be explicitly assigned, for management operations. Invoke the Azure AD PowerShell module to perform ad-hoc queries that discover accounts that are members of administrative groups.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Use SSO authentication with Azure Active Directory (Azure AD) to access search service information for the management operations supported through Azure Resource Manager.

Establish a process to reduce the number of identities and credentials by enabling SSO for the service with your organization's pre-existing identities.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) and follow the Security Center Identity and Access recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a Privileged Access Workstation (PAW) with Multi-Factor Authentication (MFA) configured to log into and access Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) security reports and monitoring to detect when suspicious or unsafe activity occurs in the environment. Use Security Center to monitor identity and access activity.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources only from approved locations

Guidance: Not applicable to Cognitive Search. It does not support using approved locations as a condition for access.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for service-level management tasks in Azure Cognitive Search. Azure AD identities do not grant access to the search service endpoint. Access to operations such as index management, index population, and queries on search data is provided via API keys.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. Use Azure AD identity and access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Review user access on a regular basis to make sure that only the right users have continued access.

Review the diagnostic logs from Cognitive Search for activity against the search service endpoint, such as index management, index population, and queries.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: Access to the Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources allows you to integrate with any SIEM or monitoring tool.

Streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. Configure the desired alerts within the Log Analytics workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not applicable to Cognitive Search. Customer Lockbox does not support Cognitive Search.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by virtual network/subnet, tagged appropriately, and secured within a network security group or Azure Firewall. Resources storing or processing sensitive data should be isolated. Use Private Link to configure a private endpoint to Cognitive Search.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Use a third-party solution from Azure Marketplace at network perimeters to monitor for unauthorized transfer of sensitive information and block such transfers while alerting information security professionals.

Microsoft manages the underlying platform and treats all customer content as sensitive, guarding against customer data loss and exposure. To ensure that customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: Cognitive Search encrypts data in transit with Transport Layer Security 1.2 and enforces encryption (SSL/TLS) at all times for all connections. This ensures that all data is encrypted "in transit" between the client and the service.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Cognitive Search. Implement a third-party solution if necessary for compliance purposes.

Microsoft manages the underlying platform and treats all customer content as sensitive, guarding against customer data loss and exposure. To ensure that customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.6: Use Azure RBAC to manage access to resources

Guidance: For service administration, use Azure role-based access control (Azure RBAC) to manage access to keys and configuration. For content operations, such as indexing and queries, Cognitive Search uses keys instead of an identity-based access control model. Use Azure RBAC to control access to the keys.
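Controls 3.1, 3.9 and 4.6 draw one line that is easy to blur in application code: Azure RBAC governs who can read or regenerate keys, while the keys themselves authenticate every request to the endpoint. The Python below is an added example, not from the baseline or the Azure SDK, showing one way to keep that separation in a client: each operation is mapped to the least-privileged key class it needs, a client-facing context is never handed the admin key, and the request is redacted before logging. The search.windows.net host, the api-key header, the api-version parameter and the REST paths are the public REST surface; the service name, key values, environment variable names and the operation table are placeholders and assumptions.

```python
"""Least-privilege use of Cognitive Search API keys (controls 3.1, 3.9, 4.6).
Added example, not from the baseline or the Azure SDK. The host suffix
(search.windows.net), the api-key header, the api-version parameter and the
REST paths are the documented REST surface; the service name, key values,
environment variable names and the OPERATIONS table are assumptions."""
import os
from urllib.parse import quote

API_VERSION = "2020-06-30"

# operation -> (HTTP method, path template, key class needed).
# Query keys can only read documents; admin keys can change indexes and content.
OPERATIONS = {
    "search":           ("POST",   "/indexes/{index}/docs/search",       "query"),
    "suggest":          ("POST",   "/indexes/{index}/docs/suggest",      "query"),
    "autocomplete":     ("POST",   "/indexes/{index}/docs/autocomplete", "query"),
    "list_indexes":     ("GET",    "/indexes",                           "admin"),
    "create_index":     ("PUT",    "/indexes/{index}",                   "admin"),
    "delete_index":     ("DELETE", "/indexes/{index}",                   "admin"),
    "upload_documents": ("POST",   "/indexes/{index}/docs/index",        "admin"),
}


class KeyPolicyError(Exception):
    """Raised when a request would use a more powerful key than the operation needs."""


def choose_key(operation, query_key=None, admin_key=None, trusted_context=False):
    """Pick the least-privileged key for the operation.
    trusted_context=False models a client-facing process that must never hold the admin key."""
    if operation not in OPERATIONS:
        raise KeyPolicyError(f"unknown operation: {operation}")
    needed = OPERATIONS[operation][2]
    if needed == "query":
        if query_key is None:
            # Never fall back to the admin key just because it happens to be available.
            raise KeyPolicyError(f"{operation} needs a query key; the admin key is not a substitute")
        return query_key
    if not trusted_context:
        raise KeyPolicyError(f"{operation} needs the admin key, which untrusted contexts must not hold")
    if admin_key is None:
        raise KeyPolicyError(f"{operation} needs the admin key")
    return admin_key


def build_request(service, operation, index=None, **key_args):
    """Assemble method, URL and headers for a REST call without sending it."""
    key = choose_key(operation, **key_args)
    method, template, _ = OPERATIONS[operation]
    if "{index}" in template and index is None:
        raise ValueError(f"{operation} requires an index name")
    path = template.format(index=quote(index or "", safe=""))
    return {
        "method": method,
        "url": f"https://{service}.search.windows.net{path}?api-version={API_VERSION}",
        "headers": {"api-key": key, "Content-Type": "application/json"},
    }


def redact(request):
    """Copy of a request that is safe to write to logs: the key never leaves the process."""
    safe = {**request, "headers": dict(request["headers"])}
    if "api-key" in safe["headers"]:
        safe["headers"]["api-key"] = "***"
    return safe


def keys_from_environment():
    """Read keys from the environment instead of source code (variable names are assumptions)."""
    return {"query_key": os.environ.get("SEARCH_QUERY_KEY"),
            "admin_key": os.environ.get("SEARCH_ADMIN_KEY")}


if __name__ == "__main__":
    keys = keys_from_environment()
    # Client-side search: only the query key is ever presented to the endpoint.
    req = build_request("my-search-service", "search", "products",
                        query_key=keys["query_key"] or "<query-key-placeholder>")
    print(redact(req))
```

The table is the policy: a new operation cannot be called until someone decides which key class it needs, and a query-only process raises rather than silently escalating to the admin key. Who may read or regenerate those keys is still decided by Azure RBAC on the search service resource, as 4.6 states.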

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

4.7:使用基于主机的数据丢失防护来强制实施访问控制4.7: Use host-based data loss prevention to enforce access control

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此项指导适用于计算资源。This guideline is intended for compute resources.

Microsoft 会管理认知搜索的底层基础结构,并实施严格的控制措施来防止客户数据丢失或泄露。Microsoft manages the underlying infrastructure for Cognitive Search and has implemented strict controls to prevent the loss or exposure of customer data.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:MicrosoftResponsibility: Microsoft

4.8:静态加密敏感信息4.8: Encrypt sensitive information at rest

指导:认知搜索会自动使用 Microsoft 管理的密钥对已编制索引的内容进行静态加密。Guidance: Cognitive Search automatically encrypts indexed content at rest with Microsoft-managed keys. 如果需要更多保护,可以使用在 Azure Key Vault 中创建和管理的密钥,用第二个加密层来补充默认加密。If more protection is needed, you can supplement default encryption with a second encryption layer using keys that you create and manage in Azure Key Vault.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:共享Responsibility: Shared

4.9:记录对关键 Azure 资源的更改并对此类更改发出警报4.9: Log and alert on changes to critical Azure resources

指导:将 Azure Monitor 与 Azure 活动日志结合使用,以创建在认知搜索的生产实例和其他关键资源或相关资源发生更改时发出的警报。Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Cognitive Search and other critical or related resources.

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

漏洞管理Vulnerability management

有关详细信息,请参阅 Azure 安全基线: 漏洞管理For more information, see the Azure Security Benchmark: Vulnerability management.

5.1:运行自动漏洞扫描工具5.1: Run automated vulnerability scanning tools

指导:当前不可用于认知搜索。Guidance: Currently not available to Cognitive Search. 对于存储搜索服务内容的群集,Microsoft 负责这些群集的漏洞管理。For clusters that store search service content, Microsoft is responsible for vulnerability management of those clusters.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:MicrosoftResponsibility: Microsoft

5.2:部署自动操作系统修补管理解决方案5.2: Deploy automated operating system patch management solution

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此建议适用于计算资源。This recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

5.3:为第三方软件部署自动化补丁管理解决方案5.3: Deploy an automated patch management solution for third-party software titles

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此建议适用于计算资源。This recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

5.4:比较连续进行的漏洞扫描5.4: Compare back-to-back vulnerability scans

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. Microsoft 对支持认知搜索服务的基础系统执行漏洞管理。Microsoft performs vulnerability management on the underlying systems that support Cognitive Search services.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:MicrosoftResponsibility: Microsoft

5.5:使用风险评级过程来确定已发现漏洞的修正措施的优先级5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 对于漏洞扫描结果,没有现成的标准风险评级或评分系统。It does not have any standard risk-rating or scoring system in place for vulnerability scan results.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

库存和资产管理Inventory and asset management

有关详细信息,请参阅 Azure 安全基线: 清单和资产管理For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1:使用自动化资产发现解决方案6.1: Use automated asset discovery solution

指导:使用 Azure Resource Graph 来查询和发现订阅中的所有资源(例如计算、存储、网络、端口、协议等)。Guidance: Use Azure Resource Graph to query for and discover all resources (such as compute, storage, network, ports, protocols, and so on) in your subscriptions.

确保租户中具有适当的(读取)权限,并枚举所有 Azure 订阅以及订阅中的资源。Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources in your subscriptions.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.2:维护资产元数据6.2: Maintain asset metadata

指导:将标记应用到 Azure资源,以便有条理地将元数据组织成某种分类。Guidance: Apply tags to Azure resources with metadata to logically organize them into a taxonomy.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.3:删除未经授权的 Azure 资源6.3: Delete unauthorized Azure resources

指导:在适用的情况下,请使用标记、管理组和单独的订阅来组织和跟踪资产。Guidance: Use tagging, management groups, and separate subscriptions where appropriate, to organize and track assets. 定期核对清单,确保及时地从订阅中删除未经授权的资源。Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.4:定义并维护已批准 Azure 资源的清单6.4: Define and maintain an inventory of approved Azure resources

指导:定义与认知搜索中的索引编制和技能组合处理相关的经批准 Azure 资源的列表。Guidance: Define a list of approved Azure resources related to indexing and skillset processing in Cognitive Search.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.5:监视未批准的 Azure 资源6.5: Monitor for unapproved Azure resources

指导:建议先定义已根据你的组织策略和标准批准使用的 Azure 资源的清单,然后使用 Azure Policy 或 Azure Resource Graph 来监视未批准的 Azure 资源。Guidance: It is recommended that you define an inventory of Azure resources which have been approved for usage as per your organizational policies and standards prior, then monitor for unapproved Azure resources with Azure Policy, or Azure Resource Graph.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

6.6:监视计算资源中未批准的软件应用程序6.6: Monitor for unapproved software applications within compute resources

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此项指导适用于计算资源。This guidance is intended for compute resources.

建议保留根据组织策略和安全标准视为已批准的软件应用程序的清单,并监视 Azure 计算资源上安装的任何未经批准的软件产品。It is recommended that you have an inventory of software applications which have been deemed approved as per your organizational policies and security standards, and monitor for any unapproved software titles installed on your Azure compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.7:删除未批准的 Azure 资源和软件应用程序6.7: Remove unapproved Azure resources and software applications

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此建议适用于计算资源。This recommendation is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.8:仅使用已批准的应用程序6.8: Use only approved applications

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 它不会公开任何计算资源,也不允许在其任何资源上安装软件应用程序。It does not expose any compute resources or allows installation of software applications on any of its resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.9:仅使用已批准的 Azure 服务6.9: Use only approved Azure services

指导:使用以下内置策略定义,通过 Azure Policy 对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to place restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • 不允许的资源类型Not allowed resource types
  • 允许的资源类型Allowed resource types

使用 Azure Resource Graph 查询或发现订阅中的资源。Use Azure Resource Graph to query or discover resources within your subscription(s). 确保环境中的所有 Azure 资源均已获得批准。Ensure that all Azure resources present in the environment are approved.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.10:维护已获批软件的清单6.10: Maintain an inventory of approved software titles

指导:不适用于认知搜索。Guidance: Not applicable to Cognitive Search. 此建议适用于在计算资源上运行的应用程序。This recommendation is intended for applications running on compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:不适用Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: For service management, use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Separately, restrict access to the API keys (admin and query keys) that authenticate requests for all other operations, in particular content operations against Cognitive Search such as indexing and querying.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.12: Limit users' ability to execute scripts in compute resources

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high risk applications

Guidance: Not applicable to Cognitive Search. This recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.Search" namespace to create custom policies that audit or enforce the configuration of your Azure Cognitive Search resources. You may also use built-in Azure Policy definitions for Cognitive Search services, such as:

  • Enable audit logging for Azure resources

Azure Resource Manager can export the template of a deployed resource in JavaScript Object Notation (JSON); review the exported template to confirm that the configuration meets your organization's security requirements.

You can also use the recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Cognitive Search service resources.

Azure Resource Manager templates can also be used to maintain the security configuration of the Azure resources your organization requires.
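The two policy patterns the baseline relies on, the built-in "Allowed resource types" definition from control 6.9 and a custom alias-based rule with a deny effect from controls 7.1 and 7.3, can be exercised offline before they are assigned. What follows is an added example, not Microsoft's code or a file from the Azure docs: a small evaluator for the subset of the Azure Policy rule language those two rules use, run against constructed resource documents. It assumes that the alias `Microsoft.Search/searchServices/publicNetworkAccess` exists under that name (verify with `az provider show --namespace Microsoft.Search --expand resourceTypes/aliases`) and that string comparisons are case-insensitive, as they are in Azure Policy; the resource names and the allow-list are constructed sample data.

```python
"""Offline evaluator for Azure Policy-style rules, applied to resource documents."""
import re

# Assumption: this alias matches the real Microsoft.Search alias; list the real ones with
#   az provider show --namespace Microsoft.Search --expand resourceTypes/aliases
SEARCH_TYPE = "Microsoft.Search/searchServices"
ALIAS_PUBLIC_ACCESS = "Microsoft.Search/searchServices/publicNetworkAccess"

# Control 6.9: the "Allowed resource types" pattern, parameterised with the allow-list.
ALLOWED_TYPES_POLICY = {
    "parameters": {"listOfResourceTypesAllowed": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
        "then": {"effect": "deny"},
    },
}

# Controls 7.1/7.3: custom rule on a Microsoft.Search alias with a deny effect, so a search
# service reachable from any public address can neither be created nor updated.
SEARCH_NO_PUBLIC_POLICY = {
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": SEARCH_TYPE},
            {"field": ALIAS_PUBLIC_ACCESS, "notEquals": "disabled"},
        ]},
        "then": {"effect": "deny"},
    },
}

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _resolve(value, params):
    """Expand a [parameters('name')] reference; any other value passes through."""
    if isinstance(value, str):
        m = _PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value

def _field(resource, name):
    """Resolve a field name or alias against a resource document.

    type/name/location/tags map to the top level. An alias <resource type>/<dotted.path>
    resolves under "properties", and only for a resource of that type; for any other
    resource it is undefined (None), exactly as an alias of a foreign type would be.
    """
    if name in ("type", "name", "location", "tags"):
        return resource.get(name)
    prefix = resource.get("type", "") + "/"
    if not name.lower().startswith(prefix.lower()):
        return None
    node = resource.get("properties", {})
    for part in name[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _norm(value):
    # Azure Policy compares strings case-insensitively; mirror that.
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource, params):
    """True when the condition holds for the resource (supported subset only)."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params=None):
    """Return the effect the rule produces for the resource, or None if it does not fire."""
    rule = policy["policyRule"]
    if matches(rule["if"], resource, params or {}):
        return rule["then"]["effect"].lower()
    return None

# Constructed resource documents, shaped like what ARM or Resource Graph returns.
PUBLIC_SEARCH = {"type": SEARCH_TYPE, "name": "srch-public",
                 "properties": {"publicNetworkAccess": "Enabled"}}
PRIVATE_SEARCH = {"type": SEARCH_TYPE, "name": "srch-private",
                  "properties": {"publicNetworkAccess": "Disabled"}}
ROGUE_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm-unapproved", "properties": {}}
ALLOWED = {"listOfResourceTypesAllowed": [SEARCH_TYPE, "Microsoft.Storage/storageAccounts"]}

def report(resources):
    """Apply both rules to each resource; map resource name to the effects that fired."""
    out = {}
    for r in resources:
        effects = [evaluate(ALLOWED_TYPES_POLICY, r, ALLOWED), evaluate(SEARCH_NO_PUBLIC_POLICY, r)]
        out[r["name"]] = [e for e in effects if e]
    return out

if __name__ == "__main__":
    for name, effects in report([PUBLIC_SEARCH, PRIVATE_SEARCH, ROGUE_VM]).items():
        print(f"{name}: {effects or ['compliant']}")
```

To ship the rule rather than the evaluator, save the `policyRule` and `parameters` objects as JSON files and register them with `az policy definition create --name <name> --rules <rule.json> --params <params.json> --mode Indexed`, then assign the definition at the management group or subscription scope. Keep those JSON files in the repository described under 7.5 so that changes to an enforcing (deny) policy go through review and can be rolled back.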

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: If you use custom Azure Policy definitions, store and manage their code securely in Azure DevOps or Azure Repos.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for your Cognitive Search service resources using Azure Policy.

Use aliases to create custom policies that audit or enforce network configurations. You can also make use of the built-in policy definitions related to your specific resources.

Additionally, you can use Azure Automation to deploy configuration changes and manage policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy configuration management tools for operating systems

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Security Center to perform baseline scans of your Cognitive Search service resources. Additionally, use Azure Policy to alert on and audit your resource configurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: Use Azure Managed Identities in conjunction with Azure Key Vault to simplify secret management for your cloud applications.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Use an Azure Managed Identity, an automatically managed identity in Azure Active Directory (Azure AD), to give Cognitive Search access to other Azure services such as Key Vault and indexer data sources. A managed identity lets the service authenticate to any service that supports Azure AD authentication, including Azure Key Vault, without any credentials in your code or configuration.
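To make the difference concrete, here is an added example (not Microsoft's code or any page of the docs) of the indexer data source mentioned above. It builds a blob data source definition in the two forms, one carrying the storage account key and one naming the storage account by ARM resource ID so that the search service's system-assigned managed identity is used, and it scans any definition for embedded credentials before the definition is committed to source control. The `ResourceId=` connection-string form, the `azureblob` type name and the `Storage Blob Data Reader` role the identity needs are stated as assumptions taken from the data source REST API; the subscription, resource group, storage account and key values are placeholders.

```python
"""Build a Cognitive Search blob data source that authenticates with the search
service's managed identity, and scan definitions for embedded secrets."""
import re

# Credential markers inside connection strings (assumption: the common ones), with the
# value that follows them, so the same pattern serves detection and redaction.
SECRET_VALUE = re.compile(r"\b(AccountKey|SharedAccessSignature|Password|Pwd)=[^;]*", re.IGNORECASE)

def blob_data_source_with_identity(name, storage_account_resource_id, container):
    """Data source definition that names the storage account by ARM resource ID.

    Assumption: the "ResourceId=<id>;" connection-string form selects the search
    service's system-assigned managed identity, as the data source REST API documents.
    The identity needs the Storage Blob Data Reader role on the account; no key
    travels with the definition.
    """
    return {
        "name": name,
        "type": "azureblob",
        "credentials": {"connectionString": f"ResourceId={storage_account_resource_id};"},
        "container": {"name": container},
    }

def blob_data_source_with_key(name, account, account_key, container):
    """The form to avoid: the storage account key is part of the definition."""
    conn = (f"DefaultEndpointsProtocol=https;AccountName={account};"
            f"AccountKey={account_key};EndpointSuffix=core.windows.net")
    return {
        "name": name,
        "type": "azureblob",
        "credentials": {"connectionString": conn},
        "container": {"name": container},
    }

def find_embedded_secrets(definition, path=""):
    """Walk a definition and return the JSON paths of string values that carry a secret."""
    hits = []
    if isinstance(definition, dict):
        for key, value in definition.items():
            hits += find_embedded_secrets(value, f"{path}.{key}" if path else key)
    elif isinstance(definition, list):
        for i, value in enumerate(definition):
            hits += find_embedded_secrets(value, f"{path}[{i}]")
    elif isinstance(definition, str) and SECRET_VALUE.search(definition):
        hits.append(path)
    return hits

def redact(definition):
    """Copy of the definition with secret values replaced, safe to log or commit."""
    if isinstance(definition, dict):
        return {k: redact(v) for k, v in definition.items()}
    if isinstance(definition, list):
        return [redact(v) for v in definition]
    if isinstance(definition, str):
        return SECRET_VALUE.sub(r"\1=<redacted>", definition)
    return definition

# Constructed placeholder values, not real identifiers.
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-search"
              "/providers/Microsoft.Storage/storageAccounts/stsearchdata")

def compare():
    """Return (hits in the identity-based definition, hits in the key-based definition)."""
    hardened = blob_data_source_with_identity("ds-docs", STORAGE_ID, "docs")
    weak = blob_data_source_with_key("ds-docs", "stsearchdata", "FAKEKEY0000==", "docs")
    return find_embedded_secrets(hardened), find_embedded_secrets(weak)

if __name__ == "__main__":
    hardened_hits, weak_hits = compare()
    print("identity-based definition, secrets found:", hardened_hits)
    print("key-based definition, secrets found:", weak_hits)
```

Run `find_embedded_secrets` as a pre-commit check over every index, indexer, data source and skillset definition kept in the repository described under 7.5; the identity-based definition passes because the only thing it names is a resource ID, which is not a secret. Note that the same definition also has to work at runtime: the search service's managed identity must be enabled and granted the data-plane role on the storage account, otherwise the indexer fails with an authorization error rather than falling back to a key.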

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Not applicable to Cognitive Search. It does not host customer code and has no credentials for a credential scanner to identify.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Malware defense

For more information, see the Azure Security Benchmark: Malware defense.

8.1: Use centrally managed antimalware software

Guidance: Not applicable to Cognitive Search. This recommendation is intended for compute resources.

Microsoft anti-malware is enabled on the underlying hosts that support Azure services (for example, Azure Cognitive Search); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Pre-scan any content being uploaded to non-compute Azure resources, such as Cognitive Search, Blob Storage, Azure SQL Database, and so on.

It is your responsibility to pre-scan any content being uploaded to non-compute Azure resources. Microsoft cannot access customer data and therefore cannot conduct anti-malware scans of customer content on your behalf.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure antimalware software and signatures are updated

Guidance: Not applicable to Cognitive Search. It does not allow anti-malware solutions to be installed on its resources. For the underlying platform, Microsoft handles updating anti-malware software and signatures.

For any compute resources owned by your organization and used in your search solution, follow the recommendations in Security Center under Compute & Apps to ensure all endpoints are up to date with the latest signatures. For Linux, use a third-party anti-malware solution.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Data recovery

For more information, see the Azure Security Benchmark: Data recovery.

9.1: Ensure regular automated backups

Guidance: Content stored in a search service cannot be backed up through Azure Backup or any other built-in mechanism. You can, however, rebuild an index from application source code and the primary data sources, or build a custom tool that retrieves and stores the indexed content.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Cognitive Search currently does not support automated backup of the data in a search service; it must be backed up through a manual process. You can also back up customer-managed keys in Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Cognitive Search currently does not support automated backup of the data in a search service; it must be backed up and restored through a manual process. Periodically restore the content you have backed up manually to verify the end-to-end integrity of your backup process.
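Because the service has no built-in backup, the custom export tool described under 9.1 and the periodic restore drill required under 9.3 can be one script. The following is an added example, not Microsoft's code: it exports an index by paging on the key field (so it is not stopped by the `$skip` ceiling that offset paging hits on large indexes), strips the `@search.*` metadata from each document, rebuilds `mergeOrUpload` batches for the index API, and proves the round trip offline against a constructed in-memory stand-in for the service. Assumptions: the REST search and index request shapes used here match the GA API; the key field is `filterable` and `sortable`, which key-based paging needs; `API_VERSION`, the endpoint, the index name and the sample documents are placeholders.

```python
"""Export every document from a Cognitive Search index and rebuild upload batches
for restore, paging by key rather than by $skip."""
import json
import re
import urllib.request

API_VERSION = "2020-06-30"  # assumption: set to the REST API version your service accepts

def http_transport(api_key):
    """Return post(url, body) that calls the live service with an admin or query key."""
    def post(url, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json", "api-key": api_key})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post

def _odata_quote(text):
    """Quote a string for an OData $filter; a literal ' is doubled."""
    return "'" + text.replace("'", "''") + "'"

def export_index(post, endpoint, index, key_field, page_size=1000):
    """Yield every document in key order, without @search.* metadata.

    Each page asks for keys greater than the last key seen, so the walk never
    depends on $skip (capped at 100,000 by the service); page_size is capped at 1000.
    """
    url = f"{endpoint}/indexes/{index}/docs/search?api-version={API_VERSION}"
    last = None
    while True:
        body = {"search": "*", "top": page_size, "orderby": f"{key_field} asc"}
        if last is not None:
            body["filter"] = f"{key_field} gt {_odata_quote(last)}"
        page = post(url, body).get("value", [])
        if not page:
            return
        for doc in page:
            yield {k: v for k, v in doc.items() if not k.startswith("@")}
        last = page[-1][key_field]
        if len(page) < page_size:
            return

def restore_batches(docs, batch_size=1000):
    """Group documents into index-API request bodies using mergeOrUpload, which is idempotent."""
    batch = []
    for doc in docs:
        batch.append({"@search.action": "mergeOrUpload", **doc})
        if len(batch) == batch_size:
            yield {"value": batch}
            batch = []
    if batch:
        yield {"value": batch}

class FakeSearchService:
    """Constructed in-memory stand-in for the search endpoint so the tool runs offline."""
    _FILTER = re.compile(r"^(\w+) gt '((?:[^']|'')*)'$")

    def __init__(self, key_field, docs):
        self.key, self.docs = key_field, sorted(docs, key=lambda d: d[key_field])

    def post(self, url, body):
        after = None
        if "filter" in body:
            after = self._FILTER.match(body["filter"]).group(2).replace("''", "'")
        rows = [d for d in self.docs if after is None or d[self.key] > after]
        return {"value": [{"@search.score": 1.0, **d} for d in rows[: body["top"]]]}

SAMPLE_DOCS = [  # constructed sample index content; one key contains a quote on purpose
    {"hotelId": "1", "name": "Alpha"}, {"hotelId": "2", "name": "Beta"},
    {"hotelId": "3'x", "name": "Quote in key"}, {"hotelId": "4", "name": "Delta"},
    {"hotelId": "5", "name": "Epsilon"},
]

def roundtrip(docs, page_size=2, batch_size=2):
    """Export from the fake service and rebuild restore batches; returns (exported, batches)."""
    svc = FakeSearchService("hotelId", docs)
    exported = list(export_index(svc.post, "https://example.search.windows.net",
                                 "hotels", "hotelId", page_size))
    return exported, list(restore_batches(exported, batch_size))

if __name__ == "__main__":
    exported, batches = roundtrip(SAMPLE_DOCS)
    print(len(exported), "documents exported in", len(batches), "restore batches")
```

Against a real service, replace `svc.post` with `http_transport(key)` and write each exported document as one line of JSON to versioned, soft-delete-protected storage (see 9.4). Only fields marked `retrievable` come back from a search request, so non-retrievable fields cannot be recovered this way and must be rebuilt from the primary data source, as 9.1 says. For the validation 9.3 asks for, restore the batches into a scratch index with the same schema and compare document counts and a sample of documents against the export before trusting the backup.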

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Cognitive Search currently does not support automated backup of the data in a search service; it must be backed up through a manual process. You can also back up customer-managed keys in Azure Key Vault.

Enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store manual backups, enable soft delete so that data can be recovered when blobs or blob snapshots are deleted.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as its confidence that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Microsoft uses your security incident contact information to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Security Center alerts and recommendations using the Continuous Export feature. Continuous Export lets you export alerts and recommendations either manually or on a continuous basis. You can use the Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations through Logic Apps.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests do not violate Microsoft policies. Microsoft's own Red Teaming and live site penetration testing cover the Microsoft-managed cloud infrastructure, services, and applications; the search solution you build on top of them is yours to test.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps