Tutorial: Improve your regulatory compliance

Azure Security Center helps streamline the process of meeting regulatory compliance requirements with its regulatory compliance dashboard.

Security Center continuously assesses your hybrid cloud environment and analyzes the risk factors according to the controls and best practices in the standards applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.

When you enable Security Center on an Azure subscription, the Azure Security Benchmark is automatically assigned to that subscription. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), with a focus on cloud-centric security.

The regulatory compliance dashboard shows the status of all the assessments within your environment for your chosen standards and regulations. As you act on the recommendations and reduce risk factors in your environment, your compliance posture improves.

In this tutorial, you'll learn how to:

  • Evaluate your regulatory compliance using the regulatory compliance dashboard
  • Improve your compliance posture by taking action on recommendations
  • Set up alerts on changes to your compliance posture

If you don't have an Azure subscription, create a trial account before you begin.

Prerequisites

To step through the features covered in this tutorial:

  • Azure Defender must be enabled. You can try Azure Defender for free for 30 days.
  • You must be signed in with an account that has Reader access to the policy compliance data (Security Reader is insufficient). The Global Reader role for the subscription will work. At a minimum, you'll need to have the Resource Policy Contributor and Security Admin roles assigned.

Assess your regulatory compliance

The regulatory compliance dashboard shows your selected compliance standards with all their requirements, where supported requirements are mapped to applicable security assessments. The status of these assessments reflects your compliance with the standard.

Use the regulatory compliance dashboard to help focus your attention on the gaps in compliance with your chosen standards and regulations. This focused view also lets you continuously monitor your compliance over time within dynamic cloud and hybrid environments.

  1. From Security Center's menu, select Regulatory compliance.

    At the top of the screen is a dashboard with an overview of your compliance status against the set of supported compliance regulations. You'll see your overall compliance score, and the number of passing vs. failing assessments associated with each standard.

    (Screenshot: Regulatory compliance dashboard)

  2. Select a tab for a compliance standard that is relevant to you (1). You'll see which subscriptions the standard is applied to (2), and the list of all controls for that standard (3). For the applicable controls, you can view the details of passing and failing assessments associated with that control (4), and the number of affected resources (5). Some controls are grayed out. These controls don't have any Security Center assessments associated with them. Check their requirements and assess them in your environment yourself; some of these might be process-related rather than technical.

    (Screenshot: Exploring the compliance details of a specific standard)

  3. To generate a PDF report with a summary of your current compliance status for a particular standard, select Download report.

    The report provides a high-level summary of your compliance status for the selected standard based on Security Center assessment data. The report is organized according to the controls of that particular standard. It can be shared with relevant stakeholders, and might provide evidence to internal and external auditors.

    (Screenshot: Downloading a compliance report)

Improve your compliance posture

Using the information in the regulatory compliance dashboard, improve your compliance posture by resolving recommendations directly within the dashboard.

  1. Select any of the failing assessments that appear in the dashboard to view the details for that recommendation. Each recommendation includes a set of remediation steps to resolve the issue.

  2. Select a particular resource to view more details and resolve the recommendation for that resource.
    For example, in the Azure Security Benchmark standard, select the recommendation "Disk encryption should be applied on virtual machines".

    (Screenshot: Selecting a recommendation from a standard leads directly to the recommendation details page)

  3. In this example, when you select Take action from the recommendation details page, you arrive in the Azure Virtual Machine pages of the Azure portal, where you can enable encryption from the Security tab:

    (Screenshot: The Take action button on the recommendation details page leads to the remediation options)

    For more information about how to apply recommendations, see Implementing security recommendations in Azure Security Center.

  4. After you take action to resolve recommendations, you'll see the result in the compliance dashboard report, because your compliance score improves.

    Note

    Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.

Export your compliance status data

You can export a PDF or CSV report of your compliance data directly from the regulatory compliance dashboard:

(Screenshot: Exporting regulatory compliance data as a PDF or CSV report)

Run workflow automations when there are changes to your compliance

Security Center's workflow automation feature can trigger Logic Apps whenever one of your regulatory compliance assessments changes state.

For example, you might want Security Center to email a specific user when a compliance assessment fails. You'll need to create the logic app first (using Azure Logic Apps) and then set up the trigger in a new workflow automation, as explained in Automate responses to Security Center triggers.

(Screenshot: Using changes to regulatory compliance assessments to trigger a workflow automation)
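The following Python example, added here and not part of the original tutorial, shows the "email when a compliance assessment fails" automation from the paragraph above as a Microsoft.Security/automations resource body, together with a local evaluator that applies the same rule set to two constructed sample assessment payloads, so the filter can be checked before anything is deployed. The subscription id, Logic App resource id and trigger URL are placeholders; the event source name `RegulatoryComplianceAssessment`, the JSON path `properties.state` and the AND-within-a-rule-set / OR-across-rule-sets evaluation are assumptions taken from the automations API shape rather than from this page, and should be verified against the API reference for the API version you deploy with.

```python
"""Workflow automation for failed regulatory compliance assessments (added example)."""
import json
from typing import Any, Dict, List

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription
LOGIC_APP_ID = (  # placeholder resource id of the Logic App you created first
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-compliance"
    "/providers/Microsoft.Logic/workflows/notify-compliance-failure"
)
LOGIC_APP_TRIGGER_URI = "https://example.invalid/workflows/PLACEHOLDER/triggers/manual/paths/invoke"  # placeholder


def build_automation(subscription_id: str, logic_app_id: str, trigger_uri: str,
                     location: str = "eastus") -> Dict[str, Any]:
    """Return the PUT body for a Microsoft.Security/automations resource (schema assumed)."""
    return {
        "location": location,
        "properties": {
            "description": "Email the compliance owner when a regulatory compliance assessment fails",
            "isEnabled": True,
            # Scope: the whole subscription the standard is applied to.
            "scopes": [{"description": "Whole subscription",
                        "scopePath": f"/subscriptions/{subscription_id}"}],
            # Source: state changes of regulatory compliance assessments, filtered to Failed.
            "sources": [{
                "eventSource": "RegulatoryComplianceAssessment",  # assumed enum value
                "ruleSets": [{"rules": [{
                    "propertyJPath": "properties.state",  # assumed path in the assessment payload
                    "propertyType": "String",
                    "expectedValue": "Failed",
                    "operator": "Equals",
                }]}],
            }],
            # Action: call the Logic App that sends the e-mail.
            "actions": [{"actionType": "LogicApp",
                         "logicAppResourceId": logic_app_id,
                         "uri": trigger_uri}],
        },
    }


def _lookup(obj: Any, jpath: str) -> Any:
    """Resolve a dotted path such as 'properties.state' inside a JSON object; None if absent."""
    for part in jpath.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


_OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "NotEquals": lambda actual, expected: actual != expected,
    "Contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
    "StartsWith": lambda actual, expected: isinstance(actual, str) and actual.startswith(expected),
    "EndsWith": lambda actual, expected: isinstance(actual, str) and actual.endswith(expected),
}


def event_matches(automation: Dict[str, Any], event_source: str, payload: Dict[str, Any]) -> bool:
    """Local re-implementation of the filter: rules inside one rule set are ANDed,
    rule sets are ORed, and a source without rule sets matches every event of its type
    (assumed semantics). Used here only to test the filter offline."""
    for source in automation["properties"]["sources"]:
        if source.get("eventSource") != event_source:
            continue
        rule_sets: List[Dict[str, Any]] = source.get("ruleSets") or []
        if not rule_sets:
            return True
        for rule_set in rule_sets:
            if all(_OPERATORS[rule["operator"]](_lookup(payload, rule["propertyJPath"]),
                                                rule["expectedValue"])
                   for rule in rule_set["rules"]):
                return True
    return False


# Constructed sample payloads (shape assumed from the regulatory compliance assessments
# API; not captured from any real tenant). Only the fields the rule reads matter.
FAILED_ASSESSMENT = {
    "name": "disk-encryption-on-vms",
    "properties": {"state": "Failed",
                   "description": "Disk encryption should be applied on virtual machines",
                   "passedResources": 17, "failedResources": 3},
}
PASSED_ASSESSMENT = {
    "name": "disk-encryption-on-vms",
    "properties": {**FAILED_ASSESSMENT["properties"],
                   "state": "Passed", "passedResources": 20, "failedResources": 0},
}

if __name__ == "__main__":
    automation = build_automation(SUBSCRIPTION_ID, LOGIC_APP_ID, LOGIC_APP_TRIGGER_URI)
    print(json.dumps(automation, indent=2))
    for label, payload in (("failed", FAILED_ASSESSMENT), ("passed", PASSED_ASSESSMENT)):
        fire = event_matches(automation, "RegulatoryComplianceAssessment", payload)
        print(f"{label} assessment -> {'trigger Logic App' if fire else 'ignore'}")
```

To deploy the generated body you would save it to a file and PUT it with the Azure CLI, for example `az rest --method put --url "https://management.azure.com/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Security/automations/<name>?api-version=<version>" --body @automation.json`, with the API version taken from the automations reference; the portal flow described in the paragraph above produces the same resource.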

FAQ - Regulatory compliance dashboard

What standards are supported in the compliance dashboard?

By default, the regulatory compliance dashboard shows you the Azure Security Benchmark. The Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices, based on common compliance frameworks. Learn more in the Azure Security Benchmark introduction.

To track your compliance with any other standard, you'll need to explicitly add that standard to your dashboard.

Why do some controls appear grayed out?

For each compliance standard in the dashboard, there's a list of the standard's controls. For the applicable controls, you can view the details of passing and failing assessments.

Some controls are grayed out. These controls don't have any Security Center assessments associated with them. Some may be procedure- or process-related, and therefore can't be verified by Security Center. Some don't have any automated policies or assessments implemented yet, but will in the future. And some controls may be the platform's responsibility, as explained in Shared responsibility in the cloud.

I made the suggested changes based on the recommendation, yet they aren't reflected in the dashboard

After you take action to resolve recommendations, wait 12 hours to see the changes to your compliance data. Assessments run approximately every 12 hours, so you will see the effect on your compliance data only after the assessments run.

What permissions do I need to access the compliance dashboard?

To view compliance data, you need at least Reader access to the policy compliance data as well; Security Reader alone won't suffice. If you're a Global Reader on the subscription, that will be enough too.

The minimum set of roles for accessing the dashboard and managing standards is Resource Policy Contributor and Security Admin.

The regulatory compliance dashboard isn't loading for me

To use the regulatory compliance dashboard, Azure Security Center must have Azure Defender enabled at the subscription level. If the dashboard isn't loading correctly, try the following steps:

  1. Clear your browser's cache.
  2. Try a different browser.
  3. Try opening the dashboard from a different network location.

How can I view a report of passing and failing controls per standard in my dashboard?

On the main dashboard, you can see a report of passing and failing controls for (1) the "top 4" lowest compliance standards in the dashboard. To see the passing/failing control status for all standards, select (2) Show all x (where x is the number of standards you're tracking). A context pane displays the compliance status for every one of your tracked standards.

(Screenshot: Summary section of the regulatory compliance dashboard)
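As an added example (not code from the original tutorial or from Security Center), the Python below reproduces the per-standard passing/failing control summary described in the "Assess your regulatory compliance" steps and the "top 4 lowest compliance standards" ranking from the FAQ answer above, working from the list of standards that the regulatory compliance standards API returns. The sample list is constructed and its numbers are made up; the field names (`passedControls`, `failedControls`, `skippedControls`, `unsupportedControls`, `state`) are assumed from the Microsoft.Security/regulatoryComplianceStandards API shape, the `az security regulatory-compliance-standards list` command used for live data is assumed from the Azure CLI security commands, and the pass-ratio used for ranking is this example's own metric, not Security Center's compliance score.

```python
"""Per-standard compliance summary and lowest-compliance ranking (added example)."""
import json
import subprocess
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of `az security regulatory-compliance-standards list -o json`
# (field names assumed from the regulatoryComplianceStandards API; values are invented).
SAMPLE_STANDARDS: List[Dict[str, Any]] = [
    {"name": "Azure-Security-Benchmark",
     "properties": {"state": "Failed", "passedControls": 28, "failedControls": 12,
                    "skippedControls": 3, "unsupportedControls": 0}},
    {"name": "PCI-DSS-3.2.1",
     "properties": {"state": "Failed", "passedControls": 10, "failedControls": 30,
                    "skippedControls": 5, "unsupportedControls": 2}},
    {"name": "ISO-27001",
     "properties": {"state": "Failed", "passedControls": 15, "failedControls": 15,
                    "skippedControls": 0, "unsupportedControls": 4}},
    {"name": "SOC-TSP",
     "properties": {"state": "Passed", "passedControls": 20, "failedControls": 0,
                    "skippedControls": 1, "unsupportedControls": 0}},
    # Edge case: a standard whose controls are all grayed out (nothing assessed yet).
    {"name": "Custom-Standard",
     "properties": {"state": "Unsupported", "passedControls": 0, "failedControls": 0,
                    "skippedControls": 0, "unsupportedControls": 9}},
]


def pass_ratio(props: Dict[str, Any]) -> Optional[float]:
    """Share of assessed controls that pass. Skipped and unsupported controls (the grayed-out
    ones) are excluded from the denominator. Returns None when nothing was assessed, so such
    a standard is never reported as one of the 'lowest' ones."""
    passed = int(props.get("passedControls", 0))
    failed = int(props.get("failedControls", 0))
    assessed = passed + failed
    return passed / assessed if assessed else None


def summarize(standards: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per standard, sorted from lowest to highest pass ratio; unassessed last."""
    rows = []
    for std in standards:
        props = std.get("properties", {})
        rows.append({
            "standard": std["name"],
            "state": props.get("state"),
            "passed": int(props.get("passedControls", 0)),
            "failed": int(props.get("failedControls", 0)),
            "not_assessed": int(props.get("skippedControls", 0)) + int(props.get("unsupportedControls", 0)),
            "pass_ratio": pass_ratio(props),
        })
    rows.sort(key=lambda r: (r["pass_ratio"] is None,
                             r["pass_ratio"] if r["pass_ratio"] is not None else 0.0))
    return rows


def lowest(standards: List[Dict[str, Any]], n: int = 4) -> List[str]:
    """Names of the n lowest-compliance standards, like the dashboard's 'top 4' summary."""
    return [r["standard"] for r in summarize(standards) if r["pass_ratio"] is not None][:n]


def fetch_standards() -> List[Dict[str, Any]]:
    """Pull live data with the Azure CLI (requires `az login` and the roles listed under
    Prerequisites). Command name assumed from the Azure CLI security command group."""
    result = subprocess.run(
        ["az", "security", "regulatory-compliance-standards", "list", "-o", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    for row in summarize(SAMPLE_STANDARDS):
        ratio = "n/a" if row["pass_ratio"] is None else f"{row['pass_ratio']:.0%}"
        print(f"{row['standard']:<26} {str(row['state']):<12} passed={row['passed']:<3} "
              f"failed={row['failed']:<3} not_assessed={row['not_assessed']:<3} pass_ratio={ratio}")
    print("lowest 4:", lowest(SAMPLE_STANDARDS))
```

Replace `SAMPLE_STANDARDS` with `fetch_standards()` to run it against a real subscription; the control counts in the result are the same ones the dashboard tabs show, and the ranking makes explicit what the "top 4" summary picks out.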

How can I download a report with compliance data in a format other than PDF?

When you select Download report, select the standard and the format (PDF or CSV). The resulting report reflects the current set of subscriptions you've selected in the portal's filter.

  • The PDF report shows a summary status for the standard you selected
  • The CSV report provides detailed results per resource, as they relate to the policies associated with each control

Currently, there's no support for downloading a report for a custom policy; only the supplied regulatory standards are supported.

What Azure Defender plans or licenses do I need to use the regulatory compliance dashboard?

If you have any of the Azure Defender packages enabled on any of your Azure resource types, you have access to the regulatory compliance dashboard, with all of its data, in Security Center.

Next steps

In this tutorial, you learned about using Security Center's regulatory compliance dashboard to:

  • View and monitor your compliance posture regarding the standards and regulations that are important to you.
  • Improve your compliance status by resolving relevant recommendations and watching the compliance score improve.

The regulatory compliance dashboard can greatly simplify the compliance process, and significantly cut the time required for gathering compliance evidence for your Azure, hybrid, and multi-cloud environments.

To learn more, see these related pages: