Azure security benchmark introduction

New services and features are released in Azure daily, developers rapidly publish new cloud applications built on those services, and attackers are always seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers are always on the move. How do you keep up and make sure that your cloud deployments are secure? How do security practices for cloud systems differ from those for on-premises systems? How do you monitor for consistency across many independent development teams?

Microsoft has found that using security benchmarks helps you secure cloud deployments quickly. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to reduce risk to your organization quickly.

The Azure Security Benchmark is a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

  • Security controls: These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies the stakeholders who are typically involved in planning, approving, or implementing it.
  • Service baselines: These apply the controls to individual Azure services and give recommendations for that service's security configuration.

Implement the Azure Security Benchmark

  • Plan your Azure Security Benchmark implementation by reviewing the documentation for the enterprise controls and the service-specific baselines, then plan your control framework and how it maps to guidance such as CIS Controls v7.1 and NIST SP 800-53.
  • Monitor your compliance with the Azure Security Benchmark (and other control sets) using the Azure Security Center regulatory compliance dashboard.
  • Establish guardrails that automate secure configurations and enforce compliance with the Azure Security Benchmark (and other requirements in your organization) with Azure Blueprints and Azure Policy.
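The guardrail step above relies on Azure Policy: a rule in "if/then" JSON is assigned to a scope, and every resource in that scope is evaluated against it, with a "deny" effect blocking non-compliant deployments and an "audit" effect feeding the compliance dashboard. The following is an added example, not Microsoft's code, that evaluates one rule of that shape against constructed resource documents so you can see how a guardrail classifies resources before you assign it for real. The rule mirrors the built-in "secure transfer to storage accounts" check; the alias name, the alias-to-property table, the missing-field semantics and the sample resources are assumptions made for illustration, and the evaluator only supports the subset of conditions it needs.

```python
"""Toy evaluator for the Azure Policy rule shape (if/then with allOf/anyOf/not
and field equals/notEquals/exists). Added example, not Microsoft code; the
alias table and missing-field handling are simplifications."""

# Constructed rule in the shape Azure Policy uses: deny storage accounts that do
# not force HTTPS. The alias name is assumed to match the real Azure Policy alias.
DENY_PLAIN_HTTP_STORAGE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]
    },
    "then": {"effect": "deny"},
}

# Toy alias table: alias -> path inside the resource document (assumption).
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly":
        ("properties", "supportsHttpsTrafficOnly"),
}


def resolve_field(resource, field):
    """Look up a policy 'field' on a resource; None means the field is absent."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    path = ALIASES.get(field)
    if path is None:
        return None
    node = resource
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _norm(value):
    """Compare case-insensitively as strings; booleans become 'true'/'false'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def evaluate(condition, resource):
    """Return True when the condition matches the resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _norm(resolve_field(resource, condition["field"]))
    if "equals" in condition:
        return value is not None and value == _norm(condition["equals"])
    if "notEquals" in condition:
        # An absent field counts as "not equal", so an unset setting is flagged.
        return value != _norm(condition["notEquals"])
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    raise ValueError("unsupported condition: %r" % (condition,))


def apply_policy(rule, resource):
    """Effect the guardrail applies to one resource; 'allow' when 'if' misses."""
    if evaluate(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"


def compliance_summary(rule, resources):
    """Per-resource effects plus a dashboard-style list of non-compliant names."""
    effects = {r["name"]: apply_policy(rule, r) for r in resources}
    non_compliant = sorted(n for n, e in effects.items() if e != "allow")
    return {"effects": effects, "non_compliant": non_compliant}


# Constructed sample resources (not real deployments).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stplain",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
     "properties": {}},  # setting never specified: flagged as well
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
     "properties": {}},  # wrong resource type: out of scope for this rule
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_summary(DENY_PLAIN_HTTP_STORAGE,
                                        SAMPLE_RESOURCES), indent=2))
```

Running it flags "stplain" and "stlegacy" and leaves "stgood" and "vm01" alone. The point worth checking in your own rules is the third case: a resource whose setting was never written is only caught because "notEquals" treats an absent field as a mismatch; a rule written with "equals": "false" would let it through.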

Note that Azure Security Benchmark v2 is aligned with Microsoft Security Best Practices (formerly Azure Security Compass), so the Azure Security Benchmark provides a single consolidated view of Microsoft's Azure security recommendations.

Common Use Cases

The Azure Security Benchmark is frequently used to address these common challenges for customers or service partners who are:

  • New to Azure and looking for security best practices to ensure a secure deployment.
  • Improving the security posture of existing Azure deployments by prioritizing the top risks and their mitigations.
  • Approving Azure services for technology and business use against specific security guidelines.
  • Meeting regulatory requirements as customers from government or highly regulated industries such as finance and healthcare (or as service vendors who build systems for those customers). These customers need to ensure that their Azure configuration meets the security capabilities specified in an industry framework such as CIS, NIST, or PCI. The Azure Security Benchmark provides an efficient approach because its controls are already pre-mapped to these industry benchmarks.

Terminology

The terms "control", "benchmark", and "baseline" are used often in the Azure Security Benchmark documentation, and it is important to understand how Azure uses them.

Term: Control
  Description: A control is a high-level description of a feature or activity that needs to be addressed; it is not specific to a technology or implementation.
  Example: Data Protection is one of the security controls. It contains the specific actions that must be addressed to help ensure data is protected.

Term: Benchmark
  Description: A benchmark contains security recommendations for a specific technology, such as Azure. The recommendations are categorized by the control to which they belong.
  Example: The Azure Security Benchmark comprises the security recommendations specific to the Azure platform.

Term: Baseline
  Description: A baseline is the implementation of the benchmark on an individual Azure service. Each organization decides which benchmark recommendations and corresponding configurations are needed in its Azure implementation scope.
  Example: Contoso enables Azure SQL security features by following the configuration recommended in the Azure SQL security baseline.

We welcome your feedback on the Azure Security Benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark