Overview of the Azure Security Benchmark (V2)

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.

This benchmark is part of a set of holistic security guidance that also includes:

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 and the National Institute of Standards and Technology (NIST) SP 800-53. The following controls are included in the Azure Security Benchmark:

| ASB Control Domain | Description |
| --- | --- |
| Network Security (NS) | Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS. |
| Identity Management (IM) | Identity Management covers controls to establish secure identity and access controls using Azure Active Directory, including the use of single sign-on, strong authentication, managed identities (and service principals) for applications, conditional access, and account anomaly monitoring. |
| Privileged Access (PA) | Privileged Access covers controls to protect privileged access to your Azure tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk. |
| Data Protection (DP) | Data Protection covers controls for protecting data at rest, in transit, and via authorized access mechanisms, including discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, and logging in Azure. |
| Asset Management (AM) | Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct). |
| Logging and Threat Detection (LT) | Logging and Threat Detection covers controls for detecting threats on Azure and for enabling, collecting, and storing audit logs for Azure services, including enabling detection, investigation, and remediation processes with controls that generate high-quality alerts from native threat detection in Azure services; it also includes collecting logs with Azure Monitor, centralizing security analysis with time synchronization, and log retention. |
| Incident Response (IR) | Incident Response covers controls in the incident response life cycle (preparation, detection and analysis, containment, and post-incident activities), including using Azure services such as Azure Security Center to automate the incident response process. |
| Posture and Vulnerability Management (PV) | Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources. |
| Endpoint Security (ES) | Endpoint Security covers controls in endpoint detection and response, including the use of endpoint detection and response (EDR) and anti-malware services for endpoints in Azure environments. |
| Backup and Recovery (BR) | Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected. |
| Governance and Strategy (GS) | Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, a unified technical strategy, and supporting policies and standards. |

Azure Security Benchmark Recommendations

Each recommendation includes the following information:

  • Azure ID: The Azure Security Benchmark ID that corresponds to the recommendation.
  • CIS Controls v7.1 ID(s): The CIS Controls v7.1 control(s) that correspond to this recommendation.
  • NIST SP 800-53 r4 ID(s): The NIST SP 800-53 r4 (moderate) control(s) that correspond to this recommendation.
  • Details: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information is also listed.
  • Responsibility: Whether the customer, the service provider, or both are responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider, and therefore the provider is responsible for addressing those. These are general observations; for some individual services, the responsibility differs from what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service.
  • Customer Security Stakeholders: The security functions at the customer organization that may be accountable, responsible, or consulted for the respective control. They may differ from organization to organization depending on your company's security organization structure and the roles and responsibilities you set up for Azure security.

Note

The control mappings between ASB and industry benchmarks (such as NIST and CIS) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST or CIS. You should be aware that such an implementation does not necessarily translate to full compliance with the corresponding control in CIS or NIST.

We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. If you would like to provide the Azure Security Benchmark team with direct input, fill out the form at https://aka.ms/AzSecBenchmark

Download

You can download the Azure Security Benchmark in spreadsheet format.

Next steps