Security Control: Data Protection

Data protection recommendations focus on addressing issues related to encryption, access control lists, identity-based access control, and audit logging for data access.

4.1: Maintain an inventory of sensitive information

Azure ID   CIS IDs   Responsibility
4.1        13.1      Customer

Use tags to assist in tracking Azure resources that store or process sensitive information.

4.2: Isolate systems storing or processing sensitive information

Azure ID   CIS IDs   Responsibility
4.2        13.2, 2.10   Customer

Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure Active Directory role-based access control.

4.3: Monitor and block unauthorized transfer of sensitive information

Azure ID   CIS IDs   Responsibility
4.3        13.3      Shared

Leverage a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

4.4: Encrypt all sensitive information in transit

Azure ID   CIS IDs   Responsibility
4.4        14.4      Shared

Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.

Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
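Controls 4.1 and 4.4 both reduce to properties you can audit from a resource inventory: is the sensitivity tag present, and is the service's minimum TLS version 1.2 or greater. The script below is an added example, not code from the benchmark or from Microsoft; it runs offline over a constructed inventory. The ARM property names (minimumTlsVersion on storage accounts, minimalTlsVersion on SQL servers) are real, while the tag name and the resource records are assumptions made for this example.

```python
# Added example, not part of the Azure Security Benchmark: audit a constructed,
# simplified Azure resource inventory against control 4.1 (sensitivity tag present)
# and control 4.4 (server-side minimum TLS version is 1.2 or greater).
from typing import Dict, List, Optional

SENSITIVITY_TAG = "DataClassification"  # assumed tag name; adopt your own taxonomy

def tls_floor(resource: Dict) -> Optional[float]:
    """Normalise each service's minimum-TLS property to a number (None = not set)."""
    props = resource.get("properties") or {}
    if resource["type"] == "Microsoft.Storage/storageAccounts":
        raw = props.get("minimumTlsVersion")          # e.g. "TLS1_0", "TLS1_2"
        return float(raw[3:].replace("_", ".")) if raw else None
    if resource["type"] == "Microsoft.Sql/servers":
        raw = props.get("minimalTlsVersion")          # e.g. "1.0", "1.2", or "None"
        return float(raw) if raw and raw != "None" else None
    return None  # resource type not covered by this check

def check_resource(resource: Dict) -> List[str]:
    """Return benchmark findings for one resource; an empty list means compliant."""
    findings = []
    if SENSITIVITY_TAG not in (resource.get("tags") or {}):
        findings.append(f"4.1: missing '{SENSITIVITY_TAG}' tag")
    if resource["type"] in ("Microsoft.Storage/storageAccounts", "Microsoft.Sql/servers"):
        floor = tls_floor(resource)
        # An unset minimum is treated as non-compliant: the service may still accept old TLS.
        if floor is None or floor < 1.2:
            findings.append(f"4.4: minimum TLS is {floor or 'unset'}, require 1.2 or greater")
    return findings

def audit(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map resource name -> findings, keeping only non-compliant resources."""
    return {r["name"]: f for r in inventory if (f := check_resource(r))}

# Constructed sample inventory (shape loosely follows ARM resource JSON); not real resources.
INVENTORY: List[Dict] = [
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"DataClassification": "Confidential"},
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "tags": {}, "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "sqlsrv1", "type": "Microsoft.Sql/servers",
     "tags": {"DataClassification": "Internal"}, "properties": {}},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

Feeding it real data means exporting resources with their properties (for example from Azure Resource Graph) and extending tls_floor for each service type you run.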

4.5: Use an active discovery tool to identify sensitive data

Azure ID   CIS IDs   Responsibility
4.5        14.5      Shared

When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

Use Azure Information Protection for identifying sensitive information within Office 365 documents.

Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.

4.6: Use role-based access control to control access to resources

Azure ID   CIS IDs   Responsibility
4.6        14.6      Customer

Use Azure AD RBAC to control access to data and resources; otherwise, use service-specific access control methods.

4.7: Use host-based data loss prevention to enforce access control

Azure ID   CIS IDs   Responsibility
4.7        14.7      Shared

If required for compliance on compute resources, implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls on data even when data is copied off a system.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

4.8: Encrypt sensitive information at rest

Azure ID   CIS IDs   Responsibility
4.8        14.8      Customer

Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys; however, there is the option for you to manage your own keys in some instances.

4.9: Log and alert on changes to critical Azure resources

Azure ID   CIS IDs   Responsibility
4.9        14.9      Customer

Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources.
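An activity log alert rule is essentially a filter on scope, category, operation and status. The script below is an added example, not code from the benchmark or from Azure Monitor itself; it applies that filter offline to constructed Activity Log events so you can see which changes would page someone and which (reads, the Started half of an operation, changes to non-critical resources) would not. Field names mirror the real Activity Log schema in simplified flat form; the subscription id, resource ids, callers and events are constructed for this example.

```python
# Added example, not part of the Azure Security Benchmark: the decision logic an
# Azure Monitor activity log alert applies, run over constructed Activity Log events.
from typing import Dict, List

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
CRITICAL_RESOURCES = {  # constructed ids; in practice derive this set from tags or a CMDB
    f"{RG}/Microsoft.KeyVault/vaults/kv-prod",
    f"{RG}/Microsoft.Storage/storageAccounts/stprod01",
}
CHANGE_SUFFIXES = ("/write", "/delete", "/action")  # "*/read" operations are not alerted on

def should_alert(event: Dict) -> bool:
    """True for a successful, state-changing Administrative operation on a critical resource."""
    if event.get("category") != "Administrative" or event.get("status") != "Succeeded":
        return False  # each operation also logs a Started event; alert once, on completion
    if not event.get("operationName", "").endswith(CHANGE_SUFFIXES):
        return False
    rid = event.get("resourceId", "").lower()  # ARM resource ids compare case-insensitively
    # Match the resource itself or anything beneath it (child resources, role assignments).
    return any(rid == c.lower() or rid.startswith(c.lower() + "/") for c in CRITICAL_RESOURCES)

def alerts(events: List[Dict]) -> List[str]:
    """One alert line per qualifying event, in arrival order."""
    return [f"ALERT {e['operationName']} by {e['caller']} on {e['resourceId']}"
            for e in events if should_alert(e)]

EVENTS: List[Dict] = [  # constructed sample events
    {"category": "Administrative", "status": "Succeeded", "caller": "ops@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/read", "resourceId": f"{RG}/Microsoft.KeyVault/vaults/kv-prod"},
    {"category": "Administrative", "status": "Started", "caller": "ops@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/write", "resourceId": f"{RG}/Microsoft.KeyVault/vaults/kv-prod"},
    {"category": "Administrative", "status": "Succeeded", "caller": "ops@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/write", "resourceId": f"{RG}/Microsoft.KeyVault/vaults/kv-prod"},
    {"category": "Administrative", "status": "Succeeded", "caller": "dev@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete", "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stdev01"},
    {"category": "Administrative", "status": "Succeeded", "caller": "dev@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
     "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stprod01/blobServices/default/containers/backups"},
    {"category": "Administrative", "status": "Succeeded", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": f"{RG}/Microsoft.KeyVault/vaults/kv-prod/providers/Microsoft.Authorization/roleAssignments/1111"},
]

if __name__ == "__main__":
    print("\n".join(alerts(EVENTS)))
```

The prefix match is what makes the role-assignment event fire: RBAC changes are recorded as child resources of the vault, so an alert scoped only to exact resource ids would miss them.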

Next steps