Security Control: Data Recovery

Ensure that all system data, configurations, and secrets are automatically backed up on a regular basis.

9.1: Ensure regular automated backups

Azure ID   CIS IDs   Responsibility
9.1        10.1      Customer

Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.

9.2: Perform complete system backups and back up any customer managed keys

Azure ID   CIS IDs   Responsibility
9.2        10.2      Customer

Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Back up customer managed keys within Azure Key Vault.

9.3: Validate all backups including customer managed keys

Azure ID   CIS IDs   Responsibility
9.3        10.3      Customer

Ensure the ability to periodically perform data restoration of content within Azure Backup. Test restoration of backed-up customer managed keys.

9.4: Ensure protection of backups and customer managed keys

Azure ID   CIS IDs   Responsibility
9.4        10.4      Customer

For on-premises backup, encryption at rest is provided using the passphrase you supply when backing up to Azure. For Azure VMs, data is encrypted at rest using Storage Service Encryption (SSE). Use role-based access control to protect backups and customer managed keys.

Enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.
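The following Az PowerShell script is an added example, not part of the benchmark page, showing one way to implement controls 9.1 through 9.4 end to end: enable scheduled VM backup, back up a customer managed key from Key Vault, validate that backup by restoring it, and turn on the deletion protections the text calls for. All resource names and the key name are placeholders; it assumes the Recovery Services vault, both Key Vaults (same subscription and geography, which a Key Vault key restore requires) and the storage account already exist and the caller has the needed RBAC permissions.

```powershell
# Added example (not the benchmark's own code). All names below are placeholders.
$Rg         = "rg-backup-demo"
$Vault      = "kv-cmk-demo"          # production Key Vault holding the customer managed key
$TestVault  = "kv-cmk-restore-test"  # separate vault, same subscription and geography
$KeyName    = "cmk-disk-encryption"
$BackupFile = Join-Path $env:TEMP "$KeyName.keybackup"

# 9.1: enable scheduled VM backup in a Recovery Services vault using the built-in daily policy.
$rsv    = Get-AzRecoveryServicesVault -ResourceGroupName $Rg -Name "rsv-backup-demo"
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $rsv.ID
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name "vm-app01" `
    -ResourceGroupName $Rg -VaultId $rsv.ID | Out-Null

# 9.4: keep deleted keys recoverable and block permanent purge.
# Soft delete is on for new vaults and cannot be turned off; purge protection is opt-in and irreversible.
$kv = Get-AzKeyVault -VaultName $Vault -ResourceGroupName $Rg
if (-not $kv.EnableSoftDelete) { throw "$Vault has soft delete disabled; recreate the vault" }
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $Vault -ResourceGroupName $Rg -EnablePurgeProtection | Out-Null
}

# 9.2: back up the customer managed key. The file is an encrypted blob that can only be
# restored into an Azure Key Vault, so it is not a usable copy of the key material on its own.
Backup-AzKeyVaultKey -VaultName $Vault -Name $KeyName -OutputFile $BackupFile -Force | Out-Null

# 9.3: validate the backup by restoring it into a separate vault. Restoring into the source
# vault fails while a key of the same name still exists there, hence the dedicated test vault.
$restored = Restore-AzKeyVaultKey -VaultName $TestVault -InputFile $BackupFile
$original = Get-AzKeyVaultKey  -VaultName $Vault     -Name $KeyName
if (-not $restored.Enabled -or $restored.Version -ne $original.Version) {
    throw "Restore check failed: restored version '$($restored.Version)' vs source '$($original.Version)'"
}
# Clean up the test copy (it goes to the soft-deleted state, so it stays recoverable) and the file.
Remove-AzKeyVaultKey -VaultName $TestVault -Name $KeyName -Force
Remove-Item $BackupFile

# 9.4: if backups land in a storage account, keep deleted blobs and snapshots for 14 days.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $Rg `
    -StorageAccountName "stbackupdemo" -RetentionDays 14 | Out-Null
```

Run the restore check on a schedule rather than once, since a backup that has never been restored is not a validated backup.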

Next steps