Security Control V2: Asset Management

Asset Management covers controls to ensure security visibility and governance over Azure resources. This includes recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

AM-1: Ensure security team has visibility into risks for assets

| Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s) |
|----------|-------------------------|------------------------|
| AM-1     | 1.1, 1.2                | CM-8, PM-5             |

Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.
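The following is an added example (Az PowerShell, not code from the benchmark or from Microsoft) of granting Security Reader at the root management group. The group object ID is a placeholder; the root management group's name is the tenant ID, which is why the scope is derived from the current context.

```powershell
# Added example: grant the security team read-only visibility at root management group scope.
# Assumption (placeholder): $securityTeamGroupId is the object ID of the security team's Azure AD group.
Connect-AzAccount | Out-Null

$securityTeamGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

# The root management group is named after the tenant ID, so its scope can be built from the context.
$tenantId  = (Get-AzContext).Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Security Reader is a built-in role. Scope it as narrowly as your operating model allows:
# root management group (as here), a child management group, or a single subscription.
New-AzRoleAssignment -ObjectId $securityTeamGroupId `
                     -RoleDefinitionName "Security Reader" `
                     -Scope $rootScope

# Verify what the group now holds at that scope.
Get-AzRoleAssignment -ObjectId $securityTeamGroupId -Scope $rootScope |
    Select-Object RoleDefinitionName, Scope
```

Assigning a role at the root management group requires that the caller already holds Owner or User Access Administrator there; a Global Administrator only gets that after elevating access in Azure AD. Assign the role to a group rather than to individual users so that membership changes do not require new role assignments.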

Responsibility: Customer

Customer Security Stakeholders (Learn more):

AM-2: Ensure security team has access to asset inventory and metadata

| Azure ID | CIS Controls v7.1 ID(s)            | NIST SP800-53 r4 ID(s) |
|----------|------------------------------------|------------------------|
| AM-2     | 1.1, 1.2, 1.4, 1.5, 9.1, 12.1      | CM-8, PM-5             |

Ensure that security teams have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvement.

The Azure Security Center inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources.

Logically organize assets according to your organization's taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
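As an added example (Az.ResourceGraph PowerShell, not part of the benchmark), the two Resource Graph queries below build the inventory the text describes: a count by resource type, and a list of resources that fall outside the taxonomy because they lack required tags. The tag names `owner` and `data-classification` are this example's assumed taxonomy, not something the benchmark prescribes.

```powershell
# Added example: tag-aware inventory with Azure Resource Graph.
# Assumption: "owner" and "data-classification" are the tags your taxonomy requires (placeholders).
Install-Module Az.ResourceGraph -Scope CurrentUser -Force   # once
Connect-AzAccount | Out-Null

# 1) What is deployed: counts by resource type across every subscription the caller can read.
$byType = @"
Resources
| summarize count() by type
| order by count_ desc
"@

# 2) What is outside the taxonomy: resources missing either required tag.
$untagged = @"
Resources
| extend owner = tostring(tags['owner']),
         dataClass = tostring(tags['data-classification'])
| where isempty(owner) or isempty(dataClass)
| project subscriptionId, resourceGroup, name, type, location, owner, dataClass
"@

Search-AzGraph -Query $byType -First 1000 | Format-Table type, count_ -AutoSize

# Resource Graph returns at most 1000 rows per call; page with the SkipToken it hands back.
$rows = @()
$page = Search-AzGraph -Query $untagged -First 1000
$rows += $page
while ($page.SkipToken) {
    $page = Search-AzGraph -Query $untagged -First 1000 -SkipToken $page.SkipToken
    $rows += $page
}

"$($rows.Count) resources missing required tags"
$rows | Export-Csv -Path .\untagged-resources.csv -NoTypeInformation
```

Resource Graph only returns resources in subscriptions the caller can read, so run this with the Security Reader assignment from AM-1 (or a broader scope) rather than from an individual's ad hoc context; otherwise the "inventory" silently omits whatever that person cannot see.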

Responsibility: Customer

Customer Security Stakeholders (Learn more):

AM-3: Use only approved Azure services

| Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s) |
|----------|-------------------------|------------------------|
| AM-3     | 2.3, 2.4                | CM-7, CM-8             |

Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
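The following added example (Az.Resources and Az.PolicyInsights PowerShell; not the benchmark's own code and not the built-in "Allowed resource types" policy) defines a custom policy that audits, and can later deny, any resource type outside an approved list, assigns it at management group scope, and pulls the resulting non-compliance list. The management group name, definition names and the approved-type list are placeholders.

```powershell
# Added example: audit-then-deny policy for approved resource types.
# Assumptions (placeholders): management group name, policy names and the approved-type list.
Connect-AzAccount | Out-Null

$managementGroup = "contoso-platform"   # placeholder management group name

# Rule: any resource whose type is not in the approved list gets the chosen effect.
$rule = @"
{
  "if": {
    "not": { "field": "type", "in": "[parameters('listOfAllowedResourceTypes')]" }
  },
  "then": { "effect": "[parameters('effect')]" }
}
"@

# Parameters: the approved list, and an effect that defaults to Audit so the policy can be
# rolled out without breaking deployments and switched to Deny once compliance is clean.
$params = @"
{
  "listOfAllowedResourceTypes": {
    "type": "Array",
    "metadata": { "displayName": "Approved resource types", "strongType": "resourceTypes" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
"@

# Mode Indexed evaluates resource types that support tags and location. Use Mode All if resource
# groups must be governed too, and then add "Microsoft.Resources/subscriptions/resourceGroups"
# to the approved list, or resource group creation itself will be audited/denied.
$definition = New-AzPolicyDefinition -Name "approved-resource-types" `
    -DisplayName "Only approved Azure resource types" `
    -Policy $rule -Parameter $params -Mode Indexed `
    -ManagementGroupName $managementGroup

# Assign in Audit mode first. This list is deliberately short; build the real one from the AM-2 inventory.
$approved = @(
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Network/virtualNetworks",
    "Microsoft.Network/networkInterfaces",
    "Microsoft.Storage/storageAccounts",
    "Microsoft.KeyVault/vaults"
)
New-AzPolicyAssignment -Name "approved-types-audit" `
    -PolicyDefinition $definition `
    -Scope "/providers/Microsoft.Management/managementGroups/$managementGroup" `
    -PolicyParameterObject @{ listOfAllowedResourceTypes = $approved; effect = "Audit" }

# Once evaluation has run, the non-compliant resources are the "non-approved services" the control is about.
Get-AzPolicyState -ManagementGroupName $managementGroup `
    -Filter "PolicyAssignmentName eq 'approved-types-audit' and ComplianceState eq 'NonCompliant'" |
    Select-Object SubscriptionId, ResourceGroup, ResourceType, ResourceId
```

A Deny effect blocks new deployments of unlisted types but does nothing about resources that already exist, which is why the Audit pass and the compliance query matter: existing non-compliant resources have to be migrated or removed (see AM-4) before the effect is switched to Deny.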

Responsibility: Customer

Customer Security Stakeholders (Learn more):

AM-4: Ensure security of asset lifecycle management

| Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)     |
|----------|-------------------------|----------------------------|
| AM-4     | 2.3, 2.4, 2.5           | CM-7, CM-8, CM-10, CM-11   |

Establish or update security policies that address asset lifecycle management processes for potentially high-impact modifications. These modifications include changes to: identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.

Remove Azure resources when they are no longer needed.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

AM-5: Limit users' ability to interact with Azure Resource Manager

| Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s) |
|----------|-------------------------|------------------------|
| AM-5     | 2.9                     | AC-3                   |

Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.
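As an added example (Microsoft Graph PowerShell; not the benchmark's own code), the policy below blocks the Azure Management app for all users except an excluded administrator group and starts in report-only state. The admin group ID and policy name are placeholders; the application ID is the well-known ID of the "Windows Azure Service Management API" service principal, which the portal lists as "Microsoft Azure Management".

```powershell
# Added example: report-only Conditional Access policy blocking Azure Resource Manager access.
# Assumptions (placeholders): $adminGroupId is the group that must keep ARM access; the policy name is arbitrary.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$adminGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: platform/security admins, excluded

$policy = @{
    displayName = "Block Azure management for non-admins"
    # Report-only: sign-in logs record who would have been blocked, nothing is enforced yet.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($adminGroupId)
        }
        applications = @{
            # Well-known app ID of "Windows Azure Service Management API" ("Microsoft Azure Management").
            # Covers the Azure portal, Azure CLI, Azure PowerShell and direct ARM REST calls.
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and is still report-only before switching state to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -eq "Block Azure management for non-admins" |
    Select-Object Id, State
```

Two practical cautions: always exclude your break-glass accounts and the group that actually administers Azure (a block on this app applies to the portal as well as scripted access, so a mistake here locks administrators out), and review the report-only sign-in results before enabling enforcement.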

Responsibility: Customer

Customer Security Stakeholders (Learn more):

AM-6: Use only approved applications in compute resources

| Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)          |
|----------|-------------------------|---------------------------------|
| AM-6     | 2.6, 2.7                | AC-3, CM-7, CM-8, CM-10, CM-11  |

Ensure that only authorized software executes, and that all unauthorized software is blocked from executing, on Azure Virtual Machines.

Use Azure Security Center (ASC) adaptive application controls to discover the software running on your VMs and generate an application allow list, then use the same feature to enforce that list so that only authorized software executes and all unauthorized software is blocked on Azure Virtual Machines.

Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace.
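The added example below (Az.OperationalInsights PowerShell; not the benchmark's own code) queries the software inventory that Change Tracking and Inventory writes to the `ConfigurationData` table and flags packages not on an approved list. The workspace ID is a placeholder and the approved list is constructed for the example; in practice it would come from the adaptive application controls allow list or your configuration management system.

```powershell
# Added example: compare Change Tracking software inventory against an approved-software list.
# Assumptions (placeholders): $workspaceId is the Log Analytics workspace (customer) ID;
# $approved is a constructed baseline, not a real allow list.
Connect-AzAccount | Out-Null

$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace ID

# Latest inventory record per computer and package. Change Tracking writes software records to
# ConfigurationData with ConfigDataType == "Software".
$query = @"
ConfigurationData
| where ConfigDataType == "Software"
| summarize arg_max(TimeGenerated, *) by Computer, SoftwareName
| project TimeGenerated, Computer, SoftwareName, CurrentVersion, Publisher, SoftwareType
"@

$response  = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId `
                 -Query $query -Timespan (New-TimeSpan -Days 7)
$installed = $response.Results

# Constructed approved-software baseline for this example.
$approved = @("Microsoft Monitoring Agent", "OpenSSH", "curl")

# Anything installed that is not on the list is a candidate for removal or for adding to the allow list.
$unapproved = $installed | Where-Object { $approved -notcontains $_.SoftwareName }
$unapproved | Sort-Object Computer, SoftwareName |
    Format-Table Computer, SoftwareName, CurrentVersion, Publisher -AutoSize

# Exported for the security team's inventory (AM-2) and for triage.
$unapproved | Export-Csv -Path .\unapproved-software.csv -NoTypeInformation
```

This query reports what is installed, not what is executing; the enforcement of the allow list still has to come from adaptive application controls (or an OS-level control such as AppLocker), so treat this output as the discovery input for that list rather than as a substitute for it.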

Depending on the type of script, you can use operating-system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.

You can also use a third-party solution to discover and identify unapproved software.

Responsibility: Customer

Customer Security Stakeholders (Learn more):