Security Control V2: Backup and Recovery

Backup and Recovery covers the controls that ensure data and configuration backups at the different service tiers are performed, validated, and protected.

BR-1: Ensure regular automated backups

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
BR-1     | 10.1                    | CP-2, CP-4, CP-6, CP-9

Ensure you are backing up systems and data to maintain business continuity after an unexpected event. The backup schedule and retention should be defined by your objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Enable Azure Backup and configure the backup source (for example, Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.

For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover it using cross-region restore.
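The following is an added example, not code from the benchmark or from Azure Backup itself. It shows how the RPO, retention and redundancy requirements of BR-1 can be checked mechanically: a backup policy record and the list of recovery points for one protected item are audited against a target RPO, and the largest observed gap between recovery points (including the gap from the newest point to "now", which is how a silently stalled job shows up) is compared with the RPO. The policy and recovery-point records are constructed, and their field names are assumptions rather than the exact Azure schema.

```python
"""Audit an Azure Backup policy and its observed recovery points against RPO,
retention and redundancy targets (BR-1). Added example with constructed data."""
from datetime import datetime, timezone

# Constructed sample: a daily VM policy on a vault using GRS with cross-region restore.
# Field names are assumptions, not the real Azure resource schema.
SAMPLE_POLICY = {
    "name": "DailyVmPolicy",
    "schedule_frequency": "Daily",
    "retention_days": 30,
    "storage_redundancy": "GeoRedundant",
    "cross_region_restore": True,
}

# Constructed sample: recovery points for one protected VM. The backup on
# 2024-03-04 never ran, which opens a 48-hour gap.
SAMPLE_RECOVERY_POINTS = [
    "2024-03-01T02:00:00Z",
    "2024-03-02T02:00:00Z",
    "2024-03-03T02:00:00Z",
    "2024-03-05T02:00:00Z",
]

# Hours between scheduled backups for each schedule type the audit understands.
FREQUENCY_HOURS = {"Hourly": 1, "Daily": 24, "Weekly": 168}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed "current time" for the sample run, six hours after the last backup.
SAMPLE_NOW = parse_ts("2024-03-05T08:00:00Z")


def max_gap_hours(recovery_points, now):
    """Largest interval between consecutive recovery points, including the
    interval from the newest point up to `now`."""
    times = sorted(parse_ts(t) for t in recovery_points)
    if not times:
        return float("inf")  # nothing to restore from at all
    gaps = [b - a for a, b in zip(times, times[1:])] + [now - times[-1]]
    return max(gaps).total_seconds() / 3600


def audit_backup(policy, recovery_points, rpo_hours, min_retention_days, now):
    """Return a list of findings; an empty list means the item meets the targets."""
    findings = []
    scheduled = FREQUENCY_HOURS.get(policy["schedule_frequency"])
    if scheduled is None or scheduled > rpo_hours:
        findings.append(
            f"schedule '{policy['schedule_frequency']}' cannot meet RPO of {rpo_hours}h")
    if policy["retention_days"] < min_retention_days:
        findings.append(
            f"retention {policy['retention_days']}d is below the {min_retention_days}d minimum")
    if policy["storage_redundancy"] != "GeoRedundant":
        findings.append("vault storage is not geo-redundant")
    elif not policy.get("cross_region_restore"):
        findings.append("cross-region restore is not enabled")
    gap = max_gap_hours(recovery_points, now)
    if gap > rpo_hours:
        # The policy looks right, but the job history shows it is not being met.
        findings.append(f"observed gap {gap:.0f}h exceeds RPO {rpo_hours}h")
    return findings


def run_sample():
    """Audit the constructed sample against a 24-hour RPO and 14-day retention floor."""
    return audit_backup(SAMPLE_POLICY, SAMPLE_RECOVERY_POINTS,
                        rpo_hours=24, min_retention_days=14, now=SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample() or ["no findings"]:
        print(finding)
```

The point of auditing the recovery points rather than only the policy is that a correct policy proves nothing about what actually ran; the sample policy passes every static check while the job history shows the RPO was missed.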

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-2: Encrypt backup data

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
BR-2     | 10.2                    | CP-9

Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.

For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you supply. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using a customer-managed key instead. In this case, ensure that the customer-managed key in the key vault is also in the backup scope, because backups encrypted with it cannot be restored without it.

Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-3: Validate all backups including customer-managed keys

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
BR-3     | 10.3                    | CP-4, CP-9

Periodically perform a test restore from your backups. Ensure that you can also restore backed-up customer-managed keys.
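As an added example (not the benchmark's own material), the following shows what a restore drill for BR-3 can verify once the restore has completed: the restored files are compared against a SHA-256 manifest written at backup time, and a restored customer-managed key is confirmed to be the same key that was backed up by comparing a key check value (an HMAC over a fixed label) rather than the key bytes themselves, so the drill never has to log or transmit key material. The file contents, manifest and key bytes are constructed for the example; the manifest format is an assumption.

```python
"""Validate a restore drill: file integrity against a manifest and a restored
customer-managed key against its key check value (BR-3). Added example."""
import hashlib
import hmac

# Constructed: content captured at backup time, and the manifest derived from it.
BACKED_UP_FILES = {
    "db/orders.bak": b"order-1,order-2,order-3\n",
    "config/app.json": b'{"tier": "prod"}\n',
    "logs/audit.log": b"2024-03-01 login ok\n",
}
MANIFEST = {path: hashlib.sha256(data).hexdigest() for path, data in BACKED_UP_FILES.items()}

# Constructed: what the drill actually restored. config/app.json came back
# altered and logs/audit.log did not come back at all.
RESTORED_FILES = {
    "db/orders.bak": b"order-1,order-2,order-3\n",
    "config/app.json": b'{"tier": "dev"}\n',
}

# Fixed label used for the key check value; any constant works, it only has to
# be the same at backup and at restore time.
KCV_LABEL = b"backup-key-check-value"


def key_check_value(key: bytes) -> str:
    """Short fingerprint of a key: HMAC-SHA256 over a fixed label, truncated to
    64 bits. Enough to tell two keys apart, not enough to recover the key."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).hexdigest()[:16]


def validate_restore(manifest, restored):
    """Compare restored files with the manifest. Returns a list of findings;
    an empty list means every file came back intact and nothing extra appeared."""
    findings = []
    for path, expected_digest in manifest.items():
        data = restored.get(path)
        if data is None:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(data).hexdigest() != expected_digest:
            findings.append(f"hash mismatch: {path}")
    for path in restored:
        if path not in manifest:
            findings.append(f"unexpected file restored: {path}")
    return findings


def validate_restored_key(expected_kcv: str, restored_key: bytes) -> bool:
    """True if the restored key produces the key check value recorded at backup
    time. Constant-time comparison avoids leaking how many characters matched."""
    return hmac.compare_digest(expected_kcv, key_check_value(restored_key))


if __name__ == "__main__":
    for finding in validate_restore(MANIFEST, RESTORED_FILES) or ["all files verified"]:
        print(finding)
    # Constructed key material for the demonstration only.
    original_key = bytes(range(32))
    recorded_kcv = key_check_value(original_key)
    print("key restored correctly:", validate_restored_key(recorded_kcv, original_key))
```

Recording the manifest and key check value at backup time, in a location separate from the backup itself, is what makes the drill meaningful; a restore that is only checked for "completed successfully" would have passed the constructed sample above despite the altered and missing files.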

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-4: Mitigate risk of lost keys

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
BR-4     | 10.4                    | CP-9

Ensure you have measures in place to prevent, and to recover from, the loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
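The following added example (not part of the benchmark) ties BR-2 and BR-4 together as one audit: for a Recovery Services vault encrypted with a customer-managed key, it checks that the key itself is inside the backup scope, that the key vault holding it has soft delete and purge protection enabled, and that the Recovery Services vault has soft delete and the MFA requirement for destructive operations turned on. The vault and key vault records are constructed, and their field names (including modelling the advanced security feature as a boolean) are assumptions rather than the Azure resource schema.

```python
"""Audit protection of backups and of the customer-managed key that encrypts
them (BR-2 and BR-4). Added example with constructed records."""

# Constructed: a Recovery Services vault encrypted with a CMK. Field names are
# assumptions, not the real Azure schema.
SAMPLE_RS_VAULT = {
    "name": "rsv-prod",
    "encryption": {"type": "CustomerManaged",
                   "key_vault": "kv-backup-keys", "key_name": "backup-cmk"},
    "soft_delete": True,
    "mfa_for_critical_operations": False,
}

# Constructed: key vault properties, keyed by key vault name.
SAMPLE_KEY_VAULTS = {
    "kv-backup-keys": {"soft_delete": True, "purge_protection": False},
}

# Constructed: everything currently covered by a backup. The CMK is absent,
# which is exactly the gap BR-2 warns about.
SAMPLE_BACKUP_SCOPE = {"vm-app01", "vm-db01"}


def audit_key_protection(rs_vault, key_vaults, backup_scope):
    """Return a list of findings; an empty list means the vault and its key
    are protected the way BR-2 and BR-4 describe."""
    findings = []
    enc = rs_vault["encryption"]
    if enc["type"] == "CustomerManaged":
        kv_name = enc["key_vault"]
        key_ref = f"{kv_name}/{enc['key_name']}"
        # Backups encrypted with a CMK are unrecoverable without that key, so the
        # key must be backed up too.
        if key_ref not in backup_scope:
            findings.append(f"CMK {key_ref} is not in the backup scope")
        kv = key_vaults.get(kv_name)
        if kv is None:
            findings.append(f"key vault {kv_name} not found")
        else:
            if not kv.get("soft_delete"):
                findings.append(f"soft delete disabled on key vault {kv_name}")
            if not kv.get("purge_protection"):
                findings.append(f"purge protection disabled on key vault {kv_name}")
    if not rs_vault.get("soft_delete"):
        findings.append(f"soft delete disabled on Recovery Services vault {rs_vault['name']}")
    if not rs_vault.get("mfa_for_critical_operations"):
        findings.append(f"MFA not required for destructive operations on {rs_vault['name']}")
    return findings


def run_sample():
    """Audit the constructed sample as it stands."""
    return audit_key_protection(SAMPLE_RS_VAULT, SAMPLE_KEY_VAULTS, SAMPLE_BACKUP_SCOPE)


def run_remediated():
    """Audit the same sample after the three gaps are closed; should be empty."""
    vault = dict(SAMPLE_RS_VAULT, mfa_for_critical_operations=True)
    key_vaults = {"kv-backup-keys": {"soft_delete": True, "purge_protection": True}}
    scope = SAMPLE_BACKUP_SCOPE | {"kv-backup-keys/backup-cmk"}
    return audit_key_protection(vault, key_vaults, scope)


if __name__ == "__main__":
    for finding in run_sample() or ["no findings"]:
        print(finding)
    print("after remediation:", run_remediated() or "no findings")
```

Soft delete alone is not sufficient: a deleted key vault object can still be purged by anyone with the right permission unless purge protection is also on, which is why the audit reports the two settings separately.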

Responsibility: Customer

Customer Security Stakeholders (Learn more):