Security Control V2: Data Protection

Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms. This includes discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, and logging in Azure.

DP-1: Discover, classify and label sensitive data

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
DP-1 | 13.1, 14.5, 14.7 | SC-28

Discover, classify, and label your sensitive data so that you can design the appropriate controls to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.

Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, on Office 365, and in other locations.

You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.

Responsibility: Shared

Customer Security Stakeholders (Learn more):

DP-2: Protect sensitive data

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
DP-2 | 13.2, 2.10 | SC-7, AC-4

Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).

To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Responsibility: Shared

Customer Security Stakeholders (Learn more):

DP-3: Monitor for unauthorized transfer of sensitive data

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
DP-3 | 13.3 | AC-4, SI-4

Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.

Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfers of information that might indicate unauthorized transfers of sensitive information.

Azure Information Protection (AIP) provides monitoring capabilities for information that has been classified and labeled.

If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventative controls to prevent data exfiltration.
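The "large or unusual transfer" detection that DP-3 describes can be approximated from storage access logs by comparing each caller's hourly egress with its own baseline. The following is an added example, not code from the benchmark or from Azure Storage ATP; the log records are constructed and their fields (caller, operation name, response size) are assumed to resemble Azure Storage resource logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (timestamp, caller, operation, bytes returned),
# loosely modelled on Azure Storage resource logs; not real log data.
RECORDS = [
    ("2024-03-01T09:00:00Z", "app-svc", "GetBlob", 2_000_000),
    ("2024-03-01T10:00:00Z", "app-svc", "GetBlob", 2_500_000),
    ("2024-03-02T09:00:00Z", "app-svc", "GetBlob", 2_200_000),
    ("2024-03-02T11:00:00Z", "app-svc", "PutBlob", 900_000),
    ("2024-03-03T09:00:00Z", "app-svc", "GetBlob", 2_100_000),
    ("2024-03-03T23:10:00Z", "app-svc", "GetBlob", 450_000_000),
    ("2024-03-03T23:15:00Z", "app-svc", "GetBlob", 600_000_000),
    ("2024-03-01T09:00:00Z", "backup-job", "GetBlob", 800_000_000),
    ("2024-03-02T09:00:00Z", "backup-job", "GetBlob", 820_000_000),
    ("2024-03-03T09:00:00Z", "backup-job", "GetBlob", 790_000_000),
]

READ_OPS = {"GetBlob", "GetFile", "QueryEntities"}  # operations that move data out

def hourly_egress(records):
    """Sum bytes returned by read operations per (caller, hour) window."""
    buckets = defaultdict(int)
    for ts, caller, op, size in records:
        if op not in READ_OPS:
            continue  # uploads and metadata calls are not egress
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).strftime("%Y-%m-%dT%H")
        buckets[(caller, hour)] += size
    return buckets

def find_anomalous_egress(records, factor=10, floor_bytes=100_000_000):
    """Return (caller, hour, bytes) windows whose egress exceeds `factor` times the
    caller's median hourly egress and an absolute floor. Using the per-caller median
    keeps a principal with a large but steady volume (a backup job) from alerting,
    while a single spike barely moves the median it is compared against."""
    buckets = hourly_egress(records)
    per_caller = defaultdict(list)
    for (caller, _hour), size in buckets.items():
        per_caller[caller].append(size)
    alerts = []
    for (caller, hour), size in sorted(buckets.items()):
        baseline = median(per_caller[caller])
        if size > floor_bytes and size > factor * baseline:
            alerts.append((caller, hour, size))
    return alerts

if __name__ == "__main__":
    for caller, hour, size in find_anomalous_egress(RECORDS):
        print(f"ALERT {caller} {hour}: {size:,} bytes read")
```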

Responsibility: Shared

Customer Security Stakeholders (Learn more):

DP-4: Encrypt sensitive information in transit

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
DP-4 | 14.4 | SC-8

To complement access controls, data in transit should be protected against 'out of band' attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.

While this is optional for traffic on private networks, it is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers, should be disabled.

By default, Azure provides encryption for data in transit between Azure data centers.

Responsibility: Shared

Customer Security Stakeholders (Learn more):

DP-5: Encrypt sensitive data at rest

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
DP-5 | 14.8 | SC-28, SC-12

To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer-managed keys) for certain Azure services.
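The in-transit settings from DP-4 (HTTPS only, TLS 1.2 floor) and the optional at-rest hardening from DP-5 (customer-managed keys, additional encryption) can be audited from exported resource configuration. This is an added example, not code from the benchmark or Microsoft; the account records are constructed, and the field names (enableHttpsTrafficOnly, minimumTlsVersion, encryption.keySource, encryption.requireInfrastructureEncryption) are assumed to mirror the storage account properties shown by `az storage account show`.

```python
import json

# Constructed sample in the shape of `az storage account show` output (subset of
# fields); field names are assumed to mirror Azure storage account properties.
SAMPLE_ACCOUNTS = json.loads("""[
 {"name": "stprodsecure", "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
  "encryption": {"keySource": "Microsoft.Keyvault", "requireInfrastructureEncryption": true}},
 {"name": "stlegacyapp", "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
  "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false}},
 {"name": "stdevdata", "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_1",
  "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": null}}
]""")

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

def audit_account(acct, require_cmk=False):
    """Return (control, finding) tuples for one account.
    DP-4: plain HTTP must be refused and the TLS floor must be 1.2 or higher.
    DP-5: platform encryption is always on, so the checks cover the optional
    hardening the benchmark mentions: customer-managed keys (only when the data
    classification calls for them) and infrastructure (double) encryption."""
    findings = []
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("DP-4", "plain HTTP allowed; set enableHttpsTrafficOnly"))
    min_tls = acct.get("minimumTlsVersion", "TLS1_0")  # unset means the oldest floor
    if TLS_ORDER.get(min_tls, 0) < TLS_ORDER["TLS1_2"]:
        findings.append(("DP-4", f"minimumTlsVersion is {min_tls}; require TLS1_2 or higher"))
    enc = acct.get("encryption") or {}
    if require_cmk and enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(("DP-5", "platform-managed keys; configure customer-managed keys"))
    if not enc.get("requireInfrastructureEncryption"):  # null/false both fail
        findings.append(("DP-5", "infrastructure (double) encryption not enabled"))
    return findings

def audit(accounts, require_cmk=False):
    """Map account name to its findings, omitting compliant accounts."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, require_cmk)
        if findings:
            report[acct["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, require_cmk=True).items():
        for control, text in findings:
            print(f"{name}: [{control}] {text}")
```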

Responsibility: Shared

Customer Security Stakeholders (Learn more):