Security Control V2: Posture and Vulnerability Management

Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture. This includes vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources.

PV-1: Establish secure configurations for Azure services

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-1 | 5.1 | CM-2, CM-6

Define security guardrails for infrastructure and DevOps teams by making it easy to securely configure the Azure services they use.

Start your security configuration of Azure services with the service baselines in the Azure Security Benchmark and customize them as needed for your organization.

Use Azure Security Center to configure Azure Policy to audit and enforce configurations of your Azure resources.

You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.

Responsibility: Customer

Customer Security Stakeholders:

PV-2: Sustain secure configurations for Azure services

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-2 | 5.2 | CM-2, CM-6

Use Azure Security Center to monitor your configuration baseline, and use Azure Policy with the Deny and DeployIfNotExists effects to enforce secure configuration across Azure compute resources, including VMs, containers, and others. Deny rejects non-compliant writes at the Resource Manager layer; DeployIfNotExists adds the missing configuration (for example a diagnostic setting or an agent) after the resource is created.
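The following is an added example for PV-1 and PV-2, not code from the benchmark page: a custom Azure Policy definition with a parameterised Audit/Deny effect, assigned at subscription scope, followed by a compliance query. It assumes an authenticated Az PowerShell session (Connect-AzAccount) with the Az.Resources and Az.PolicyInsights modules; the subscription id, the names and the chosen setting (VMs must use managed disks) are illustrative placeholders.

```powershell
# Added example, not from the benchmark page. Placeholders: subscription id, names.
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'

# Policy rule: match VMs whose OS disk has no managed disk id and apply the
# parameterised effect. Roll out as Audit first, switch to Deny once clean.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id",
        "exists": "false" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect", "description": "Audit or Deny" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'vm-require-managed-disks' `
    -DisplayName 'Virtual machines must use managed disks' `
    -Policy $rule -Parameter $parameters -Mode 'All'

# Assign at subscription scope with the effect forced to Deny: from now on, any
# create/update of a VM without managed disks is rejected, whoever submits it.
New-AzPolicyAssignment -Name 'vm-require-managed-disks' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Deny' }

# Deny only blocks future writes; resources that already exist are merely
# reported as non-compliant. List them for remediation. Evaluation runs on a
# schedule; Start-AzPolicyComplianceScan triggers one on demand.
Get-AzPolicyState -PolicyAssignmentName 'vm-require-managed-disks' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, PolicyDefinitionAction
```

Parameterising the effect lets the same definition be assigned as Audit in one scope and Deny in another without duplicating it. A DeployIfNotExists definition follows the same shape but needs a managed identity on the assignment (it deploys resources on your behalf) and a remediation task (Start-AzPolicyRemediation) to fix resources that existed before the assignment.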

Responsibility: Customer

Customer Security Stakeholders:

PV-3: Establish secure configurations for compute resources

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-3 | 5.1 | CM-2, CM-6

Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources, including VMs, containers, and others. Additionally, you can use custom operating system images or Azure Automation State Configuration to establish the security configuration of the operating system required by your organization.

Responsibility: Customer

Customer Security Stakeholders:

PV-4: Sustain secure configurations for compute resources

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-4 | 5.2 | CM-2, CM-6

Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.
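An added example for PV-3 and PV-4 (not from the benchmark page): a small DSC configuration for a few OS settings, published to Azure Automation State Configuration and applied to a VM in ApplyAndAutoCorrect mode so that drift is reverted rather than only reported. The automation account, resource group, VM name and location are placeholders, and the three settings are illustrative baseline items, not a complete hardening baseline.

```powershell
# Added example, not from the benchmark page. Names and settings are placeholders.
Configuration WindowsServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Remove the SMBv1 server component rather than merely disabling it
        WindowsFeature Smb1Removed {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # Keep the Windows Update service enabled and running (PV-7 relies on it)
        Service WindowsUpdate {
            Name        = 'wuauserv'
            StartupType = 'Automatic'
            State       = 'Running'
        }
        # Require SMB signing on the server side
        Registry SmbServerSigning {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# Save the Configuration above on its own as .\WindowsServerBaseline.ps1 (the file
# name must match the configuration name), then publish and compile it.
$rg = 'rg-automation'; $aa = 'aa-config'   # assumed names
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -SourcePath '.\WindowsServerBaseline.ps1' -Published -Force
Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa `
    -ConfigurationName 'WindowsServerBaseline'

# Onboard a VM. ApplyAndAutoCorrect re-applies the configuration at every
# consistency check (15 minutes by default), so a manual change is reverted,
# not just flagged as in ApplyAndMonitor.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa `
    -AzureVMName 'vm-web-01' -AzureVMResourceGroup 'rg-web' -AzureVMLocation 'westeurope' `
    -NodeConfigurationName 'WindowsServerBaseline.localhost' `
    -ConfigurationMode 'ApplyAndAutoCorrect' -RebootNodeIfNeeded $true

# Sustain (PV-4): review node compliance over time; NotCompliant nodes need attention
Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa |
    Select-Object Name, Status, LastSeen
```

The configuration mode is the security-relevant choice: ApplyAndMonitor only reports drift, ApplyAndAutoCorrect enforces the baseline continuously. Pair the DSC baseline with a hardened custom image so that new VMs start compliant instead of being corrected after first boot.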

Also note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.

Azure Security Center can also scan container images for vulnerabilities and continuously monitor the Docker configuration of your container hosts against the CIS Docker Benchmark. Use the Azure Security Center recommendations page to view recommendations and remediate issues.

Responsibility: Shared

Customer Security Stakeholders:

PV-5: Securely store custom operating system and container images

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-5 | 5.3 | CM-2, CM-6

Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. With an Azure Shared Image Gallery you can share images with specific users, service principals, or Azure AD groups within your organization. Store container images in Azure Container Registry and use Azure RBAC to ensure that only authorized users and workloads have access.
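An added example for PV-5 (not from the benchmark page): least-privilege role assignments on a Shared Image Gallery and a container registry, scoped to the individual resource rather than the resource group. The subscription id, resource ids, group names and service principal names are placeholders; it assumes an authenticated Az session with permission to create role assignments on those scopes.

```powershell
# Added example, not from the benchmark page. All ids and names are placeholders.
$sub       = '00000000-0000-0000-0000-000000000000'
$galleryId = "/subscriptions/$sub/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/corpgallery"
$acrId     = "/subscriptions/$sub/resourceGroups/rg-images/providers/Microsoft.ContainerRegistry/registries/corpacr"

# Principals: people through groups, automation through service principals or managed identities
$imageBuilders = (Get-AzADGroup -DisplayName 'sg-image-builders').Id
$vmDeployers   = (Get-AzADGroup -DisplayName 'sg-vm-deployers').Id
$ciPipeline    = (Get-AzADServicePrincipal -DisplayName 'sp-ci-pipeline').Id
$clusterPull   = (Get-AzADServicePrincipal -DisplayName 'aks-prod-agentpool').Id

# Gallery: builders publish image versions; deployers only need Reader to create
# a VM from a version. Scope is the gallery itself, not the resource group.
New-AzRoleAssignment -ObjectId $imageBuilders -RoleDefinitionName 'Contributor' -Scope $galleryId
New-AzRoleAssignment -ObjectId $vmDeployers   -RoleDefinitionName 'Reader'      -Scope $galleryId

# Registry: the CI pipeline can push (AcrPush includes pull); the runtime
# identity that runs the containers can only pull.
New-AzRoleAssignment -ObjectId $ciPipeline  -RoleDefinitionName 'AcrPush' -Scope $acrId
New-AzRoleAssignment -ObjectId $clusterPull -RoleDefinitionName 'AcrPull' -Scope $acrId

# Review effective access, including assignments inherited from the resource
# group or subscription, which is where over-broad Contributor grants usually hide.
Get-AzRoleAssignment -Scope $acrId |
    Sort-Object Scope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Two caveats a reviewer would check: inherited assignments at a higher scope override the intent of the narrow ones above, so the review step matters as much as the grants; and the registry's built-in admin user account (a shared username/password) bypasses RBAC entirely and should stay disabled.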

Responsibility: Customer

Customer Security Stakeholders:

PV-6: Perform software vulnerability assessments

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-6 | 3.1, 3.2, 3.3, 3.6 | CA-2, RA-5

Follow the recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center provides a built-in vulnerability scanner for virtual machines.

Use a third-party solution for vulnerability assessments of network devices and web applications. When conducting remote (credentialed) scans, do not use a single, perpetual administrative account. Consider a just-in-time (JIT) provisioning approach for the scan account, so that it exists and holds privileges only for the duration of the scan. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

Export scan results at consistent intervals and compare them with previous scans to verify that vulnerabilities have actually been remediated rather than merely reported. When using the vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data.
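An added example for the export-and-compare step (not from the benchmark page): a function that diffs two scan exports keyed on asset plus finding id and separates remediated, new and persisting findings, with persisting Critical/High findings pulled out for escalation. The column layout (Asset, Id, Severity, Title) and the sample rows are constructed for the example; map them to your scanner's CSV export.

```powershell
# Added example, not from the benchmark page. Column names and sample data are constructed.
function Compare-ScanExport {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # A finding is the pair (asset, id): the same id on two hosts is two findings,
    # so fixing it on one host must not hide it on the other.
    $prevIndex = @{}
    foreach ($f in $Previous) { $prevIndex["$($f.Asset)|$($f.Id)"] = $f }
    $currIndex = @{}
    foreach ($f in $Current)  { $currIndex["$($f.Asset)|$($f.Id)"] = $f }

    [pscustomobject]@{
        Remediated = @($Previous | Where-Object { -not $currIndex.ContainsKey("$($_.Asset)|$($_.Id)") })
        New        = @($Current  | Where-Object { -not $prevIndex.ContainsKey("$($_.Asset)|$($_.Id)") })
        Persisting = @($Current  | Where-Object { $prevIndex.ContainsKey("$($_.Asset)|$($_.Id)") })
    }
}

# Constructed sample exports; in practice: Import-Csv .\scan-<date>.csv
$previous = @'
Asset,Id,Severity,Title
vm-web-01,PLUGIN-1001,High,Outdated TLS library
vm-web-01,PLUGIN-1002,Medium,Weak cipher suites enabled
vm-db-01,PLUGIN-1003,Critical,Unpatched database service
'@ | ConvertFrom-Csv

$current = @'
Asset,Id,Severity,Title
vm-web-01,PLUGIN-1002,Medium,Weak cipher suites enabled
vm-db-01,PLUGIN-1003,Critical,Unpatched database service
vm-db-01,PLUGIN-1004,High,Missing OS security update
'@ | ConvertFrom-Csv

$delta = Compare-ScanExport -Previous $previous -Current $current
"Remediated: $($delta.Remediated.Count)  New: $($delta.New.Count)  Persisting: $($delta.Persisting.Count)"

# Persisting Critical/High findings are the ones to measure against your remediation SLA
$delta.Persisting |
    Where-Object { $_.Severity -in 'Critical', 'High' } |
    Select-Object Asset, Id, Severity, Title
```

A finding that disappears from the export is only evidence of remediation if the asset was actually scanned again; if a host was offline or unreachable during the later scan its findings vanish too, so confirm the asset appears in the current export before counting its findings as remediated.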

Responsibility: Customer

Customer Security Stakeholders:

PV-7: Rapidly and automatically remediate software vulnerabilities

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-7 | 3.7 | CA-2, RA-5, SI-2

Rapidly deploy software updates to remediate vulnerabilities in operating systems and applications. Use a common risk scoring scheme (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and tailor the prioritization to your environment, taking into account which applications present a high security risk and which ones require high uptime.

Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update is enabled and set to update automatically.

For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.
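An added example for PV-7 (not from the benchmark page): an Update Management deployment that installs Critical and Security updates on Windows and Linux VMs in a weekly maintenance window, plus the query used to verify the runs. The automation account, resource group, subscription id and VM ids are placeholders, and it assumes the VMs are already onboarded to Update Management in that automation account.

```powershell
# Added example, not from the benchmark page. Names, ids and the window are placeholders.
$rg  = 'rg-automation'; $aa = 'aa-patching'
$sub = '00000000-0000-0000-0000-000000000000'
$windowsVms = @("/subscriptions/$sub/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01")
$linuxVms   = @("/subscriptions/$sub/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-api-01")

# First run: next Sunday 02:00 UTC (at least a day ahead; the service rejects
# start times less than five minutes in the future), then every week.
$daysAhead = (7 - [int](Get-Date).DayOfWeek) % 7
if ($daysAhead -eq 0) { $daysAhead = 7 }
$firstRun = (Get-Date).Date.AddDays($daysAhead).AddHours(2)

function New-WeeklyWindow([string] $Name) {
    New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa -Name $Name `
        -StartTime $firstRun -DaysOfWeek Sunday -WeekInterval 1 -TimeZone 'UTC'
}

# Windows: Critical + Security classifications only, two-hour window, reboot if a
# patch needs it. Each update configuration gets its own schedule object.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule (New-WeeklyWindow 'weekly-security-windows') -Windows `
    -AzureVMResourceId $windowsVms -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired

# Linux: same policy expressed as package classifications
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule (New-WeeklyWindow 'weekly-security-linux') -Linux `
    -AzureVMResourceId $linuxVms -IncludedPackageClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired

# Verify: runs that failed or left machines unpatched need follow-up, otherwise
# "automatic" patching silently stops being automatic.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $aa |
    Select-Object Name, StartTime, Status, ComputerCount, FailedCount
```

Limiting the deployment to Critical and Security classifications keeps the window short and predictable; other classifications can go in a separate, less frequent deployment. Azure Automation Update Management has since been retired in favour of Azure Update Manager, but the same design (classification filter, fixed window, reboot policy, run verification) carries over.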

Responsibility: Customer

Customer Security Stakeholders:

PV-8: Conduct regular attack simulation

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
PV-8 | 20 | CA-8, CA-2, RA-5

As required, conduct penetration testing or red team activities against your Azure resources and ensure that all critical findings are remediated. Follow the Microsoft Cloud Penetration Testing Rules of Engagement so that your tests do not violate Microsoft policies. Note that Microsoft also performs red teaming and live-site penetration testing against the cloud infrastructure, services, and applications it manages; its published strategy and execution for these activities can inform your own program, which is why this control is a shared responsibility.

Responsibility: Shared

Customer Security Stakeholders: