Azure operational security best practices

This article provides a set of operational best practices for protecting your data, applications, and other assets in Azure.

The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time, and this article is updated on a regular basis to reflect those changes.

Define and deploy strong operational security practices

Azure operational security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure. Azure operational security is built on a framework that incorporates the knowledge gained through capabilities that are unique to Microsoft, including the Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Manage and monitor user passwords

The following best practices relate to managing user passwords:

Best practice: Ensure you have the proper level of password protection in the cloud.
Detail: Follow the guidance in Microsoft Password Guidance, which is scoped to users of the Microsoft identity platforms (Azure Active Directory, Active Directory, and Microsoft account).

  • Detect potential vulnerabilities that affect your organization's identities
  • Configure automated responses to detected suspicious actions that are related to your organization's identities
  • Investigate suspicious incidents and take appropriate actions to resolve them

Receive incident notifications from Microsoft

Be sure your security operations team receives Azure incident notifications from Microsoft. An incident notification lets your security team know that Azure resources of yours have been compromised, so they can quickly respond to and remediate potential security risks.

In the Azure enrollment portal, make sure the admin contact information includes details that reach security operations. Contact information is an email address and phone number.

Organize Azure subscriptions into management groups

If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope that's above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

You can build a flexible structure of management groups and subscriptions in a directory. Each directory is given a single top-level management group called the root management group. This root management group is built into the hierarchy so that all management groups and subscriptions fold up to it. The root management group allows global policies and RBAC assignments to be applied at the directory level.

Here are some best practices for using management groups:

Best practice: Ensure that new subscriptions apply governance elements like policies and permissions as they are added.
Detail: Use the root management group to assign enterprise-wide security elements that apply to all Azure assets. Policies and permissions are examples of such elements.

Best practice: Align the top levels of management groups with your segmentation strategy to provide a point for control and policy consistency within each segment.
Detail: Create a single management group for each segment under the root management group. Don't create any other management groups under the root.

Best practice: Limit management group depth to avoid confusion that hampers both operations and security.
Detail: Limit your hierarchy to three levels, including the root.

Best practice: Carefully select which items to apply to the entire enterprise with the root management group.
Detail: Ensure root management group elements have a clear need to be applied across every resource and that they're low impact.

Good candidates include:

  • Regulatory requirements that have a clear business impact (for example, restrictions related to data sovereignty)
  • Requirements with near-zero potential negative effect on operations, like policies with the audit effect or RBAC permission assignments that have been carefully reviewed

Best practice: Carefully plan and test all enterprise-wide changes on the root management group before applying them (policy, RBAC model, and so on).
Detail: Changes in the root management group can affect every resource on Azure. While they provide a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively affect production operations. Test all changes to the root management group in a test lab or production pilot.
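The following is an added example (not code from the article or from Azure) that checks a planned hierarchy against the management-group practices above: inheritance from the root, the three-level depth limit, and the rule that root-level items must be low impact. The hierarchy model and sample group names are constructed for the example.

```python
# Checks a planned management-group hierarchy against the guidance above.
# Constructed model, not the Azure API: groups map name -> (parent, assignments);
# an assignment is (name, kind, effect_or_reviewed).
MAX_DEPTH = 3                                        # levels including root
LOW_IMPACT_EFFECTS = {"Audit", "AuditIfNotExists"}   # safe for the root group

def depth(groups, name):
    """Levels from the root (depth 1) down to this group."""
    d = 1
    while groups[name][0] is not None:
        name, d = groups[name][0], d + 1
    return d

def effective_assignments(groups, name):
    """Assignment names a group inherits along its chain up to the root."""
    chain = []
    while name is not None:
        parent, assignments = groups[name]
        chain = [a[0] for a in assignments] + chain
        name = parent
    return chain

def findings(groups):
    """Violations of the best practices above, as readable strings."""
    roots = [n for n, (parent, _) in groups.items() if parent is None]
    if len(roots) != 1:
        return ["exactly one root management group expected"]
    out = [f"{n}: deeper than {MAX_DEPTH} levels"
           for n in groups if depth(groups, n) > MAX_DEPTH]
    for name, kind, detail in groups[roots[0]][1]:   # root items: low impact only
        if kind == "policy" and detail not in LOW_IMPACT_EFFECTS:
            out.append(f"root policy '{name}' uses high-impact effect {detail}")
        if kind == "rbac" and detail is not True:    # detail = reviewed flag
            out.append(f"root RBAC assignment '{name}' has not been reviewed")
    return out

# Constructed hierarchy: root -> segments -> one branch that goes too deep.
SAMPLE = {
    "root": (None, [("sovereignty-audit", "policy", "Audit"),
                    ("deny-public-ip", "policy", "Deny"),
                    ("sec-reader", "rbac", True)]),
    "corp": ("root", []),
    "online": ("root", [("online-baseline", "policy", "Deny")]),
    "online-eu": ("online", []),
    "online-eu-dev": ("online-eu", []),
}
```

Running `findings(SAMPLE)` reports the over-deep branch and the deny-effect policy placed on the root, while `effective_assignments` shows what any group inherits.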

Monitor storage services for unexpected changes in behavior

Diagnosing and troubleshooting issues in a distributed application hosted in a cloud environment can be more complex than it is in traditional environments. Applications can be deployed in a PaaS or IaaS infrastructure, on-premises, on a mobile device, or in some combination of these environments. Your application's network traffic might traverse public and private networks, and your application might use multiple storage technologies.

You should continuously monitor the storage services that your application uses for any unexpected changes in behavior (such as slower response times). Use logging to collect more detailed data and to analyze a problem in depth. The diagnostics information that you obtain from both monitoring and logging helps you determine the root cause of the issue that your application encountered. Then you can troubleshoot the issue and determine the appropriate steps to remediate it.

Azure Storage Analytics performs logging and provides metrics data for an Azure storage account. We recommend that you use this data to trace requests, analyze usage trends, and diagnose issues with your storage account.

Prevent, detect, and respond to threats

Azure Security Center helps you prevent, detect, and respond to threats by providing increased visibility into (and control over) the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with various security solutions.

The Free tier of Security Center offers limited security for only your Azure resources. The Standard tier extends these capabilities to on-premises and other clouds. Security Center Standard helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats by using analytics and intelligence, and respond quickly when under attack. You can try Security Center Standard at no cost for the first 60 days. We recommend that you upgrade your Azure subscription to Security Center Standard.

Use Security Center to get a central view of the security state of all your Azure resources. At a glance, verify that the appropriate security controls are in place and configured correctly, and quickly identify any resources that need attention.

Security Center also integrates with Microsoft Defender Advanced Threat Protection (ATP), which provides comprehensive Endpoint Detection and Response (EDR) capabilities. With Microsoft Defender ATP integration, you can spot abnormalities. You can also detect and respond to advanced attacks on server endpoints monitored by Security Center.

Almost all enterprise organizations have a security information and event management (SIEM) system to help identify emerging threats by consolidating log information from diverse signal-gathering devices. The logs are then analyzed by a data analytics system to help identify what's "interesting" from the noise that is inevitable in all log gathering and analytics solutions.

Here are some best practices for preventing, detecting, and responding to threats:

Best practice: Find the most serious security vulnerabilities so you can prioritize investigation.
Detail: Review your Azure secure score to see the recommendations resulting from the Azure policies and initiatives built into Azure Security Center. These recommendations help address top risks like missing security updates, endpoint protection, encryption, security configurations, a missing WAF, internet-connected VMs, and many more.

The secure score, which is based on Center for Internet Security (CIS) controls, lets you benchmark your organization's Azure security against external sources. External validation helps validate and enrich your team's security strategy.

Best practice: Monitor the security posture of machines, networks, storage and data services, and applications to discover and prioritize potential security issues.
Detail: Follow the security recommendations in Security Center, starting with the highest-priority items.

Best practice: Integrate Azure logs with your SIEM.
Detail: Use Azure Monitor to gather and export data. This practice is critical for enabling security incident investigation, because online log retention is limited.

Best practice: Speed up your investigation and hunting processes and reduce false positives by integrating Endpoint Detection and Response (EDR) capabilities into your attack investigation.
Detail: Enable Microsoft Defender ATP integration via your Security Center security policy. Consider using Azure Sentinel for threat hunting and incident response.

Use end-to-end, scenario-based network monitoring

Customers build an end-to-end network in Azure by combining network resources like a virtual network, ExpressRoute, Application Gateway, and load balancers. Monitoring is available for each of these network resources.

Azure Network Watcher is a regional service. Use its diagnostic and visualization tools to monitor and diagnose conditions at a network scenario level in, to, and from Azure.

The following are best practices for network monitoring and the available tools.

Best practice: Automate remote network monitoring with packet capture.
Detail: Monitor and diagnose networking issues without logging in to your VMs by using Network Watcher. Trigger packet capture by setting alerts, and gain access to real-time performance information at the packet level. When you see an issue, you can investigate in detail for better diagnoses.

Best practice: Gain insight into your network traffic by using flow logs.
Detail: Build a deeper understanding of your network traffic patterns by using network security group flow logs. Information in flow logs helps you gather data for compliance, auditing, and monitoring your network security profile.
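As an added example (not code from the article or from Network Watcher) of the flow-log review described above, the block below parses NSG flow log records and summarizes which sources were denied inbound and which ports were actually allowed. The records are constructed for the example and assume the version 2 flow-tuple layout.

```python
# Summarizes denied inbound flows from NSG flow log records, the kind of
# review the guidance above describes. Sample records are constructed and use
# the version 2 flow-tuple layout (assumed here): time,srcIp,dstIp,srcPort,
# dstPort,protocol,direction,decision,state,pktsS2D,bytesS2D,pktsD2S,bytesD2S.
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1714557600,203.0.113.7,10.0.1.4,51000,22,T,I,D,B,,,,",
             "1714557601,203.0.113.7,10.0.1.4,51001,3389,T,I,D,B,,,,",
             "1714557602,198.51.100.9,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1714557603,192.0.2.5,10.0.1.4,44000,443,T,I,A,B,,,,"]}]}]}}]})

def parse_tuples(raw):
    """Yields (rule, src_ip, dst_ip, dst_port, direction, decision) per flow."""
    for rec in json.loads(raw)["records"]:
        for rule in rec["properties"]["flows"]:
            for f in rule["flows"]:
                for t in f["flowTuples"]:
                    p = t.split(",")
                    yield rule["rule"], p[1], p[2], int(p[4]), p[6], p[7]

def denied_inbound_by_source(raw):
    """Counts denied inbound flows per (source IP, destination port); a quick
    way to see which sources keep hitting closed management ports."""
    counts = Counter()
    for _rule, src, _dst, port, direction, decision in parse_tuples(raw):
        if direction == "I" and decision == "D":
            counts[(src, port)] += 1
    return counts

def allowed_ports(raw):
    """Destination ports that were actually allowed inbound, for comparing
    the observed security profile with the intended NSG configuration."""
    return sorted({port for _r, _s, _d, port, direction, decision in parse_tuples(raw)
                   if direction == "I" and decision == "A"})
```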

Best practice: Diagnose VPN connectivity issues.
Detail: Use Network Watcher to diagnose your most common VPN Gateway and connection issues. You can not only identify the issue but also use detailed logs to investigate further.

Enable Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.

Enable Azure Policy to monitor and enforce your organization's written policy. This ensures compliance with your company or regulatory security requirements by centrally managing security policies across your hybrid cloud workloads. Learn how to create and manage policies to enforce compliance. See Azure Policy definition structure for an overview of the elements of a policy.

Here are some security best practices to follow after you adopt Azure Policy:

Best practice: Azure Policy supports several types of effects. You can read about them in Azure Policy definition structure. Business operations can be negatively affected by the deny effect and the remediate effect, so start with the audit effect to limit the risk of negative impact from policy.
Detail: Start policy deployments in audit mode and then progress to deny or remediate. Test and review the results of the audit effect before you move to deny or remediate.

For more information, see Create and manage policies to enforce compliance.
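The following added example (not code from the article or from Azure Policy's own engine) simulates the audit-first rollout described above: the same definition, with its effect parameterized, is evaluated against constructed deployment requests first as Audit and then as Deny, and a gate promotes it to Deny only once nothing is still flagged. The policy definition, resource records and evaluation logic are constructed for the example.

```python
# Simulates how the assigned effect changes the outcome for a non-compliant
# resource. Constructed local model, not Azure's evaluation engine; the rule
# follows the Azure Policy definition structure (if/then, parameterized effect).
# Constructed definition: storage accounts must allow HTTPS traffic only.
POLICY = {"properties": {
    "parameters": {"effect": {"type": "String",
                              "allowedValues": ["Audit", "Deny"],
                              "defaultValue": "Audit"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": "false"}]},
        "then": {"effect": "[parameters('effect')]"}}}}

def matches(condition, resource):
    """Evaluates the subset of the rule grammar used above (allOf/field/equals)."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    value = resource.get(condition["field"])
    return str(value).lower() == str(condition["equals"]).lower()

def evaluate(policy, resources, effect):
    """Outcome per resource for one effect: Audit records non-compliance but
    lets the deployment through; Deny blocks the non-compliant request."""
    rule = policy["properties"]["policyRule"]
    outcomes = {}
    for r in resources:
        if not matches(rule["if"], r):
            outcomes[r["name"]] = "compliant"
        elif effect == "Audit":
            outcomes[r["name"]] = "deployed, flagged non-compliant"
        else:
            outcomes[r["name"]] = "request denied"
    return outcomes

def ready_for_deny(policy, resources):
    """Rollout gate from the guidance above: switch the parameter to Deny
    only after the audit results have been reviewed and nothing is still flagged."""
    audit = evaluate(policy, resources, "Audit")
    return not any(v.startswith("deployed, flagged") for v in audit.values())

SAMPLE_RESOURCES = [  # constructed deployment requests
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines"},
]
```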

Best practice: Identify the roles responsible for monitoring for policy violations and ensuring that the right remediation action is taken quickly.
Detail: Have the assigned role monitor compliance through the Azure portal or via the command line.

Best practice: Azure Policy is a technical representation of an organization's written policies. Map all Azure policies to organizational policies to reduce confusion and increase consistency.
Detail: Document the mapping in your organization's documentation or in the Azure Policy definition itself by adding a reference to the organizational policy in the Azure Policy definition or the Azure Policy initiative description.

The following resources provide more general information about Azure security and related Microsoft services: