Azure security baseline for Service Fabric

The Azure Security Baseline for Service Fabric contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network security

For more information, see Security control: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Use Azure Security Center and remediate network protection recommendations for the virtual network, subnet, and network security group being used to secure your Azure Service Fabric cluster. Enable network security group (NSG) flow logs and send the logs to an Azure Storage Account for traffic auditing. You may also send NSG flow logs to an Azure Log Analytics Workspace and use Azure Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Azure Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Provide a front-end gateway that serves as a single point of ingress for users, devices, or other applications. Azure API Management integrates directly with Service Fabric, allowing you to secure access to back-end services, prevent DoS attacks by using throttling, and verify API keys, JWT tokens, certificates, and other credentials.

Consider deploying Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable Diagnostic Settings for WAF and ingest the logs into a Storage Account, Event Hub, or Log Analytics Workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.4: Deny communications with known malicious IP addresses

Guidance: For protection from DDoS attacks, enable Azure DDoS Protection Standard on the virtual network where your Azure Service Fabric cluster is deployed. Use Azure Security Center integrated threat intelligence to deny communications with known malicious or unused Internet IP addresses.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets

Guidance: Enable network security group (NSG) flow logs for the NSG attached to the subnet being used to protect your Azure Service Fabric cluster. Record the NSG flow logs in an Azure Storage Account to generate flow records. If required for investigating anomalous activity, enable Azure Network Watcher packet capture.

Azure Security Center monitoring: Yes

Responsibility: Customer
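An added example for controls 1.2 and 1.5 (not Microsoft's code): a parser for the NSG flow log version 2 records that land in the storage account, plus a detection pass that flags sources whose inbound traffic was denied on several different ports by the default inbound rule. The flow log record below is constructed, and its addresses, MAC, system ID and resource ID are placeholders.

```python
"""Parse NSG flow log (version 2) records and flag denied-inbound port probing.

Added example for this baseline, not Microsoft's code. SAMPLE_FLOW_LOG is a
constructed record in the NSG flow log v2 JSON layout; the addresses, MAC,
system ID and resource ID are placeholders.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2020-06-01T10:00:00.0000000Z",
        "systemId": "00000000-0000-0000-0000-000000000000",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<SUBSCRIPTION-ID>/RESOURCEGROUPS/SF-RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SF-NSG",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_AllowClientEndpoint",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     # begin (B) and end (E) records of one allowed TCP session
                     "1590998400,203.0.113.10,10.0.0.4,51000,19000,T,I,A,B,,,,",
                     "1590998410,203.0.113.10,10.0.0.4,51000,19000,T,I,A,E,12,3400,10,2200",
                 ]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     # one source denied on four different ports within seconds
                     "1590998401,198.51.100.7,10.0.0.4,40001,3389,T,I,D,B,,,,",
                     "1590998402,198.51.100.7,10.0.0.4,40002,22,T,I,D,B,,,,",
                     "1590998403,198.51.100.7,10.0.0.4,40003,19080,T,I,D,B,,,,",
                     "1590998404,198.51.100.7,10.0.0.4,40004,445,T,I,D,B,,,,",
                 ]}]},
            ],
        },
    }]
})


@dataclass(frozen=True)
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # "T" = TCP, "U" = UDP
    direction: str  # "I" = inbound, "O" = outbound
    decision: str   # "A" = allowed, "D" = denied
    state: str      # "B" = begin, "C" = continuing, "E" = end
    rule: str       # NSG rule that made the decision
    bytes_in: int   # bytes source -> destination (0 until counters are reported)
    bytes_out: int  # bytes destination -> source


def parse_flow_tuple(tuple_str, rule):
    """Split one v2 flow tuple (13 comma-separated fields) into a Flow."""
    f = tuple_str.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in a v2 flow tuple, got {len(f)}: {tuple_str}")
    # the packet/byte counters are empty on the 'B' (begin) record
    counters = [int(x) if x else 0 for x in f[9:13]]
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                rule, counters[1], counters[3])


def parse_flow_log(raw_json):
    """Flatten every record / rule / NIC of a flow log document into Flow objects."""
    flows = []
    for record in json.loads(raw_json).get("records", []):
        props = record.get("properties", {})
        if props.get("Version") != 2:
            raise ValueError("this parser handles NSG flow log version 2 only")
        for rule_block in props.get("flows", []):
            for nic in rule_block.get("flows", []):
                for tup in nic.get("flowTuples", []):
                    flows.append(parse_flow_tuple(tup, rule_block["rule"]))
    return flows


def port_scan_candidates(flows, min_ports=3):
    """Sources whose inbound traffic was denied on at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for fl in flows:
        if fl.direction == "I" and fl.decision == "D":
            ports_by_src[fl.src_ip].add(fl.dst_port)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def denied_by_rule(flows):
    """Number of denied flows per NSG rule (useful when tuning the rule set)."""
    return Counter(fl.rule for fl in flows if fl.decision == "D")


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(parsed)} flow tuples; denied per rule: {dict(denied_by_rule(parsed))}")
    for src, n in port_scan_candidates(parsed).items():
        print(f"possible port probe from {src}: denied on {n} distinct ports")
```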

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. If intrusion detection and/or prevention based on payload inspection is not a requirement, Azure Firewall with Threat Intelligence can be used. Azure Firewall threat intelligence-based filtering can alert on and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Deploy Azure Application Gateway for web applications with HTTPS/SSL enabled using trusted certificates.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use virtual network service tags to define network access controls on the network security groups (NSGs) attached to the subnet your Azure Service Fabric cluster is deployed in. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources related to your Azure Service Fabric cluster. Use Azure Policy aliases in the "Microsoft.ServiceFabric" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your Azure Service Fabric cluster.

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, RBAC controls, and policies, in a single blueprint definition. Blueprints can easily be applied to new subscriptions and environments, and control and management can be fine-tuned through versioning.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
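An added example for control 1.9 (not code from Microsoft or the baseline): the cluster properties a custom Azure Policy definition would audit through Microsoft.ServiceFabric aliases, checked locally over the cluster's ARM resource JSON before deployment. Both cluster resources are constructed, and the alias name mentioned in a comment is assumed from the built-in definition rather than taken from this page.

```python
"""Audit a Service Fabric cluster resource (ARM JSON) for baseline security settings.

Added example for this baseline, not Microsoft's code: the properties a custom
Azure Policy definition would audit through Microsoft.ServiceFabric aliases,
checked locally. Both resources are constructed; IDs, thumbprints and host
names are placeholders.
"""
from dataclasses import dataclass

SECURE_CLUSTER = {
    "type": "Microsoft.ServiceFabric/clusters",
    "name": "sf-prod",
    "properties": {
        "managementEndpoint": "https://sf-prod.<region>.cloudapp.azure.com:19080",
        "certificate": {"thumbprint": "<CLUSTER-CERT-THUMBPRINT>", "x509StoreName": "My"},
        "azureActiveDirectory": {"tenantId": "<TENANT-ID>",
                                 "clusterApplication": "<CLUSTER-APP-ID>",
                                 "clientApplication": "<CLIENT-APP-ID>"},
        "fabricSettings": [{"name": "Security", "parameters": [
            {"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}],
    },
}

# Same shape, but no certificate, no Azure AD, unsigned and unencrypted
# node-to-node traffic, and an HTTP management endpoint.
UNSECURED_CLUSTER = {
    "type": "Microsoft.ServiceFabric/clusters",
    "name": "sf-dev",
    "properties": {
        "managementEndpoint": "http://sf-dev.<region>.cloudapp.azure.com:19080",
        "fabricSettings": [{"name": "Security", "parameters": [
            {"name": "ClusterProtectionLevel", "value": "None"}]}],
    },
}


@dataclass(frozen=True)
class Finding:
    check: str
    message: str


def security_parameter(props, parameter):
    """Value of one parameter in the 'Security' section of fabricSettings, or None."""
    for section in props.get("fabricSettings", []):
        if section.get("name") == "Security":
            for p in section.get("parameters", []):
                if p.get("name") == parameter:
                    return p.get("value")
    return None


def audit_cluster(resource):
    """Return the baseline findings for one Microsoft.ServiceFabric/clusters resource."""
    if resource.get("type") != "Microsoft.ServiceFabric/clusters":
        raise ValueError("not a Microsoft.ServiceFabric/clusters resource")
    props = resource.get("properties", {})
    findings = []

    # Without a cluster certificate the cluster is unsecured: node-to-node and
    # client-to-node traffic is neither authenticated nor encrypted.
    if not (props.get("certificate") or {}).get("thumbprint"):
        findings.append(Finding("no-cluster-certificate",
                                "no cluster certificate configured; the cluster is unsecured"))

    # Control 3.9: client authentication to the management endpoint through Azure AD.
    # Alias assumed from the built-in policy definition:
    #   Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId
    if not (props.get("azureActiveDirectory") or {}).get("tenantId"):
        findings.append(Finding("aad-not-configured",
                                "azureActiveDirectory.tenantId is missing; client "
                                "authentication is not integrated with Azure AD"))

    # Node-to-node traffic should be both encrypted and signed.
    level = security_parameter(props, "ClusterProtectionLevel")
    if level != "EncryptAndSign":
        findings.append(Finding("protection-level",
                                f"ClusterProtectionLevel is {level!r}; expected 'EncryptAndSign'"))

    # The management endpoint must be reachable over HTTPS only.
    endpoint = props.get("managementEndpoint", "")
    if not endpoint.lower().startswith("https://"):
        findings.append(Finding("management-endpoint-not-https",
                                f"managementEndpoint {endpoint!r} is not HTTPS"))
    return findings


if __name__ == "__main__":
    for cluster in (SECURE_CLUSTER, UNSECURED_CLUSTER):
        result = audit_cluster(cluster)
        status = "compliant" if not result else f"{len(result)} finding(s)"
        print(f"{cluster['name']}: {status}")
        for finding in result:
            print(f"  [{finding.check}] {finding.message}")
```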

1.10: Document traffic configuration rules

Guidance: Use tags for network security groups (NSGs) and other resources related to network security and traffic flow that are associated with your Azure Service Fabric cluster. For individual NSG rules, use the "Description" field to record the business need and/or duration (and similar details) for any rule that allows traffic to or from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or the Azure command-line interface (CLI) to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
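An added example for controls 1.8 and 1.10 (not Microsoft's code): a linter over an NSG's securityRules that flags inbound allow rules open to any source, literal address ranges where a service tag might apply, and rules whose Description field is empty. The NSG, its rule names and its address ranges are constructed.

```python
"""Lint NSG security rules for the practices in controls 1.8 and 1.10.

Added example for this baseline, not Microsoft's code. SAMPLE_NSG is a
constructed network security group in the ARM securityRules shape; rule
names and address ranges are placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Source values that mean "anyone on the Internet" in an inbound allow rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

SAMPLE_NSG = {"name": "sf-nsg", "properties": {"securityRules": [
    {"name": "AllowApimToGateway", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "ApiManagement", "sourcePortRange": "*",
        "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "8080",
        "description": "API Management front end to the app listener; owner app-team"}},
    {"name": "AllowLbProbes", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "AzureLoadBalancer", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "*",
        "description": "Health probes from the Azure load balancer"}},
    {"name": "AllowRdpFromAnywhere", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "AllowClientFromOffice", "properties": {
        "priority": 210, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "19000"}},
]}}


@dataclass(frozen=True)
class Finding:
    rule: str
    check: str
    message: str


def classify_prefix(prefix):
    """'any' for Internet-wide sources, 'address' for an IP/CIDR, 'tag' for a service tag."""
    if prefix in ANY_SOURCE:
        return "any"
    try:
        ipaddress.ip_network(prefix, strict=False)
        return "address"
    except ValueError:
        return "tag"


def source_prefixes(props):
    """A rule carries either one sourceAddressPrefix or a sourceAddressPrefixes list."""
    single = props.get("sourceAddressPrefix")
    return [single] if single else list(props.get("sourceAddressPrefixes", []))


def audit_nsg(nsg):
    """Return one Finding per problem found in the NSG's security rules."""
    findings = []
    for rule in nsg["properties"]["securityRules"]:
        name, props = rule["name"], rule["properties"]
        inbound_allow = props.get("direction") == "Inbound" and props.get("access") == "Allow"
        ports = props.get("destinationPortRange", "*")
        for prefix in source_prefixes(props):
            kind = classify_prefix(prefix)
            if inbound_allow and kind == "any":
                findings.append(Finding(name, "open-to-any-source",
                    f"allows inbound {props.get('protocol')} to port(s) {ports} from {prefix}"))
            elif inbound_allow and kind == "address":
                findings.append(Finding(name, "literal-address-prefix",
                    f"source {prefix} is a literal address range; prefer a service tag "
                    "if this traffic comes from an Azure service (control 1.8)"))
        # Control 1.10: every rule should state its business need and/or duration.
        if not props.get("description", "").strip():
            findings.append(Finding(name, "missing-description",
                "Description does not record the business need or duration (control 1.10)"))
    return findings


if __name__ == "__main__":
    for finding in audit_nsg(SAMPLE_NSG):
        print(f"{finding.rule}: [{finding.check}] {finding.message}")
```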

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to network resources related to your Azure Service Fabric deployments. Create alerts within Azure Monitor that trigger when changes to critical network resources take place.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Azure maintains time sources for Azure Service Fabric cluster components; you may update time synchronization for your compute deployments.

Azure Security Center monitoring: Currently not available

Responsibility: Azure

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Monitor for the Service Fabric cluster and direct it to a Log Analytics workspace. This will log relevant cluster information and OS metrics for all Azure Service Fabric cluster nodes.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Onboard the Azure Service Fabric cluster to Azure Monitor. Ensure that the Log Analytics workspace used has its log retention period set according to your organization's compliance regulations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: Onboard the Azure Service Fabric cluster to Azure Monitor. Ensure that the Log Analytics workspace used has its log retention period set according to your organization's compliance regulations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Use Azure Log Analytics workspace queries to query Azure Service Fabric logs.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Use an Azure Log Analytics workspace for monitoring and alerting on anomalous activities in security logs and events related to your Azure Service Fabric cluster.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: By default, Windows Defender is installed on Windows Server 2016. Refer to your antimalware documentation for configuration rules if you are not using Windows Defender. Windows Defender is not supported on Linux.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.9: Enable DNS query logging

Guidance: Implement a third-party solution for DNS logging.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.10: Enable command-line audit logging

Guidance: Manually configure console logging on a per-node basis.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and access control

For more information, see Security control: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain a record of the local administrative account that is created during provisioning of the Azure Service Fabric cluster, as well as any other accounts you create. In addition, if Azure AD integration is used, Azure AD has built-in roles that must be explicitly assigned and are therefore queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

In addition, you may use Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: When provisioning a cluster, Azure requires you to create new passwords for the web portal. There are no default passwords to change; however, you can specify different passwords for web portal access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Integrate authentication for Azure Service Fabric with Azure Active Directory. Create policies and procedures around the use of dedicated administrative accounts.

In addition, you may use Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with multi-factor authentication (MFA) configured to log into and configure your Azure Service Fabric clusters and related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (AD) Privileged Identity Management (PIM) to generate logs and alerts when suspicious or unsafe activity occurs in the environment. In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AAD) as the central authentication and authorization system to secure access to the management endpoints of Azure Service Fabric clusters. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Use Azure Active Directory (AAD) authentication with your Azure Service Fabric cluster. AAD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags on resources related to your Azure Service Fabric cluster deployments to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by VNet/subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For virtual machines storing or processing sensitive data, implement policies and procedures to turn them off when not in use.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.

Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Not applicable; this recommendation is intended for non-compute resources designed to store data.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.7: Use host-based data loss prevention to enforce access control

Guidance: For Azure Service Fabric clusters storing or processing sensitive information, mark the cluster and related resources as sensitive using tags. Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.8: Encrypt sensitive information at rest

Guidance: Use encryption at rest on all Azure resources. Azure recommends allowing Azure to manage your encryption keys; however, there is the option for you to manage your own keys in some instances.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Vulnerability management

For more information, see Security control: Vulnerability management.

5.1: Run automated vulnerability scanning tools

Guidance: Regularly run the Service Fabric Fault Analysis Service and Chaos services to simulate faults throughout the cluster to assess the robustness and reliability of your services.

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines and container images.

Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Enable automatic OS image upgrades on the virtual machine scale sets of your Azure Service Fabric cluster.

Alternately, to test OS patches before going to production, use the manual trigger for OS image upgrades of your scale set. Note that the manual trigger option doesn't provide built-in rollback. Monitor OS patches using Update Management from Azure Automation.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.3: Deploy automated patch management solution for third-party software titles

Guidance: Enable automatic OS image upgrades on the virtual machine scale sets of your Azure Service Fabric cluster. Patch Orchestration Application (POA) is an alternative solution that is intended for Service Fabric clusters hosted outside of Azure. POA can be used with Azure clusters, with some additional hosting overhead.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.4: Compare back-to-back vulnerability scans

Guidance: Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using the vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

库存和资产管理Inventory and asset management

有关详细信息,请参阅安全控制:清单和资产管理For more information, see Security control: Inventory and asset management.

6.1:使用自动化资产发现解决方案6.1: Use automated asset discovery solution

指导:使用 Azure Resource Graph 查询/发现订阅中的所有资源(例如计算、存储、网络、端口和协议等)。Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols etc.) within your subscription(s). 确保租户中具有适当的(读取)权限,并枚举所有 Azure 订阅以及订阅中的资源。Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

尽管可以通过 Resource Graph 发现经典 Azure 资源,但我们强烈建议你今后还是创建并使用 Azure 资源管理器资源。Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.2:维护资产元数据6.2: Maintain asset metadata

指导:将标记应用于 Azure 资源,从而将元数据按逻辑组织到分类中。Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.3:删除未经授权的 Azure 资源6.3: Delete unauthorized Azure resources

指导:在适用的情况下,请使用标记、管理组和单独的订阅来组织和跟踪资产。Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. 定期核对清单,确保及时地从订阅中删除未经授权的资源。Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.4:定义并维护已批准的 Azure 资源的清单6.4: Define and maintain inventory of approved Azure resources

指导:为计算资源定义已批准的 Azure 资源和软件。Guidance: Define approved Azure resources and approved software for compute resources.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.5:监视未批准的 Azure 资源6.5: Monitor for unapproved Azure resources

指南:在 Azure Policy 中使用以下内置策略定义,对可以在客户订阅中创建的资源类型施加限制:Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:

不允许的资源类型Not allowed resource types

允许的资源类型Allowed resource types

使用 Azure Resource Graph 查询/发现订阅中的资源。Use Azure Resource Graph to query/discover resources within your subscription(s). 确保环境中存在的所有 Azure 资源已获得批准。Ensure that all Azure resources present in the environment are approved.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Implement a third-party solution to monitor cluster nodes for unapproved software applications.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.7: Remove unapproved Azure resources and software applications

Guidance: Use Azure Resource Graph to query and discover all resources (compute, storage, network, ports, protocols, and so on), including Azure Service Fabric clusters, within your subscription(s). Remove any unapproved Azure resources that you discover. For Azure Service Fabric cluster nodes, implement a third-party solution to remove, or alert on, unapproved software.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.8: Use only approved applications

Guidance: For Azure Service Fabric cluster nodes, implement a third-party solution to prevent unauthorized software from executing.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to restrict which services can be provisioned in your environment.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.10: Maintain an inventory of approved software titles

Guidance: For Azure Service Fabric cluster nodes, implement a third-party solution to prevent unauthorized file types from executing.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" cloud app. Scope the policy carefully: it blocks the Azure portal, Azure CLI, Azure PowerShell and any other client that calls Azure Resource Manager, so exclude the accounts that legitimately administer the cluster.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Use operating-system-specific configuration or third-party tooling to limit users' ability to execute scripts within Azure compute resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.13: Physically or logically segregate high risk applications

Guidance: Software that is required for business operations but may carry higher risk for the organization should be isolated in its own virtual machine and/or virtual network and adequately protected with an Azure Firewall or a Network Security Group.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Secure configuration

For more information, see Security control: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.ServiceFabric" namespace to create custom policies that audit or enforce the network configuration of your Service Fabric cluster.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Azure Service Fabric operating system images are managed and maintained by Microsoft. The customer is responsible for implementing secure configurations for the cluster nodes' operating system.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy "deny" and "deployIfNotExists" effects to enforce secure settings for your Azure Service Fabric clusters and related resources. "deny" blocks a non-compliant create or update at deployment time; "deployIfNotExists" remediates resources that already exist, so use both: one to stop drift being introduced, the other to correct what is already deployed.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
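The following Python script is an added example for controls 6.5, 7.1 and 7.3; it is not part of this baseline and not Microsoft's policy engine. It models the small subset of the Azure Policy rule language (field, equals, in, exists, not, allOf, anyOf and "[parameters()]" references) needed to express the "Allowed resource types" rule and a custom check on a "Microsoft.ServiceFabric" alias, and evaluates a constructed resource inventory against both. The alias name "Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId", the alias-to-property mapping, and the sample resources are assumptions made for the example.

```python
"""Minimal Azure Policy rule evaluator (added example; not Microsoft code and
not the real policy engine). Supports field/equals/in/exists, not, allOf,
anyOf and [parameters()] references: enough to express an allow-list of
resource types (control 6.5) and a custom Microsoft.ServiceFabric alias
check (controls 7.1 and 7.3) and run them over a sample inventory."""
from __future__ import annotations

import re
from typing import Any

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Same shape as the built-in "Allowed resource types" definition: a resource
# whose type is outside the parameter list is denied.
ALLOWED_TYPES_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}

# Custom rule on a Microsoft.ServiceFabric alias: deny clusters that have no
# Azure AD client authentication configured. The alias name is an ASSUMPTION
# following the <type>/<property.path> pattern; list the real aliases with
#   az provider show --namespace Microsoft.ServiceFabric --expand "resourceTypes/aliases"
SF_AAD_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.ServiceFabric/clusters"},
        {"field": "Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId",
         "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

POLICIES = [("allowed-resource-types", ALLOWED_TYPES_RULE),
            ("sf-aad-client-auth", SF_AAD_RULE)]

# Constructed inventory in the shape a Resource Graph query returns (not real resources).
SAMPLE_RESOURCES = [
    {"name": "sf-prod", "type": "Microsoft.ServiceFabric/clusters",
     "properties": {"azureActiveDirectory": {"tenantId": "11111111-2222-3333-4444-555555555555"}}},
    {"name": "sf-legacy", "type": "Microsoft.ServiceFabric/clusters",
     "properties": {}},  # certificate-only client auth, no Azure AD
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "properties": {}},
    {"name": "shadow-db", "type": "Microsoft.Sql/servers", "properties": {}},
]
PARAMS = {"listOfResourceTypesAllowed": ["Microsoft.ServiceFabric/clusters",
                                         "Microsoft.KeyVault/vaults",
                                         "Microsoft.Storage/storageAccounts"]}


def resolve_field(resource: dict[str, Any], field: str) -> Any:
    """Read a policy field from a resource: top-level fields directly, an alias
    '<type>/<a.b.c>' by walking resource['properties']. Missing -> None."""
    if field in ("type", "name", "location", "id"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to a different resource type
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve_param(value: Any, params: dict[str, Any]) -> Any:
    """Expand "[parameters('name')]" references; pass literals through unchanged."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def evaluate(cond: dict[str, Any], resource: dict[str, Any], params: dict[str, Any]) -> bool:
    """Evaluate one policy condition against one resource document."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == resolve_param(cond["equals"], params)
    if "in" in cond:
        return value in resolve_param(cond["in"], params)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policies(resources, policies, params) -> dict[str, list[tuple[str, str]]]:
    """Return {resource name: [(policy name, effect), ...]} for every resource whose
    'if' block matched. Only audit/deny-style effects are modelled; deployIfNotExists
    would additionally run a remediation template, which is out of scope here."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for res in resources:
        for name, rule in policies:
            if evaluate(rule["if"], res, params):
                hits.setdefault(res["name"], []).append((name, rule["then"]["effect"]))
    return hits


if __name__ == "__main__":
    for res_name, effects in evaluate_policies(SAMPLE_RESOURCES, POLICIES, PARAMS).items():
        print(res_name, effects)
```

Run against the sample inventory, "shadow-db" is denied by the allow-list and "sf-legacy" by the Service Fabric alias rule, while "sf-prod" and "kv-prod" pass. Evaluating rules offline like this is useful for testing a custom definition before assigning it, but the authoritative result is always Azure Policy's own compliance evaluation.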

7.4: Maintain secure operating system configurations

Guidance: Azure Service Fabric cluster operating system images are managed and maintained by Microsoft. The customer is responsible for implementing OS-level state configuration.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

7.5: Securely store configuration of Azure resources

Guidance: If you use custom Azure Policy definitions, store and manage the code securely in Azure DevOps or Azure Repos.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: If you use custom images, use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access them. For container images, store them in Azure Container Registry and use Azure RBAC to ensure that only authorized users can access the images.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.ServiceFabric" namespace to create custom policies that alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.8: Deploy configuration management tools for operating systems

Guidance: Not applicable; this guideline is intended for IaaS compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.ServiceFabric" namespace to create custom policies that audit or enforce the configuration of your Service Fabric cluster.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Use Azure Security Center to perform baseline scans of the OS and of Docker settings for containers.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: Use Managed Service Identity (managed identities) together with Azure Key Vault to simplify and secure secret management for your cloud applications.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Managed identities can be used for Azure-deployed Service Fabric clusters and for applications deployed as Azure resources. A managed identity lets you authenticate to any service that supports Azure AD authentication, including Key Vault, without keeping any credentials in your code.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: If you maintain any code related to your Azure Service Fabric deployment, implement Credential Scanner to identify credentials within that code. Credential Scanner also encourages moving any discovered credentials to a more secure location, such as Azure Key Vault.

Use Azure Key Vault to rotate Service Fabric cluster certificates automatically.
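The following Python script is an added example for control 7.13; it is not Microsoft's Credential Scanner (CredScan) and not code from this page. It shows the kind of check such a scanner performs: a handful of regular expressions for Azure storage account keys, SAS token signatures, PEM private key blocks and hard-coded passwords, run over a constructed sample settings file with fake values. The patterns are deliberately narrow and will both miss and over-match in real repositories; a production scanner uses a far larger signature set plus entropy heuristics, and belongs in the CI pipeline so that a finding fails the build.

```python
"""Toy credential scanner (added example; not Microsoft's Credential Scanner).
Runs a small set of regexes over source text and reports each hit with its
line number, kind and a redacted prefix of the matched value."""
from __future__ import annotations

import re

# Each pattern captures the secret in group 1 where there is a value to redact.
PATTERNS = [
    # Azure storage account keys are 64 random bytes, base64-encoded: 86 chars + "==".
    ("azure-storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")),
    # Shared access signature: the "sig" query parameter is the HMAC that grants access.
    ("sas-token-signature", re.compile(r"[?&]sig=([A-Za-z0-9%+/=]{20,})")),
    # PEM private key header; the key body follows on later lines.
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Password-like variable assigned a quoted literal of 6+ characters.
    ("hardcoded-password", re.compile(r"(?i)(?:password|passwd|pwd)\s*=\s*['\"]([^'\"]{6,})['\"]")),
]

# Constructed sample input; the key, password and signature are fake.
FAKE_KEY = "A" * 86 + "=="
SAMPLE_SOURCE = f"""\
# settings.py  (constructed sample input, not real code or secrets)
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=sfbackups;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
DB_PASSWORD = "Winter2024!"
SAS_URL = "https://sfbackups.blob.core.windows.net/backups?sv=2020-08-04&sig=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG%3D"
KEY_VAULT_URL = "https://sf-prod-kv.vault.azure.net/"   # a reference to Key Vault, not a secret
-----BEGIN RSA PRIVATE KEY-----
"""


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_kind, redacted_value) for every credential-like hit.
    Only the first four characters of a captured value are kept, so the report
    itself never becomes a second copy of the secret."""
    findings: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(1) if m.groups() else None
            redacted = f"{secret[:4]}****" if secret else "<private key material>"
            findings.append((line_no, kind, redacted))
    return findings


def has_findings(text: str) -> bool:
    """Gate for a CI step: True means the commit should be rejected."""
    return bool(scan_source(text))


if __name__ == "__main__":
    for line_no, kind, redacted in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} ({redacted})")
```

On the sample file the scanner reports the storage account key on line 2, the password on line 3, the SAS signature on line 4 and the private key header on line 6; the Key Vault URL on line 5 is correctly left alone, since a reference to where a secret lives is exactly what should replace the secret in code.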

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware defense

For more information, see Security control: Malware defense.

8.1: Use centrally managed anti-malware software

Guidance: By default, Windows Defender Antivirus is installed on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required.

If you are not using Windows Defender, refer to your anti-malware product's documentation for its configuration rules. Windows Defender isn't supported on Linux, so Linux cluster nodes need a separate anti-malware solution.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Not applicable; this recommendation is intended for non-compute resources designed to store data. Azure anti-malware is enabled on the underlying host that supports Azure services (for example, Service Fabric), but it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for non-compute resources designed to store data. Azure anti-malware is enabled on the underlying host that supports Azure services (for example, Service Fabric), but it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data recovery

For more information, see Security control: Data recovery.

9.1: Ensure regular automated back ups

Guidance: The Backup and Restore service in Service Fabric makes it straightforward to back up the information stored in stateful services automatically. Backing up application data on a periodic basis is fundamental to guarding against data loss and service unavailability. Service Fabric provides an optional Backup and Restore service that lets you configure periodic backups of stateful Reliable Services (including Actor Services) without writing any additional code. It also facilitates restoring previously taken backups.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Enable the Backup and Restore service in your Service Fabric cluster and create backup policies that back up stateful services periodically and on demand. Back up customer-managed keys within Azure Key Vault.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Confirm that you can restore from the Backup and Restore service by periodically reviewing the backup configuration and the available backups. Test restoration of backed-up customer-managed keys.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Backups taken by the Service Fabric Backup and Restore service are written to an Azure Storage account in your subscription. Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Azure-managed keys. For additional control over the encryption keys, you can supply customer-managed keys for encrypting the storage data.

If you use customer-managed keys, ensure that soft-delete is enabled in Key Vault to protect the keys against accidental or malicious deletion.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident response

For more information, see Security control: Incident response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management, from detection through post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, and on the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and the environment in which the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises on a regular cadence to test your systems' incident response capabilities. Identify weak points and gaps, and revise the plan as needed.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Azure uses your security incident contact information to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that the issues are resolved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export lets you export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations via Logic Apps.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration tests and red team exercises

For more information, see Security control: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Azure Cloud Penetration Testing Rules of Engagement to ensure your penetration tests do not violate Azure policies. Use Microsoft's strategy and execution of red teaming and live-site penetration testing against Azure-managed cloud infrastructure, services, and applications as the model for your own.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

Next steps