Azure Security Baseline for Azure Storage

The Azure Security Baseline for Azure Storage contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Configure your storage account's firewall by restricting access to clients from specific public IP address ranges, selected virtual networks (VNets) on Azure, or specific Azure resources. You can also configure private endpoints so that traffic from your enterprise to the storage service travels exclusively over private networks.

Note: Classic storage accounts do not support firewalls and virtual networks.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log VNet, subnet, and NIC configuration and traffic

Guidance: Azure Storage provides a layered security model. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges, or a list of subnets in an Azure Virtual Network (VNet). You can use Azure Security Center and follow its network protection recommendations to help secure your network resources in Azure. Also, enable NSG flow logs for the virtual networks and subnets that are allowed through the storage account firewall, and send the logs to a storage account for traffic audit.

Note that if you have private endpoints attached to your storage account, you can't configure network security group (NSG) rules for the subnets.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect Critical Web Applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.5: Record Network Packets and Flow Logs

Guidance: Network Watcher packet capture allows you to create capture sessions to track traffic between a storage account and a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communication, and much more. Being able to remotely trigger packet captures eases the burden of running a packet capture manually on the desired virtual machine, which saves valuable time.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to your web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources in virtual networks that need access to your storage account, use virtual network service tags for the configured virtual network to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, Storage) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

When network access needs to be scoped to specific storage accounts, use virtual network service endpoint policies.

Azure Security Center monitoring: Currently not available

Responsibility: Service

1.9: Maintain Standard Security Configurations for Network Devices

Guidance: Define and implement standard security configurations for network resources associated with your Azure Storage account with Azure Policy. Use Azure Policy aliases in the "Microsoft.Storage" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your storage account resources.

You may also make use of built-in policy definitions related to storage accounts, such as "Storage Accounts should use a virtual network service endpoint".

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document Traffic Configuration Rules

Guidance: Use tags for network security groups (NSGs) and other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to specify the business need, duration, and so on for any rule that allows traffic to or from a network. Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources. You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.11: Use Automated Tools to Monitor Network Resource Configurations and Detect Changes

Guidance: Use Azure Policy to log configuration changes for network resources. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

Azure Security Center monitoring: Yes

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use Approved Time Synchronization Resources

Guidance: Not applicable; Azure maintains time sources for Azure Storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

2.2: Configure Central Security Log Management

Guidance: Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics workspace(s) to query and perform analytics, and use Azure Storage accounts for long-term/archival storage, optionally with security features such as immutable storage and enforced retention holds.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure Resources

Guidance: Azure Storage Analytics provides logs for blobs, queues, and tables. You can use the Azure portal to configure which logs are recorded for your account.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect Security Logs from Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure Security Log Storage Retention

Guidance: When storing security event logs in an Azure Storage account or Log Analytics workspace, you may set the retention policy according to your organization's requirements.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and Review Logs

Guidance: To review the Azure Storage logs, there are the usual options, such as queries through the Log Analytics offering, as well as the option, unique to Storage, of viewing the log files directly. In Azure Storage, the logs are stored in blobs that must be accessed directly at http://accountname.blob.core.chinacloudapi.cn/$logs (the logging container is hidden by default, so you will need to navigate to it directly; it will not appear in List commands).

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.10: Enable Command-line Audit Logging

Guidance: Not applicable; this benchmark item is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain Inventory of Administrative Accounts

Guidance: Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.2: Change Default Passwords where Applicable

Guidance: Neither Azure Storage accounts nor Azure Active Directory has the concept of default or blank passwords. Azure Storage implements an access control model that supports Azure role-based access control (Azure RBAC) as well as Shared Key and shared access signatures (SAS). A characteristic of Shared Key and SAS authentication is that no identity is associated with the caller, and therefore authorization based on a security principal's permissions cannot be performed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use Dedicated Administrative Accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts that have access to your storage account. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management privileged roles for Microsoft services and Azure Resource Manager (ARM).

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.5: Use Multifactor Authentication for all Azure Active Directory based access.

Guidance: Enable Azure Active Directory Multifactor Authentication and follow Azure Security Center Identity and Access Management recommendations to help protect your storage account resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure Resources from only Approved Locations

Guidance: Use Conditional Access named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure provides Azure role-based access control (Azure RBAC) for fine-grained control over a client's access to resources in a storage account. Use Azure AD credentials when possible as a security best practice, rather than the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation shared access signature (SAS) when possible, for superior security.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly Review and Reconcile User Access

Guidance: Review the Azure Active Directory logs to help discover stale accounts, which can include those with storage account administrative roles. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications that may be used to access storage account resources, and role assignments. User access should be reviewed on a regular basis to make sure only the right users have continued access.

You can also use shared access signatures (SAS) to provide secure delegated access to resources in your storage account without compromising the security of your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.

Also, review anonymous read access to containers and blobs. By default, a container and any blobs within it may be accessed only by a user who has been given appropriate permissions. You can use Azure Monitor to alert on anonymous access to storage accounts using the anonymous authentication condition.

One effective way to reduce the risk of unsuspected user account access is to limit the duration of access that you grant to users. Time-limited SAS URIs are one effective way to automatically expire user access to a storage account. Additionally, rotating storage account keys on a frequent basis ensures that any unexpected access via storage account keys is of limited duration.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.11: Monitor Attempts to Access Deactivated Accounts

Guidance: Use Storage Analytics to log detailed information about successful and failed requests to a storage service. All logs are stored in block blobs in a container named $logs, which is automatically created when Storage Analytics is enabled for a storage account.

Create diagnostic settings for Azure Active Directory user accounts, sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure the desired alerts within the Log Analytics workspace. To monitor authentication failures against Azure Storage accounts, you can create alerts that notify you when certain thresholds have been reached for storage resource metrics. Additionally, use Azure Monitor to alert on anonymous access to storage accounts using the anonymous authentication condition.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking storage account resources that store or process sensitive information.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement isolation using separate subscriptions, management groups, and storage accounts for individual security domains such as environment and data sensitivity. You can restrict your storage account to control the level of access that your applications and enterprise environments demand, based on the type and subset of networks used. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can control access to Azure Storage via Azure RBAC. You can also configure private endpoints to improve security, as traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure to the public Internet.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information.

Guidance: For storage account resources storing or processing sensitive information, mark the resources as sensitive using tags. To reduce the risk of data loss via exfiltration, restrict outbound network traffic for Azure Storage accounts using Azure Firewall.

Additionally, use virtual network service endpoint policies to filter egress virtual network traffic to Azure Storage accounts over service endpoints, so that data can leave only to specific, approved Azure Storage accounts.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: You can enforce the use of HTTPS by enabling "Secure transfer required" for the storage account. Connections using HTTP will be refused once this is enabled. Additionally, use Azure Security Center and Azure Policy to enforce secure transfer for your storage accounts.

Azure Security Center monitoring: Yes

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification features are not yet available for Azure Storage accounts and related resources. Implement a third-party solution if required for compliance purposes.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.6: Use Azure RBAC to control access to resources

Guidance: Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob or queue data.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.7: Use host-based Data Loss Prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

4.8: Encrypt Sensitive Information at Rest

Guidance: Azure Storage encryption is enabled for all storage accounts and cannot be disabled. Azure Storage automatically encrypts your data when it is persisted to the cloud. When you read data from Azure Storage, it is decrypted by Azure Storage before being returned. Azure Storage encryption enables you to secure your data at rest without having to modify code or add code to any applications.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to storage account resources. You can also enable Azure Storage logging to track how each request made against Azure Storage was authorized. The logs indicate whether a request was made anonymously, by using an OAuth 2.0 token, by using Shared Key, or by using a shared access signature (SAS). Additionally, use Azure Monitor to alert on anonymous access to storage accounts using the anonymous authentication condition.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
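Controls 2.6, 3.11 and 4.9 point at the same two signals in the Storage Analytics $logs entries: requests that were made anonymously, and authentication failures. The following is an added example, not part of the baseline or of any Microsoft tool, that parses classic Storage Analytics log lines (format version 1.0 field order) and flags both conditions; the account name "contoso", the IP addresses, the request IDs and the failure threshold are constructed for illustration.

```python
"""
Triage Storage Analytics ($logs) entries for the two conditions this baseline
says to alert on: anonymous access and authentication failures.
Field order follows Storage Analytics log format version 1.0; the sample
lines below are constructed, not captured from a real account.
"""
import csv
from collections import Counter
from typing import Dict, List, Tuple

# Storage Analytics log format 1.0: 30 semicolon-delimited fields per entry.
# URL, object key, etag, user agent and referrer are double-quoted in the log.
FIELDS_V1 = [
    "version", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
    "authentication_type", "requester_account_name", "owner_account_name",
    "service_type", "request_url", "requested_object_key", "request_id",
    "operation_count", "requester_ip", "request_version",
    "request_header_size", "request_packet_size", "response_header_size",
    "response_packet_size", "request_content_length", "request_md5",
    "server_md5", "etag", "last_modified_time", "conditions_used",
    "user_agent", "referrer", "client_request_id",
]

# Constructed sample: one authenticated read, one anonymous read from a public
# container, four failed SAS attempts from one IP, one 404, and one junk line.
SAMPLE_LOG = """\
1.0;2021-03-16T14:55:21.0000000Z;GetBlob;Success;200;3;3;authenticated;contoso;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q1.pdf";"/contoso/reports/q1.pdf";a1000000-0000-0000-0000-000000000001;0;203.0.113.10:51000;2019-12-12;418;0;402;20480;0;;;"0x8D1234";Tuesday, 16-Mar-21 14:00:00 GMT;;"AzCopy/10.9";;
1.0;2021-03-16T15:02:03.0000000Z;GetBlob;AnonymousSuccess;200;2;2;anonymous;;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/public-assets/logo.png";"/contoso/public-assets/logo.png";a1000000-0000-0000-0000-000000000002;0;198.51.100.7:40120;2019-12-12;300;0;380;8192;0;;;"0x8D5678";Monday, 15-Mar-21 09:00:00 GMT;;"Mozilla/5.0";;
1.0;2021-03-16T15:10:00.0000000Z;GetBlob;SASAuthorizationError;403;1;1;sas;;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q1.pdf?sv=2019-12-12&sig=REDACTED";"/contoso/reports/q1.pdf";a1000000-0000-0000-0000-000000000003;0;192.0.2.55:60001;2019-12-12;350;0;250;0;0;;;;;;"python-requests/2.25";;
1.0;2021-03-16T15:10:02.0000000Z;GetBlob;SASAuthorizationError;403;1;1;sas;;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q1.pdf?sv=2019-12-12&sig=REDACTED";"/contoso/reports/q1.pdf";a1000000-0000-0000-0000-000000000004;0;192.0.2.55:60002;2019-12-12;350;0;250;0;0;;;;;;"python-requests/2.25";;
1.0;2021-03-16T15:10:04.0000000Z;GetBlob;SASAuthorizationError;403;1;1;sas;;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q1.pdf?sv=2019-12-12&sig=REDACTED";"/contoso/reports/q1.pdf";a1000000-0000-0000-0000-000000000005;0;192.0.2.55:60003;2019-12-12;350;0;250;0;0;;;;;;"python-requests/2.25";;
1.0;2021-03-16T15:10:07.0000000Z;GetBlob;SASAuthorizationError;403;1;1;sas;;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q1.pdf?sv=2019-12-12&sig=REDACTED";"/contoso/reports/q1.pdf";a1000000-0000-0000-0000-000000000006;0;192.0.2.55:60004;2019-12-12;350;0;250;0;0;;;;;;"python-requests/2.25";;
1.0;2021-03-16T15:20:00.0000000Z;GetBlob;ResourceNotFound;404;1;1;authenticated;contoso;contoso;blob;"https://contoso.blob.core.chinacloudapi.cn/reports/q2.pdf";"/contoso/reports/q2.pdf";a1000000-0000-0000-0000-000000000007;0;203.0.113.10:51002;2019-12-12;418;0;200;0;0;;;;;;"AzCopy/10.9";;
this line is not a Storage Analytics entry
"""


def parse_entries(text: str) -> Tuple[List[Dict[str, str]], int]:
    """Parse log text into field dicts; count lines that do not fit the 1.0 layout."""
    entries, malformed = [], 0
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if not row:  # blank line
            continue
        if len(row) != len(FIELDS_V1) or row[0] != "1.0":
            malformed += 1  # never silently drop: a parser gap hides evidence
            continue
        entries.append(dict(zip(FIELDS_V1, row)))
    return entries, malformed


def client_ip(entry: Dict[str, str]) -> str:
    """requester-ip-address is logged as ip:port (IPv4 here); drop the port."""
    return entry["requester_ip"].rsplit(":", 1)[0]


def anonymous_reads(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Successful requests that carried no credential at all (control 3.10/4.9)."""
    return [(client_ip(e), e["requested_object_key"]) for e in entries
            if e["authentication_type"] == "anonymous"
            and e["http_status_code"].startswith("2")]


def auth_failures_by_ip(entries: List[Dict[str, str]]) -> Counter:
    """Count 401/403 responses per client IP (control 3.11)."""
    return Counter(client_ip(e) for e in entries
                   if e["http_status_code"] in ("401", "403"))


def triage(text: str, failure_threshold: int = 3) -> dict:
    """Summarise one $logs blob: anonymous reads and IPs over the failure threshold."""
    entries, malformed = parse_entries(text)
    failures = auth_failures_by_ip(entries)
    return {
        "parsed": len(entries),
        "malformed": malformed,
        "anonymous_reads": anonymous_reads(entries),
        "auth_failures": dict(failures),
        "suspect_ips": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point the same functions at a blob downloaded from the $logs container, and adjust the threshold to your own baseline of expected SAS or key failures.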

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run Automated Vulnerability Scanning Tools

Guidance: Follow recommendations from Azure Security Center to continuously audit and monitor the configuration of your storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.2: Deploy Automated Operating System Patch Management Solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy Automated Third Party Software Patch Management Solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare Back-to-back Vulnerability Scans

Guidance: Not applicable; Microsoft performs vulnerability management on the underlying systems that support storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query and discover all resources (including storage accounts) within your subscription(s). Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.2: Maintain Asset Metadata

Guidance: Apply tags to storage account resources, giving them metadata that logically organizes them into a taxonomy.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.3: Delete Unauthorized Azure Resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track storage accounts and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain inventory of approved Azure resources and software titles.

Guidance: You will need to create an inventory of approved Azure resources as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for Unapproved Azure Resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

In addition, use Azure Resource Graph to query and discover resources within the subscription(s). This can help in high-security environments, such as those with storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for Unapproved Software Applications within Compute Resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove Unapproved Azure Resources and Software Applications

Guidance: Customers may prevent resource creation or usage with Azure Policy, as required by their company policies.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure Services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit Users' Ability to Interact with Azure Resource Manager via Scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app. This can prevent the creation of and changes to resources within a high-security environment, such as one with storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit Users' Ability to Execute Scripts within Compute Resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or Logically Segregate High Risk Applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish Secure Configurations for all Azure Resources

Guidance: Use Azure Policy aliases in the "Microsoft.Storage" namespace to create custom policies that audit or enforce the configuration of your storage account instances. You may also use the built-in Azure Policy definitions for Azure Storage accounts, such as:

Audit unrestricted network access to storage accounts
Storage accounts should be migrated to new Azure Resource Manager resources
Secure transfer to storage accounts should be enabled

Use recommendations from Azure Security Center as a secure configuration baseline for your storage accounts.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.2: Establish Secure Configurations for your Operating System

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain Secure Configurations for all Azure Resources

Guidance: Use the Azure Policy effects Deny and DeployIfNotExists to enforce secure settings across your storage account resources. Deny rejects any deployment that would create or update a storage account into a non-compliant state; DeployIfNotExists deploys the missing configuration after a resource is created. Roll a new policy out with the Audit effect first, so that existing non-compliant resources are identified without breaking deployments, and switch to Deny once they have been remediated.
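The audit-versus-enforce distinction in 7.1 and 7.3 is easiest to see with the three built-in definitions listed above written in the if/then shape of an Azure Policy rule. The following is an added example, not code from this baseline or from Azure Policy itself: it evaluates the rules against constructed storage account resource documents (the alias names are the Microsoft.Storage aliases the built-ins use; the account names, properties and the audit/deny assignment are this example's assumptions), reporting non-compliance for audit rules and blocking the deployment for deny rules. It also covers the edge case where a property such as networkAcls is absent and the ARM default (Allow) applies.

```python
"""Azure Policy-style compliance check for storage accounts.

Added example, not code from the Azure Security Baseline page or from Azure
Policy itself: it mirrors the if/then shape of a policyRule, the Azure Policy
aliases in the Microsoft.Storage namespace, and the three built-in definitions
the baseline lists, then evaluates constructed sample resources in audit and
deny mode. The resource documents below are constructed sample data.
"""
from typing import Any, Dict, List

# Rules in the shape of Azure Policy's policyRule: 'if' is a condition on a
# field (a policy alias), 'then' is the effect. The first two are audit-only,
# the third is enforced with deny (section 7.3).
POLICY_RULES = [
    {
        "name": "Audit unrestricted network access to storage accounts",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
             "notEquals": "Deny"},
        ]},
        "then": {"effect": "audit"},
    },
    {
        "name": "Storage accounts should be migrated to new Azure Resource Manager resources",
        "if": {"field": "type", "equals": "Microsoft.ClassicStorage/storageAccounts"},
        "then": {"effect": "audit"},
    },
    {
        "name": "Secure transfer to storage accounts should be enabled",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]},
        "then": {"effect": "deny"},
    },
]


def _resolve(resource: Dict[str, Any], field: str) -> Any:
    """Map 'type' or a '<resourceType>/<path.in.properties>' alias onto the document."""
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None  # alias belongs to a different resource type
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # property absent: the ARM default applies (e.g. defaultAction=Allow)
        node = node[part]
    return node


def _norm(value: Any) -> str:
    # Azure Policy compares strings case-insensitively and booleans as "true"/"false".
    return str(value).lower()


def _match(resource: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    if "allOf" in cond:
        return all(_match(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(resource, c) for c in cond["anyOf"])
    value = _resolve(resource, cond["field"])
    if "equals" in cond:
        return value is not None and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        # A missing property does not equal the required value: non-compliant.
        return value is None or _norm(value) != _norm(cond["notEquals"])
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(resource: Dict[str, Any], rules: List[dict] = POLICY_RULES) -> List[Dict[str, str]]:
    """One finding per rule whose condition matches (i.e. the resource is non-compliant)."""
    return [{"rule": r["name"], "effect": r["then"]["effect"]}
            for r in rules if _match(resource, r["if"])]


def deployment_allowed(resource: Dict[str, Any], rules: List[dict] = POLICY_RULES) -> bool:
    """'deny' blocks the deployment; 'audit' only records non-compliance."""
    return not any(f["effect"] == "deny" for f in evaluate(resource, rules))


# Constructed sample resources (not real accounts).
HARDENED_ACCOUNT = {
    "name": "sthardened001", "type": "Microsoft.Storage/storageAccounts",
    "properties": {"supportsHttpsTrafficOnly": True,
                   "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}},
}
OPEN_ACCOUNT = {
    "name": "stopen001", "type": "Microsoft.Storage/storageAccounts",
    "properties": {"supportsHttpsTrafficOnly": False},  # no networkAcls => Allow
}
CLASSIC_ACCOUNT = {
    "name": "stclassic001", "type": "Microsoft.ClassicStorage/storageAccounts",
    "properties": {},
}

if __name__ == "__main__":
    for acct in (HARDENED_ACCOUNT, OPEN_ACCOUNT, CLASSIC_ACCOUNT):
        verdict = "allowed" if deployment_allowed(acct) else "denied"
        print(acct["name"], verdict, evaluate(acct))
```

The open account is flagged twice but only the secure-transfer rule blocks it, which is the point of staging a policy as audit before deny: the audit findings tell you what would break before the deny effect breaks it. The classic account is reported as non-compliant but not denied, since the only remedy is migration, not a property change.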

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain Secure Configurations for Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely Store Configuration of Azure Resources

Guidance: Use Azure Repos to securely store and manage your code, such as custom Azure Policy definitions, Azure Resource Manager templates and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely Store Custom Operating System Images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy System Configuration Management Tools

Guidance: Use Azure Policy to alert on, audit, and enforce system configurations for your storage accounts. Additionally, develop a process and pipeline for managing policy exceptions, so that an exception is recorded and reviewed rather than granted by disabling the policy assignment.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy System Configuration Management Tools for Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement Automated Configuration Monitoring for Azure Services

Guidance: Use Azure Security Center to perform baseline scans of your Azure Storage account resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.10: Implement Automated Configuration Monitoring for Operating Systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Securely manage Azure secrets

Guidance: Azure Storage automatically encrypts your data when it is persisted to the cloud. You can use Microsoft-managed keys for the encryption of the storage account, or manage encryption with your own keys. If you use customer-managed keys, store them in Azure Key Vault; the storage account reaches the vault through its managed identity, so the key never has to be handled by your code. A customer-provided key, by contrast, is supplied on individual Blob requests and is never persisted by the service, so storing and protecting it is entirely your responsibility.

Additionally, rotate storage account keys on a frequent basis to limit the impact of loss or disclosure of a key. Rotate one key at a time (regenerate key2, move clients to it, then regenerate key1) so that clients are never left without a valid key, and remember that regenerating a key invalidates every account SAS and service SAS that was signed with it.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.12: Securely and automatically manage identities

Guidance: Authorize access to blobs and queues within Azure Storage accounts with Azure Active Directory and managed identities. Azure Blob and Queue storage support Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob and queue data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you avoid storing credentials such as account keys or connection strings with your applications that run in the cloud, and access can be scoped with Azure RBAC data roles instead of the all-or-nothing account key.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault. For storage accounts the values to look for are account keys, connection strings that carry an AccountKey, and shared access signature (SAS) tokens. Treat any such value found in a repository as compromised and rotate it; deleting it from the current revision does not remove it from the history.
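To show what a credential scan for storage secrets actually matches, here is an added example, not the Microsoft Credential Scanner tool the guidance refers to and not code from this page. It is a small pattern-based scanner for the three shapes of storage secret named above, run over a constructed configuration file; the account key inside it is a repeating pattern of the correct length (64 bytes base64-encoded gives 86 characters plus "=="), not a real key, and the file and account names are made up.

```python
"""Pattern-based scan for Azure Storage credentials in source text.

Added example, not the Microsoft Credential Scanner tool the baseline refers
to: a small scanner for the three shapes of storage secret most often
committed by mistake (a connection string carrying AccountKey=, a bare
account key in quotes, and a SAS token). The sample file content and the key
inside it are constructed; the key is a repeating pattern of the right length,
not a real account key.
"""
import re
from typing import Dict, List

# A storage account key is 64 random bytes, base64-encoded: 86 chars + "==".
ACCOUNT_KEY = r"[A-Za-z0-9+/]{86}=="

PATTERNS = {
    "connection-string": re.compile(r"AccountKey=(" + ACCOUNT_KEY + r")"),
    "bare-account-key": re.compile("[\"'](" + ACCOUNT_KEY + ")[\"']"),
    # The sig= parameter of a SAS; scan() also requires sv= (the service
    # version) on the same line so an unrelated "sig=" is not flagged.
    "sas-token": re.compile(r"[?&]sig=([^&\s\"']+)"),
}


def redact(secret: str) -> str:
    """Enough to locate the value in the file, never enough to use it."""
    return secret[:4] + "..." + secret[-4:]


def scan(text: str, source: str = "<input>") -> List[Dict[str, str]]:
    """Return one finding per credential: kind, file:line, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # one finding per distinct secret on a line
        for kind, pattern in PATTERNS.items():
            if kind == "sas-token" and "sv=" not in line:
                continue
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in seen:
                    continue
                seen.add(secret)
                findings.append({"kind": kind,
                                 "location": "%s:%d" % (source, lineno),
                                 "value": redact(secret)})
    return findings


# Constructed sample: a config file committed to a repository by mistake.
FAKE_KEY = "Abcd" * 21 + "Ab" + "=="  # 88 chars, not a real key
SAMPLE_CONFIG = f"""\
# constructed sample config.py
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=stexample;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
BACKUP_KEY = "{FAKE_KEY}"
REPORT_URL = "https://stexample.blob.core.windows.net/reports/q1.csv?sv=2019-12-12&ss=b&srt=o&sp=r&sig=abc123XYZ%2Fdef%3D"
LOGO_URL = "https://stexample.blob.core.windows.net/public/logo.png"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG, "config.py"):
        print(finding["location"], finding["kind"], finding["value"])
```

The scanner reports a redacted value only, so its own output does not become a second copy of the secret in a build log. The public blob URL on the last line is not flagged, and a "sig=" without the accompanying "sv=" is ignored; in a real pipeline the remediation for each finding is the one the guidance gives: move the value to Key Vault (or replace it with a managed identity) and rotate the exposed key or SAS.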

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use Centrally Managed Anti-malware Software

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft handles anti-malware for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.3: Ensure Anti-Malware Software and Signatures are Updated

Guidance: Not applicable; this recommendation is intended for compute resources. Azure handles anti-malware for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure Regular Automated Back Ups

Guidance: The data in your Azure storage account is always automatically replicated to ensure durability and high availability. Azure Storage copies your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. You can choose to replicate your data within the same data center (locally redundant storage), across availability zones in the same region (zone-redundant storage), or to a secondary region (geo-redundant storage). Replication protects against infrastructure failure, not against accidental deletion, overwrite or malicious corruption, which are replicated along with everything else; a backup needs a point-in-time copy.

You can also enable Azure Automation to take regular snapshots of the blobs.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.2: Perform Complete System Backups and Backup any Customer Managed Keys

Guidance: To back up data from the services a storage account supports, there are multiple methods available, including AzCopy or third-party tools. Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval.

Customer-managed keys can be backed up within Azure Key Vault using Azure CLI or PowerShell (az keyvault key backup / Backup-AzKeyVaultKey). The backup blob is encrypted and can only be restored into a key vault in the same Azure subscription and geography, so it is not a way to move keys between tenants.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.3: Validate all Backups including Customer Managed Keys

Guidance: Periodically perform data restoration of your Key Vault certificates, keys, managed storage accounts, and secrets with the following PowerShell commands:

Restore-AzKeyVaultCertificate
Restore-AzKeyVaultKey
Restore-AzKeyVaultManagedStorageAccount
Restore-AzKeyVaultSecret

Restore into a separate test vault and verify that the restored object is usable (for example, that a restored key can wrap and unwrap a test value) rather than only checking that the command returned successfully.

Note: If you want to copy data to and from your Azure Table storage service, install AzCopy version 7.3; the later AzCopy v10 releases do not support Table storage.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure Protection of Backups and Customer Managed Keys

Guidance: To enable customer-managed keys on a storage account, you must use an Azure Key Vault to store your keys. You must enable both the soft delete and purge protection (do not purge) properties on the key vault. Key Vault's soft delete feature allows recovery of deleted vaults and vault objects such as keys, secrets, and certificates, and purge protection prevents a deleted key from being permanently removed before the retention period ends, which is what stops a key deletion from turning into irreversible data loss for the storage account encrypted under it. If you back up storage account data to Azure Storage blobs, enable soft delete there as well to save and recover your data when blobs or blob snapshots are deleted. You should treat your backups as sensitive data and apply the relevant access and data protection controls from this baseline to them. Additionally, for improved protection, you may store business-critical data objects in a WORM (Write Once, Read Many) state.

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create Incident Scoring and Prioritization Procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
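The two inputs the guidance names, Security Center's severity and the customer's own environment and data tags, combine into a triage order in the following added example, which is not part of this baseline. The tagging scheme it uses (an environment tag of production or non-prod and a data tag of sensitive or internal, set on subscriptions or on individual resources) is this example's assumption, as are the alerts, resource IDs and tags, all of which are constructed. It also handles two details that bite in practice: Azure does not inherit tags from a subscription to its resources, so the lookup has to merge them, and a resource with no tags at all is scored as if it were production and sensitive rather than silently dropping to the bottom of the queue.

```python
"""Score Security Center alerts by severity and by the criticality of the affected resource.

Added example, not from the baseline: Security Center's alert severity is taken
as given; the tagging scheme (an 'environment' tag of production or non-prod
and a 'data' tag of sensitive or internal, set on subscriptions or on
individual resources) is an assumption of this example. Alerts, resource IDs
and tags below are constructed sample data.
"""
import re
from typing import Dict, List

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
ENVIRONMENT_WEIGHT = {"production": 2, "non-prod": 1}   # assumed tag values
DATA_WEIGHT = {"sensitive": 2, "internal": 1}           # assumed tag values

_SUBSCRIPTION = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)

TagMap = Dict[str, Dict[str, str]]  # lower-cased resource ID -> tags


def effective_tags(resource_id: str, tags: TagMap) -> Dict[str, str]:
    """Subscription tags apply to every resource in it; resource tags override them.
    Azure does not inherit tags automatically, so the merge has to happen here."""
    merged: Dict[str, str] = {}
    m = _SUBSCRIPTION.match(resource_id)
    if m:
        merged.update(tags.get("/subscriptions/" + m.group(1).lower(), {}))
    merged.update(tags.get(resource_id.lower(), {}))
    return {k.lower(): v.lower() for k, v in merged.items()}


def criticality(tags: Dict[str, str]) -> int:
    """1 (non-prod, internal) to 4 (production, sensitive). A missing or unknown tag
    is scored as production/sensitive so that poor tagging never buries an alert."""
    env = ENVIRONMENT_WEIGHT.get(tags.get("environment", ""), 2)
    data = DATA_WEIGHT.get(tags.get("data", ""), 2)
    return env * data


def priority(alert: dict, tags: TagMap) -> int:
    """Severity rank (0-3) scaled by resource criticality (1-4): 0 to 12."""
    return SEVERITY_RANK.get(alert["severity"], 0) * criticality(
        effective_tags(alert["resourceId"], tags))


def triage_order(alerts: List[dict], tags: TagMap) -> List[str]:
    """Alert names, highest priority first; equal priority is worked oldest first."""
    ranked = sorted(alerts, key=lambda a: (-priority(a, tags), a["detectedAt"]))
    return [a["name"] for a in ranked]


# Constructed sample data: two subscriptions, tags at both levels, four alerts.
SUB_PROD = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_DEV = "/subscriptions/22222222-2222-2222-2222-222222222222"
TAGS: TagMap = {
    SUB_PROD: {"environment": "production"},
    SUB_DEV: {"environment": "non-prod"},
    SUB_PROD + "/resourcegroups/rg-data/providers/microsoft.storage/storageaccounts/stcustomerdata":
        {"data": "sensitive"},
    SUB_PROD + "/resourcegroups/rg-web/providers/microsoft.storage/storageaccounts/stwebassets":
        {"data": "internal"},
}
ALERTS = [
    {"name": "A1", "severity": "High", "detectedAt": "2020-06-01T09:00:00Z",
     "resourceId": SUB_DEV + "/resourceGroups/rg-test/providers/Microsoft.Storage/storageAccounts/stdevscratch"},
    {"name": "A2", "severity": "Medium", "detectedAt": "2020-06-01T09:05:00Z",
     "resourceId": SUB_PROD + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stcustomerdata"},
    {"name": "A3", "severity": "Medium", "detectedAt": "2020-06-01T09:10:00Z",
     "resourceId": SUB_PROD + "/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stwebassets"},
    {"name": "A4", "severity": "Low", "detectedAt": "2020-06-01T09:15:00Z",
     "resourceId": SUB_PROD + "/resourceGroups/rg-untagged/providers/Microsoft.Storage/storageAccounts/stnotags"},
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["name"], alert["severity"], priority(alert, TAGS))
    print("work in this order:", triage_order(ALERTS, TAGS))
```

With these inputs the medium-severity alert on the production account holding sensitive data (A2) outranks the high-severity alert on a non-prod scratch account (A1), which is exactly the adjustment the guidance asks you to make on top of Security Center's own severity; A3 and A4 tie and are worked in detection order. Resource IDs are compared case-insensitively because the casing Azure returns for the same resource varies between APIs.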

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test Security Response Procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide Security Incident Contact Details and Configure Alert Notifications for Security Incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion, for example into a Log Analytics workspace or an Event Hub that your SIEM reads from.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps on security alerts and recommendations to protect your Azure resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular Penetration Testing of your Azure resources

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests do not violate Azure policies. Microsoft itself carries out red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services and applications; your own tests should target the parts you control, such as storage account network rules and the handling of access keys and SAS tokens, which is why the responsibility is shared.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps