
Identity Baseline policy compliance processes

This article discusses an approach to the policy adherence processes that govern the Identity Baseline discipline. Effective governance of identity starts with recurring manual processes that guide the adoption and revision of identity policy. These processes require regular involvement from the cloud governance team and interested business and IT stakeholders to review and update policy and to confirm policy compliance. In addition, many ongoing monitoring and enforcement processes can be automated or supplemented with tooling, which reduces the overhead of governance and allows faster response to policy deviations.

Planning, review, and reporting processes

Identity management tools offer capabilities and features that greatly assist user management and access control within a cloud deployment. They also require well-considered processes and policies to support your organization's goals. The following is a set of example processes commonly involved in the Identity Baseline discipline. Use these examples as a starting point when planning the processes that will let you keep identity policy current as the business changes and as feedback arrives from the IT teams tasked with turning governance guidance into action.

Initial risk assessment and planning: As part of your initial adoption of the Identity Baseline discipline, identify your core business risks and tolerances related to cloud identity management. Use this information to discuss specific technical risks with the members of your IT teams responsible for managing identity services, and develop a baseline set of security policies for mitigating those risks to establish your initial governance strategy.

Deployment planning: Before any deployment, review the access needs of each workload and develop an access control strategy that aligns with established corporate identity policy. Document any gaps between those needs and current policy to determine whether policy updates are required, and modify policy as needed.

Deployment testing: As part of the deployment, the cloud governance team, in cooperation with the IT teams responsible for identity services, reviews the deployment to validate identity policy compliance.

Annual planning: On an annual basis, perform a high-level review of the identity management strategy. Examine planned changes to the identity services environment and updated cloud adoption strategies to identify potential increases in risk or a need to modify current identity infrastructure patterns. Also use this time to review the latest identity management best practices and integrate them into your policies and review processes.

Quarterly planning: On a quarterly basis, perform a general review of identity and access control audit data, and meet with the cloud adoption teams to identify any new risks or operational requirements that would require updates to identity policy or changes to the access control strategy.

This planning process is also a good time to evaluate the current membership of your cloud governance team for knowledge gaps related to new or changing identity policy and risks. Invite relevant IT staff to participate in reviews and planning, either as temporary technical advisors or as permanent members of the team.

Education and training: On a bimonthly basis, offer training sessions to make sure IT staff and developers are up to date on the latest identity policy requirements. As part of this process, review and update any documentation, guidance, or other training assets to ensure they are in sync with the latest corporate policy statements.

Monthly audit and reporting reviews: On a monthly basis, audit all cloud deployments to confirm their continued alignment with identity policy. Use this review to check user access against business changes, so that users hold the correct access to cloud resources and access strategies such as Azure RBAC are applied consistently. Identify every privileged account and document its purpose. This review produces a report for the cloud strategy team and each cloud adoption team detailing overall adherence to policy. The report is also retained for auditing and legal purposes.
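The monthly review above names three concrete checks: privileged accounts are inventoried, each has a documented purpose, and Azure RBAC is applied consistently. The following is an added example, not code from the original article or from Microsoft, that runs those checks over a constructed list of role assignments. The record shape (`principalName`, `principalType`, `roleDefinitionName`, `scope`) is assumed to mirror what `az role assignment list` emits, and the three policy rules it enforces are illustrative assumptions rather than rules the article states.

```python
"""Added example (not from the original article): a monthly RBAC audit over a
constructed list of role assignments, flagging the kinds of drift the review above
looks for. The record shape mirrors the fields emitted by `az role assignment list`
(an assumption); the three policy rules are illustrative, not the article's."""
import re
from collections import defaultdict

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$")

# Illustrative policy rules (assumed for this example):
#   1. privileged roles are granted to groups or workload identities, never directly to users
#   2. every principal holding a privileged role has a documented purpose
#   3. Owner at subscription scope is reserved for the break-glass group

# Constructed sample data; subscription IDs are placeholders.
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sec-platform-owners", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB_A},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB_A + "/resourceGroups/rg-app"},
    {"principalName": "ci-deployer-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB_A + "/resourceGroups/rg-app"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_B},
    {"principalName": "dev-readers", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB_A},
]
DOCUMENTED_PURPOSE = {
    "sec-platform-owners": "break-glass ownership of production subscriptions",
    "ci-deployer-sp": "pipeline identity that deploys into rg-app",
}


def audit(assignments, documented, break_glass_group="sec-platform-owners"):
    """Return the privileged-account inventory and a list of policy findings."""
    privileged = []
    findings = []

    def flag(a, issue):
        findings.append({"principal": a["principalName"], "role": a["roleDefinitionName"],
                         "scope": a["scope"], "issue": issue})

    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        privileged.append(a)
        name = a["principalName"]
        if a["principalType"] == "User":
            flag(a, "privileged role assigned directly to a user")
        if name not in documented:
            flag(a, "privileged principal has no documented purpose")
        if (a["roleDefinitionName"] == "Owner" and SUBSCRIPTION_SCOPE.match(a["scope"])
                and name != break_glass_group):
            flag(a, "Owner at subscription scope outside the break-glass group")
    return {"privileged_accounts": privileged, "findings": findings}


def report_lines(result, documented):
    """Render the inventory and findings as the text report the review hands to the
    cloud strategy and adoption teams."""
    lines = ["Privileged accounts:"]
    for a in result["privileged_accounts"]:
        purpose = documented.get(a["principalName"], "UNDOCUMENTED")
        lines.append(f"  {a['principalName']} ({a['principalType']}) {a['roleDefinitionName']} "
                     f"@ {a['scope']} :: {purpose}")
    lines.append(f"Findings: {len(result['findings'])}")
    by_principal = defaultdict(list)
    for f in result["findings"]:
        by_principal[f["principal"]].append(f["issue"])
    for principal, issues in sorted(by_principal.items()):
        lines.append(f"  {principal}: " + "; ".join(issues))
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(audit(SAMPLE_ASSIGNMENTS, DOCUMENTED_PURPOSE), DOCUMENTED_PURPOSE)))
```

On the sample data the audit inventories four privileged assignments and raises five findings, all against the two users who hold privileged roles directly; the break-glass group and the documented pipeline identity pass. Keeping the purpose registry separate from the assignment export is deliberate: the export is what the platform says, the registry is what the organization has agreed, and the monthly review is where the two are reconciled.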

Processes for ongoing monitoring

A successful Identity Baseline strategy depends on visibility into the current and past state of your identity systems. Without the ability to analyze your cloud deployment's relevant metrics and related data, you cannot identify changes in your risks or detect violations of your risk tolerances. The ongoing governance processes discussed above require quality data to ensure policy can be modified to support the changing needs of your business.

Ensure that your IT teams have implemented automated monitoring systems for your identity services that capture the logs and audit information you need to evaluate risk. Be proactive in monitoring these systems so that potential policy violations are detected and mitigated promptly, and ensure any changes to your identity infrastructure are reflected in your monitoring strategy.

Violation triggers and enforcement actions

Violations of identity policy can result in unauthorized access to sensitive data and lead to serious disruption of mission-critical applications and services. When violations are detected, take action to realign with policy as soon as possible. Your IT team can automate most violation triggers using the tools outlined in the Identity Baseline toolchain.

The following triggers and enforcement actions provide examples you can reference when planning how to use monitoring data to resolve policy violations:

  • Suspicious activity detected: User sign-ins from anonymous proxy IP addresses, from unfamiliar locations, or successive sign-ins from locations too far apart to travel between in the elapsed time may indicate a compromised account or a malicious access attempt. Sign-in is blocked until the user's identity can be verified and the password reset.
  • Leaked user credentials: Accounts whose username and password have been leaked to the internet are disabled until the user's identity can be verified and the password reset.
  • Insufficient access controls detected: Any protected asset whose access restrictions do not meet security requirements has access blocked until the resource is brought into compliance.
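The first trigger above bundles three detection conditions (anonymous proxy source, unfamiliar location, and travel that is physically impossible in the elapsed time) with one enforcement action. The following is an added example, not code from the original article or from Microsoft, that turns those conditions into detection logic and runs it over constructed sign-in events. The proxy address range, the per-user set of familiar countries, the 900 km/h plausibility ceiling and the sample events are all assumptions made for the example; a real deployment would take the proxy list from threat intelligence and the events from the identity provider's sign-in logs.

```python
"""Added example (not from the original article): evaluating sign-in events against
the 'suspicious activity' conditions listed above. The events, the users' familiar
countries and the proxy address range are all constructed for this example."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder for an anonymizing-proxy/Tor exit list; a real deployment would feed this
# from threat intelligence (assumption). 198.51.100.0/24 is RFC 5737 documentation space.
ANONYMOUS_PROXY_PREFIXES = ("198.51.100.",)
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruising speed (assumed threshold)
EARTH_RADIUS_KM = 6371.0
ENFORCEMENT = "block sign-in until identity verified and password reset"


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    country: str


@dataclass
class Finding:
    user: str
    reason: str
    action: str = ENFORCEMENT


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def evaluate(signins, familiar_countries):
    """Walk sign-ins in time order and emit a Finding for each condition that fires.
    familiar_countries maps user -> set of countries that user normally signs in from."""
    findings = []
    last_seen = {}
    for s in sorted(signins, key=lambda e: e.ts):
        if s.ip.startswith(ANONYMOUS_PROXY_PREFIXES):
            findings.append(Finding(s.user, "anonymous proxy"))
        if s.country not in familiar_countries.get(s.user, set()):
            findings.append(Finding(s.user, "unfamiliar location"))
        prev = last_seen.get(s.user)
        if prev is not None:
            hours = (s.ts - prev.ts).total_seconds() / 3600.0
            distance = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            # Compare distance against the farthest plausible travel in the elapsed time;
            # written without division so two sign-ins with the same timestamp are handled.
            if distance > MAX_PLAUSIBLE_SPEED_KMH * hours:
                findings.append(Finding(s.user, "impossible travel"))
        last_seen[s.user] = s
    return findings


def _t(hour, minute=0):
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice hops Seattle -> Singapore in one hour, bob arrives through
# a listed proxy, carol drives Seattle -> Portland over three hours.
SAMPLE_SIGNINS = [
    SignIn("alice", _t(9), "203.0.113.10", 47.61, -122.33, "US"),
    SignIn("alice", _t(10), "203.0.113.99", 1.35, 103.82, "SG"),
    SignIn("bob", _t(11), "198.51.100.7", 47.61, -122.33, "US"),
    SignIn("carol", _t(8), "203.0.113.20", 47.61, -122.33, "US"),
    SignIn("carol", _t(11), "203.0.113.21", 45.52, -122.68, "US"),
]
FAMILIAR_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def reasons_by_user(findings):
    """Group finding reasons per user, for reporting and for the checks below."""
    out = {}
    for f in findings:
        out.setdefault(f.user, set()).add(f.reason)
    return out


if __name__ == "__main__":
    for f in evaluate(SAMPLE_SIGNINS, FAMILIAR_COUNTRIES):
        print(f"{f.user}: {f.reason} -> {f.action}")
```

On the sample, alice's Singapore sign-in fires both the unfamiliar-location and impossible-travel conditions, bob's sign-in fires the proxy condition, and carol's Seattle-to-Portland pair fires nothing. Each finding carries the enforcement action from the bullet, so the same record can drive an automated block in the identity provider and an entry in the monthly report. The speed ceiling is the tunable that matters: set too low it flags ordinary air travel, set too high it misses a token replayed from another continent.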

Next steps

Use the Identity Baseline discipline template to document the processes and triggers that align with the current cloud adoption plan.

For guidance on executing cloud management policies in alignment with adoption plans, see the article on discipline improvement.