Cloud-native Security Baseline policy

The Security Baseline discipline is one of the Five Disciplines of Cloud Governance. This discipline focuses on general security topics, including protection of the network, digital assets, and data. This article discusses a cloud-native sample policy for the Security Baseline discipline.

Note

Microsoft is in no position to dictate corporate or IT policy. This article will help you prepare for an internal policy review. It's assumed that this sample policy will be extended, validated, and tested against your corporate policy before you attempt to use it. Any use of this sample policy as-is is discouraged.

Policy alignment

This sample policy synthesizes a cloud-native scenario, meaning that the tools and platforms provided by Azure are sufficient to manage the business risks involved in a deployment. In this scenario, it's assumed that a simple configuration of the default Azure services provides sufficient asset protection.

Cloud security and compliance

Security is integrated into every aspect of Azure, offering unique security advantages derived from global security intelligence, sophisticated customer-facing controls, and a secure, hardened infrastructure. This combination helps protect your applications and data, supports your compliance efforts, and provides cost-effective security for organizations of all sizes. This approach creates a strong starting position for any security policy, but it does not remove the need for equally strong security practices around the security services you use.

Built-in security controls

It's hard to maintain a strong security infrastructure when security controls are not intuitive and need to be configured separately. Azure includes built-in security controls across a variety of services that help you protect data and workloads quickly and manage risk across hybrid environments. Integrated partner solutions also let you transition existing protections to the cloud.

Cloud-native identity policies

Identity is becoming the new boundary control plane for security, taking over that role from the traditional network-centric perspective. Network perimeters have become increasingly porous, and perimeter defense cannot be as effective as it was before the advent of bring your own device (BYOD) and cloud applications. Azure identity management and access control enable seamless, secure access to all your applications.

A sample cloud-native policy for identity across cloud and on-premises directories could include requirements like the following:

  • Authorized access to resources with Azure role-based access control (Azure RBAC), multi-factor authentication, and single sign-on (SSO).
  • Quick mitigation of user identities suspected of compromise.
  • Just-in-time (JIT), just-enough access granted on a task-by-task basis to limit exposure of overprivileged admin credentials.
  • Extended user identity and access policies across multiple environments through Azure Active Directory.

While it's important to understand the Identity Baseline discipline in the context of the Security Baseline discipline, the Five Disciplines of Cloud Governance treat it as a separate discipline.

Network access policies

Network control includes the configuration, management, and securing of network elements such as virtual networking, load balancing, DNS, and gateways. These controls provide a means for services to communicate and interoperate. Azure includes a robust and secure networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the internet and Azure.

A cloud-native policy for network controls may include requirements like the following:

  • Hybrid connections to on-premises resources might not be allowed in a cloud-native policy. Should a hybrid connection prove necessary, a more robust enterprise security policy sample would be a more relevant reference.
  • Users can establish secure connections to and within Azure using virtual networks and network security groups (NSGs).
  • The native Windows firewall on Azure VMs protects hosts from malicious network traffic by limiting port access. A good example of this policy is a requirement to block, or never enable, traffic directly to a VM over SSH/RDP from the internet. In practice this is enforced with NSG rules at the subnet or NIC level, so that the host firewall is a second layer rather than the only one.
  • Services like the Azure Web Application Firewall (WAF) on Azure Application Gateway and Azure DDoS Protection safeguard applications and ensure availability for virtual machines running in Azure. These features should not be disabled.
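As an added example (not part of the original article), the following Python checks whether an NSG exposes SSH or RDP to an internet source, applying Azure's inbound rule semantics: rules are evaluated in ascending priority order (lower number wins), the first match decides, and every NSG carries the built-in inbound defaults AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). The rule records are constructed to mimic the field names of `az network nsg rule list` output; the NSG contents, rule names, and the 203.0.113.10 probe address are assumptions for illustration, not real resources.

```python
"""Added example: does this NSG allow SSH/RDP from the internet? (constructed data)"""
import ipaddress

MGMT_PORTS = {"SSH": 22, "RDP": 3389}
# RFC 5737 documentation address, used as a stand-in for "some host on the internet" (assumption).
PROBE_INTERNET_SOURCE = ipaddress.ip_address("203.0.113.10")

# The three default inbound rules that Azure adds to every NSG (names and priorities are real).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _as_list(rule, single, plural):
    """NSG rules carry either a singular field or a plural list; normalize to a list of strings."""
    vals = rule.get(plural)
    return [str(v) for v in vals] if vals else [str(rule.get(single, "*"))]

def port_matches(rule, port):
    """True if `port` falls in any destination port range of the rule ('*', '22', '20-25')."""
    for r in _as_list(rule, "destinationPortRange", "destinationPortRanges"):
        r = r.strip()
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def protocol_matches(rule, protocol):
    p = str(rule.get("protocol", "*"))
    return p == "*" or p.lower() == protocol.lower()

def source_matches(rule, src_ip):
    """True if the rule's source covers `src_ip`. '*' and the Internet tag cover any public host;
    other service tags (VirtualNetwork, AzureLoadBalancer, ...) never match an internet source."""
    for p in _as_list(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        p = p.strip()
        if p in ("*", "Internet"):
            return True
        try:
            if src_ip in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            pass  # not a CIDR/IP: a service tag, treated as non-internet
    return False

def effective_access(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule_name) of the first matching inbound rule in priority order."""
    inbound = [r for r in list(rules) + DEFAULT_INBOUND_RULES
               if str(r.get("direction", "Inbound")).lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: int(r["priority"])):
        if (protocol_matches(rule, protocol) and port_matches(rule, port)
                and source_matches(rule, src_ip)):
            return str(rule["access"]), str(rule["name"])
    return "Deny", "implicit"  # unreachable because DenyAllInBound always matches; kept for safety

def management_exposure(rules, src_ip=PROBE_INTERNET_SOURCE):
    """Decision (access, deciding rule) for each management port from an internet source."""
    return {name: effective_access(rules, src_ip, port) for name, port in MGMT_PORTS.items()}

def violations(rules):
    """Management ports the NSG allows from the internet, i.e. breaches of the policy above."""
    return sorted(name for name, (access, _) in management_exposure(rules).items()
                  if access == "Allow")

# Constructed sample: RDP open to the world, SSH limited to a named admin range.
SAMPLE_NSG_OPEN = [
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-admins", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
]

# Constructed sample: compliant, because the broad Deny at 100 outranks the over-broad Allow at 300.
SAMPLE_NSG_CLOSED = [
    {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-all-ports-misconfig", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "0-65535"},
]

if __name__ == "__main__":
    for label, nsg in (("open", SAMPLE_NSG_OPEN), ("closed", SAMPLE_NSG_CLOSED)):
        print(label, management_exposure(nsg), "violations:", violations(nsg))
```

The probe uses a single public address, so an Allow scoped to a specific prefix such as the admin /24 above is not reported; that is deliberate, since the policy objects to unrestricted sources, not to a named administrative range. The compliant sample also shows why priority ordering matters: drop the Deny at priority 100 and the 0-65535 Allow at 300 opens both ports.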

Data protection

One of the keys to data protection in the cloud is accounting for the possible states in which your data may occur, and what controls are available for each state. For the purpose of Azure data security and encryption best practices, recommendations focus on the following data states and the controls that cover them:

  • At rest: data encryption controls are built into services from virtual machines to storage and SQL Database.
  • In transit: as data moves between clouds and customers, it can be protected using industry-standard encryption protocols.
  • Key and secret management: Azure Key Vault enables users to safeguard and control the cryptographic keys, passwords, connection strings, and certificates used by cloud applications and services.
  • Classification: Azure Information Protection helps classify, label, and protect your sensitive data within applications.

While these features are built into Azure, each of the above requires configuration and could increase costs. Aligning each cloud-native feature with a data classification strategy is highly suggested.

Security monitoring

Security monitoring is a proactive strategy that audits your resources to identify systems that do not meet organizational standards or best practices. Azure Security Center provides unified security management and threat protection across hybrid cloud workloads. With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks, including:

  • Unified view of security across all on-premises and cloud workloads with Azure Security Center.
  • Continuous monitoring and security assessments to ensure compliance and remediate any vulnerabilities.
  • Interactive tools and contextual threat intelligence for streamlined investigation.
  • Extensive logging and integration with existing security information and event management tooling.
  • Reduced need for expensive, nonintegrated, one-off security solutions.

Extend cloud-native policies

Using the cloud can reduce some of the security burden. Microsoft provides physical security for Azure datacenters and helps protect the cloud platform against infrastructure threats such as DDoS attacks. Given that Microsoft has thousands of cybersecurity specialists working on security every day, the resources to detect, prevent, or mitigate cyberattacks are considerable. In fact, while organizations used to worry about whether the cloud was secure, most now understand that the level of investment in people and specialized infrastructure made by vendors like Microsoft makes the cloud more secure than most on-premises datacenters.

Even with this investment in a cloud-native security baseline, it's suggested that any Security Baseline policy extend the default cloud-native policies. The following are examples of extended policies that should be considered, even in a cloud-native environment:

  • Secure VMs. Security should be every organization's top priority, and doing it effectively requires several things. You must assess your security state, protect against security threats, and then detect and respond rapidly to threats that occur.
  • Protect VM contents. Setting up regular automated backups is essential to protect against user errors. This isn't enough, though; you must also make sure that your backups are safe from cyberattacks and are available when you need them.
  • Monitor applications. This pattern encompasses several tasks, including getting insight into the health of your VMs, understanding interactions among them, and establishing ways to monitor the applications these VMs run. All of these tasks are essential in keeping your applications running around the clock.
  • Secure and audit data access. Organizations should audit all data access and use advanced machine learning capabilities to call out deviations from regular access patterns.
  • Failover practice. Cloud operations that have low tolerance for failure must be capable of failing over or recovering from a cybersecurity or platform incident. These procedures must not simply be documented; they should be practiced quarterly.

Next steps

Now that you've reviewed the sample Security Baseline policy for cloud-native solutions, return to the policy review guide to start building on this sample to create your own policies for cloud adoption.