
Function of cloud security policy and standards

Security policy and standards teams author, approve, and publish security policy and standards to guide security decisions within the organization.

The policies and standards should:

  • Reflect the organization's security strategy in enough detail to guide the decisions made by the various teams in the organization
  • Enable productivity throughout the organization while reducing risk to the organization's business and mission

Security policy should reflect long-term, sustainable objectives that align with the organization's security strategy and risk tolerance. Policy should always address:

  • Regulatory compliance requirements and the current compliance status (requirements met, risks accepted, and so on)
  • An architectural assessment of the current state and of what is technically possible to design, implement, and enforce
  • Organizational culture and preferences
  • Industry best practices
  • Accountability for security risk, assigned to the appropriate business stakeholders who are also accountable for other risks and business outcomes

Security standards define the processes and rules that support execution of the security policy.

Modernization

While policy should remain static, standards should be dynamic and continuously revisited to keep pace with change in cloud technology, the threat environment, and the competitive business landscape.

Because of this high rate of change, keep a close eye on how many exceptions are being granted, as a growing number of exceptions may indicate a need to adjust the standards (or the policy).

Security standards should include guidance specific to the adoption of cloud, such as:

  • Secure use of cloud platforms for hosting workloads
  • Secure use of the DevOps model and the inclusion of cloud applications, APIs, and services in development
  • Use of identity perimeter controls to supplement or replace network perimeter controls
  • Defining your segmentation strategy before moving your workloads to an IaaS platform
  • Tagging and classifying the sensitivity of assets
  • Defining a process for assessing and ensuring that your assets are configured and secured properly

Team composition and key relationships

Cloud security policy and standards are commonly provided by the following types of roles. The organizational policy should inform (and be informed by):

  • Security architecture
  • Compliance and risk management teams
  • Business unit leadership and representatives
  • Information technology
  • Audit and legal teams

The policy should be refined based on the many inputs and requirements from across the organization, including but not restricted to those depicted in the security overview diagram.

Next steps

Review the function of a cloud security operations center (SOC).