
Enterprise-scale security, governance, and compliance

This article covers defining encryption and key management, planning for governance, defining security monitoring and an audit policy, and planning for platform security. At the end of the article, you can refer to a table that describes a framework to assess the enterprise security readiness of Azure services.

Define encryption and key management

Encryption is a vital step toward ensuring data privacy, compliance, and data residency in Microsoft Azure. It's also one of the most important security concerns of many enterprises. This section covers design considerations and recommendations as they pertain to encryption and key management.

Design considerations:

  • Subscription and scale limits as they apply to Azure Key Vault: Key Vault has transaction limits for keys and secrets. For the number of transactions allowed per vault in a given period, see Azure limits.

  • Key Vault serves as a security boundary because access permissions for keys, secrets, and certificates are at the vault level. Key Vault access policy assignments grant permissions separately to keys, secrets, or certificates. They don't support granular, object-level permissions such as a permission on one specific key, secret, or certificate (see the Key Vault key management documentation).

  • You can isolate application-specific and workload-specific secrets from shared secrets, and control access to each as appropriate.

  • Use Premium SKUs where hardware-security-module-protected keys are required. The underlying hardware security modules (HSMs) are FIPS 140-2 Level 2 compliant. For FIPS 140-2 Level 3 compliance, consider Azure Dedicated HSM and its supported scenarios.

  • Key rotation and secret expiration:

    • Certificate procurement and signing by using Key Vault.
    • Alerting/notifications and automated certificate renewals.

  • Disaster recovery requirements for keys, certificates, and secrets.

    Key Vault service replication and failover capabilities: availability and redundancy.

  • Monitoring key, certificate, and secret usage.

    Detecting unauthorized access by using a key vault or an Azure Monitor Log Analytics workspace: monitoring and alerting.

  • Delegated Key Vault instantiation and privileged access: secure access.

  • Requirements for using customer-managed keys for native encryption mechanisms such as Azure Storage encryption:

    • Customer-managed keys.
    • Whole-disk encryption for virtual machines (VMs).
    • Data-in-transit encryption.
    • Data-at-rest encryption.

Design recommendations:

  • Use a federated Azure Key Vault model to avoid transaction scale limits.

  • Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.

  • Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) roles.

  • Automate the certificate management and renewal process with public certificate authorities to ease administration.

  • Establish an automated process for key and certificate rotation.

  • Enable the firewall and virtual network service endpoints on the vault to control access to the key vault.

  • Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.

  • Delegate Key Vault instantiation and privileged access, and use Azure Policy to enforce a consistent, compliant configuration.

  • Default to Microsoft-managed keys for principal encryption functionality, and use customer-managed keys when required.

  • Don't use centralized instances of Key Vault for application keys or secrets.

  • Don't share Key Vault instances between applications, to avoid secret sharing across environments.
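As an added example (not part of the Azure documentation or Microsoft's tooling), the check below evaluates a vault's resource definition against the recommendations above: soft delete and purge protection, the vault firewall with virtual network rules, least-privilege purge rights, and the Premium SKU where HSM-protected keys are needed. It assumes the `properties` shape of a `Microsoft.KeyVault/vaults` resource as returned by `az keyvault show`; the two vault definitions, the `hsm_required` parameter and the `<sub>` subscription placeholder are constructed for illustration.

```python
"""Check a Key Vault resource definition against the design recommendations
above. Added example (not Microsoft's code): it reads the JSON shape of a
Microsoft.KeyVault/vaults resource as returned by `az keyvault show`; both
sample vaults below are constructed, and `hsm_required` is an assumed input."""
from typing import Any, Dict, List


def check_key_vault(vault: Dict[str, Any], hsm_required: bool = False) -> List[str]:
    """Return findings for one vault; an empty list means every check passed."""
    props = vault.get("properties", {})
    findings: List[str] = []

    # Soft delete and purge protection give retention protection for deleted objects.
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled: deleted keys/secrets/certificates cannot be recovered")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: soft-deleted objects can be purged before retention ends")

    # Vault firewall: default-deny, with explicit virtual network (service endpoint) or IP rules.
    acls = props.get("networkAcls", {})
    if str(acls.get("defaultAction", "Allow")).lower() != "deny":
        findings.append("networkAcls.defaultAction is not Deny: vault is reachable from any network")
    if not acls.get("virtualNetworkRules") and not acls.get("ipRules"):
        findings.append("no virtualNetworkRules or ipRules: no network is explicitly allowed through the firewall")

    # Least privilege for permanent deletion: with vault access policies the
    # 'purge' (or blanket 'all') permission is what allows it, so flag each grant.
    if not props.get("enableRbacAuthorization", False):
        for policy in props.get("accessPolicies", []):
            perms = policy.get("permissions", {})
            for obj_type in ("keys", "secrets", "certificates"):
                granted = {str(p).lower() for p in perms.get(obj_type, [])}
                if granted & {"purge", "all"}:
                    findings.append(
                        f"access policy for {policy.get('objectId')} grants purge on {obj_type}; "
                        "restrict permanent deletion to a dedicated role"
                    )

    # HSM-protected keys are only available on the Premium SKU.
    if hsm_required and str(props.get("sku", {}).get("name", "")).lower() != "premium":
        findings.append("HSM-protected keys required but the vault SKU is not premium")
    return findings


# Constructed sample: a shared vault with the defaults left open.
WEAK_VAULT = {
    "name": "kv-shared-weak",
    "properties": {
        "sku": {"family": "A", "name": "standard"},
        "enableSoftDelete": False,
        "enablePurgeProtection": False,
        "enableRbacAuthorization": False,
        "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                        "virtualNetworkRules": [], "ipRules": []},
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"keys": ["all"], "secrets": ["get", "list", "purge"], "certificates": []}},
        ],
    },
}

# Constructed sample: the same vault after applying the recommendations
# (<sub> is a placeholder for a subscription id).
HARDENED_VAULT = {
    "name": "kv-app1-prod",
    "properties": {
        "sku": {"family": "A", "name": "premium"},
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                        "virtualNetworkRules": [{"id": "/subscriptions/<sub>/resourceGroups/rg-app1/providers/"
                                                       "Microsoft.Network/virtualNetworks/vnet-app1/subnets/app"}],
                        "ipRules": []},
        "accessPolicies": [],
    },
}

if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"], check_key_vault(v, hsm_required=True) or ["ok"])
```

The findings are deliberately per-object-type so that a purge grant on secrets is reported separately from one on keys; in a federated model with one vault per application, a check like this can run as a gate in the pipeline that instantiates vaults, alongside the Azure Policy enforcement the recommendations call for.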

Plan for governance

Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. Azure Policy is essential to ensuring security and compliance within enterprise technical estates. It can enforce vital management and security conventions across Azure platform services and supplement Azure role-based access control (Azure RBAC), which controls what actions authorized users can perform.

Design considerations:

  • Determine what Azure policies are needed.

  • Enforce management and security conventions, such as the use of private endpoints.

  • Manage and create policy assignments by using policy definitions that can be reused at multiple inherited assignment scopes. You can have centralized, baseline policy assignments at management group, subscription, and resource group scopes.

  • Ensure continuous compliance with compliance reporting and auditing.

  • Understand that Azure Policy has limits, such as the restriction on the number of definitions at any particular scope (see Azure Policy limits).

  • Understand regulatory compliance policies. These might include HIPAA, PCI-DSS, or SOC 2 trust service principles.

Design recommendations:

  • Identify required Azure tags and use the append policy mode to enforce usage.

  • Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.

  • Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.

  • Manage policy assignments at the highest appropriate level, with exclusions at lower levels if required.

  • Use Azure Policy to control resource provider registrations at the subscription and/or management group levels.

  • Use built-in policies where possible to minimize operational overhead.

  • Assign the built-in Policy Contributor role at a particular scope to enable application-level governance.

  • Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.
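As an added example (not Microsoft's Azure Policy engine), the evaluator below shows how a policy definition's `if` condition and `then` effect are applied to a resource: the append mode recommended above for tags, an audit policy for a management convention, a deny policy, and how a parameter supplied at assignment overrides the definition's default. It implements only the subset of the definition language used here, which is a simplification assumed for clarity; the three policy definitions and the storage account resource are constructed samples.

```python
"""Minimal evaluator for the Azure Policy definition JSON: the if/then rule,
the append, audit and deny effects, and parameters supplied at assignment.
Added example, not the Azure Policy engine: it covers only the subset used
below (field with equals/notEquals/exists/in, allOf/anyOf/not, tags['x'] and
<resourceType>/<property.path> aliases, "[parameters('x')]" values); the
policies and the resource are constructed samples."""
import copy
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def _value(raw, params):
    """Substitute a "[parameters('name')]" expression; other values pass through."""
    m = PARAM_RE.match(raw) if isinstance(raw, str) else None
    return params[m.group(1)] if m else raw


def _field(resource, field):
    """Resolve a field name, tag reference or property alias; None when absent."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    m = TAG_RE.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    rtype = resource.get("type", "")
    if field.startswith(rtype + "/"):  # alias such as <type>/networkAcls.defaultAction
        node = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("."):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return None


def _matches(cond, resource, params):
    """Evaluate one condition node of the 'if' block."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == _value(cond["equals"], params)
    if "notEquals" in cond:
        return actual != _value(cond["notEquals"], params)
    if "in" in cond:
        return actual in _value(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, params=None):
    """Return (outcome, resource): 'compliant', 'noncompliant' (audit),
    'denied' (deny) or 'appended' (append; the returned resource carries the tag)."""
    defaults = {k: v.get("defaultValue") for k, v in policy.get("parameters", {}).items()}
    params = {**defaults, **(params or {})}  # assignment-time values win over defaults
    rule = policy["policyRule"]
    if not _matches(rule["if"], resource, params):
        return "compliant", resource
    effect = str(rule["then"]["effect"]).lower()
    if effect == "deny":
        return "denied", resource
    if effect == "append":
        updated = copy.deepcopy(resource)
        for detail in rule["then"]["details"]:
            m = TAG_RE.match(detail["field"])
            if not m:
                raise ValueError("this example appends tags only")
            updated.setdefault("tags", {})[m.group(1)] = _value(detail["value"], params)
        return "appended", updated
    return "noncompliant", resource  # audit: flagged, but the deployment proceeds


# Constructed definitions in the Azure Policy JSON shape.
APPEND_COST_CENTER = {
    "mode": "Indexed",
    "parameters": {"costCenter": {"type": "String", "defaultValue": "unassigned"}},
    "policyRule": {"if": {"field": "tags['costCenter']", "exists": "false"},
                   "then": {"effect": "append", "details": [
                       {"field": "tags['costCenter']", "value": "[parameters('costCenter')]"}]}}}
AUDIT_OPEN_STORAGE = {
    "mode": "Indexed",
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny"}]},
                   "then": {"effect": "audit"}}}
DENY_OUTSIDE_ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array", "defaultValue": ["westeurope", "northeurope"]}},
    "policyRule": {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
                   "then": {"effect": "deny"}}}
# Constructed resource as it might appear in a deployment request.
STORAGE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stapp1dev",
                   "location": "eastus", "properties": {"networkAcls": {"defaultAction": "Allow"}}}
```

The three outcomes are the point of the example: `append` changes the request rather than rejecting it, `audit` records non-compliance while letting the deployment through, and `deny` blocks it. Because `evaluate` returns a new resource for `append`, the same definition evaluated again against that result reports `compliant`, which is why a single definition can be assigned at the root management group and inherited without re-tagging resources that already comply.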

Define security monitoring and an audit policy

An enterprise must have visibility into what's happening within its technical cloud estate. Security monitoring and audit logging of Azure platform services are a key component of a scalable framework.

Design considerations:

  • Data retention periods for audit data. Azure AD Premium reports have a 30-day retention period.

  • Long-term archiving of logs such as Azure activity logs, VM logs, and platform as a service (PaaS) logs.

  • Baseline security configuration via Azure in-guest VM policy.

  • Emergency patching for critical vulnerabilities.

  • Patching for VMs that are offline for extended periods of time.

  • Requirements for real-time monitoring and alerting.

  • Security information and event management integration with Azure Security Center and Azure Sentinel.

  • Vulnerability assessment of VMs.

Design recommendations:

  • Use Azure AD reporting capabilities to generate access control audit reports.

  • Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.

  • Enable Security Center Standard for all subscriptions, and use Azure Policy to ensure compliance.

  • Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center.

  • Use Azure Policy to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.

  • Monitor VM security configuration drift via Azure Policy.

  • Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.

  • Use an Azure Event Grid-based solution for log-oriented, real-time alerting.
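As an added example (not Microsoft's code or a built-in Security Center analytic), the detector below illustrates two points from the encryption section, detecting unauthorized access and auditing key, certificate, and secret usage from the central Log Analytics workspace, by running over Key Vault AuditEvent records. The event records are constructed to resemble Key Vault diagnostic log entries, the vault URL and principal ids are placeholders, and the threshold of three failures within five minutes is an assumed tuning value.

```python
"""Flag bursts of authorization failures in Key Vault AuditEvent records.
Added example, not Microsoft's code: SAMPLE_EVENTS are constructed in the
shape of Key Vault diagnostic log entries, and the threshold/window defaults
are assumed tuning values."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

FAILURE_SIGNATURES = {"Forbidden", "Unauthorized"}  # authorization/authentication failures


def _caller(event: Dict[str, Any]) -> Tuple[str, str]:
    """Identify the caller by principal (UPN, app id or object id) and source IP."""
    claim = event.get("identity", {}).get("claim", {})
    principal = claim.get("upn") or claim.get("appid") or claim.get("oid") or "unknown"
    return principal, event.get("callerIpAddress", "unknown")


def detect_unauthorized_access(events: List[Dict[str, Any]], threshold: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> List[Dict[str, Any]]:
    """Return one alert per caller whose failures reach `threshold` within `window`."""
    failures: Dict[Tuple[str, str], list] = defaultdict(list)
    for e in events:
        if e.get("category") != "AuditEvent" or e.get("resultSignature") not in FAILURE_SIGNATURES:
            continue
        ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        failures[_caller(e)].append((ts, e.get("operationName"), e.get("properties", {}).get("id")))

    alerts = []
    for (principal, ip), items in failures.items():
        items.sort(key=lambda item: item[0])
        for start in range(len(items)):
            end = start
            while end + 1 < len(items) and items[end + 1][0] - items[start][0] <= window:
                end += 1
            burst = items[start:end + 1]
            if len(burst) >= threshold:
                alerts.append({
                    "principal": principal,
                    "callerIpAddress": ip,
                    "failures": len(burst),
                    "operations": sorted({op for _, op, _ in burst}),
                    # Many distinct objects from one caller suggests enumeration rather than one misconfigured app.
                    "objects": sorted({obj for _, _, obj in burst if obj}),
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                })
                break  # one alert per caller per run
    return alerts


def _event(time, op, sig, ip, obj, upn=None, appid=None):
    """Build a constructed record in the shape of a Key Vault AuditEvent entry."""
    claim = {"upn": upn} if upn else {"appid": appid}
    return {"time": time, "category": "AuditEvent", "operationName": op,
            "resultType": "Success" if sig == "OK" else "Failure", "resultSignature": sig,
            "callerIpAddress": ip, "identity": {"claim": claim}, "properties": {"id": obj}}


VAULT = "https://kv-app1-prod.vault.azure.net"  # placeholder vault URL
SAMPLE_EVENTS = [  # constructed: one legitimate app, one principal probing several objects, one stray failure
    _event("2021-03-01T10:00:05Z", "SecretGet", "OK", "10.1.0.4", f"{VAULT}/secrets/db-conn", appid="app-guid-1"),
    _event("2021-03-01T10:01:10Z", "SecretGet", "Forbidden", "203.0.113.10", f"{VAULT}/secrets/db-conn", appid="app-guid-2"),
    _event("2021-03-01T10:01:12Z", "SecretGet", "Forbidden", "203.0.113.10", f"{VAULT}/secrets/api-key", appid="app-guid-2"),
    _event("2021-03-01T10:01:15Z", "SecretList", "Forbidden", "203.0.113.10", f"{VAULT}/secrets", appid="app-guid-2"),
    _event("2021-03-01T10:02:30Z", "SecretGet", "Forbidden", "203.0.113.10", f"{VAULT}/secrets/storage-key", appid="app-guid-2"),
    _event("2021-03-01T10:03:00Z", "KeyGet", "Forbidden", "203.0.113.10", f"{VAULT}/keys/cmk", appid="app-guid-2"),
    _event("2021-03-01T10:20:00Z", "SecretGet", "Unauthorized", "198.51.100.7", f"{VAULT}/secrets/db-conn", upn="alice@contoso.example"),
    _event("2021-03-01T10:21:00Z", "VaultGet", "OK", "10.1.0.9", VAULT, upn="ops@contoso.example"),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_access(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the distinct objects and operations in the burst because that is what an analyst needs to tell an application with a stale permission (one object, one operation, repeated) from a principal walking the vault (several objects, list plus get). The single failure from a named user stays below the threshold and produces no alert, which is the intended behaviour for the occasional mistyped role assignment.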

Plan for platform security

You must maintain a healthy security posture as you adopt Azure. Besides visibility, you have to be able to control the initial settings and changes as the Azure services evolve. Therefore, planning for platform security is key.

Design considerations:

  • Shared responsibility.

  • High availability and disaster recovery.

  • Consistent security across Azure services in terms of data management and control plane operations.

  • Multitenancy for key platform components. This includes Hyper-V, the HSMs underpinning Key Vault, and database engines.

Design recommendations:

  • In the context of your underlying requirements, conduct a joint examination of each required service. If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigations so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.

  • Develop a security allow-list plan to assess each service's security configuration, monitoring, and alerts, and how to integrate these with existing systems.

  • Determine the incident response plan for Azure services before allowing them into production.

  • Use Azure AD reporting capabilities to generate access control audit reports.

  • Align your security requirements with Azure platform roadmaps to stay current with newly released security controls.

  • Implement a zero-trust approach for access to the Azure platform, where appropriate.

Azure Security Benchmark

The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure most of the services you use in Azure. You can think of these recommendations as "general" or "organizational", as they are applicable to most Azure services. The Azure Security Benchmark recommendations are then customized for each Azure service, and this customized guidance is contained in the service recommendations articles.

The Azure Security Benchmark documentation specifies security controls and service recommendations.

  • Security controls: The Azure Security Benchmark recommendations are categorized by security controls. Security controls represent high-level, vendor-agnostic security requirements, such as network security and data protection. Each security control has a set of security recommendations and instructions that help you implement those recommendations.
  • Service recommendations: When available, benchmark recommendations for Azure services include Azure Security Benchmark recommendations that are tailored specifically for that service.

Service enablement framework

As business units request to deploy workloads to Azure, you need additional visibility into a workload to determine how to achieve appropriate levels of governance, security, and compliance. When a new service is required, you need to allow it. The following framework, organized by assessment area and category, provides the criteria for assessing the enterprise security readiness of Azure services:

Assessment: Security

  • Network endpoint
    • Does the service have a public endpoint that is accessible outside of a virtual network?
    • Does it support virtual network service endpoints?
    • Can Azure services interact directly with the service endpoint?
    • Does it support Azure Private Link endpoints?
    • Can it be deployed within a virtual network?

  • Data exfiltration prevention
    • Does the PaaS service have a separate Border Gateway Protocol (BGP) community in Azure ExpressRoute Microsoft peering? Does ExpressRoute expose a route filter for the service?
    • Does the service support Private Link endpoints?

  • Enforce network traffic flow for management and data plane operations
    • Is it possible to inspect traffic entering/exiting the service? Can traffic be force-tunnelled with user-defined routing?
    • Do management operations use Azure shared public IP ranges?
    • Is management traffic directed via a link-local endpoint exposed on the host?

  • Data encryption at rest
    • Is encryption applied by default?
    • Can encryption be disabled?
    • Is encryption performed with Microsoft-managed keys or customer-managed keys?

  • Data encryption in transit
    • Is traffic to the service encrypted at a protocol level (SSL/TLS)?
    • Are there any HTTP endpoints, and can they be disabled?
    • Is underlying service communication also encrypted?
    • Is encryption performed with Microsoft-managed keys or customer-managed keys? (Is bring-your-own-encryption supported?)

  • Software deployment
    • Can application software or third-party products be deployed to the service?
    • How is software deployment performed and managed?
    • Can policies be enforced to control source or code integrity?
    • If software is deployable, can antimalware capability, vulnerability management, and security monitoring tools be used?
    • Does the service provide such capabilities natively, such as with Azure Kubernetes Service?

Assessment: Identity and access management

  • Authentication and access control
    • Are all control plane operations governed by Azure AD? Is there a nested control plane, such as with Azure Kubernetes Service?
    • What methods exist to provide access to the data plane?
    • Does the data plane integrate with Azure AD?
    • Does authentication between Azure services use managed identities or service principals?
    • Is Azure-to-IaaS (service-to-virtual-network) authentication via Azure AD?
    • How are any applicable keys or shared access signatures managed?
    • How can access be revoked?

  • Segregation of duties
    • Does the service separate control plane and data plane operations within Azure AD?

  • Multi-factor authentication and conditional access
    • Is multi-factor authentication enforced for user-to-service interactions?

Assessment: Governance

  • Data export and import
    • Does the service allow you to import and export data securely and encrypted?

  • Data privacy and usage
    • Can Microsoft engineers access the data?
    • Is any Microsoft Support interaction with the service audited?

  • Data residency
    • Is data contained to the service deployment region?

Assessment: Operations

  • Monitoring
    • Does the service integrate with Azure Monitor?

  • Backup management
    • Which workload data needs to be backed up?
    • How are backups captured?
    • How frequently can backups be taken?
    • How long can backups be retained for?
    • Are backups encrypted?
    • Is backup encryption performed with Microsoft-managed keys or customer-managed keys?

  • Disaster recovery
    • How can the service be used in a regionally redundant fashion?
    • What is the attainable recovery time objective and recovery point objective?

  • SKU
    • What SKUs are available? And how do they differ?
    • Are there any features related to security for the Premium SKU?

  • Capacity management
    • How is capacity monitored?
    • What is the unit of horizontal scale?

  • Patch and update management
    • Does the service require active updating, or do updates happen automatically?
    • How frequently are updates applied? Can they be automated?

  • Audit
    • Are nested control plane operations captured (for example, Azure Kubernetes Service or Azure Databricks)?
    • Are key data plane activities recorded?

  • Configuration management
    • Does it support tags and provide a put schema for all resources?

Assessment: Azure service compliance

  • Service attestation, certification, and external audits
    • Is the service PCI/ISO/SOC compliant?

  • Service availability
    • Is the service a private preview, a public preview, or generally available?
    • In what regions is the service available?
    • What is the deployment scope of the service? Is it a regional or global service?

  • Service-level agreements (SLAs)
    • What is the SLA for service availability?
    • If applicable, what is the SLA for performance?