Security Baseline discipline improvement

The Security Baseline discipline focuses on ways of establishing policies that protect the network, assets, and, most importantly, the data that will reside on a cloud provider's solution. Within the Five Disciplines of Cloud Governance, the Security Baseline discipline includes classification of the digital estate and data. It also includes documentation of risks, business tolerance, and mitigation strategies associated with the security of the data, assets, and network. From a technical perspective, this also includes involvement in decisions regarding encryption, network requirements, hybrid identity strategies, and the processes used to develop Security Baseline policies for the cloud.

This article outlines some potential tasks your company can engage in to better develop and mature the Security Baseline discipline. These tasks can be broken down into the planning, building, adopting, and operating phases of implementing a cloud solution, which are then iterated on, allowing the development of an incremental approach to cloud governance.

Figure 1: Phases of an incremental approach to cloud governance.

It's impossible for any one document to account for the requirements of all businesses. As such, this article outlines suggested minimum and potential example activities for each phase of the governance maturation process. The initial objective of these activities is to help you build a policy MVP and establish a framework for incremental policy improvement. Your cloud governance team will need to decide how much to invest in these activities to improve your Security Baseline discipline.

Warning

Neither the minimum nor the potential activities outlined in this article are aligned to specific corporate policies or third-party compliance requirements. This guidance is designed to help facilitate the conversations that will lead to alignment of both requirements with a cloud governance model.

Planning and readiness

This phase of governance maturity bridges the divide between business outcomes and actionable strategies. During this process, the leadership team defines specific metrics, maps those metrics to the digital estate, and begins planning the overall migration effort.

Minimum suggested activities:

  • Evaluate your Security Baseline toolchain options.
  • Develop a draft architecture guidelines document and distribute it to key stakeholders.
  • Educate and involve the people and teams affected by the development of the architecture guidelines.
  • Add prioritized security tasks to your migration backlog.

Potential activities:

  • Define a data classification schema.
  • Conduct a digital estate planning process to inventory the current IT assets powering your business processes and supporting operations.
  • Conduct a policy review to begin the process of modernizing existing corporate IT security policies, and define MVP policies addressing known risks.
  • Review your cloud platform's security guidelines. For Azure, these can be found in the Microsoft Service Trust Portal.
  • Determine whether your Security Baseline policy includes a security development lifecycle.
  • Evaluate network, data, and asset-related business risks based on the next one to three releases, and gauge your organization's tolerance for those risks.
  • Review Microsoft's top trends in cybersecurity report for an overview of the current security landscape.
  • Consider developing a DevSecOps role in your organization.

Build and predeployment

Several technical and nontechnical prerequisites are required to successfully migrate an environment. This process focuses on the decisions, readiness, and core infrastructure that precede a migration.

Minimum suggested activities:

  • Implement your Security Baseline toolchain by rolling it out in a predeployment phase.
  • Update the architecture guidelines document and distribute it to key stakeholders.
  • Implement the security tasks on your prioritized migration backlog.
  • Develop educational materials and documentation, awareness communications, incentives, and other programs to help drive user adoption.

Potential activities:

  • Determine your organization's encryption strategy for cloud-hosted data.
  • Evaluate your cloud deployment's identity strategy. Determine how your cloud-based identity solution will coexist or integrate with on-premises identity providers.
  • Determine network boundary policies for your software-defined networking (SDN) design to ensure secure virtualized networking capabilities.
  • Evaluate your organization's least-privilege access policies, and use task-based roles to provide access to specific resources.
  • Apply security and monitoring mechanisms to all cloud services and virtual machines.
  • Automate security policies where possible.
  • Review your Security Baseline policy and determine whether you need to modify your plans according to best-practices guidance, such as that outlined in the security development lifecycle.

Adopt and migrate

Migration is an incremental process that focuses on the movement, testing, and adoption of applications or workloads in an existing digital estate.

Minimum suggested activities:

  • Migrate your Security Baseline toolchain from predeployment to production.
  • Update the architecture guidelines document and distribute it to key stakeholders.
  • Develop educational materials and documentation, awareness communications, incentives, and other programs to help drive user adoption.

Potential activities:

  • Review the latest security baseline and threat information to identify any new business risks.
  • Gauge your organization's tolerance for handling new security risks that may arise.
  • Identify deviations from policy, and enforce corrections.
  • Adjust security and access control automation to ensure maximum policy compliance.
  • Validate that the best practices defined during the build and predeployment phases are properly executed.
  • Review your least-privilege access policies and adjust access controls to maximize security.
  • Test your Security Baseline toolchain against your workloads to identify and resolve any vulnerabilities.

Operate and post-implementation

Once the transformation is complete, governance and operations must live on for the natural lifecycle of an application or workload. This phase of governance maturity focuses on the activities that commonly come after the solution is implemented and the transformation cycle begins to stabilize.

Minimum suggested activities:

  • Validate and refine your Security Baseline toolchain.
  • Customize notifications and reports to alert you to potential security issues.
  • Refine the architecture guidelines to guide future adoption processes.
  • Communicate with and educate the affected teams periodically to ensure ongoing adherence to the architecture guidelines.

Potential activities:

  • Discover patterns and behavior for your workloads, and configure your monitoring and reporting tools to identify and notify you of any abnormal activity, access, or resource usage.
  • Continuously update your monitoring and reporting policies to detect the latest vulnerabilities, exploits, and attacks.
  • Have procedures in place to quickly stop unauthorized access and disable resources that may have been compromised by an attacker.
  • Regularly review the latest security best practices and, where possible, apply the recommendations to your security policy, automation, and monitoring capabilities.

Next steps

Now that you understand the concept of cloud security governance, move on to learn more about what security and best-practices guidance Microsoft provides for Azure.