Enterprise-scale security, governance, and compliance

This article covers defining encryption and key management, planning for governance, defining security monitoring and an audit policy, and planning for platform security. At the end of the article, you can refer to a table that describes a framework to assess the enterprise security readiness of Azure services.

Define encryption and key management

Encryption is a vital step toward ensuring data privacy, compliance, and data residency in Microsoft Azure. It's also one of the most important security concerns of many enterprises. This section covers design considerations and recommendations as they pertain to encryption and key management.

Design considerations:

  • Subscription and scale limits as they apply to Azure Key Vault: Key Vault has transaction limits for keys and secrets. To throttle transactions per vault in a certain period, see Azure limits.

  • Key Vault serves as a security boundary because access permissions for keys, secrets, and certificates are at the vault level. Key Vault access policy assignments grant permissions separately to keys, secrets, or certificates. They don't support granular, object-level permissions such as access to one specific key, secret, or certificate (see key management).

  • You can isolate application-specific and workload-specific secrets from shared secrets, and control access to each as appropriate.

  • Use Premium SKUs where hardware-security-module-protected keys are required. The underlying hardware security modules (HSMs) are FIPS 140-2 Level 2 compliant. Where FIPS 140-2 Level 3 compliance is required, consider the supported scenarios for Azure Dedicated HSM.

  • Key rotation and secret expiration.

    • Certificate procurement and signing by using Key Vault (see certificates).
    • Alerting/notifications and automated certificate renewals.

  • Disaster recovery requirements for keys, certificates, and secrets.

    • Key Vault service replication and failover capabilities (see availability and redundancy).

  • Monitoring key, certificate, and secret usage.

    • Detecting unauthorized access by using a key vault or an Azure Monitor Log Analytics workspace (see monitoring and alerting).

  • Delegated Key Vault instantiation and privileged access (see secure access).

  • Requirements for using customer-managed keys for native encryption mechanisms such as Azure Storage encryption:

    • Customer-managed keys.
    • Whole-disk encryption for virtual machines (VMs).
    • Data-in-transit encryption.
    • Data-at-rest encryption.

Design recommendations:

  • Use a federated Azure Key Vault model to avoid transaction scale limits.

  • Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.

  • Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) roles.

  • Automate the certificate management and renewal process with public certificate authorities to ease administration.

  • Establish an automated process for key and certificate rotation.

  • Enable the firewall and virtual network service endpoints on the vault to control access to the key vault.

  • Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.

  • Delegate Key Vault instantiation and privileged access, and use Azure Policy to enforce a consistent, compliant configuration.

  • Default to Microsoft-managed keys for principal encryption functionality, and use customer-managed keys when required.

  • Don't use centralized instances of Key Vault for application keys or secrets.

  • Don't share Key Vault instances between applications, to avoid secret sharing across environments.
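The following Azure Policy definition is added here as an illustration, not taken from the article: it turns three of the recommendations above (soft delete, purge protection, and a default-deny vault firewall) into a single deny rule that can be created at the root management group and assigned at inherited scopes. The display name and description are placeholders; the field aliases are the standard Microsoft.KeyVault/vaults aliases that the built-in Key Vault policies use.

```json
{
  "properties": {
    "displayName": "Deny key vaults without soft delete, purge protection, and a default-deny firewall",
    "description": "Example definition (placeholder name). Denies creation or update of a Key Vault that violates any of the three baseline settings.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "anyOf": [
                  { "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false" },
                  { "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false" }
                ]
              },
              {
                "anyOf": [
                  { "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false" },
                  { "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "equals": "false" }
                ]
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The explicit "exists" checks matter because a template that omits a property entirely would otherwise slip past a plain equality test; purge protection and the vault firewall are the conditions that typically fire, since neither is on by default.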

Plan for governance

Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. Azure Policy is essential to ensuring security and compliance within enterprise technical estates. It can enforce vital management and security conventions across Azure platform services and supplement Azure role-based access control (Azure RBAC), which controls what actions authorized users can perform.

Design considerations:

  • Determine what Azure policies are needed.

  • Enforce management and security conventions, such as the use of private endpoints.

  • Manage and create policy assignments by using policy definitions that can be reused at multiple inherited assignment scopes. You can have centralized, baseline policy assignments at management group, subscription, and resource group scopes.

  • Ensure continuous compliance with compliance reporting and auditing.

  • Understand that Azure Policy has limits, such as the restriction on the number of definitions at any particular scope (see policy limits).

  • Understand regulatory compliance policies. These might include HIPAA, PCI DSS, or SOC 2 trust service principles.

Design recommendations:

  • Identify required Azure tags and use the append policy mode to enforce usage.

  • Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.

  • Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.

  • Manage policy assignments at the highest appropriate level, with exclusions at lower levels if required.

  • Use Azure Policy to control resource provider registrations at the subscription and/or management group levels.

  • Use built-in policies where possible to minimize operational overhead.

  • Assign the built-in Policy Contributor role at a particular scope to enable application-level governance.

  • Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.
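An Azure Policy definition using the append effect for a required tag, added here as an example rather than taken from the article. It follows the pattern of the built-in "Append a tag and its value to resources" definition; the default tag name costCenter is an assumed placeholder, and the definition is meant to be created at the root management group and assigned per scope with the tagValue parameter set.

```json
{
  "properties": {
    "displayName": "Append a required tag and its default value to resources",
    "description": "Example definition (placeholder name). Adds the tag when it is missing on create or update.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the required tag, for example costCenter (assumed placeholder)"
        },
        "defaultValue": "costCenter"
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag value",
          "description": "Value written when the tag is absent"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[parameters('tagValue')]"
          }
        ]
      }
    }
  }
}
```

Append only acts on create or update and never overwrites a value that is already present; resources that existed before the assignment are reported as non-compliant but are not changed, which is a job for the modify effect with a remediation task.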

Define security monitoring and an audit policy

An enterprise must have visibility into what's happening within its technical cloud estate. Security monitoring and audit logging of Azure platform services are key components of a scalable framework.

Design considerations:

  • Data retention periods for audit data. Azure AD Premium reports have a 30-day retention period.

  • Long-term archiving of logs such as Azure activity logs, VM logs, and platform as a service (PaaS) logs.

  • Baseline security configuration via Azure in-guest VM policy.

  • Emergency patching for critical vulnerabilities.

  • Patching for VMs that are offline for extended periods of time.

  • Requirements for real-time monitoring and alerting.

  • Security information and event management (SIEM) integration with Azure Security Center and Azure Sentinel.

  • Vulnerability assessment of VMs.

Design recommendations:

  • Use Azure AD reporting capabilities to generate access control audit reports.

  • Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.

  • Enable Security Center Standard for all subscriptions, and use Azure Policy to ensure compliance.

  • Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center.

  • Use Azure Policy to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.

  • Monitor VM security configuration drift via Azure Policy.

  • Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.

  • Use an Azure Event Grid-based solution for log-oriented, real-time alerting.

Plan for platform security

You must maintain a healthy security posture as you adopt Azure. Besides visibility, you have to be able to control the initial settings and changes as the Azure services evolve. Therefore, planning for platform security is key.

Design considerations:

  • Shared responsibility.

  • High availability and disaster recovery.

  • Consistent security across Azure services in terms of data management and control plane operations.

  • Multitenancy for key platform components. This includes Hyper-V, the HSMs underpinning Key Vault, and database engines.

Design recommendations:

  • In the context of your underlying requirements, conduct a joint examination of each required service. If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigations so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.

  • Develop a security allow-list plan to assess each service's security configuration, monitoring, and alerts, and how to integrate these with existing systems.

  • Determine the incident response plan for Azure services before allowing them into production.

  • Use Azure AD reporting capabilities to generate access control audit reports.

  • Align your security requirements with Azure platform roadmaps to stay current with newly released security controls.

  • Implement a zero-trust approach for access to the Azure platform, where appropriate.

Azure Security Benchmark

The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure most of the services you use in Azure. You can think of these recommendations as "general" or "organizational" because they apply to most Azure services. The Azure Security Benchmark recommendations are then customized for each Azure service, and this customized guidance is contained in the service recommendations articles.

The Azure Security Benchmark documentation specifies security controls and service recommendations.

  • Security controls: The Azure Security Benchmark recommendations are categorized by security controls. Security controls represent high-level, vendor-agnostic security requirements, such as network security and data protection. Each security control has a set of security recommendations and instructions that help you implement those recommendations.
  • Service recommendations: When available, benchmark recommendations for Azure services include Azure Security Benchmark recommendations that are tailored specifically for that service.

Service enablement framework

As business units request to deploy workloads to Azure, you need additional visibility into a workload to determine how to achieve appropriate levels of governance, security, and compliance. When a new service is required, you need to allow it. The following framework, grouped by assessment area and category with the criteria to check under each, can be used to assess the enterprise security readiness of Azure services:

Assessment: Security

  • Network endpoint
    • Does the service have a public endpoint that is accessible outside of a virtual network?
    • Does it support virtual network service endpoints?
    • Can Azure services interact directly with the service endpoint?
    • Does it support Azure Private Link endpoints?
    • Can it be deployed within a virtual network?

  • Data exfiltration prevention
    • Does the PaaS service have a separate Border Gateway Protocol (BGP) community in Azure ExpressRoute Microsoft peering? Does ExpressRoute expose a route filter for the service?
    • Does the service support Private Link endpoints?

  • Enforce network traffic flow for management and data plane operations
    • Is it possible to inspect traffic entering/exiting the service? Can traffic be force-tunnelled with user-defined routing?
    • Do management operations use Azure shared public IP ranges?
    • Is management traffic directed via a link-local endpoint exposed on the host?

  • Data encryption at rest
    • Is encryption applied by default?
    • Can encryption be disabled?
    • Is encryption performed with Microsoft-managed keys or customer-managed keys?

  • Data encryption in transit
    • Is traffic to the service encrypted at the protocol level (SSL/TLS)?
    • Are there any HTTP endpoints, and can they be disabled?
    • Is underlying service communication also encrypted?
    • Is encryption performed with Microsoft-managed keys or customer-managed keys? (Is bring-your-own encryption supported?)

  • Software deployment
    • Can application software or third-party products be deployed to the service?
    • How is software deployment performed and managed?
    • Can policies be enforced to control source or code integrity?
    • If software is deployable, can antimalware capability, vulnerability management, and security monitoring tools be used?
    • Does the service provide such capabilities natively, such as with Azure Kubernetes Service?

Assessment: Identity and access management

  • Authentication and access control
    • Are all control plane operations governed by Azure AD? Is there a nested control plane, such as with Azure Kubernetes Service?
    • What methods exist to provide access to the data plane?
    • Does the data plane integrate with Azure AD?
    • Does authentication between Azure services use managed identities or service principals?
    • Is Azure-to-IaaS (service-to-virtual-network) authentication via Azure AD?
    • How are any applicable keys or shared access signatures managed?
    • How can access be revoked?

  • Segregation of duties
    • Does the service separate control plane and data plane operations within Azure AD?

  • Multi-factor authentication and conditional access
    • Is multi-factor authentication enforced for user-to-service interactions?

Assessment: Governance

  • Data export and import
    • Does the service allow you to import and export data securely and in encrypted form?

  • Data privacy and usage
    • Can Microsoft engineers access the data?
    • Is any Microsoft Support interaction with the service audited?

  • Data residency
    • Is data contained within the service deployment region?

Assessment: Operations

  • Monitoring
    • Does the service integrate with Azure Monitor?

  • Backup management
    • Which workload data needs to be backed up?
    • How are backups captured?
    • How frequently can backups be taken?
    • How long can backups be retained?
    • Are backups encrypted?
    • Is backup encryption performed with Microsoft-managed keys or customer-managed keys?

  • Disaster recovery
    • How can the service be used in a regionally redundant fashion?
    • What are the attainable recovery time objective and recovery point objective?

  • SKU
    • What SKUs are available, and how do they differ?
    • Are there any security-related features for the Premium SKU?

  • Capacity management
    • How is capacity monitored?
    • What is the unit of horizontal scale?

  • Patch and update management
    • Does the service require active updating, or do updates happen automatically?
    • How frequently are updates applied? Can they be automated?

  • Audit
    • Are nested control plane operations captured (for example, Azure Kubernetes Service or Azure Databricks)?
    • Are key data plane activities recorded?

  • Configuration management
    • Does it support tags and provide a PUT schema for all resources?

Assessment: Azure service compliance

  • Service attestation, certification, and external audits
    • Is the service PCI/ISO/SOC compliant?

  • Service availability
    • Is the service a private preview, a public preview, or generally available?
    • In what regions is the service available?
    • What is the deployment scope of the service? Is it a regional or global service?

  • Service-level agreements (SLAs)
    • What is the SLA for service availability?
    • If applicable, what is the SLA for performance?