Cloud App Security best practices

Applies to: Microsoft Cloud App Security


Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

This article provides best practices for protecting your organization by using Microsoft Cloud App Security. These best practices come from our experience with Cloud App Security and the experiences of customers like you.

The best practices discussed in this article include:

Discover and assess cloud apps

Integrating Cloud App Security with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) gives you the ability to use Cloud Discovery beyond your corporate network or secure web gateways. With the combined user and machine information, you can identify risky users or machines, see what apps they are using, and investigate further in the Microsoft Defender ATP portal.

Best practice: Enable Shadow IT Discovery using Microsoft Defender ATP
Detail: Cloud Discovery analyzes traffic logs collected by Microsoft Defender ATP and assesses identified apps against the cloud app catalog to provide compliance and security information. By configuring Cloud Discovery, you gain visibility into cloud use and Shadow IT, and continuous monitoring of the unsanctioned apps being used by your users.

Best practice: Configure App Discovery policies to proactively identify risky, non-compliant, and trending apps
Detail: App Discovery policies make it easier to track the significant discovered applications in your organization and to manage those applications efficiently. Create policies to receive alerts when newly detected apps are identified as risky, non-compliant, trending, or high-volume.

Best practice: Manage OAuth apps that are authorized by your users
Detail: Many users casually grant OAuth permissions to third-party apps to access their account information and, in doing so, inadvertently also give those apps access to their data in other cloud apps. Usually, IT has no visibility into these apps, which makes it difficult to weigh the security risk of an app against the productivity benefit it provides.

Cloud App Security gives you the ability to investigate and monitor the app permissions your users have granted. You can use this information to identify a potentially suspicious app and, if you determine that it is risky, ban access to it.

Apply cloud governance policies

Best practice: Tag apps and export block scripts
Detail: After you've reviewed the list of discovered apps in your organization, you can secure your environment against unwanted app use. Apply the Sanctioned tag to apps that are approved by your organization and the Unsanctioned tag to apps that are not. You can monitor unsanctioned apps using discovery filters, or export a script that blocks unsanctioned apps on your on-premises security appliances. Using tags and export scripts lets you organize your apps and protect your environment by allowing only safe apps to be accessed.

Limit exposure of shared data and enforce collaboration policies

Best practice: Connect Office 365
Detail: Connecting Office 365 to Cloud App Security gives you immediate visibility into your users' activities and the files they are accessing, and provides governance actions for Office 365, SharePoint, OneDrive, Teams, Power BI, Exchange, and Dynamics.

Best practice: Connect third-party apps
Detail: Connecting third-party apps to Cloud App Security gives you improved insight into your users' activities, threat detection, and governance capabilities. The following third-party app APIs are supported: Amazon Web Services (AWS), Box, Dropbox, G Suite, Okta, Salesforce, ServiceNow, WebEx, and Workday.

Best practice: Review your organization's data exposure
Detail: Use the file exposure reports to gain visibility into how your users are sharing files with cloud apps. The following reports are available and can be exported for further analysis in tools such as Microsoft Power BI:

  • Data sharing overview: Lists files by access permissions stored in each of your cloud apps

  • Outbound sharing by domain: Lists the domains with which corporate files are shared by your employees

  • Owners of shared files: Lists users who are sharing corporate files with the outside world

For more information:

  • Generate data management reports

Best practice: Create policies to remove sharing with personal accounts
Detail: Connecting Office 365 to Cloud App Security gives you immediate visibility into your users' activities and the files they are accessing, and provides governance actions for Office 365, SharePoint, OneDrive, Teams, Power BI, Exchange, and Dynamics.

Discover, classify, label, and protect regulated and sensitive data stored in the cloud

Best practice: Integrate with Azure Information Protection
Detail: Integrating with Azure Information Protection gives you the ability to automatically apply classification labels and, optionally, add encryption protection. Once the integration is turned on, you can apply labels as a governance action, view files by classification, investigate files by classification level, and create granular policies to make sure classified files are handled properly. If you do not turn on the integration, you cannot benefit from the ability to automatically scan, label, and encrypt files in the cloud.

Best practice: Create data exposure policies
Detail: Use file policies to detect information sharing and to scan for confidential information in your cloud apps. Create the following file policies to alert you when data exposures are detected:

  • Files shared externally containing sensitive data
  • Files shared externally and labeled as Confidential
  • Files shared with unauthorized domains
  • Protect sensitive files on SaaS apps

Best practice: Review reports in the Files page
Detail: Once you've connected various SaaS apps using app connectors, Cloud App Security scans the files stored by those apps. In addition, each time a file is modified it is scanned again. You can use the Files page to understand and investigate the types of data stored in your cloud apps. To help you investigate, you can filter by domain, group, user, creation date, extension, file name and type, file ID, classification label, and more. These filters put you in control of how you investigate files, so you can make sure none of your data is at risk. Once you have a better understanding of how your data is being used, you can create policies to scan these files for sensitive content.

Enforce DLP and compliance policies for data stored in the cloud

Best practice: Protect confidential data from being shared with external users
Detail: Create a file policy that detects when a user tries to share a file carrying the Confidential classification label with someone external to your organization, and configure its governance action to remove external users. This policy ensures your confidential data doesn't leave your organization and that external users cannot gain access to it.
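The file policies listed under "Create data exposure policies" and the Confidential-label policy just described come down to the same evaluation: look at who a file is shared with, its label and its content, and decide which policies match and which governance action follows. The following is an added example, not Cloud App Security's own code or policy engine, that runs that evaluation over constructed file records. The organization domain, the authorized partner domain and the card-number detector (a 16-digit pattern with a Luhn check) are assumptions chosen for the example.

```python
"""Added example (not Cloud App Security code): evaluate file records against the
data-exposure file policies described above. All records are constructed sample data."""
import re
from dataclasses import dataclass

# Assumed organization settings (hypothetical values).
INTERNAL_DOMAIN = "contoso.example"
AUTHORIZED_EXTERNAL_DOMAINS = {"partner.example"}

# Minimal sensitive-information detector: card-like 16-digit numbers that pass a Luhn check.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_sensitive_data(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


@dataclass
class FileRecord:
    name: str
    owner: str
    label: str             # classification label, e.g. "Confidential" or "General"
    collaborators: list    # e-mail addresses the file is shared with
    content: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(f: FileRecord):
    """Return (matched policy names, governance actions) for one file."""
    matched, actions = [], []
    external = [c for c in f.collaborators if domain_of(c) != INTERNAL_DOMAIN]
    if external and contains_sensitive_data(f.content):
        matched.append("Files shared externally containing sensitive data")
    if external and f.label == "Confidential":
        matched.append("Files shared externally and labeled as Confidential")
        # Governance action from the best practice above: remove the external users.
        actions.append(("remove_external_users", sorted(external)))
    if any(domain_of(c) not in AUTHORIZED_EXTERNAL_DOMAINS for c in external):
        matched.append("Files shared with unauthorized domains")
    return matched, actions


# Constructed sample files (no real data).
SAMPLE_FILES = [
    FileRecord("q3-forecast.xlsx", "erin@contoso.example", "Confidential",
               ["bob@gmail.example", "erin@contoso.example"], "Revenue forecast for Q3"),
    FileRecord("customer-list.csv", "erin@contoso.example", "General",
               ["ann@partner.example"], "Card on file: 4111 1111 1111 1111"),
    FileRecord("team-notes.docx", "erin@contoso.example", "General",
               ["frank@contoso.example"], "Sprint retrospective notes"),
]


def run_sample():
    """Evaluate every sample file and return {file name: (matched policies, actions)}."""
    return {f.name: evaluate(f) for f in SAMPLE_FILES}


if __name__ == "__main__":
    for name, (policies, actions) in run_sample().items():
        print(name, policies, actions)
```

Only the Confidential-label match carries an automatic governance action here, mirroring the best practice above; the other matches are alerts for review, which is the conservative default until you have confirmed the policy produces few false positives.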

Block and protect download of sensitive data to unmanaged or risky devices

Best practice: Manage and control access to high-risk devices
Detail: Use Conditional Access App Control to set controls on your SaaS apps. You can create session policies to monitor your high-risk, low-trust sessions. Similarly, you can create session policies to block and protect downloads by users who try to access sensitive data from unmanaged or risky devices. If you do not create session policies to monitor high-risk sessions, you lose the ability to block and protect downloads in the web client, as well as the ability to monitor low-trust sessions in both Microsoft and third-party apps.

Secure collaboration with external users by enforcing real-time session controls

Best practice: Monitor sessions with external users using Conditional Access App Control
Detail: To secure collaboration in your environment, you can create a session policy to monitor sessions between your internal and external users. This not only lets you monitor the sessions between your users (and notify them that their session activities are being monitored), but also lets you limit specific activities. When creating session policies to monitor activity, you can choose the apps and users you'd like to monitor.

Detect cloud threats, compromised accounts, malicious insiders, and ransomware

Best practice: Tune anomaly policies, set IP ranges, send feedback for alerts
Detail: Anomaly detection policies provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) so that you can immediately run advanced threat detection across your cloud environment.

Anomaly detection policies are triggered when users in your environment perform unusual activities. Cloud App Security continually monitors your users' activities and uses UEBA and ML to learn and understand their normal behavior. You can tune policy settings to fit your organization's requirements; for example, you can set the sensitivity of a policy and scope a policy to a specific group.

  • Tune and scope anomaly detection policies: As an example, to reduce the number of false positives within the impossible travel alert, you can set the policy's sensitivity slider to low. If you have users in your organization who are frequent corporate travelers, you can add them to a user group and select that group in the scope of the policy.

  • Set IP ranges: Cloud App Security can identify known IP addresses once IP address ranges are set. With IP address ranges configured, you can tag, categorize, and customize the way logs and alerts are displayed and investigated. Adding IP address ranges helps reduce false positive detections and improves the accuracy of alerts. If you choose not to add your IP addresses, you may see an increased number of possible false positives and alerts to investigate.

  • Send feedback for alerts: When dismissing or resolving alerts, make sure to send feedback with the reason you dismissed the alert or how it was resolved. This information helps Cloud App Security improve its alerts and reduce false positives.

Best practice: Detect activity from unexpected locations or countries
Detail: Create an activity policy that notifies you when users sign in from unexpected locations or countries/regions. These notifications can alert you to possibly compromised sessions in your environment, so that you can detect and remediate threats early.
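The tuning options in the previous best practice (sensitivity, scoping a group out of the impossible travel policy, tagged IP ranges) and the unexpected-country activity policy just described interact in ways that are easier to see in code than in prose. The following is an added example, not Cloud App Security's own detection logic, that runs both checks over constructed sign-in records. The IP ranges (RFC 5737 documentation networks), the expected-country list, the frequent-traveler group, and the mapping of the sensitivity slider to a maximum plausible travel speed are all assumptions for the example.

```python
"""Added example (not Cloud App Security code): sign-in checks that mirror the tuning
options above: tagged corporate IP ranges, an impossible-travel check with a sensitivity
threshold and a scoped-out traveler group, and an unexpected-country activity policy.
Ranges, users and sign-ins are constructed sample data."""
import ipaddress
import math
from datetime import datetime

# Assumed IP ranges (RFC 5737 documentation addresses), each tagged with a location name.
CORPORATE_RANGES = {
    ipaddress.ip_network("203.0.113.0/24"): "HQ Seattle",
    ipaddress.ip_network("198.51.100.0/24"): "Bangalore office",
}
EXPECTED_COUNTRIES = {"US", "GB"}                # countries users normally sign in from (assumed)
FREQUENT_TRAVELERS = {"carol@contoso.example"}    # group scoped out of the impossible travel policy
# Sensitivity slider modelled as the maximum plausible travel speed in km/h (assumed values).
SENSITIVITY_KMH = {"low": 900, "medium": 600, "high": 300}


def tag_ip(ip: str):
    """Return the tag of the corporate range containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in CORPORATE_RANGES.items() if addr in net), None)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_alerts(signins, sensitivity="medium"):
    """Return a list of (user, alert_type, detail) tuples for the given sign-in records."""
    alerts, last_seen = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        user, t = s["user"], datetime.fromisoformat(s["time"])
        site = tag_ip(s["ip"])
        # Activity policy: sign-in from an unexpected country. A tagged corporate range
        # counts as a known location, which is how configured IP ranges cut false positives.
        if s["country"] not in EXPECTED_COUNTRIES and site is None:
            alerts.append((user, "unexpected_country", s["country"]))
        # Anomaly policy: impossible travel between consecutive sign-ins of the same user,
        # skipped for users in the scoped-out frequent-traveler group.
        prev = last_seen.get(user)
        if prev is not None and user not in FREQUENT_TRAVELERS:
            hours = (t - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            speed = km / hours if hours > 0 else math.inf
            if speed > SENSITIVITY_KMH[sensitivity]:
                alerts.append((user, "impossible_travel", round(speed)))
        last_seen[user] = {"t": t, "lat": s["lat"], "lon": s["lon"]}
    return alerts


# Constructed sample sign-ins (coordinates are approximate city centres).
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "time": "2020-05-01T08:00:00+00:00", "ip": "203.0.113.10", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "alice@contoso.example", "time": "2020-05-01T09:00:00+00:00", "ip": "192.0.2.44", "country": "DE", "lat": 52.52, "lon": 13.41},
    {"user": "bob@contoso.example", "time": "2020-05-01T08:00:00+00:00", "ip": "203.0.113.11", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "bob@contoso.example", "time": "2020-05-01T20:00:00+00:00", "ip": "192.0.2.80", "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "carol@contoso.example", "time": "2020-05-01T08:00:00+00:00", "ip": "203.0.113.12", "country": "US", "lat": 47.61, "lon": -122.33},
    {"user": "carol@contoso.example", "time": "2020-05-01T10:00:00+00:00", "ip": "192.0.2.81", "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "dave@contoso.example", "time": "2020-05-01T08:30:00+00:00", "ip": "198.51.100.5", "country": "IN", "lat": 12.97, "lon": 77.59},
]


if __name__ == "__main__":
    for level in ("low", "high"):
        print(level, detect_alerts(SAMPLE_SIGNINS, level))
```

Running it at the "low" setting flags only alice (Seattle to Berlin in an hour, plus a sign-in from an unexpected country); bob's Seattle-to-London trip over twelve hours is about 640 km/h and only becomes an alert at the "high" setting, carol is never evaluated for impossible travel because she is in the scoped-out group, and dave's sign-in from India raises nothing because his address falls in a tagged office range. That is the trade-off the sensitivity slider and IP ranges control.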

Best practice: Create OAuth app policies
Detail: Create an OAuth app policy that notifies you when an OAuth app meets certain criteria. For example, you can choose to be notified when a specific app that requires a high permission level has been accessed by more than 100 users.
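Both the "Manage OAuth apps that are authorized by your users" best practice earlier on this page and the OAuth app policy just described start from the same data: which users consented to which app, and which permissions that app holds. The following is an added example, not Cloud App Security's own code, that summarizes constructed consent records per app and applies the example policy above (high permission level and more than 100 users). The rule for rating a scope as high-privilege is a simple assumed heuristic, not the product's scoring.

```python
"""Added example (not Cloud App Security code): summarize user OAuth consents per app
and apply an OAuth app policy. Consent records are constructed sample data."""
from collections import defaultdict

# Assumed heuristic: scopes containing any of these markers count as high privilege.
# This is an illustration, not how Cloud App Security rates permissions.
HIGH_PRIVILEGE_MARKERS = ("ReadWrite", ".All", "Mail.", "Directory.")


def permission_level(scopes) -> str:
    return "high" if any(m in s for s in scopes for m in HIGH_PRIVILEGE_MARKERS) else "low"


def summarize_consents(consents):
    """Aggregate {app name: {user_count, scopes, permission_level}} from consent records."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set()})
    for c in consents:
        apps[c["app"]]["users"].add(c["user"])
        apps[c["app"]]["scopes"].update(c["scopes"])
    return {
        name: {
            "user_count": len(a["users"]),
            "scopes": sorted(a["scopes"]),
            "permission_level": permission_level(a["scopes"]),
        }
        for name, a in apps.items()
    }


def evaluate_oauth_policy(summary, min_users=100, level="high"):
    """Return the apps (sorted by name) that have the given permission level and
    more than min_users distinct consenting users."""
    return sorted(
        name for name, a in summary.items()
        if a["permission_level"] == level and a["user_count"] > min_users
    )


# Constructed sample consents: one record per user per app.
SAMPLE_CONSENTS = (
    [{"user": f"user{i}@contoso.example", "app": "Mail Helper",
      "scopes": ["User.Read", "Mail.ReadWrite"]} for i in range(120)]
    + [{"user": f"user{i}@contoso.example", "app": "Calendar Viewer",
        "scopes": ["User.Read", "Calendars.Read"]} for i in range(150)]
    + [{"user": f"user{i}@contoso.example", "app": "Bulk Exporter",
        "scopes": ["Files.ReadWrite.All"]} for i in range(5)]
)


if __name__ == "__main__":
    summary = summarize_consents(SAMPLE_CONSENTS)
    for name, a in summary.items():
        print(name, a["user_count"], a["permission_level"], a["scopes"])
    print("policy matches:", evaluate_oauth_policy(summary))
```

Note that the widely used app (Calendar Viewer, 150 users) does not match because its permissions are low, and the high-privilege Bulk Exporter does not match because only five users consented; the summary still surfaces it for the manual investigation the earlier best practice calls for, where you decide whether to ban it.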

Use the audit trail of activities for forensic investigations

Best practice: Use the audit trail of activities when investigating alerts
Detail: Alerts are triggered when user, admin, or sign-in activities don't comply with your policies. It is important to investigate alerts to understand whether there is a possible threat in your environment.

You can investigate an alert by selecting it on the Alerts page and reviewing the audit trail of activities relating to that alert. The audit trail gives you visibility into activities of the same type, from the same user, and from the same IP address and location, to provide you with the overall story of an alert. If an alert warrants further investigation, create a plan to resolve these alerts in your organization.

When dismissing alerts, it's important to investigate and understand why they are of no importance or whether they are false positives. If there is a high volume of such activities, you may also want to consider reviewing and tuning the policy that triggers the alert.

Secure IaaS services and custom apps

Best practice: Connect Azure, AWS, and GCP
Detail: Connecting each of these cloud platforms to Cloud App Security helps you improve your threat detection capabilities. By monitoring administrative and sign-in activities for these services, you can detect and be notified about possible brute force attacks, malicious use of a privileged user account, and other threats in your environment. For example, you can identify risks such as unusual deletions of VMs, or even impersonation activities in these apps.

Best practice: Review security configuration assessments for Azure, AWS, and GCP
Detail: Integrating with Azure Security Center provides you with a security configuration assessment of your Azure environment. The assessment provides recommendations for missing configurations and security controls. Reviewing these recommendations helps you identify anomalies and potential vulnerabilities in your environment, and lets you navigate directly to the relevant location in the Azure Security portal to resolve them.

AWS and GCP give you visibility into security configuration recommendations on how to improve your cloud security.

Use these recommendations to monitor the compliance status and security posture of your entire organization, including Azure subscriptions, AWS accounts, and GCP projects.

Best practice: Onboard custom apps
Detail: To gain additional visibility into activities from your line-of-business apps, you can onboard custom apps to Cloud App Security. Once custom apps are configured, you see information about who is using them, the IP addresses they are used from, and how much traffic is coming into and going out of each app.

Additionally, you can onboard a custom app as a Conditional Access App Control app to monitor its low-trust sessions.