Azure security baseline for Intelligent Recommendations
आलेख
This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Intelligent Recommendations. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Intelligent Recommendations.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
Network Security Group Support
Description: Service network traffic respects Network Security Groups rule assignment on its subnets. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
NS-2: Secure cloud services with network controls
Features
Azure Private Link
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
Disable Public Network Access
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
PA-1: Separate and limit highly privileged/administrative users
Features
Local Admin Accounts
Description: Service has the concept of a local administrative account. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
PA-7: Follow just enough administration (least privilege) principle
Features
Azure RBAC for Data Plane
Description: Azure Role-Based Access Control (Azure RBAC) can be used to managed access to service's data plane actions. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
PA-8: Determine access process for cloud provider support
Features
Customer Lockbox
Description: Customer Lockbox can be used for Microsoft support access. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review, then approve or reject each of Microsoft's data access requests.
DP-1: Discover, classify, and label sensitive data
Features
Sensitive Data Discovery and Classification
Description: Tools (such as Azure Purview or Azure Information Protection) can be used for data discovery and classification in the service. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
DP-2: Monitor anomalies and threats targeting sensitive data
Features
Data Leakage/Loss Prevention
Description: Service supports DLP solution to monitor sensitive data movement (in customer's content). Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Feature notes: Because the authoritative source of customer content is stored on the customer managed subscription and the service uses a copy which is not kept for more than 48 hours.
Configuration Guidance: This feature is not supported to secure this service.
DP-3: Encrypt sensitive data in transit
Features
Data in Transit Encryption
Description: Service supports data in-transit encryption for data plane. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
True
Microsoft
Feature notes: Data at transit is encrypted by default using TLS 1.2.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
DP-4: Enable data at rest encryption by default
Features
Data at Rest Encryption Using Platform Keys
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
True
Microsoft
Feature notes: Customer content at rest is encrypted with Microsoft managed keys by default.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
DP-5: Use customer-managed key option in data at rest encryption when required
Features
Data at Rest Encryption Using CMK
Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
DP-7: Use a secure certificate management process
Features
Certificate Management in Azure Key Vault
Description: The service supports Azure Key Vault integration for any customer certificates. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
LT-4: Enable logging for security investigation
Features
Azure Resource Logs
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Feature notes: Azure Intelligent Recommendation does not support Resource Log. However, you can see error logs related to the data ingestion process, and modeling evaluation logs that allow you to analyze the performance of your models. Refer to:
Set up error logging in Azure Data Lake Storage
Configuration Guidance: This feature is not supported to secure this service.
Network Security Group के साथ नेटवर्क ट्रैफ़िक फ़िल्टरिंग का अन्वेषण करें, क्लाउड के लिए Microsoft डिफ़ेंडर सेट करें, लॉग विश्लेषण कार्यस्थान बनाएँ, लॉग विश्लेषण एजेंट एकीकरण, Azure कुंजी वॉल्ट नेटवर्किंग कॉन्फ़िगर करें और Azure पोर्टल में Azure निजी समापन बिंदु का उपयोग करके Azure SQL सर्वर कनेक्ट करें. क्लाउड सुरक्षा को प्रभावी ढंग से बढ़ाएँ। (एससी-5002)