您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

云中的标识和密钥管理功能Function of identity and key management in the cloud

处理身份管理的安全团队的主要目标是提供人类、服务、设备和应用程序的身份验证和授权。The main objective of a security team working on identity management is to provide authentication and authorization of humans, services, devices, and applications. 密钥和证书管理为加密操作提供安全分发和访问密钥材料 (通常支持类似于标识管理) 的结果。Key and certification management provides secure distribution and access to key material for cryptographic operations (which often support similar outcomes as identity management).

现代化Modernization

正在对数据标识和密钥管理的现代化进行整形:Data identity and key management modernization is being shaped by:

  • 标识和密钥/证书管理专业在一起,因为它们都提供身份验证和授权的保证以实现安全通信。Identity and key/certification management disciplines are coming closer together as they both provide assurances for authentication and authorization to enable secure communications.
  • 标识控件作为云应用程序的主要安全外围出现Identity controls are emerging as a primary security perimeter for cloud applications
  • 云服务的基于密钥的身份验证被替换为标识管理,因为存储和安全地提供对这些密钥的访问很困难。Key-based authentication for cloud services is being replaced with identity management because of the difficulty of storing and securely providing access to those keys.
  • 从本地标识体系结构(例如单一标识、单一登录 (SSO) 和本机应用程序集成)中学到的正面课程至关重要。Critical importance of carrying positive lessons learned from on-premises identity architectures such as single identity, single sign-on (SSO), and native application integration.
  • 这项重要的重要性:避免了经常 overcomplicated 它们的本地体系结构的常见错误,从而使支持变得更容易。Critical importance of avoiding common mistakes of on-premises architectures that often overcomplicated them, making support difficult and attacks easier. 其中包括:These include:
    • (Ou) 的扩建组和组织单位。Sprawling groups and organizational units (OUs).
    • 第三方目录和标识管理系统的扩建集。Sprawling set of third-party directories and identity management systems.
    • 缺少应用程序标识策略的明确标准化和所有权。Lack of clear standardization and ownership of application identity strategy.
  • 凭据被盗攻击会带来很大的影响,并且可能会有很大的风险,从而降低Credential theft attacks remain a high impact and high likelihood threat to mitigate.
  • 服务帐户和应用程序帐户遗留了最大的挑战,但更易于解决。Service accounts and application accounts remaining a top challenge, but becoming easier to solve. 标识团队应积极地采用开始解决这类功能(如 Azure AD 托管标识)的云功能。Identity teams should actively embrace the cloud capabilities that are beginning to solve this like Azure AD managed identities.

团队组合和键关系Team composition and key relationships

标识和密钥管理团队需要构建具有以下角色的强关系:Identity and key management teams need to build strong relationships with the following roles:

  • IT 体系结构和操作IT architecture and operations
  • 安全体系结构和操作Security architecture and operations
  • 开发团队Development teams
  • 数据安全团队Data security teams
  • 隐私团队Privacy teams
  • 法律团队Legal teams
  • 合规性/风险管理团队Compliance/risk management teams

后续步骤Next steps

查看基础结构和终结点安全性的功能Review the function of infrastructure and endpoint security