您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure 数据安全与加密最佳做法Azure data security and encryption best practices

本文介绍了针对数据安全和加密的最佳做法。This article describes best practices for data security and encryption.

最佳做法以观点的共识以及 Azure 平台功能和特性集为基础。The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. 观点和技术将随着时间改变,本文会定期更新以反映这些更改。Opinions and technologies change over time and this article is updated on a regular basis to reflect those changes.

保护数据Protect data

为了帮助保护云中的数据,需要考虑数据可能出现的状态以及可用于该状态的控件。To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Azure 数据安全与加密的最佳做法与以下数据状态相关:Best practices for Azure data security and encryption relate to the following data states:

  • 静态:包括物理媒体(磁盘或光盘)上以静态方式存在的所有信息存储对象、容器和类型。At rest: This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk.
  • 传输中:在各组件、位置或程序间传输数据时,数据处于“传输中”状态。In transit: When data is being transferred between components, locations, or programs, it’s in transit. 例如通过网络、通过服务总线(从本地到云,反之亦然,包括诸如 ExpressRoute 的混合连接)进行传输,或在输入/输出过程。Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process.

选择密钥管理解决方案Choose a key management solution

保护密钥对保护云中的数据至关重要。Protecting your keys is essential to protecting your data in the cloud.

Azure Key Vault 可帮助保护云应用程序和服务使用的加密密钥和机密。Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault 简化了密钥管理过程,可让我们控制用于访问和加密数据的密钥。Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. 开发人员可以在几分钟内创建用于开发和测试的密钥,然后将其迁移到生产密钥。Developers can create keys for development and testing in minutes, and then migrate them to production keys. 安全管理员可以根据需要授予(和吊销)密钥权限。Security administrators can grant (and revoke) permission to keys, as needed.

可以使用 Key Vault 创建多个安全容器(称为保管库)。You can use Key Vault to create multiple secure containers, called vaults. 这些保管库受 HSM 支持。These vaults are backed by HSMs. 保管库可以集中存储应用程序机密,降低安全信息意外丢失的可能性。Vaults help reduce the chances of accidental loss of security information by centralizing the storage of application secrets. Key vault 还控制并记录外界对其所存储内容的访问。Key vaults also control and log the access to anything stored in them. Azure Key Vault 负责处理传输层安全性 (TLS) 证书的请求和续订事宜。Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates. 它为可靠的证书生命周期管理解决方案提供相关功能。It provides features for a robust solution for certificate lifecycle management.

Azure Key Vault 旨在支持应用程序密钥和机密。Azure Key Vault is designed to support application keys and secrets. Key Vault 不应用于存储用户密码。Key Vault is not intended to be a store for user passwords.

以下是使用 Key Vaul 的安全最佳做法。Following are security best practices for using Key Vault.

最佳做法:向特定范围内的用户、组和应用程序授予访问权限。Best practice: Grant access to users, groups, and applications at a specific scope.
详细信息:使用 RBAC 的预定义角色。Detail: Use RBAC’s predefined roles. 例如,要向用户授予管理密钥保管库的访问权限,需要将预定义的角色密钥保管库参与者分配给位于特定范围内的此用户。For example, to grant access to a user to manage key vaults, you would assign the predefined role Key Vault Contributor to this user at a specific scope. 在此情况下,该范围可以是订阅、资源组,或只是特定的密钥保管库。The scope in this case would be a subscription, a resource group, or just a specific key vault. 如果预定义角色不符合需求,可以定义自己的角色If the predefined roles don’t fit your needs, you can define your own roles.

最佳做法:控制用户有权访问的内容。Best practice: Control what users have access to.
详细信息:可通过以下两个独立接口来控制对密钥保管库的访问:管理平面和数据平面。Detail: Access to a key vault is controlled through two separate interfaces: management plane and data plane. 管理平面和数据平面访问独立控制工作。The management plane and data plane access controls work independently.

使用 RBAC 控制用户有权访问的内容。Use RBAC to control what users have access to. 例如,如果想要授予应用程序使用密钥保管库中的密钥的访问权限,只需使用密钥保管库访问策略授予数据平面访问权限,而无需授予此应用程序的管理平面访问权限。For example, if you want to grant an application access to use keys in a key vault, you only need to grant data plane access permissions by using key vault access policies, and no management plane access is needed for this application. 相反,如果希望用户能够读取保管库属性和标记,但不让其具有任何访问密钥、机密或证书的权限,则可以使用 RBAC 向此用户授予“读取”访问权限,而无需授予数据平面访问权限。Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates, you can grant this user read access by using RBAC, and no access to the data plane is required.

最佳做法:将证书存储在密钥保管库中。Best practice: Store certificates in your key vault. 证书的价值很高。Your certificates are of high value. 如果落入他人之手,应用程序或数据的安全性可能会受到损害。In the wrong hands, your application's security or the security of your data can be compromised.
详细信息:Azure 资源管理器可以在部署 VM 时,将存储在 Azure Key Vault 中的证书安全地部署到 Azure VM。Detail: Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. 通过为密钥保管库设置适当的访问策略,还可以控制有权访问证书的人员。By setting appropriate access policies for the key vault, you also control who gets access to your certificate. 另一个好处是,可以在 Azure Key Vault 中的一个位置管理所有证书。Another benefit is that you manage all your certificates in one place in Azure Key Vault. 有关详细信息,请参阅将证书从客户托管的 Key Vault 部署到 VMSee Deploy Certificates to VMs from customer-managed Key Vault for more information.

最佳做法:确保可以恢复删除的密钥保管库或密钥保管库对象。Best practice: Ensure that you can recover a deletion of key vaults or key vault objects.
详细信息:删除密钥保管库或密钥保管库对象可以是无意或恶意的。Detail: Deletion of key vaults or key vault objects can be inadvertent or malicious. 启用 Key Vault 的软删除和清除保护功能,尤其是对用于加密静态数据的密钥。Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. 删除这些密钥相当于丢失数据,因此可以在需要时恢复已删除的保管库和保管库对象。Deletion of these keys is equivalent to data loss, so you can recover deleted vaults and vault objects if needed. 定期练习 Key Vault 恢复操作。Practice Key Vault recovery operations on a regular basis.

备注

如果用户具有密钥保管库管理平面的参与者权限 (RBAC),则该用户可以通过设置密钥保管库访问策略来授予自己对数据平面的访问权限。If a user has contributor permissions (RBAC) to a key vault management plane, they can grant themselves access to the data plane by setting a key vault access policy. 建议严格控制具有密钥保管库“参与者”权限的人员,以确保只有获得授权的人员可以访问和管理密钥保管库、密钥、机密和证书。We recommend that you tightly control who has contributor access to your key vaults, to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.

使用安全工作站进行管理Manage with secure workstations

备注

订阅管理员或所有者应使用安全访问工作站或特权访问工作站。The subscription administrator or owner should use a secure access workstation or a privileged access workstation.

因为绝大多数的攻击以最终用户为目标,所以终结点将成为主要攻击点之一。Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack. 入侵终结点的攻击者可以使用用户的凭据来访问组织的数据。An attacker who compromises the endpoint can use the user’s credentials to gain access to the organization’s data. 大多数终结点攻击都利用了用户是其本地工作站的管理员这一事实。Most endpoint attacks take advantage of the fact that users are administrators in their local workstations.

最佳做法:使用安全管理工作站来保护敏感帐户、任务和数据。Best practice: Use a secure management workstation to protect sensitive accounts, tasks, and data.
详细信息:使用特权访问工作站来减小工作站的受攻击面。Detail: Use a privileged access workstation to reduce the attack surface in workstations. 这些安全管理工作站可帮助减轻其中一些攻击,以确保数据更为安全。These secure management workstations can help you mitigate some of these attacks and ensure that your data is safer.

最佳做法:确保实施终结点保护。Best practice: Ensure endpoint protection.
详细信息:在用于使用数据的所有设备上强制实施安全策略(无论数据位于云中还是本地)。Detail: Enforce security policies across all devices that are used to consume data, regardless of the data location (cloud or on-premises).

保护静止的数据Protect data at rest

静态数据加密是实现数据隐私性、符合性和数据主权的必要措施。Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.

最佳做法:使用磁盘加密来帮助保护数据。Best practice: Apply disk encryption to help safeguard your data.
详细信息:使用 Azure 磁盘加密Detail: Use Azure Disk Encryption. 它使 IT 管理员能够加密 Windows 和 Linux IaaS VM 磁盘。It enables IT administrators to encrypt Windows and Linux IaaS VM disks. 磁盘加密利用符合行业标准的 Windows BitLocker 功能和 Linux dm-crypt 功能为 OS 和数据磁盘提供卷加密。Disk Encryption combines the industry-standard Windows BitLocker feature and the Linux dm-crypt feature to provide volume encryption for the OS and the data disks.

Azure 存储和 Azure SQL 数据库默认对静态数据进行加密,并且许多服务都将加密作为选项提供。Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an option. 可以使用 Azure Key Vault 来持续控制用于访问和加密数据的密钥。You can use Azure Key Vault to maintain control of keys that access and encrypt your data. 有关详细信息,请参阅 Azure 资源提供程序加密模型支持See Azure resource providers encryption model support to learn more.

最佳做法:使用加密来帮助降低与未经授权访问数据相关的风险。Best practices: Use encryption to help mitigate risks related to unauthorized data access.
详细信息:在将敏感数据写入驱动器之前先将驱动器加密。Detail: Encrypt your drives before you write sensitive data to them.

未实施数据加密的组织面临的数据保密性问题风险更大。Organizations that don’t enforce data encryption are more exposed to data-confidentiality issues. 例如,未经授权的用户或恶意用户可能会窃取已入侵帐户中的数据,或者未经授权访问以明文格式编码的数据。For example, unauthorized or rogue users might steal data in compromised accounts or gain unauthorized access to data coded in Clear Format. 公司还必须证明,为了遵守行业法规,他们在不断作出相应努力并使用正确的安全控件来增强其数据安全性。Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.

保护传输中的数据Protect data in transit

保护传输中的数据应该是数据保护策略中不可或缺的部分。Protecting data in transit should be an essential part of your data protection strategy. 由于数据将从许多位置来回移动,因此我们一般建议始终使用 SSL/TLS 协议来交换不同位置的数据。Because data is moving back and forth from many locations, we generally recommend that you always use SSL/TLS protocols to exchange data across different locations. 在某些情况下,可能需要使用 VPN 隔离本地与云基础结构之间的整个信道。In some circumstances, you might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN.

对于在本地基础结构与 Azure 之间移动的数据,请考虑适当的防护措施,例如 HTTPS 或 VPN。For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. 通过公共 Internet 在 Azure 虚拟网络和本地位置之间发送加密流量时,请使用 Azure VPN 网关When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use Azure VPN Gateway.

以下是特定于使用 Azure VPN 网关、SSL/TLS 和 HTTPS 的最佳做法。Following are best practices specific to using Azure VPN Gateway, SSL/TLS, and HTTPS.

最佳做法:从位于本地的多个工作站安全访问 Azure 虚拟网络。Best practice: Secure access from multiple workstations located on-premises to an Azure virtual network.
详细信息:使用站点到站点 VPNDetail: Use site-to-site VPN.

最佳做法:从位于本地的单个工作站安全访问 Azure 虚拟网络。Best practice: Secure access from an individual workstation located on-premises to an Azure virtual network.
详细信息:使用点到站点 VPNDetail: Use point-to-site VPN.

最佳做法:通过专用高速 WAN 链路移动大型数据集。Best practice: Move larger data sets over a dedicated high-speed WAN link.
详细信息:使用 ExpressRouteDetail: Use ExpressRoute. 如果选择使用 ExpressRoute,则还可以使用 SSL/TLS 或其他协议在应用程序级别加密数据,以提供额外的保护。If you choose to use ExpressRoute, you can also encrypt the data at the application level by using SSL/TLS or other protocols for added protection.

最佳做法:通过 Azure 门户与 Azure 存储进行交互。Best practice: Interact with Azure Storage through the Azure portal.
详细信息:所有事务都通过 HTTPS 进行。Detail: All transactions occur via HTTPS. 此外可以使用存储 REST API通过 HTTPS 与进行交互Azure 存储You can also use Storage REST API over HTTPS to interact with Azure Storage.

无法保护传输中数据的组织更容易遭受中间人攻击窃听和会话劫持。Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. 这些攻击可能是获取机密数据访问权限的第一步。These attacks can be the first step in gaining access to confidential data.

保护电子邮件、文档和敏感数据Secure email, documents, and sensitive data

你希望控制并帮助保护在公司外部共享的电子邮件、文档和敏感数据。You want to control and secure email, documents, and sensitive data that you share outside your company. Azure 信息保护是基于云的解决方案,可帮助组织对其文档和电子邮件进行分类、标记和保护。Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. 这可以由定义了规则和条件的管理员自动执行、由用户手动执行,或者以组合方式执行,在组合方式中,用户可获得建议。This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.

分类始终是可标识的,而无论数据的存储位置或数据的共享人员。Classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared. 标签包括视觉标记,如页眉、页脚或水印。The labels include visual markings such as a header, footer, or watermark. 元数据以明文形式添加到文件和电子邮件标题中。Metadata is added to files and email headers in clear text. 明文形式确保其他服务(如防止数据丢失的解决方案)可以识别分类并采取相应的操作。The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.

保护技术使用 Azure Rights Management (Azure RMS)。The protection technology uses Azure Rights Management (Azure RMS). 此技术与其他 Microsoft 云服务和应用程序(如 Office 365 和 Azure Active Directory)集成。This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. 此保护技术使用加密、标识和授权策略。This protection technology uses encryption, identity, and authorization policies. 通过 Azure RMS 应用的保护与文档和电子邮件保留在一起,不受位置影响,也无论是在组织、网络、文件服务器和应用程序内部还是外部。Protection that is applied through Azure RMS stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications.

此信息保护解决方案可用于控制数据,即使是与他人共享的数据,也可控制。This information protection solution keeps you in control of your data, even when it’s shared with other people. 还可以将 Azure RMS 用于自己的业务线应用程序和软件供应商提供的信息保护解决方案,而无论这些应用程序和解决方案是在本地还是在云中。You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

建议:We recommend that you:

  • 为组织部署 Azure 信息保护Deploy Azure Information Protection for your organization.
  • 应用可反映业务需求的标签。Apply labels that reflect your business requirements. 例如:将名为“高度机密”的标签应用于包含绝密数据的所有文档和电子邮件,以对这些数据进行分类和保护。For example: Apply a label named “highly confidential” to all documents and emails that contain top-secret data, to classify and protect this data. 然后,只有授权的用户才能访问此数据,并具有指定的任何限制。Then, only authorized users can access this data, with any restrictions that you specify.
  • 配置 Azure RMS 的使用情况日志记录,以便监视组织使用保护服务的方式。Configure usage logging for Azure RMS so that you can monitor how your organization is using the protection service.

数据分类和文件保护能力不佳的组织可能更容易遭到数据泄漏或数据滥用。Organizations that are weak on data classification and file protection might be more susceptible to data leakage or data misuse. 使用适当的文件保护,可以分析数据流,以深入了解业务、检测风险行为并采取纠正措施、跟踪对文档的访问等等。With proper file protection, you can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, and so on.

后续步骤Next steps

有关通过 Azure 设计、部署和管理云解决方案时可以使用的更多安全最佳做法,请参阅 Azure 安全最佳做法和模式See Azure security best practices and patterns for more security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Azure.

以下资源提供了有关 Azure 安全性及相关 Microsoft 服务的更多常规信息:The following resources are available to provide more general information about Azure security and related Microsoft services: