
End-to-end security in Azure

One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities make it possible to build secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data while also enabling transparent accountability.

The following diagram and documentation introduce you to the security services in Azure. These services help you meet the security needs of your business and protect your users, devices, resources, data, and applications in the cloud.

Microsoft security services map

The security services map organizes services by the resources they protect (columns) and groups them into the following categories (rows):

  • Secure and protect - Services that let you implement a layered, defense-in-depth strategy across identity, hosts, networks, and data. This collection of security services and capabilities gives you a way to understand and improve your security posture across your Azure environment.
  • Detect threats - Services that identify suspicious activity and help you mitigate the threat.
  • Investigate and respond - Services that pull logging data together so you can assess suspicious activity and respond to it.

The diagram also includes the Azure Security Benchmark program, a collection of high-impact security recommendations you can use to help secure the services you use in Azure.

Diagram showing the end-to-end security services in Azure.

Security controls and baselines

The Azure Security Benchmark program includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

  • Security controls - Recommendations that apply generally across your Azure tenant and Azure services. Each recommendation identifies the stakeholders who are typically involved in planning, approving, or implementing it.
  • Service baselines - These apply the controls to individual Azure services and give recommendations for that service's security configuration.

Secure and protect

Diagram showing the Azure services that help secure cloud resources.

Azure Security Center: A unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads, whether they run in Azure, in another cloud, or on premises.

Identity & Access Management
  Azure Active Directory (AD): Microsoft's cloud-based identity and access management service.
    Conditional Access is the Azure AD tool that brings identity signals together, makes access decisions, and enforces organizational policies.
    Domain Services is the Azure AD tool that provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication.
    Privileged Identity Management (PIM) is an Azure AD service that lets you manage, control, and monitor access to important resources in your organization.
    Multi-factor authentication is the Azure AD tool that helps safeguard access to data and applications by requiring a second form of authentication.
  Azure AD Identity Protection: A tool that lets organizations automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis.

Infrastructure & Network
  VPN Gateway: A virtual network gateway used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet, and between Azure virtual networks over the Microsoft network.
  Azure DDoS Protection Standard: Provides enhanced DDoS mitigation features to defend against DDoS attacks. It is tuned automatically to help protect your specific Azure resources in a virtual network.
  Azure Front Door: A global, scalable entry point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.
  Azure Firewall: A managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
  Azure Key Vault: A secure secrets store for tokens, passwords, certificates, API keys, and other secrets. Key Vault can also be used to create and control the encryption keys used to encrypt your data.
  Key Vault Managed HSM (preview): A fully managed, highly available, single-tenant, standards-compliant cloud service that lets you safeguard cryptographic keys for your cloud applications using FIPS 140-2 Level 3 validated HSMs.
  Azure Private Link: Lets you reach Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned or partner services over a private endpoint in your virtual network, so the traffic never needs to traverse the public Internet.
  Azure Application Gateway: An advanced web traffic load balancer that lets you manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example the URI path or host headers.
  Azure Service Bus: A fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other.
  Web Application Firewall: Provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway and Azure Front Door.

Data & Application
  Azure Backup: Provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud.
  Azure Storage Service Encryption: Automatically encrypts data before it is stored and automatically decrypts it when you retrieve it.
  Azure Information Protection: A cloud-based solution that lets organizations discover, classify, and protect documents and emails by applying labels to content.
  API Management: A way to create consistent, modern API gateways for existing back-end services.
  Azure confidential computing: Lets you isolate your sensitive data while it is being processed in the cloud.
  Azure DevOps: Development projects stored in Azure DevOps benefit from multiple layers of security and governance technologies, operational practices, and compliance policies.

Customer Access
  Azure AD External Identities: With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in with whatever identity they prefer.
    You can share your apps and resources with external users through Azure AD B2B collaboration.
    Azure AD B2C lets you support millions of users and billions of authentications per day, monitoring and automatically handling threats such as denial-of-service, password spray, and brute-force attacks.

Detect threats

Diagram showing the Azure services used to detect threats.

Azure Defender: Brings advanced, intelligent protection to your Azure and hybrid resources and workloads. The Azure Defender dashboard in Security Center provides visibility into, and control of, the cloud workload protection features for your environment.
Azure Sentinel: A scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Identity & Access Management
  Microsoft 365 Defender: A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
    Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
    Microsoft Defender for Identity is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  Azure AD Identity Protection: Sends two types of automated notification email to help you manage user risk and risk detections: the "Users at risk detected" email and the "Weekly digest" email.

Infrastructure & Network
  Azure Defender for IoT: A unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It lets you secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations.
  Azure Network Watcher: Provides tools to monitor, diagnose, view metrics for, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS products, including virtual machines, virtual networks, application gateways, and load balancers.
  Azure Policy audit logging: Helps enforce organizational standards and assess compliance at scale. Azure Policy writes to the activity log, which is enabled automatically and records the event source, date, user, timestamp, source and destination addresses, and other useful fields.

Data & Application
  Azure Defender for container registries: Includes a vulnerability scanner that scans the images in your Azure Resource Manager-based Azure Container Registry registries and gives deeper visibility into the vulnerabilities in your images.
  Azure Defender for Kubernetes: Provides cluster-level threat protection by monitoring your AKS-managed services through the logs retrieved by Azure Kubernetes Service (AKS).
  Microsoft Cloud App Security: A Cloud Access Security Broker (CASB) that operates across multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.
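The "Azure Policy audit logging" row above says that Policy enforces standards and assesses compliance, but not what a definition looks like or how a resource ends up marked non-compliant. The example below is added here and is not Microsoft's code: it embeds a policy definition in the real JSON shape (the alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is a real Azure Policy alias) and runs it through a deliberately small evaluator that models only the allOf/anyOf/not and equals/notEquals parts of the rule language and only the audit and deny effects. The alias-to-property table, the resource names, and the sample resources are constructed for the example; the real service resolves aliases from the resource provider schema.

```python
import json
from typing import Any, Dict, List

# Azure Policy definition in the service's real JSON shape. The alias
# Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is a real alias;
# the definition itself and the resources below are constructed for this example.
POLICY_DEFINITION: Dict[str, Any] = {
    "properties": {
        "displayName": "Audit storage accounts that still accept HTTP",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                    {
                        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                        "equals": "false",
                    },
                ]
            },
            "then": {"effect": "audit"},
        },
    }
}

# Assumption: a hand-written alias-to-property-path table. The real service
# resolves aliases against the resource provider schema; this table covers only
# the alias used above.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": (
        "properties",
        "supportsHttpsTrafficOnly",
    ),
}

# Constructed resources in an ARM-like shape, as the evaluator would see them.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"name": "stor-https", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stor-legacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vm-web", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
]


def get_field(resource: Dict[str, Any], field: str) -> Any:
    """Resolve a policy 'field' (the built-in 'type' or an alias) on a resource."""
    if field == "type":
        return resource.get("type")
    path = ALIASES.get(field)
    if path is None:
        return None
    node: Any = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate the subset of the rule language used by typical audit rules:
    allOf / anyOf / not, and field with equals / notEquals. Values are compared
    as lowercase strings, mirroring Azure Policy's case-insensitive matching."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    actual = str(get_field(resource, condition["field"])).lower()
    if "equals" in condition:
        return actual == str(condition["equals"]).lower()
    if "notEquals" in condition:
        return actual != str(condition["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {json.dumps(condition)}")


def evaluate(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return {resource name: 'Compliant' | 'NonCompliant'}. For the audit and
    deny effects a resource is non-compliant exactly when the 'if' block matches."""
    rule = policy["properties"]["policyRule"]
    effect = rule["then"]["effect"].lower()
    if effect not in ("audit", "deny"):
        raise ValueError(f"effect {effect!r} is not modelled here")
    return {
        r["name"]: "NonCompliant" if matches(rule["if"], r) else "Compliant"
        for r in resources
    }


if __name__ == "__main__":
    for name, state in evaluate(POLICY_DEFINITION, SAMPLE_RESOURCES).items():
        print(f"{name}: {state}")
```

Only stor-legacy is reported as NonCompliant: the VM fails the type check, so the allOf never reaches the alias, and stor-https has the property set to true. Switching the effect to deny changes what happens at deployment time, not which resources match, which is why the evaluator treats the two effects identically.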

Investigate and respond

Diagram showing the Azure services that help investigate and respond to threats.

Azure Sentinel: Powerful search and query tools to hunt for security threats across your organization's data sources.
Azure Monitor logs and metrics: A comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor collects and aggregates data from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting.

Identity & Access Management
  Azure AD reports and monitoring: Azure AD reports give you a comprehensive view of activity in your environment.
    Azure AD monitoring lets you route your Azure AD activity logs to other endpoints.
  Azure AD PIM audit history: Shows all role assignments and activations within the past 30 days for all privileged roles.

Data & Application
  Microsoft Cloud App Security: Provides tools to gain a deeper understanding of what is happening in your cloud environment.
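The Sentinel and Azure Monitor rows describe hunting across collected telemetry, and the Customer Access section earlier names password spray as a threat Azure AD B2C handles for you. The example below is added here and is not Microsoft's code: it runs a password-spray detection over a handful of constructed sign-in events shaped like four columns of the Azure AD SigninLogs table that Sentinel ingests (TimeGenerated, UserPrincipalName, IPAddress, ResultType), and carries the analogous KQL as a string. The user names, the contoso.example domain, the documentation-range IP addresses, and the threshold of five accounts per hour are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in events with a few columns of the Azure AD SigninLogs table.
# ResultType "0" is success; "50126" is "invalid username or password".
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    # one source IP trying many accounts once each: the spray pattern
    {"TimeGenerated": "2024-03-01T10:02:11Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:03:40Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:05:02Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:07:19Z", "UserPrincipalName": "dave@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:08:55Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:12:30Z", "UserPrincipalName": "erin@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T10:20:44Z", "UserPrincipalName": "frank@contoso.example", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    # a normal successful sign-in
    {"TimeGenerated": "2024-03-01T10:30:00Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.3", "ResultType": "0"},
    # repeated failures against one account: brute force, not a spray
    {"TimeGenerated": "2024-03-01T11:01:05Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "192.0.2.44", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T11:02:05Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "192.0.2.44", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T11:03:05Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "192.0.2.44", "ResultType": "50126"},
]

# The analogous hunting query to run in Azure Sentinel over the real SigninLogs
# table (threshold of 5 accounts is an assumption; tune it to your tenant).
SENTINEL_EQUIVALENT_KQL = """
SigninLogs
| where ResultType == "50126"
| summarize Accounts = dcount(UserPrincipalName), Attempts = count()
    by IPAddress, Window = bin(TimeGenerated, 1h)
| where Accounts >= 5
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
EPOCH = datetime(1970, 1, 1)


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window (KQL's bin())."""
    return ts - ((ts - EPOCH) % window)


def detect_password_spray(
    events: List[Dict[str, str]],
    window: timedelta = timedelta(hours=1),
    min_accounts: int = 5,
) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Return {(IPAddress, window start): {"accounts": [...], "attempts": n}}
    for source IPs whose failed sign-ins in one window hit at least
    min_accounts distinct accounts. Many accounts from one IP with few attempts
    each is the spray signature; many attempts against one account is not."""
    accounts: Dict[Tuple[str, str], set] = defaultdict(set)
    attempts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["ResultType"] != "50126":
            continue
        ts = datetime.strptime(e["TimeGenerated"], TIME_FORMAT)
        key = (e["IPAddress"], window_start(ts, window).strftime(TIME_FORMAT))
        accounts[key].add(e["UserPrincipalName"])
        attempts[key] += 1
    return {
        key: {"accounts": sorted(users), "attempts": attempts[key]}
        for key, users in accounts.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for (ip, start), hit in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip} from {start}: {hit['attempts']} failures across {len(hit['accounts'])} accounts")
```

Only 203.0.113.7 is reported: seven failures across six accounts in the 10:00 window. The three failures from 192.0.2.44 all target alice and so never reach the account threshold, which is the distinction between a spray and a single-account brute force, and the kind of thing you would confirm before a response step such as blocking the IP or forcing a password reset.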

Next steps