
Azure Storage security overview

This article provides an overview of Azure security features that you can use with Azure Storage. Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities. You can:

  • Secure the storage account by using Role-Based Access Control (RBAC) and Azure Active Directory.
  • Secure data in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • Set data to be automatically encrypted when it's written to Azure Storage by using Storage Service Encryption.
  • Set OS and data disks used by virtual machines (VMs) to be encrypted by using Azure Disk Encryption.
  • Grant delegated access to the data objects in Azure Storage by using shared access signatures (SASs).
  • Use analytics to track the authentication method that someone is using when they access Storage.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage. These features include storage account keys, data encryption in transit and at rest, and storage analytics.

Role-Based Access Control

You can help secure your storage account by using Role-Based Access Control. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users.

Learn more:

Delegated access to storage objects

A shared access signature (SAS) provides delegated access to resources in your storage account. With a SAS, you can grant a client limited access to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

The SAS is a URI that encompasses in its query parameters all the information necessary for authenticated access to a storage resource. To access storage resources with the SAS, the client only needs to provide the SAS to the appropriate constructor or method.
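The following is an added example (not code from the Azure documentation or the Azure SDK) that shows the mechanism behind a SAS: the service holds the account key, the client holds only a URI whose query parameters carry the permissions, validity window and an HMAC-SHA256 signature over those parameters. The field layout in the string-to-sign, the query-parameter names, the account name `example` and the account key are all assumptions made for this example; Azure's real string-to-sign has more fields and a version-specific layout.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed account key for the example (a real key comes from the storage account).
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _string_to_sign(resource, permissions, start, expiry):
    # Simplified field ordering, an assumption for this example only.
    return "\n".join([permissions, str(start), str(expiry), resource])


def _sign(account_key, message):
    # HMAC-SHA256 keyed with the decoded account key, base64-encoded like a SAS 'sig'.
    key = base64.b64decode(account_key)
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def issue_sas(account_key, resource, permissions, start, expiry):
    """Service side: build a URI granting `permissions` on `resource` for [start, expiry)."""
    sig = _sign(account_key, _string_to_sign(resource, permissions, start, expiry))
    params = {"sp": permissions, "st": start, "se": expiry, "sig": sig}
    # 'example' is a hypothetical storage account name.
    return f"https://example.blob.core.windows.net{resource}?{urlencode(params)}"


def verify_sas(account_key, uri, requested_permission, now):
    """Service side: check signature, validity window and permission; return (ok, reason)."""
    parsed = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        permissions = q["sp"]
        start, expiry, sig = int(q["st"]), int(q["se"]), q["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(account_key, _string_to_sign(parsed.path, permissions, start, expiry))
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now < start or now >= expiry:
        return False, "outside validity window"
    if requested_permission not in permissions:
        return False, "permission not granted"
    return True, "ok"


if __name__ == "__main__":
    uri = issue_sas(ACCOUNT_KEY, "/container/report.csv", "r", 1000, 2000)
    print(uri)
    print(verify_sas(ACCOUNT_KEY, uri, "r", 1500))
```

Because every parameter is covered by the signature, a client cannot widen its permissions or extend the expiry by editing the URI; the signature check fails first. The account key itself never leaves the service.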

Learn more:

Encryption in transit

Encryption in transit is a mechanism for protecting data while it's transmitted across networks. With Azure Storage, you can secure data by using:

  • Transport-level encryption, such as HTTPS, when you transfer data into or out of Azure Storage.
  • Wire encryption, such as SMB 3.0 encryption, for Azure file shares.
  • Client-side encryption, to encrypt the data before it's transferred into Storage and to decrypt the data after it's transferred out of Storage.

Learn more about client-side encryption:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that's at rest:

Learn more about Storage Service Encryption:

Azure Disk Encryption

Azure Disk Encryption for virtual machines helps you address organizational security and compliance requirements. It encrypts your VM disks (including boot and data disks) by using keys and policies that you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit use of your disk encryption keys. All the data in your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

Learn more

Firewalls and virtual networks

Azure Storage lets you enable firewall rules for your storage accounts. Once enabled, they block incoming requests for data, including requests from other Azure services. You can configure exceptions to allow traffic. Firewall rules can be enabled on existing storage accounts or at creation time.

You should use this functionality to restrict your storage accounts to a specific set of allowed networks.
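To make the evaluation order described above concrete, here is an added example (not Azure's own implementation) that models a storage-account network rule set and evaluates requests against it: a default action, an allowlist of IP ranges, an allowlist of virtual-network subnets, and an exception for trusted Azure services. The class and field names, the subnet identifiers and the IP addresses are constructed for this example; they are not Azure API names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NetworkRuleSet:
    """Constructed model of a storage account's firewall configuration."""
    default_action: str = "Allow"                        # "Allow" or "Deny"
    ip_rules: List[str] = field(default_factory=list)    # allowed CIDR ranges
    vnet_rules: List[str] = field(default_factory=list)  # allowed subnet identifiers
    bypass_azure_services: bool = False                  # exception for trusted Azure services


@dataclass
class Request:
    """Constructed model of an incoming data request."""
    source_ip: Optional[str] = None
    subnet_id: Optional[str] = None
    from_azure_service: bool = False


def evaluate(rules: NetworkRuleSet, req: Request) -> bool:
    """Return True if the request is allowed through the storage firewall."""
    if rules.default_action == "Allow":
        return True                      # firewall not restricting anything
    # Default action is Deny: only the configured exceptions let traffic in.
    if req.from_azure_service and rules.bypass_azure_services:
        return True
    if req.subnet_id is not None and req.subnet_id in rules.vnet_rules:
        return True
    if req.source_ip is not None:
        ip = ipaddress.ip_address(req.source_ip)
        for cidr in rules.ip_rules:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return True
    return False


# Constructed configurations used by the self-test below.
LOCKED_DOWN = NetworkRuleSet(default_action="Deny")
OFFICE_AND_APP = NetworkRuleSet(
    default_action="Deny",
    ip_rules=["203.0.113.0/24"],              # constructed office range
    vnet_rules=["subnet:app-tier"],           # constructed subnet identifier
    bypass_azure_services=True,
)


if __name__ == "__main__":
    print(evaluate(LOCKED_DOWN, Request(from_azure_service=True)))        # False
    print(evaluate(OFFICE_AND_APP, Request(source_ip="203.0.113.10")))     # True
    print(evaluate(OFFICE_AND_APP, Request(source_ip="198.51.100.7")))     # False
```

The point the model captures is that switching the default action to Deny with no exceptions blocks every caller, including other Azure services; each kind of legitimate traffic then has to be re-admitted explicitly, which is what keeps the allowed-network set small and auditable.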

For more information on Azure Storage firewalls and virtual networks, see the article Configure Azure Storage Firewalls and Virtual Networks.

Azure Data Box

Data Box, Data Box Disk, and Data Box Heavy devices help you transfer large amounts of data to Azure when the network isn't an option. These offline data transfer devices are shipped between your organization and the Azure data center. They use AES encryption to help protect your data in transit, and they undergo a thorough post-upload sanitization process to delete your data from the device.

Data Box Edge and Data Box Gateway are online data transfer products that act as network storage gateways to manage data between your site and Azure. Data Box Edge, an on-premises network device, transfers data to and from Azure and uses artificial intelligence (AI)-enabled edge compute to process data. Data Box Gateway is a virtual appliance with storage gateway capabilities.

Learn more:

Advanced Threat Protection

Azure Storage provides Advanced Threat Protection for an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage account. Advanced Threat Protection monitors Azure Storage diagnostic logs for suspicious read, write, or delete requests to Blob storage.

Advanced Threat Protection alerts can be viewed from Azure Security Center. Azure Security Center provides details on any suspicious activity detected and recommends actions to investigate and remediate the potential threat.
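The two ideas above, tracking the authentication method used for each request (from the overview list) and monitoring diagnostic logs for suspicious read, write or delete activity, can be illustrated with a small detector. This is an added example, not Advanced Threat Protection's logic and not the real Storage Analytics log format: the semicolon-delimited layout, the field names, the IP addresses and the thresholds below are all constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log layout for this example:
# timestamp;operation;http_status;auth_type;caller_ip;resource
SAMPLE_LOG = """\
2019-05-01T10:00:01Z;GetBlob;200;authenticated;203.0.113.5;/data/report.csv
2019-05-01T10:00:07Z;GetBlob;200;anonymous;198.51.100.9;/data/report.csv
2019-05-01T10:01:00Z;DeleteBlob;202;sas;198.51.100.9;/data/a.bin
2019-05-01T10:01:02Z;DeleteBlob;202;sas;198.51.100.9;/data/b.bin
2019-05-01T10:01:03Z;DeleteBlob;202;sas;198.51.100.9;/data/c.bin
2019-05-01T10:01:05Z;DeleteBlob;202;sas;198.51.100.9;/data/d.bin
2019-05-01T10:30:00Z;DeleteBlob;202;authenticated;203.0.113.5;/data/old.bin
"""


def parse_log(text):
    """Parse the constructed log layout into a list of dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, status, auth, ip, resource = line.split(";")
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operation": op,
            "status": int(status),
            "auth_type": auth,
            "caller_ip": ip,
            "resource": resource,
        })
    return entries


def auth_method_summary(entries):
    """Count how each successful request was authenticated (the 'track the auth method' use case)."""
    return Counter(e["auth_type"] for e in entries if e["status"] < 400)


def detect(entries, delete_threshold=3, window=timedelta(minutes=5)):
    """Return alert tuples for anonymous access and bursts of deletes from one caller."""
    alerts = []
    # 1. Any successful anonymous request is worth a look: the data was served
    #    without the caller proving who it was.
    for e in entries:
        if e["auth_type"] == "anonymous" and e["status"] < 400:
            alerts.append(("anonymous_access", e["caller_ip"], e["resource"]))
    # 2. Many successful deletes from the same caller inside a short window
    #    (sliding window over sorted timestamps).
    deletes = defaultdict(list)
    for e in entries:
        if e["operation"] == "DeleteBlob" and e["status"] < 400:
            deletes[e["caller_ip"]].append(e["ts"])
    for ip, times in deletes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= delete_threshold:
                alerts.append(("mass_delete", ip, end - start + 1))
                break  # one alert per caller is enough
    return alerts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(auth_method_summary(parsed))
    for alert in detect(parsed):
        print(alert)
```

Run against the constructed sample, the summary shows requests split across `authenticated`, `sas` and `anonymous`, and the detector raises one alert for the anonymous read and one for the four-deletes-in-five-seconds burst from the SAS caller; the single authenticated delete half an hour later stays below the threshold.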

Learn more:

Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage disk encryption keys and secrets in your key vault subscription. It also ensures that all data in the virtual machine disks is encrypted at rest in Azure Storage. You should use Key Vault to audit keys and policy usage.

Learn more