有关保护公司电子邮件和文档的体系结构指南Architecture guidance for protecting company email and documents

本主题首先概述了如何在确保最终用户体验简单且不影响工作效率的同时,为公司提供数据保护。This topic starts with an overview of how you can provide data protection for your company while ensuring that the end-user experience is simple and does not impact productivity. 然后,我们将专门重点介绍如何使用 Microsoft 企业移动性 + 安全性解决方案,帮助提供对公司电子邮件的安全访问,以及帮助保护电子邮件和附件中的公司数据。Then, we will focus specifically on how you can help provide secure access to your corporate email and help protect company data in email and attachments using the Microsoft Enterprise Mobility + Security solution.

本节讨论用于保护公司电子邮件和文档的体系结构。This section discusses the architecture for protecting company email and documents. 有关部署解决方案的指南,请参阅详细了解如何部署用于保护公司电子邮件和文档的解决方案See Learn more about how to deploy a solution for protecting company email and documents for guidance on deploying a solution.


请从 TechNet 库中获取此完整主题的可下载副本。Get a downloadable copy of this entire topic at the TechNet Gallery.

员工希望使用自己的设备访问公司资源和实用工具。Employees want to be able to use their own devices to access company resources and productivity tools. IT 部门需要确保员工能够这样做,但同时保护好公司的敏感数据。IT needs to make sure that employees have this ability but sensitive company data is protected. 自带设备办公 (BYOD) 带来了一项特殊挑战,即需要在个人设备上区分个人数据和工作数据,并防止有意或无意中共享公司数据。BYOD, or Bring your own device, poses a specific challenge in that there needs to be a separation of personal and work data on personal devices and prevent intentional or unintentional sharing of company data.

研究表明:Studies have shown that:

  • 全球 37% 的劳动力都采用移动办公方式37% of the world’s workforce is mobile

  • 2014 年第 3 季度 53% 的电子邮件是在手机或平板电脑上打开的53% of total email opens occurred on a mobile phone or tablet in Q3 2014

  • 61% 的员工在个人设备上处理个人事务和工作任务61% of workers mix personal and work tasks in their devices

考虑这一点:Consider this:

  • 电子邮件是所有设备上最常用的应用程序。Email is often the most used application on any device.

  • 电子邮件中的内容和邮件附件可复制、共享或移动到 IT 部门监控范围之外的地方,进而危及公司安全。Content in email and email attachments can be copied, shared, or moved to other locations outside of your IT department purview, which can lead to compromising your company's security.

由于最终用户想要使用自己的个人设备处理公司事务,且电子邮件是最常访问的应用程序,IT 部门的第一步是确保最终用户可以在其自己的设备上访问公司电子邮件,同时确保邮件中的敏感数据不会被泄露。Since end-users want to do company work using their own personal devices and email is the most often accessed application, the first step for your IT is to make sure that end-users can access corporate email on their devices while making sure that sensitive data in email is not compromised.


Microsoft 推出了企业移动性 + 安全性 (EMS),这是用于识别身份、管理移动设备、管理应用和保护数据的全面解决方案。Microsoft offers the Enterprise Mobility + Security (EMS), a comprehensive solution for identity, mobile device management, app management, and data protection. EMS 提供分层的安全模型,可让你的 IT 部门管理几乎任何设备对电子邮件、数据和企业应用程序的访问。EMS provides a layered security model which allows your IT department to manage access to email, data, and corporate applications from almost any device.

EMS 由以下云服务组成:EMS is composed of the following cloud services:

显示 EMS 所含云服务的图形:Microsoft Azure AD Premium、Microsoft Intune 和 Microsoft Azure 信息保护

使用 EMS 可从企业网络内外保护数据:Using EMS, data is protected both inside and outside of your corporate network:

  • 员工可使用自选的设备访问公司的电子邮件、工作相关的应用程序和公司数据,无需担心泄露公司的敏感信息。Employees have access to corporate email, work-related applications, and company data on the device of their choice without worrying about compromising sensitive company information.

  • 公司数据在每个层级得到保护:用户、设备、应用程序以及数据本身。Company data is protected at every level: user, device, application and finally, at the level of the data itself.

  • IT 管理员可以确保只有受信任的用户通过托管的合规设备在托管的应用程序环境下才可以访问公司数据。Your IT admin can make sure that corporate data is accessed only by trusted users on managed and compliant devices, and in the context of managed applications.

Intune 托管的应用包括 Office 移动应用,这正是此解决方案的核心。Intune-managed apps include Office mobile apps, which are central to this solution. 利用 Office 移动应用,你可以在防止数据泄露的同时,帮助最大限度提高员工的工作效率。With Office mobile apps, you can help maximize employee productivity while preventing data leakage. 例如,IT 管理员可以设置阻止策略,阻止将公司数据复制到 Dropbox 等个人云存储器。For example, your IT admin can set policies that prevent copying company data to personal cloud storage like Dropbox.

当员工移动或更改作业或者丢失设备时,EMS 可帮助远程并选择性地擦除设备中的公司数据。When employees move or change jobs, or lose their device, EMS provides the option to remotely and selectively wipe corporate data from the device. 最终用户或 IT 管理员都可执行此操作。This can be done by the end-user or by your IT admin.

EMS 如何帮助保护你的数据How EMS can help protect your data

4 层的身份识别、设备、应用和数据安全模型旨在确保只有目标用户,通过满足你所配置的一组合规性策略的设备,在托管应用内才能访问公司资源。The 4 layered security model for identity, devices, apps, and data is about making sure that your company resources are only accessed by the intended user, on a device that meets a set of compliance policies configured by you, and within the boundaries of managed apps.


保护数据始于建立和验证用户身份。Protecting your data starts with establishing and validating the user identity. Azure AD/ 是一款企业级身份验证和访问管理工具,可提供单一登录、多重身份验证、自助服务密码等功能。Azure AD/, an enterprise-grade identity and access management tool delivers single sign-on, multi-factor authentication, self-service passwords, and more. 它为安全模型的 身份识别层 提供功能。It provides the functionality for the identity layer of the security model.

构建于身份识别基线,IT 管理员可以使用 Microsoft Intune 确保移动设备已注册、托管并符合你的公司策略。Building on the identity baseline, your IT admin can use Microsoft Intune to make sure that mobile devices are enrolled, managed and compliant with your corporate policies. 这是设备层This is the device layer.

第三层是采用由 Intune 托管的应用生态系统的应用管理层The third layer is the app management layer with the Intune-managed app ecosystem. 利用这个生态系统,用户可以提高工作效率并使用他们所需和所知的工具(如 Office),同时你的 IT 部门可以确保托管应用生态系统中的敏感数据不会泄露。This ecosystem, while enabling users to be productive and use the tools that they need and know like Office, also enables your IT to keep sensitive data within the managed app ecosystem.

Azure 信息保护(原 Azure RMS)在安全模型的文件级别对数据进行保护。Azure Information Protection (formerly: Azure RMS) completes the security model by protecting data at the file level. 应用于数据的安全策略与数据一起传送、帮助保护传输中和未使用数据的安全,不受访问数据的设备影响。The security policies that are applied to the data, travel with the data, help keep the data secure in transit and at rest, regardless of the device that is used to access it. 这是安全模型的数据层This is the data layer of the security model.

后续步骤Where to go from here

此外,如果你希望了解有关 EMS 和 Azure Active Directory 的详细信息,你可以从以下这些文章中获取更多相关信息:Also, if you'd like to learn more about EMS and Azure Active Directory, you can get more information from any of these articles: