The role of Azure Information Protection in securing data

Azure Information Protection (AIP) gives customers the ability to classify and label their data, and to protect it with encryption. Azure Information Protection enables IT administrators to:

  • Automatically classify emails and documents based on preset rules
  • Add markers to content, such as custom headers, footers, and watermarks
  • Protect the company's confidential files with Rights Management, which allows them to:
    • Use RSA 2048-bit keys for public key cryptography and SHA-256 for signing operations
    • Encrypt files to a specific set of recipients, both inside and outside the organization
    • Apply a specific set of rights to restrict how the file can be used
    • Decrypt content based on the user's identity and authorization in the rights policy

These capabilities give enterprises greater end-to-end control over their data. In this context, Azure Information Protection plays an important role in securing company data.

Important

For more information on how Azure Information Protection works, read How does Azure RMS work? Under the hood.

The state of enterprise protection today

Many enterprises today have no protection technology in place: documents and emails are shared in cleartext, and data custodians have no clear picture of which users can access privileged content. Protection technologies such as S/MIME are complicated, and ACLs do not necessarily travel with emails and documents.

Figure: No document protection

In a largely unprotected environment, Azure Information Protection provides a measure of security that was not available before. Security is a constantly evolving subject and no organization can claim 100% protection at any point in time, but Azure Information Protection, when properly deployed, improves an organization's security posture.

Security principles for sharing content

When Azure Information Protection is used within the organization, IT administrators have full control over the client device and over user identity management, and this builds the right platform of trust for sharing inside the organization. Sending information outside the organization is inherently less trustworthy. When thinking about an approach to information protection, there are some principles to keep in mind, and you must perform a risk assessment. While performing this risk assessment, consider the following points:

  • The recipient has physical access to an unmanaged device, and is therefore in control of everything that happens on that device.
  • The recipient is authenticated only to some degree of confidence against impersonation.

When the IT administrator controls neither the device nor the identity, IT cannot control what happens to the protected information. Once a user has authenticated and opened protected information, it is no longer yours to control. At that point you are trusting the recipient to honor the policies placed on the content.

It is not possible to completely stop a malicious external recipient who has authorized access to the protected content. Azure Information Protection helps establish ethical boundaries and, through enlightened applications, helps keep people honest about how they access the document. Azure Information Protection helps when there is implicit trust within the defined boundary of access granted on the basis of identity.

Detecting and mitigating future access, however, is simpler. The document tracking feature of the Azure Information Protection service can track access, and the organization can act by revoking access to the specific document or revoking the user's access.

If the content is very sensitive and the organization cannot trust the recipient, additional security for the content becomes paramount. The recommendation is to turn the dial in favor of security and place access controls on the document.

Identity-based security

The sections that follow explore three major scenarios of attacks on protected content, and how a combination of environment controls and Azure Information Protection can be used to mitigate malicious access to the content.

Attacks by unauthorized users

The basis of protection in Azure Information Protection is that access to protected content is granted on the basis of authenticated identity and authorization. This means that with Azure Information Protection, no authentication or authorization implies no access. This is the primary reason to deploy Azure Information Protection: it lets enterprises go from a state of unrestricted access to one where access to information is based on user authentication and authorization.

By using this Azure Information Protection capability, enterprises can compartmentalize information: for example, keeping the Human Resources (HR) department's sensitive information within that department, and keeping the finance department's data restricted to the finance department. Azure Information Protection provides access based on identity, rather than no restriction at all.

The diagram below shows an example of a user (Bob) sending a document to Tom. In this case Bob is in the Finance department and Tom is in the Sales department. If no rights were granted to Tom, Tom cannot access the document.

Figure: No access

The key takeaway in this scenario is that Azure Information Protection can stop attacks from unauthorized users. For more information about cryptographic controls in Azure Information Protection, read Cryptographic controls used by Azure RMS: Algorithms and key lengths.

Access by malicious programs on behalf of users

A malicious program accessing content on behalf of a user usually does so without the user's knowledge. Trojans, viruses, and other malware are classic examples of malicious programs that can act on behalf of the user. If such a program can impersonate the user's identity or leverage the user's privileges to take an action, it can use the Azure Information Protection SDK to decrypt content on behalf of the unwitting user. Because this action takes place in the user's context, there is no simple way to prevent this attack.

Figure: Malicious program

The intent here is to strengthen the security of the user's identity, which helps limit the ability of rogue applications to hijack it. Azure Active Directory provides several solutions that help secure the user identity, for example two-factor authentication. In addition, there are other capabilities that come as part of Azure Active Directory Identity Protection that should be explored to keep the user identity secure.

Securing identities falls outside the scope of Azure Information Protection and is an administrator responsibility.

Important

It is also important to focus on a "managed" environment to remove the presence of malicious programs. This is covered in the next scenario.

Malicious users with authorization

Access by a malicious user is essentially a compromise of trust. The enabler in this scenario needs to be a program crafted to escalate the user's privileges (that is, to exercise rights the user was never granted), because unlike the previous scenario, this user voluntarily provides credentials in order to break trust.

Figure: Malicious user

Azure Information Protection was designed so that the applications on the client device are responsible for enforcing the rights associated with a document. By any measure, the weakest link in the security of protected content today is the client device, where the content is visible to the end user in plaintext. Client applications such as Microsoft Office honor the rights correctly, so a malicious user cannot use those applications to escalate privileges. With the Azure Information Protection SDK, however, a motivated attacker can create an application that does not honor the rights, and this is the essence of a malicious program.
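The three scenarios above (an unauthorized user, a program acting with the user's credentials, and an authorized user running an application that ignores rights) all follow from one design fact: the service decides who receives the content key, and the client application decides whether the granted rights are honored. The following added example models that split in plain Python. It is not Azure RMS code or its wire format: a SHA-256 counter keystream stands in for AES, an HMAC-derived mask stands in for RSA key wrapping, the per-user "identity keys" are a hypothetical stand-in for the credentials a user receives after authenticating, and the document, identities and rights are constructed sample data.

```python
import hashlib
import hmac
import os

# Toy model of identity-bound protection (illustration only, not the Azure RMS
# format or protocol). To stay on the standard library, a SHA-256 counter
# keystream stands in for AES and an HMAC-derived mask for RSA key wrapping.

# Constructed sample: the per-user key the service would issue to an identity
# once it has authenticated (hypothetical stand-in for a user's RMS credentials).
IDENTITY_KEYS = {
    "bob@contoso.example": os.urandom(32),    # Finance, author of the document
    "alice@contoso.example": os.urandom(32),  # Finance, named in the policy
    "tom@contoso.example": os.urandom(32),    # Sales, authenticated but not named
}

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _policy_bytes(rights):
    # Canonical encoding of {identity: set of rights} so the policy can be MAC-bound.
    return repr(sorted((who, sorted(r)) for who, r in rights.items())).encode()

def protect(content, rights, identity_keys):
    """Encrypt once with a fresh content key, wrap that key for each identity in the
    policy, and bind policy and ciphertext together with a tag."""
    content_key, nonce = os.urandom(32), os.urandom(16)
    body = _xor(content, _keystream(content_key, nonce, len(content)))
    wrapped = {}
    for identity in rights:
        mask = hmac.new(identity_keys[identity], nonce + identity.encode(), hashlib.sha256).digest()
        wrapped[identity] = _xor(content_key, mask)
    # Covering the policy means a recipient cannot edit in extra rights for themselves.
    tag = hmac.new(content_key, nonce + body + _policy_bytes(rights), hashlib.sha256).digest()
    return {"nonce": nonce, "body": body, "wrapped": wrapped, "rights": rights, "tag": tag}

def acquire_license(blob, identity, identity_key):
    """Service side: an authenticated identity receives the content key only if the
    policy names it. No entry, or the wrong key, means no key and so no access."""
    if identity not in blob["wrapped"]:
        raise PermissionError(f"{identity} is not an authorized recipient")
    mask = hmac.new(identity_key, blob["nonce"] + identity.encode(), hashlib.sha256).digest()
    content_key = _xor(blob["wrapped"][identity], mask)
    msg = blob["nonce"] + blob["body"] + _policy_bytes(blob["rights"])
    if not hmac.compare_digest(hmac.new(content_key, msg, hashlib.sha256).digest(), blob["tag"]):
        raise PermissionError("wrong identity key or tampered policy")
    return content_key, frozenset(blob["rights"][identity])

def _decrypt(blob, content_key):
    return _xor(blob["body"], _keystream(content_key, blob["nonce"], len(blob["body"])))

def enlightened_open(blob, identity, identity_key, action):
    """An enlightened client (think Office): gets the key, then enforces the granted
    rights locally before performing the action."""
    content_key, granted = acquire_license(blob, identity, identity_key)
    if action not in granted:
        raise PermissionError(f"{identity} was granted {sorted(granted)}, not {action}")
    return _decrypt(blob, content_key)

def rogue_open(blob, identity, identity_key, action):
    """A rogue client running with the user's credentials (malware, or a tool built on
    the SDK): same license call, but the rights are ignored. The service cannot tell."""
    content_key, _granted = acquire_license(blob, identity, identity_key)
    return _decrypt(blob, content_key)

def run_scenarios():
    """Play the three scenarios from the text against one protected document."""
    doc = b"FY24 budget: confidential (constructed sample)"
    rights = {"bob@contoso.example": {"VIEW", "EDIT", "PRINT"}, "alice@contoso.example": {"VIEW"}}
    blob = protect(doc, rights, IDENTITY_KEYS)
    outcome = {}

    def attempt(label, fn, *args):
        try:
            fn(*args)
            outcome[label] = "allowed"
        except PermissionError:
            outcome[label] = "denied"

    tom, alice = "tom@contoso.example", "alice@contoso.example"
    # 1. Unauthorized user: Tom authenticates fine, but the policy never named him.
    attempt("tom_view_enlightened", enlightened_open, blob, tom, IDENTITY_KEYS[tom], "VIEW")
    attempt("tom_view_rogue", rogue_open, blob, tom, IDENTITY_KEYS[tom], "VIEW")
    # 2. Named in the policy but without the user's key: impersonation still fails.
    attempt("alice_view_guessed_key", enlightened_open, blob, alice, os.urandom(32), "VIEW")
    # 3. Authorized user, action not granted: enlightened client refuses, rogue one does not.
    attempt("alice_print_enlightened", enlightened_open, blob, alice, IDENTITY_KEYS[alice], "PRINT")
    attempt("alice_print_rogue", rogue_open, blob, alice, IDENTITY_KEYS[alice], "PRINT")
    return outcome

if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:26s} {result}")
```

The outcomes line up with the text: Tom is refused by both clients because the service never hands him a key, a guessed key is refused because the tag check fails, and Alice's "print" is refused only by the enlightened client. The rogue client succeeds with Alice's real credentials because, from the service's point of view, it is Alice. That is why the remaining defenses are identity protection (so the credentials are hard to steal) and a managed device (so the rogue client cannot run), not anything in the protection format itself.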

The focus of this scenario is to secure the client device and applications so that rogue applications cannot be used. Some steps the IT administrator can take are listed in the summary below.

A key takeaway from this scenario is that securing client machines and applications is an important part of the trust that underpins Azure Information Protection.

Summary

Full security goes beyond any one technology. Through a variety of interdependent means, an IT administrator can reduce the attack surface of protected content in the real world.

  • Azure Information Protection: prevents unauthorized access to content
  • Microsoft Intune, System Center Configuration Manager, and other device management products: enable a managed and controlled environment free of malicious apps
  • Windows AppLocker: enables a managed and controlled environment free of malicious apps
  • Azure AD Identity Protection: enhances trust in the user identity
  • EMS Conditional Access: enhances trust in the device and identity

Additional resources

The scenarios below go into more detail on how Azure Information Protection can help you protect your data: