数据访问和保护要求Data access and protection requirements

允许用户从他们自己的设备访问公司资源时的要素之一是保护公司的数据,并保证该信息的安全。One of the most critical elements when enabling users to access company resources from their own devices is to preserve the company’s data and keep that information secure. 无论数据位于何处,都建议贵公司具有必须准备的用以确保数据安全的多种符合性要求。Your company might have a variety of compliance requirements that must be in place to ensure data is secure no matter where it is located. 下图显示了访问数据时用户与设备之间的交互以及此子域必须考虑哪些组件。Figure below shows the interactions between users and devices when accessing data and which components must be considered for this subdomain.

数据访问保护要求

下节包含为了制定解决方案设计的要求而必须回答的有关数据访问和保护的问题。The section below contains questions about data access and protection that you will need to answer in order to formulate the requirements for your solution design.

要提出的问题Questions to ask

数据访问和保护要求的问题分为以下六个方面:Data access and protection requirement questions are categorized in six areas:

  • 存储Storage
  • 网络Network
  • 目录Directory
  • 授权Authorization
  • 策略和合规性Policy and compliance

存储Storage

  • 当数据中心中的数据处于静态时,你是否启用加密?While the data is at rest in the data center, do you have encryption enabled?
  • 贵公司是否会为位于数据中心存储中的数据提供脱机访问(也就是说,你是否会将数据同步到用户设备)?Will your company provide offline access to data located in the datacenter’s storage (in other words, will you sync data to users’ devices)?
    • 如果是,贵公司是否想要在用户设备上保留相同的数据格式(加密或普通)?If so, does your company want to keep the same data format (encrypted or plain) on users’ devices?
  • 你当前是否拥有基于每个用户在系统中实现的任何存储配额?Do you have any storage quota currently implemented in your system on a per-user basis?
    • 如果是,你是否打算为授权使用他们自己的设备的用户增加此配额?If so, do you plan to increase this quota for users who are authorized to user their own devices?
  • 你的公司策略是否允许用户在公司计算机上使用外部存储驱动器?Does your company policy allow users to use external storage drives on corporate computers?
    • 如果不允许,你是否打算为从他们自己的设备访问数据的用户扩展此策略?If not, do you plan to extend this policy for users who are accessing data from their own devices?
  • 你的公司策略是否允许用户从公司计算机使用云存储?Does your company policy allow users to use cloud-based storage from corporate computers?
    • 如果不允许,你是否打算为从他们自己的设备访问数据的用户扩展此策略?If not, do you plan to extend this policy for users who are accessing data from their own devices?

网络Network

  • 你在本地是否拥有任何类型的网络加密?Do you have any type of network encryption on-premises?
    • 如果是,它是仅限于服务器到服务器的通信,还是加密整个网络?If so, is it limited to server–to-server communication, or is the entire network encrypted?
  • 当用户实际位于企业网络外部和当他们实际位于企业网络内部时,你是否打算对数据访问提出不同要求?Do you plan to have different requirements for data access while users are physically outside the corporate network and when they are physically inside the corporate network?
    • 如果是,这些要求是什么?If so, what are the requirements?
  • 当你允许用户在企业网络上使用他们自己的设备时,你是否预知任何网络活动的增加?Do you foresee any increase in network activity when you enable users to use their own devices on the corporate network?
    • 如果是,你的当前网络容量是否能够处理这种新的通信?If so, is your current network capacity able to handle this new traffic?
  • 贵公司是否使用任何网络检测机制?Does your company use any network inspection mechanisms?
    • 如果是,你是否打算为自带设备并连接到企业网络的用户扩展此功能?If so, do you plan to extend this capability for users who are bringing their own devices and connecting to the corporate network?

目录Directory

  • 贵公司是否使用单一的用户目录,或者具有多个访问接口?Does your company use a single user directory, or does it have multiple providers?
  • 你的公司目录位于本地、云中,还是本地以及云中(混合)?Is your company directory located on-premises, in the cloud, or in both locations (hybrid)?
  • 当用户从他们的设备访问应用程序时,将针对哪个目录对其进行身份验证?When users are accessing apps from their devices, against which directory will they be authenticating?
  • 贵公司是否打算联合本地和云服务之间的身份验证?Does your company plan to federate authentication between on-premises and cloud services?

身份验证Authentication

  • 你的环境中现在使用哪种类型的身份验证?Which type of authentication is used today in your environment?
  • 你打算保留这种身份验证方法,还是希望在允许用户使用他们自己的设备来访问公司资源之前对它进行增强?Do you plan to preserve this authentication method, or do you want to enhance it before enabling users to use their own devices to access company resources?
  • 你是否在当前环境中准备了多重身份验证?Do you have multi-factor authentication in place in your current environment?
  • 你打算对用户设备进行身份验证还是仅对用户进行身份验证?Do you plan to authenticate users’ devices or users only?
  • 你是否打算为从用户设备访问的应用启用单一登录?Do you plan to enable single sign-on for apps that are accessed from users’ devices?
  • 你是否打算充分利用云资源来为远程用户提供其他级别的身份验证?Do you plan to leverage cloud resources to provide an additional level of authentication for remote users?

授权Authorization

  • 在当前环境中,对用户进行身份验证后,你是否准备任何其他控件来验证用户是否有权访问他们正在请求的信息?In the current environment, after users are authenticated, do you have any other controls in place to validate if users are authorized to access the information they are requesting?
  • 你是否打算基于一组预定义规则为远程用户提供有条件的访问?Do you plan to provide conditional access based on a set of predefined rules for remote users?
  • 贵公司是否会为位于本地或云环境中的数据执行授权强制?Does your company perform authorization enforcement for data located on-premises or in the cloud?
  • 贵公司是否使用必须了解的原则来为数据访问授权?Does your company use the principle of need to know in order to authorize data access?

策略和合规性Policy and compliance

  • 贵公司是否具有用来定义如何对访问数据进行分类的策略?Does your company have policies in place to define how data access is classified?
  • 贵公司是否必须遵守任何适用于数据处理和隐私的规定?Does your company need to be compliant with any regulations for data handling and privacy?
    • 如果是,这些规定如何推动当前适用于本地资源的数据访问策略?If so, how do these regulations drive the current data access policies for on-premises resources?
  • 你的公司是否具有替代移动设备管理 (MDM)移动应用程序管理 (MAM) 的策略?Does your company have policies in place for Mobile Device Management (MDM) and Mobile Application Management (MAM)?
  • 在发生诉讼或刑事侦查的情况下,贵公司是否具有适针对设备没收的策略?Does your company have policies in place for device confiscation in case of litigation or criminal investigation?