Data Encryption

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Now that you've answered the questions in Task 1 regarding the requirements for data encryption at rest and in transit, next you'll evaluate the options that are available to address each requirement. Even when the data is at rest, it can be encrypted in different ways, as shown in the figure below.

Figure (not reproduced): mobile device disk, showing the different levels of encryption

You can use full disk encryption or encryption based on the data handled by an app. ConfigMgr allows you to enforce policies that will perform file encryption on mobile devices. Although some mobile devices, like Windows Phone 8, are automatically encrypted, others only encrypt data if another option is enabled. For example, on iOS devices, encryption takes place automatically only after you configure the setting to require a password on the device.

Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including the operating system and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of stored data if the device is lost or stolen. Read the Windows 10 Mobile security guide for more information.

Tip

For more information about the mobile devices that can have encryption enabled using ConfigMgr, read Compliance Settings for Mobile Devices in Configuration Manager.

For apps that are associated with an Intune mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the mobile application management policy. On Android devices, managed apps use AES-128 encryption in Cipher Block Chaining (CBC) mode, using the platform cryptography libraries, which are not FIPS 140-2 certified.

This option allows you to specify that all data associated with a particular app will be encrypted, including data stored on external media, such as SD cards. The same capability is also available with MDM for Office 365.

Public cloud storage services, such as OneDrive for Business, can also be integrated with Intune Standalone and with System Center 2012 R2 Configuration Manager SP1. You can deploy the OneDrive for Business app to the user's device, and then all documents in the user's OneDrive for Business account will be encrypted.

Most MDM solutions use SSL to protect data in transit, so you'll just need to decide whether you will use an existing PKI to issue certificates or a third-party vendor certificate authority (CA). The advantage of using a third-party CA is that users accessing company resources from their own devices will automatically trust a well-recognized public CA, whereas a private PKI root must first be distributed to those devices.

Intune (standalone)

Advantages

  • Encrypts data associated with apps controlled by Intune management policy

Disadvantages

  • Does not include native encryption for mobile device storage
  • No integration with the current on-premises MDM platform means an additional management interface for you to use

MDM for Office 365

Advantages

  • Encrypts data based on the mobile device platform capability

Disadvantages

  • If the organization does not have a current on-premises ConfigMgr infrastructure, it will be necessary to plan, install, and configure this platform prior to the integration

Hybrid (Intune with ConfigMgr)

Advantages

  • Encrypts data associated with apps controlled by Intune management policy
  • Encrypts mobile device storage
  • Provides more granular control of what can be encrypted on mobile devices and how the encryption is done, including selection of the encryption algorithm

Disadvantages

  • If the organization does not have a current on-premises ConfigMgr infrastructure, it will be necessary to plan, install, and configure this platform prior to the integration

For more information about how to combine Intune and ConfigMgr capabilities to increase data protection and configure encryption, read Managing Encryption on Mobile Devices with Configuration Manager and Intune.