Securing data solutions

For many organizations, making data accessible in the cloud, particularly when transitioning from working exclusively in on-premises data stores, raises concerns about the increased accessibility of that data and about the new ways in which it must be secured.

Challenges

  • Centralizing the monitoring and analysis of security events stored in numerous logs.
  • Implementing encryption and authorization management across your applications and services.
  • Ensuring that centralized identity management works across all of your solution components, whether on-premises or in the cloud.

Data protection

The first step to protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets wherever they reside. Establish the strongest protection for assets that have a disproportionate impact on the organization's mission or profitability. These are known as high value assets, or HVAs. Perform stringent analysis of the HVA lifecycle and its security dependencies, and establish appropriate security controls and conditions. Similarly, identify and classify sensitive assets, and define the technologies and processes that automatically apply security controls to them.

Once the data you need to protect has been identified, consider how you will protect it both at rest and in transit.

  • Data at rest: Data that exists statically on physical media, whether magnetic or optical disk, on-premises or in the cloud.
  • Data in transit: Data while it is being transferred between components, locations, or programs, such as over the network, across a service bus (from on-premises to cloud and vice versa), or during an input/output process.

To learn more about protecting your data at rest or in transit, see Azure Data Security and Encryption Best Practices.

Access control

Central to protecting your data in the cloud is a combination of identity management and access control. Given the variety of cloud service types, as well as the rising popularity of hybrid cloud, there are several key practices you should follow for identity and access control:

  • Centralize your identity management.
  • Enable single sign-on (SSO).
  • Deploy password management.
  • Enforce multi-factor authentication for users.
  • Use Azure role-based access control (Azure RBAC).
  • Configure Conditional Access policies, which extend the classic concept of user identity with additional properties such as user location, device type, and patch level.
  • Control the locations where resources are created by using Resource Manager.
  • Actively monitor for suspicious activities.

For more information, see Azure Identity Management and access control security best practices.

Auditing

Beyond the identity and access monitoring previously mentioned, the services and applications that you use in the cloud should generate security-related events that you can monitor. The primary challenge in monitoring these events is handling the volume of logs, whether to avoid potential problems or to troubleshoot past ones. Cloud-based applications tend to contain many moving parts, most of which generate some level of logging and telemetry. Use centralized monitoring and analysis to help you manage and make sense of this large amount of information.

For more information, see Azure Logging and Auditing.

Securing data solutions in Azure

Encryption

Virtual machines. Use Azure Disk Encryption to encrypt the attached disks on Windows or Linux VMs. This solution integrates with Azure Key Vault to control and manage the disk-encryption keys and secrets.

Azure Storage. Use Azure Storage Service Encryption to automatically encrypt data at rest in Azure Storage. Encryption, decryption, and key management are fully transparent to users. Data can also be secured in transit by using client-side encryption with Azure Key Vault. For more information, see Client-Side Encryption and Azure Key Vault for Microsoft Azure Storage.

SQL Database and Azure Synapse Analytics. Use Transparent Data Encryption (TDE) to perform real-time encryption and decryption of your databases, associated backups, and transaction log files without requiring any changes to your applications. SQL Database can also use Always Encrypted to help protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. You can use Azure Key Vault to store your Always Encrypted encryption keys.

Rights management

Azure Rights Management is a cloud-based service that uses encryption, identity, and authorization policies to secure files and email. It works across multiple devices: phones, tablets, and PCs. Information can be protected both within and outside your organization, because the protection travels with the data even when it leaves your organization's boundaries.

Access control

Use Azure role-based access control (Azure RBAC) to restrict access to Azure resources based on user roles. If you are using Active Directory on-premises, you can synchronize with Azure AD to provide users with a cloud identity based on their on-premises identity.

Use Conditional Access in Azure Active Directory to enforce controls on access to the applications in your environment based on specific conditions. For example, your policy statement could take the form: when contractors try to access our cloud apps from networks that are not trusted, block access.
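The policy statement above, modelled as decision logic, as an added example written for this page and not Azure AD's own engine. The trusted networks, group names, app names and the second (admin MFA) policy are constructed assumptions; the point is that a block from any applicable policy takes precedence over a grant requirement.

```python
"""Constructed model of a Conditional Access decision for the policy described
above (contractors from untrusted networks are blocked). Example code written for
this page, not Azure AD's policy engine."""
from ipaddress import ip_address, ip_network

# Constructed "named locations": networks the organization treats as trusted.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Each policy: the groups it applies to, the apps it covers ("*" = all), a network
# condition ("untrusted" = source outside TRUSTED_NETWORKS, "any" = no condition)
# and a grant control ("block" or "require_mfa"). Constructed sample policies.
POLICIES = [
    {"name": "Block contractors off-network", "groups": {"contractors"},
     "apps": {"cloud-app"}, "network": "untrusted", "grant": "block"},
    {"name": "MFA for admins everywhere", "groups": {"admins"},
     "apps": {"*"}, "network": "any", "grant": "require_mfa"},
]


def is_trusted_network(src_ip):
    """True if the sign-in source address falls inside a trusted named location."""
    return any(ip_address(src_ip) in net for net in TRUSTED_NETWORKS)


def policy_applies(policy, user_groups, app, src_ip):
    """Check every condition of one policy against a sign-in attempt."""
    if not policy["groups"] & user_groups:
        return False
    if "*" not in policy["apps"] and app not in policy["apps"]:
        return False
    if policy["network"] == "untrusted" and is_trusted_network(src_ip):
        return False
    return True


def evaluate_sign_in(user_groups, app, src_ip, mfa_satisfied=False):
    """Return "block", "require_mfa" or "allow" for one sign-in attempt.
    A block from any applicable policy wins; otherwise every MFA requirement
    must already be satisfied for the sign-in to be allowed."""
    grants = {p["grant"] for p in POLICIES
              if policy_applies(p, user_groups, app, src_ip)}
    if "block" in grants:
        return "block"
    if "require_mfa" in grants and not mfa_satisfied:
        return "require_mfa"
    return "allow"
```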

Azure AD Privileged Identity Management can help you manage, control, and monitor your users and the kinds of tasks they perform with their admin privileges. This is an important step toward limiting who in your organization can carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps, and toward monitoring their activities.

Network

To protect data in transit, always use SSL/TLS when exchanging data across different locations. Sometimes you need to isolate the entire communication channel between your on-premises and cloud infrastructure by using either a virtual private network (VPN) or ExpressRoute. For more information, see Extending on-premises data solutions to the cloud.

Use network security groups to reduce the number of potential attack vectors. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol.
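A simplified model of how such a rule list is evaluated, as an added example for this page rather than Azure's own implementation: rules are checked in ascending priority order and the first match decides, with a default deny for unmatched inbound traffic. The rule set, address ranges and the single-port matching are constructed assumptions (real NSG rules also accept port ranges, service tags and destination prefixes).

```python
"""Constructed, simplified model of network security group (NSG) evaluation:
rules are tried in ascending priority order and the first matching rule wins.
Example code written for this page, not Azure's own engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*" (any)
    source: str        # source CIDR, or "*" for any address
    dest_port: str     # destination port, or "*" for any port


def rule_matches(rule, direction, protocol, src_ip, dst_port):
    """True if the rule's direction, protocol, source prefix and port all cover the flow."""
    if rule.direction != direction:
        return False
    if rule.protocol != "*" and rule.protocol != protocol:
        return False
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    if rule.dest_port != "*" and int(rule.dest_port) != dst_port:
        return False
    return True


def evaluate_flow(rules, direction, protocol, src_ip, dst_port):
    """Return "Allow" or "Deny" for one flow. If no custom rule matches, the
    simplified default applies: inbound traffic is denied, outbound is allowed."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, protocol, src_ip, dst_port):
            return rule.access
    return "Deny" if direction == "Inbound" else "Allow"


# Constructed rule set: SQL (1433) only from the VNet range, HTTPS only from one
# office range; every other inbound flow falls through to the deny default.
RULES = [
    NsgRule(100, "Inbound", "Allow", "Tcp", "10.0.0.0/16", "1433"),
    NsgRule(200, "Inbound", "Deny", "*", "*", "1433"),
    NsgRule(300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "443"),
]

if __name__ == "__main__":
    print(evaluate_flow(RULES, "Inbound", "Tcp", "10.0.5.7", 1433))      # Allow
    print(evaluate_flow(RULES, "Inbound", "Tcp", "198.51.100.9", 1433))  # Deny
```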

Use Virtual Network service endpoints to secure Azure SQL or Azure Storage resources, so that only traffic from your virtual network can access these resources.

VMs within an Azure Virtual Network (VNet) can securely communicate with other VNets using virtual network peering. Network traffic between peered virtual networks is private and is kept on the Microsoft backbone network.

For more information, see Azure network security.

Monitoring

Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, such as firewall solutions, to detect real threats and reduce false positives.

Log Analytics provides centralized access to your logs and helps you analyze that data and create custom alerts.

Azure SQL Database Threat Detection detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases. Security officers or other designated administrators can receive an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.