Identity and access management

Identity is the basis for a large share of security assurance. Cloud services use identity authentication and authorization controls to protect data and resources and to decide which requests to permit.

Identity and access management (IAM) is the boundary security of the public cloud. It must be treated as the foundation of any secure and fully compliant public cloud architecture. Azure offers a comprehensive set of services, tools, and reference architectures that let organizations run highly secure, operationally efficient environments, as outlined here.

This section examines design considerations and recommendations related to IAM in an enterprise environment.

Why we need identity and access management

The technological landscape in the enterprise is becoming complex and heterogeneous. To manage compliance and security in this environment, IAM ensures that the right individuals can access the right resources at the right time for the right reasons.

Plan for identity and access management

Enterprise organizations typically follow a least-privilege approach to operational access. This model should be extended to Azure through Azure Active Directory (Azure AD), Azure role-based access control (Azure RBAC), and custom role definitions. It's critical to plan how to govern control-plane and data-plane access to resources in Azure. Any design for IAM and Azure RBAC must meet regulatory, security, and operational requirements before it can be accepted.

Identity and access management is a multistep process that involves careful planning for identity integration and for other security considerations, such as blocking legacy authentication and planning for modern passwords. Staged planning also involves choosing between business-to-business and business-to-consumer identity and access management. While these requirements vary, there are common design considerations and recommendations for an enterprise landing zone.

[Diagram showing identity and access management.]

Figure 1: Identity and access management.

Design considerations:

  • There are limits on the number of custom roles and role assignments that must be considered when you lay down a framework for IAM and governance. For more information, see Azure RBAC service limits.
  • There's a limit of 2,000 role assignments per subscription.
  • There's a limit of 500 role assignments per management group.
  • Centralized versus federated resource ownership:
    • Shared resources, or any aspect of the environment that implements or enforces a security boundary (such as the network), must be managed centrally. This requirement is part of many regulatory frameworks and is standard practice for any organization that grants or denies access to confidential or critical business resources.
    • Managing application resources that don't violate security boundaries, or other aspects required to maintain security and compliance, can be delegated to application teams. Allowing users to provision resources within a securely managed environment lets organizations take advantage of the agile nature of the cloud while preventing the violation of any critical security or governance boundary.
    • Custom roles might differ depending on how centralized or federated resource ownership is defined. The custom roles for centralized resource ownership are limited and might need additional rights depending on the responsibility model. For example, in some organizations a NetOps role might only need to manage and configure global connectivity. In other organizations that need a more centralized approach, the NetOps role needs to be enriched with more allowed actions, such as creating peering between the hub and the spokes.

Design recommendations:

  • Use Azure RBAC to manage data-plane access to resources where possible. Examples are Azure Key Vault, a storage account, or a SQL database.
  • Deploy Azure AD conditional-access policies for any user with rights to Azure environments. Doing so provides another mechanism to help protect a controlled Azure environment from unauthorized access.
  • Enforce multi-factor authentication for any user with rights to the Azure environments. Multi-factor authentication enforcement is a requirement of many compliance frameworks, and it greatly lowers the risk of credential theft and unauthorized access.
  • Use Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege. Map your organization's roles to the minimum level of access needed. Azure AD PIM can be an extension of existing tools and processes, use Azure native tools as outlined, or use both as needed.
  • Use Azure-AD-only groups for Azure control-plane resources in Azure AD PIM when you grant access to resources.
    • Add on-premises groups to the Azure-AD-only group if a group management system is already in place.
  • Use Azure AD PIM access reviews to periodically validate resource entitlements. Access reviews are part of many compliance frameworks, so many organizations will already have a process in place to address this requirement.
  • Integrate Azure AD logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth for log and monitoring data in Azure, which gives organizations cloud-native options to meet requirements for log collection and retention.
  • If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
  • Use custom role definitions within the Azure AD tenant while you consider the following key roles:

| Role | Usage | Actions | No actions |
|---|---|---|---|
| Azure platform owner (such as the built-in Owner role) | Management group and subscription lifecycle management | `*` | |
| Network management (NetOps) | Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others | `*/read`, `Microsoft.Network/vpnGateways/*`, `Microsoft.Network/expressRouteCircuits/*`, `Microsoft.Network/routeTables/write`, `Microsoft.Network/vpnSites/*` | |
| Security operations (SecOps) | Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy | `*/read`, `*/register/action`, `Microsoft.KeyVault/locations/deletedVaults/purge/action`, `Microsoft.Insights/alertRules/*`, `Microsoft.Authorization/policyDefinitions/*`, `Microsoft.Authorization/policyAssignments/*`, `Microsoft.Authorization/policySetDefinitions/*`, `Microsoft.PolicyInsights/*`, `Microsoft.Security/*` | |
| Subscription owner | Delegated role for subscription owner, derived from the subscription Owner role | `*` | `Microsoft.Authorization/*/write`, `Microsoft.Network/vpnGateways/*`, `Microsoft.Network/expressRouteCircuits/*`, `Microsoft.Network/routeTables/write`, `Microsoft.Network/vpnSites/*` |
| Application owners (DevOps/AppOps) | Contributor role granted to the application/operations team at resource group level | `*` | `Microsoft.Authorization/*/write`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.KeyVault/locations/deletedVaults/purge/action` |

  • Use Azure Security Center just-in-time access for all infrastructure as a service (IaaS) resources to enable network-level protection for ephemeral user access to IaaS virtual machines.
  • Use Azure AD managed identities for Azure resources to avoid authentication based on user names and passwords. Because many security breaches of public cloud resources originate with the theft of credentials embedded in code or other text sources, enforcing managed identities for programmatic access greatly reduces the risk of credential theft.
  • Use privileged identities for automation runbooks that require elevated access permissions. Automated workflows that cross critical security boundaries should be governed by the same tools and policies as users of equivalent privilege.
  • Don't add users directly to Azure resource scopes. Instead, add users to defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasing the effort required to prevent unauthorized access to restricted data.
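The custom role table above lists each role as a set of allowed actions and, for the delegated roles, a set of excluded actions. The following added example (not code from the Microsoft page) models how Azure RBAC evaluates a control-plane operation against such a definition: a role permits an operation when some Actions entry matches it and no NotActions entry does, with `*` matching any characters including `/`. The role definitions are copied from the table; the matching helper and the sample operations are this example's own, and the model covers control-plane Actions only (no DataActions or deny assignments).

```python
"""Effective-permission evaluation for the custom roles in the table above.

Added example, not from the Microsoft page. Models Azure RBAC control-plane
evaluation: effective permissions of one role = Actions minus NotActions, and
a principal with several assignments gets the union of what each role permits.
Matching is modelled as case-insensitive with '*' matching any characters,
including '/'. DataActions and deny assignments are out of scope here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def _match(pattern: str, operation: str) -> bool:
    """'*/read' matches 'Microsoft.Network/virtualNetworks/read'; '*' matches all."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None


@dataclass
class RoleDefinition:
    name: str
    actions: list[str]
    not_actions: list[str] = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        """NotActions only subtracts from this role's own Actions; it is not a deny."""
        granted = any(_match(a, operation) for a in self.actions)
        excluded = any(_match(n, operation) for n in self.not_actions)
        return granted and not excluded


# Role definitions taken from the table above.
PLATFORM_OWNER = RoleDefinition("Azure platform owner", ["*"])
NETOPS = RoleDefinition("Network management (NetOps)", [
    "*/read",
    "Microsoft.Network/vpnGateways/*",
    "Microsoft.Network/expressRouteCircuits/*",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/vpnSites/*",
])
SECOPS = RoleDefinition("Security operations (SecOps)", [
    "*/read",
    "*/register/action",
    "Microsoft.KeyVault/locations/deletedVaults/purge/action",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/policySetDefinitions/*",
    "Microsoft.PolicyInsights/*",
    "Microsoft.Security/*",
])
SUBSCRIPTION_OWNER = RoleDefinition("Subscription owner", ["*"], [
    "Microsoft.Authorization/*/write",
    "Microsoft.Network/vpnGateways/*",
    "Microsoft.Network/expressRouteCircuits/*",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/vpnSites/*",
])
APP_OWNER = RoleDefinition("Application owners (DevOps/AppOps)", ["*"], [
    "Microsoft.Authorization/*/write",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.KeyVault/locations/deletedVaults/purge/action",
])


def effective_permission(assigned_roles: list[RoleDefinition], operation: str) -> bool:
    """Union over assignments: a NotActions entry in one role is overridden if
    another assigned role grants the same operation."""
    return any(role.permits(operation) for role in assigned_roles)


if __name__ == "__main__":
    # Illustrative operations (operation names are real Azure resource provider
    # operations; the combinations are chosen to show the evaluation rules).
    checks = [
        ([SUBSCRIPTION_OWNER], "Microsoft.Authorization/roleAssignments/write"),
        ([SUBSCRIPTION_OWNER], "Microsoft.Compute/virtualMachines/write"),
        ([NETOPS], "Microsoft.Network/networkSecurityGroups/read"),
        ([NETOPS], "Microsoft.Network/networkSecurityGroups/write"),
        ([APP_OWNER], "Microsoft.Network/virtualNetworks/write"),
        ([APP_OWNER], "Microsoft.Network/virtualNetworks/subnets/write"),
        ([SUBSCRIPTION_OWNER, NETOPS], "Microsoft.Network/routeTables/write"),
    ]
    for roles, op in checks:
        names = " + ".join(r.name for r in roles)
        print(f"{names:<55} {op:<52} {effective_permission(roles, op)}")
```

Two of the rows are worth reading closely. The subscription owner cannot write role assignments because `Microsoft.Authorization/*/write` is excluded, yet a principal holding both the subscription owner and NetOps roles can write route tables, since NotActions removes the operation only from the role that lists it. And the application owner's exclusion of `Microsoft.Network/virtualNetworks/write` does not cover `Microsoft.Network/virtualNetworks/subnets/write`, which is a separate operation, so exclusions must be written for every operation you intend to withhold.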

Plan for authentication inside a landing zone

A critical design decision that an enterprise organization must make when adopting Azure is whether to extend an existing on-premises identity domain into Azure or to create a brand new one. Requirements for authentication inside the landing zone should be thoroughly assessed and incorporated into plans to deploy Active Directory Domain Services (AD DS) in Windows Server, Azure AD Domain Services (Azure AD DS), or both. Most Azure environments will use at least Azure AD for Azure fabric authentication and AD DS for local host authentication and group policy management.

Design considerations:

  • Consider centralized and delegated responsibilities for managing resources deployed inside the landing zone.
  • Applications that rely on domain services and use older protocols can use Azure AD DS.

Design recommendations:

  • Use centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements.
  • Privileged operations such as creating service principal objects, registering applications in Azure AD, and procuring and handling certificates or wildcard certificates require special permissions. Consider which users will handle such requests, and how to secure and monitor their accounts with the degree of diligence required.
  • If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remotely through Azure AD, consider using Azure AD Application Proxy.
  • There's a difference between Azure AD, Azure AD DS, and AD DS running on Windows Server. Evaluate your application needs, and understand and document the authentication provider that each one will use. Plan accordingly for all applications.
  • Evaluate the compatibility of workloads with AD DS on Windows Server and with Azure AD DS.
  • Ensure your network design allows resources that require AD DS on Windows Server for local authentication and management to reach the appropriate domain controllers.
    • For AD DS on Windows Server, consider shared services environments that offer local authentication and host management in a larger enterprise-wide network context.
  • Deploy Azure AD DS within the primary region, because this service can only be projected into one subscription.
  • Use managed identities instead of service principals for authentication to Azure services. This approach reduces exposure to credential theft.
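Both this recommendation and the earlier one on managed identities for programmatic access rest on the same observation: a service principal secret or connection string has to be stored somewhere, and source trees and configuration files are where it gets stolen from. The following added example (not code from the Microsoft page) is a defender-side check for that pattern: it scans text for embedded storage account keys, connection-string passwords and client-secret literals, reports a redacted preview rather than the value itself, and recognises the managed-identity credential classes of the Azure SDK as the safe alternative. The sample file and the regular expressions are constructed for illustration; the patterns are heuristics, not a complete catalogue of Azure secret formats.

```python
"""Detecting credentials embedded in code or configuration.

Added example, not code from the Microsoft page. Scans text for the pattern the
page warns about (credentials embedded in code or other text sources) and
reports each hit with a redacted preview. The sample input and the regular
expressions are constructed for illustration; they are heuristics, not an
exhaustive list of Azure secret formats.
"""
from __future__ import annotations

import re

# Constructed heuristic patterns. Each captures the secret value so the report
# can show a short, redacted preview without echoing the secret into logs.
PATTERNS = {
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{20,})"),
    "connection-string-password": re.compile(r"(?:Password|Pwd)=([^;\"']+)", re.IGNORECASE),
    "client-secret-literal": re.compile(
        r"""(?:client_secret|clientSecret|CLIENT_SECRET)\s*[=:]\s*["']([^"']{8,})["']"""
    ),
}

# The safe alternative the page recommends: the workload authenticates as its
# managed identity (Azure SDK credential classes), so there is no secret to
# steal from the source tree.
MANAGED_IDENTITY = re.compile(r"ManagedIdentityCredential|DefaultAzureCredential")

# Constructed sample: a "before" file with embedded credentials, followed by the
# "after" line that uses the platform identity instead. No value here is real.
SAMPLE = """\
# constructed sample: credentials embedded in code (do not do this)
STORAGE = "DefaultEndpointsProtocol=https;AccountName=contosodata;AccountKey=Y29uc3RydWN0ZWQtc2FtcGxlLWtleS1ub3QtcmVhbA==;EndpointSuffix=core.windows.net"
SQL = "Server=tcp:contoso.database.windows.net;User ID=appuser;Password=Sup3rS3cret!;"
client_secret = "constructed-client-secret-value-not-real"
# hardened form: the token comes from the resource's managed identity
credential = DefaultAzureCredential()
"""


def redact(secret: str) -> str:
    """Keep only enough of the value to locate it in the file."""
    return secret[:3] + "..." + secret[-2:]


def scan(text: str) -> list[dict]:
    """Return one finding per (line, pattern) hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "kind": kind, "preview": redact(match.group(1))})
    return findings


def uses_managed_identity(text: str) -> bool:
    """True when the text obtains tokens from the platform identity."""
    return MANAGED_IDENTITY.search(text) is not None


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<28} {f['preview']}")
    print("managed identity in use:", uses_managed_identity(SAMPLE))
```

The client-secret pattern only fires on a quoted literal, so a line such as `client_secret = os.environ["CLIENT_SECRET"]` is not reported; reading a secret from the environment is still weaker than a managed identity, but it is not the embedded-credential case the page describes. Running a check like this in the repository's pull-request pipeline turns the recommendation into something that is enforced before code reaches a landing zone.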