Azure database security checklist

To help improve security, Azure Database includes a number of built-in security controls that you can use to limit and control access.

These include:

  • A firewall that enables you to create firewall rules limiting connectivity by IP address
  • Server-level firewall rules accessible from the Azure portal
  • Database-level firewall rules accessible from SSMS
  • Secure connectivity to your database using secure connection strings
  • Access management
  • Data encryption
  • SQL Database auditing
  • SQL Database threat detection

Introduction

Cloud computing requires new security paradigms that are unfamiliar to many application users, database administrators, and programmers. As a result, some organizations are hesitant to implement a cloud infrastructure for data management because of perceived security risks. However, much of this concern can be alleviated through a better understanding of the security features built into Microsoft Azure and Microsoft Azure SQL Database.

Checklist

We recommend that you read the Azure Database Security Best Practices article before reviewing this checklist. You will get the most out of this checklist once you understand the best practices. You can then use this checklist to make sure that you have addressed the important issues in Azure database security.

Checklist Category    Description

Protect Data
  • Encryption in motion/transit
  • Encryption at rest

Control Access
  Database Access
  • Authentication (Azure Active Directory authentication): AD authentication uses identities managed by Azure Active Directory.
  • Authorization: grant users the least privileges necessary.
  Application Access
  • Row-Level Security (using a security policy to restrict row-level access based on a user's identity, role, or execution context).
  • Dynamic Data Masking (using permissions and a masking policy, limits sensitive data exposure by masking it to non-privileged users).

Proactive Monitoring
  Tracking & Detecting
  Azure Security Center
  • Data monitoring: use Azure Security Center as a centralized security monitoring solution for SQL and other Azure services.
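The two Application Access controls above, Row-Level Security through a security policy and Dynamic Data Masking, as an added T-SQL example for Azure SQL Database (not code from the page or from Microsoft); the table dbo.Orders, the role SalesManagers, the user AppReader and the Security schema are assumed names.

```sql
-- Added example, not from the page: T-SQL for Azure SQL Database showing the
-- two "Application Access" controls in the checklist. Assumed schema: dbo.Orders,
-- where each row belongs to a sales rep identified by their database user name.
CREATE TABLE dbo.Orders (
    OrderId       int IDENTITY PRIMARY KEY,
    SalesRep      sysname NOT NULL,
    CustomerEmail nvarchar(256) NOT NULL,
    CardNumber    varchar(19) NOT NULL,
    Amount        money NOT NULL
);
CREATE ROLE SalesManagers;           -- assumed role allowed to see every row
CREATE USER AppReader WITHOUT LOGIN; -- assumed application identity
GO
CREATE SCHEMA Security;              -- holds the predicate and policy objects
GO
-- Row-Level Security: the inline table-valued function is evaluated per row;
-- a row is visible only when it returns a result. USER_NAME() is the caller.
CREATE FUNCTION Security.fn_OrdersPredicate(@SalesRep AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()            -- callers see their own rows
              OR IS_MEMBER('SalesManagers') = 1;    -- managers see all rows
GO
-- FILTER hides rows from SELECT/UPDATE/DELETE; BLOCK AFTER INSERT refuses
-- inserts that would create rows the caller could not read back.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_OrdersPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK PREDICATE Security.fn_OrdersPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Dynamic Data Masking: users without the UNMASK permission get obfuscated values;
-- the data itself is stored in cleartext, so this is not a substitute for encryption.
ALTER TABLE dbo.Orders
    ALTER COLUMN CustomerEmail ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Orders
    ALTER COLUMN CardNumber ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');
GO
-- Least privilege: the application identity can only read, and is never granted
-- UNMASK, so it sees masked values and only the rows the policy allows.
GRANT SELECT ON dbo.Orders TO AppReader;
GRANT UNMASK TO SalesManagers;
GO
-- Verify as the application identity: masked columns, own rows only.
EXECUTE AS USER = 'AppReader';
SELECT OrderId, SalesRep, CustomerEmail, CardNumber FROM dbo.Orders;
REVERT;
```

Running the final SELECT as AppReader returns only rows whose SalesRep equals 'AppReader', with the e-mail and card number masked; a member of SalesManagers sees every row in cleartext.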

Conclusion

Azure Database is a robust database platform, with a full range of security features that meet many organizational and regulatory compliance requirements. You can easily protect data by controlling physical access to your data and by using a variety of options for data security at the file, column, or row level with Transparent Data Encryption, Cell-Level Encryption, or Row-Level Security. Always Encrypted also enables operations against encrypted data, simplifying the process of application updates. In turn, access to auditing logs of SQL Database activity provides you with the information you need to know how and when data is accessed.

Next steps

You can improve the protection of your database against malicious users or unauthorized access with just a few simple steps. In this tutorial you learn to: