Azure data security and encryption best practices

This article describes best practices for data security and encryption.

The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time, and this article is updated on a regular basis to reflect those changes.

Protect data

To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for each state. Best practices for Azure data security and encryption relate to the following data states:

  • At rest: This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk.
  • In transit: When data is being transferred between components, locations, or programs, it is in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice versa, including hybrid connections such as ExpressRoute), or during an input/output process.

Choose a key management solution

Protecting your keys is essential to protecting your data in the cloud.

Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of the keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.

You can use Key Vault to create multiple secure containers, called vaults. These vaults are backed by HSMs. Vaults help reduce the chances of accidental loss of security information by centralizing the storage of application secrets. Key vaults also control and log access to anything stored in them. Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates. It provides the features for a robust certificate lifecycle management solution.

Azure Key Vault is designed to support application keys and secrets. Key Vault is not intended to be a store for user passwords.

Following are security best practices for using Key Vault.

Best practice: Grant access to users, groups, and applications at a specific scope.
Detail: Use RBAC's predefined roles. For example, to grant a user access to manage key vaults, you would assign the predefined role Key Vault Contributor to this user at a specific scope. The scope in this case would be a subscription, a resource group, or just a specific key vault. If the predefined roles don't fit your needs, you can define your own roles.

Best practice: Control what users have access to.
Detail: Access to a key vault is controlled through two separate interfaces: the management plane and the data plane. The management plane and data plane access controls work independently.

Use RBAC to control what users have access to. For example, if you want to grant an application access to use keys in a key vault, you only need to grant data plane access permissions by using key vault access policies; no management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates, you can grant this user read access by using RBAC, and no access to the data plane is required.

Best practice: Store certificates in your key vault. Your certificates are of high value. In the wrong hands, your application's security or the security of your data can be compromised.
Detail: Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. By setting appropriate access policies for the key vault, you also control who gets access to your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault. See Deploy Certificates to VMs from customer-managed Key Vault for more information.

Best practice: Ensure that you can recover a deletion of key vaults or key vault objects.
Detail: Deletion of key vaults or key vault objects can be inadvertent or malicious. Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. Deletion of these keys is equivalent to data loss; with these features enabled, you can recover deleted vaults and vault objects if needed. Practice Key Vault recovery operations on a regular basis.

Note

If a user has contributor permissions (RBAC) to a key vault management plane, they can grant themselves access to the data plane by setting a key vault access policy. We recommend that you tightly control who has contributor access to your key vaults, to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
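The following is an added example, not Microsoft's or the Azure CLI's code, that turns the recoverability guidance and the note above into an audit routine. It checks a vault's soft delete and purge protection settings, lists every principal whose role assignment gives management-plane write access to the vault (and therefore, per the note, the ability to grant themselves data-plane access), and flags those whose grant comes from a subscription or resource-group scope rather than the vault itself. `VaultRecord` mirrors the fields of `az keyvault show` output that matter here (the Resource Manager property names are enableSoftDelete, enablePurgeProtection and softDeleteRetentionInDays); the role assignments are constructed in the shape of `az role assignment list` output. The retention threshold is an assumed organisational policy, and every GUID, name and scope is made up.

```python
"""Audit a Key Vault for recoverability and management-plane access scoping.
Added example (not Microsoft's code); sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Built-in roles that carry management-plane write access to a vault. Owner and
# Contributor are generic ARM roles; Key Vault Contributor is the vault-specific
# predefined role named above. Holders can edit the vault's access policies.
MANAGEMENT_WRITE_ROLES = {"Owner", "Contributor", "Key Vault Contributor"}

# Organisational policy threshold (an assumption, not an Azure default).
MIN_RETENTION_DAYS = 90


@dataclass
class RoleAssignment:
    principal: str  # user, group or service principal
    role: str       # role definition name
    scope: str      # resource id of a subscription, resource group or vault


@dataclass
class VaultRecord:
    resource_id: str
    enable_soft_delete: bool
    enable_purge_protection: bool
    soft_delete_retention_days: int


def scope_covers(scope: str, resource_id: str) -> bool:
    """True when an assignment at `scope` applies to `resource_id`: the scope is
    the resource itself or one of its ancestors. Resource ids compare
    case-insensitively; the trailing '/' prevents 'kv-pay' matching 'kv-payments'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def recoverability_findings(vault: VaultRecord) -> List[str]:
    """Settings under which an accidental or malicious deletion is final."""
    findings = []
    if not vault.enable_soft_delete:
        findings.append("soft delete disabled: deleted vault objects cannot be recovered")
    if not vault.enable_purge_protection:
        findings.append("purge protection disabled: soft-deleted objects can be purged "
                        "before the retention period ends")
    if vault.soft_delete_retention_days < MIN_RETENTION_DAYS:
        findings.append(f"retention {vault.soft_delete_retention_days}d is below the "
                        f"policy minimum of {MIN_RETENTION_DAYS}d")
    return findings


def management_plane_writers(vault: VaultRecord,
                             assignments: List[RoleAssignment]) -> Dict[str, List[str]]:
    """Principals able to change the vault's access policies, keyed to the scopes
    that grant it. Each of these can grant themselves data-plane access, so the
    list should be short and reviewed."""
    writers: Dict[str, List[str]] = {}
    for a in assignments:
        if a.role in MANAGEMENT_WRITE_ROLES and scope_covers(a.scope, vault.resource_id):
            writers.setdefault(a.principal, []).append(a.scope)
    return writers


def broadly_scoped_writers(vault: VaultRecord, assignments: List[RoleAssignment]) -> List[str]:
    """Writers whose grant comes from a subscription or resource group rather than
    the vault itself, contrary to 'grant access at a specific scope'."""
    return sorted(p for p, scopes in management_plane_writers(vault, assignments).items()
                  if any(s.lower().rstrip("/") != vault.resource_id.lower() for s in scopes))


def audit(vault: VaultRecord, assignments: List[RoleAssignment]) -> dict:
    return {
        "recoverability": recoverability_findings(vault),
        "writers": management_plane_writers(vault, assignments),
        "broad": broadly_scoped_writers(vault, assignments),
    }


# Constructed sample: one vault, four assignments at different scopes.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-payments"
VAULT = VaultRecord(RG + "/providers/Microsoft.KeyVault/vaults/kv-payments",
                    enable_soft_delete=True, enable_purge_protection=False,
                    soft_delete_retention_days=30)
ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", "Contributor", SUB),                       # broad
    RoleAssignment("bob@contoso.example", "Key Vault Contributor", VAULT.resource_id),  # scoped
    RoleAssignment("carol@contoso.example", "Reader", VAULT.resource_id),              # no write
    RoleAssignment("dave@contoso.example", "Key Vault Contributor",
                   RG + "/providers/Microsoft.KeyVault/vaults/kv-other"),              # other vault
]

if __name__ == "__main__":
    for name, result in audit(VAULT, ASSIGNMENTS).items():
        print(f"{name}: {result}")
```

Run against real data by feeding `az keyvault show` and `az role assignment list --scope <vault id>` output into the two dataclasses; the role names match the built-in role definition names as the CLI prints them.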

Manage with secure workstations

Note

The subscription administrator or owner should use a secure access workstation or a privileged access workstation.

Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack. An attacker who compromises the endpoint can use the user's credentials to gain access to the organization's data. Most endpoint attacks take advantage of the fact that users are administrators on their local workstations.

Best practice: Use a secure management workstation to protect sensitive accounts, tasks, and data.
Detail: Use a privileged access workstation to reduce the attack surface of workstations. These secure management workstations can help you mitigate some of these attacks and ensure that your data is safer.

Best practice: Ensure endpoint protection.
Detail: Enforce security policies across all devices that are used to consume data, regardless of the data location (cloud or on-premises).

Protect data at rest

Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.

Best practice: Apply disk encryption to help safeguard your data.
Detail: Use Azure Disk Encryption. It enables IT administrators to encrypt Windows and Linux IaaS VM disks. Disk Encryption combines the industry-standard Windows BitLocker feature and the Linux dm-crypt feature to provide volume encryption for the OS and data disks.

Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an option. You can use Azure Key Vault to maintain control of the keys that access and encrypt your data. See Azure resource providers encryption model support to learn more.

Best practice: Use encryption to help mitigate risks related to unauthorized data access.
Detail: Encrypt your drives before you write sensitive data to them.

Organizations that don't enforce data encryption are more exposed to data-confidentiality issues. For example, unauthorized or rogue users might steal data in compromised accounts or gain unauthorized access to data stored in clear text. Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.

Protect data in transit

Protecting data in transit should be an essential part of your data protection strategy. Because data is moving back and forth between many locations, we generally recommend that you always use SSL/TLS protocols to exchange data across different locations. In some circumstances, you might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN.

For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use Azure VPN Gateway.

Following are best practices specific to using Azure VPN Gateway, SSL/TLS, and HTTPS.

Best practice: Secure access from multiple workstations located on-premises to an Azure virtual network.
Detail: Use site-to-site VPN.

Best practice: Secure access from an individual workstation located on-premises to an Azure virtual network.
Detail: Use point-to-site VPN.

Best practice: Move larger data sets over a dedicated high-speed WAN link.
Detail: Use ExpressRoute. If you choose to use ExpressRoute, you can also encrypt the data at the application level by using SSL/TLS or other protocols for added protection.

Best practice: Interact with Azure Storage through the Azure portal.
Detail: All transactions occur via HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage.
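As an added example (not Microsoft's or the Azure SDK's code), here is the client-side TLS policy a script calling the Storage REST API should carry with it: HTTPS only, certificate and hostname verification on, and TLS 1.2 as the floor. It builds the hardened context, builds the weak one a hurried script often ends up with so that the checker has something to flag, and validates Storage URLs so that a plain-HTTP or lookalike endpoint is refused before any request is made. The endpoint suffixes are the public global Azure Storage ones; the account names in the URLs are made up.

```python
"""TLS policy for clients of Azure Storage (or any Azure HTTPS endpoint).
Added example, not Microsoft's code; account names are constructed."""
import ssl
from typing import List
from urllib.parse import urlparse

# Public endpoint suffixes of the Storage services in global Azure.
STORAGE_SUFFIXES = (".blob.core.windows.net", ".queue.core.windows.net",
                    ".table.core.windows.net", ".file.core.windows.net")


def hardened_context() -> ssl.SSLContext:
    """What every client talking to Storage should use: system CA bundle,
    CERT_REQUIRED, hostname checking, and no protocol version below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The shortcut that reopens man-in-the-middle exposure (verification off).
    Built here only so context_findings() has a negative case to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx: ssl.SSLContext) -> List[str]:
    """Weaknesses in a context: usable as a pre-flight check before connecting."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def validate_storage_url(url: str) -> str:
    """Accept only https:// URLs whose host is a Storage endpoint and that carry
    no embedded credentials; raise ValueError otherwise. The suffix test is on
    the full hostname, so 'contoso.blob.core.windows.net.evil.example' fails."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError(f"refusing non-HTTPS scheme {p.scheme!r}")
    host = (p.hostname or "").lower()
    if not host.endswith(STORAGE_SUFFIXES):
        raise ValueError(f"{host!r} is not an Azure Storage endpoint")
    if p.username or p.password:
        raise ValueError("credentials must not be embedded in the URL")
    return url


if __name__ == "__main__":
    print("hardened:", context_findings(hardened_context()) or "no findings")
    print("weak:", context_findings(weak_context()))
    print(validate_storage_url("https://contoso.blob.core.windows.net/backups/db.bak"))
```

Pass the context from `hardened_context()` to whatever HTTP client issues the REST calls (for example as the `context` argument of `urllib.request`'s HTTPS handler), and run `validate_storage_url` on any endpoint that comes from configuration rather than code.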

Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.

Secure email, documents, and sensitive data

You want to control and secure email, documents, and sensitive data that you share outside your company. Azure Information Protection is a cloud-based solution that helps an organization classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.

Classification is identifiable at all times, regardless of where the data is stored or with whom it is shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.
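The following is an added example, not Microsoft's code, of what "other services can identify the classification" looks like in practice: a small parser for the clear-text label metadata in an email header, and a data-loss-prevention decision built on it. It assumes the `msip_labels` message header carries `MSIP_Label_<label GUID>_<Property>=value` pairs separated by semicolons, which is the format Microsoft clients emit as far as I know; confirm it against headers captured in your own tenant before relying on the property names. The label GUID, tenant id, dates and addresses are constructed, and the set of restricted label names is a policy choice.

```python
"""Parse Azure Information Protection label metadata from an email header and
apply a DLP-style outbound rule. Added example, not Microsoft's code; header
format is assumed, sample values are constructed."""
import re
from typing import Dict, List

# One header key per label property: MSIP_Label_<guid>_<Property>
LABEL_KEY = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_([A-Za-z]+)$")

# Label names that may not leave the organisation (policy choice; matches the
# "highly confidential" label used as the example above).
RESTRICTED_LABEL_NAMES = {"highly confidential"}

LABEL_GUID = "3f2a9c1e-7b4d-4e8a-9c2f-1a2b3c4d5e6f"  # constructed
SAMPLE_HEADER = "; ".join([                          # constructed msip_labels value
    f"MSIP_Label_{LABEL_GUID}_Enabled=true",
    f"MSIP_Label_{LABEL_GUID}_SetDate=2024-05-01T09:15:00Z",
    f"MSIP_Label_{LABEL_GUID}_Method=Privileged",
    f"MSIP_Label_{LABEL_GUID}_Name=Highly Confidential",
    f"MSIP_Label_{LABEL_GUID}_SiteId=11111111-2222-3333-4444-555555555555",
    f"MSIP_Label_{LABEL_GUID}_ContentBits=2",
])


def parse_msip_labels(header_value: str) -> Dict[str, Dict[str, str]]:
    """Group key=value pairs by label GUID. Malformed pairs are skipped rather
    than raising: mail headers are input the sender controls."""
    labels: Dict[str, Dict[str, str]] = {}
    for pair in header_value.split(";"):
        key, sep, value = pair.strip().partition("=")
        match = LABEL_KEY.match(key)
        if not sep or not match:
            continue
        guid, prop = match.group(1).lower(), match.group(2)
        labels.setdefault(guid, {})[prop] = value.strip()
    return labels


def active_label_names(header_value: str) -> List[str]:
    """Names of labels whose Enabled property is true; others are ignored."""
    return sorted(props.get("Name", "")
                  for props in parse_msip_labels(header_value).values()
                  if props.get("Enabled", "").lower() == "true")


def outbound_decision(header_value: str, recipients: List[str],
                      internal_domains: List[str]) -> str:
    """'block' when a restricted label is active and any recipient is outside
    the organisation's own domains; 'allow' otherwise."""
    restricted = any(n.lower() in RESTRICTED_LABEL_NAMES
                     for n in active_label_names(header_value))
    internal = {d.lower() for d in internal_domains}
    external = [r for r in recipients if r.rpartition("@")[2].lower() not in internal]
    return "block" if restricted and external else "allow"


if __name__ == "__main__":
    print(active_label_names(SAMPLE_HEADER))
    print(outbound_decision(SAMPLE_HEADER,
                            ["cfo@contoso.example", "x@partner.example"],
                            ["contoso.example"]))
```

Because the metadata is clear text, the same parse works on the header as seen by a mail gateway, a SIEM ingesting message traces, or a forensic review of a mailbox export; the decision function is where an organisation's own label-to-action policy goes.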

The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. The protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of their location: inside or outside your organization, networks, file servers, and applications.

This information protection solution keeps you in control of your data, even when it is shared with other people. You can also use Azure RMS with your own line-of-business applications and with information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

We recommend that you:

  • Deploy Azure Information Protection for your organization.
  • Apply labels that reflect your business requirements. For example: apply a label named "highly confidential" to all documents and emails that contain top-secret data, to classify and protect this data. Then, only authorized users can access this data, with any restrictions that you specify.
  • Configure usage logging for Azure RMS so that you can monitor how your organization is using the protection service.

Organizations that are weak on data classification and file protection might be more susceptible to data leakage or data misuse. With proper file protection, you can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, and so on.

Next steps

See Azure security best practices and patterns for more security best practices to use when you are designing, deploying, and managing your cloud solutions by using Azure.

The following resources are available to provide more general information about Azure security and related Microsoft services: