Azure Storage security overview

This article provides an overview of the Azure security features that you can use with Azure Storage. Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities. You can:

  • Secure the storage account by using Role-Based Access Control (RBAC) and Azure Active Directory.
  • Secure data in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • Set data to be automatically encrypted when it's written to Azure Storage by using Storage Service Encryption.
  • Set OS and data disks used by virtual machines (VMs) to be encrypted by using Azure Disk Encryption.
  • Grant delegated access to the data objects in Azure Storage by using shared access signatures (SASs).
  • Use analytics to track the authentication method that someone is using when they access Storage.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage. These features include storage account keys, data encryption in transit and at rest, and storage analytics.

Role-Based Access Control

You can help secure your storage account by using Role-Based Access Control. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users.


Delegated access to storage objects

A shared access signature provides delegated access to resources in your storage account. With a SAS you can grant a client limited permissions to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

The SAS is a URI that carries, in its query parameters, all the information necessary for authenticated access to a storage resource. To access storage resources with the SAS, the client only needs to provide the SAS to the appropriate constructor or method.
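Because every grant a SAS makes is visible in its query parameters, a defender can audit a SAS token before it is handed to a client. The following added example (not code from the original article or from Microsoft) parses the SAS parameters of a storage URL and flags settings that weaken the least-privilege intent described above: a lifetime longer than an assumed 24-hour policy, write or delete permissions, plain HTTP allowed, and no source IP restriction. The sample URLs, the signature values and the clock are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Policy threshold assumed for this example: a SAS valid for longer than this is flagged.
MAX_LIFETIME = timedelta(hours=24)
EXAMPLE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility

# Constructed sample SAS URLs; the sig values are placeholders, not real HMAC signatures.
BROAD_SAS_URL = (
    "https://contoso.blob.core.windows.net/?sv=2019-02-02&ss=b&srt=sco"
    "&sp=rwdlac&st=2019-01-01T00:00:00Z&se=2030-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)
TIGHT_SAS_URL = (
    "https://contoso.blob.core.windows.net/reports/q1.csv?sv=2019-02-02&sr=b"
    "&sp=r&se=2019-06-01T02:00:00Z&spr=https&sip=203.0.113.10"
    "&sig=PLACEHOLDER_SIGNATURE"
)

def _parse_sas_time(value):
    """Parse the UTC date or date-time forms used in the st and se parameters."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS time: %s" % value)

def parse_sas(url):
    """Return the SAS query parameters of a storage URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def audit_sas(url, now=EXAMPLE_NOW):
    """Return policy findings for a SAS URL; an empty list means it passes."""
    p = parse_sas(url)
    if "sig" not in p or "se" not in p:
        return ["not a SAS: missing sig or se parameter"]
    findings = []
    start = _parse_sas_time(p["st"]) if "st" in p else now
    expiry = _parse_sas_time(p["se"])
    if expiry <= now:
        findings.append("expired")
    elif expiry - start > MAX_LIFETIME:
        findings.append("lifetime exceeds %s" % MAX_LIFETIME)
    if set(p.get("sp", "")) & set("wdac"):   # write, delete, add, create
        findings.append("grants write/delete permissions: sp=%s" % p["sp"])
    if "http" in p.get("spr", "https,http").split(","):   # both allowed if spr is omitted
        findings.append("allows plain HTTP")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings
```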


Encryption in transit

Encryption in transit is a mechanism for protecting data while it is transmitted across networks. With Azure Storage, you can secure data by using:

  • Transport-level encryption, such as HTTPS, when you transfer data into or out of Azure Storage.
  • Wire encryption, such as SMB 3.0 encryption, for Azure file shares.
  • Client-side encryption, to encrypt the data before it is transferred into Storage and to decrypt the data after it is transferred out of Storage.


Encryption at rest

For many organizations, data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that's at rest:


Azure Disk Encryption

Azure Disk Encryption for virtual machines helps you address organizational security and compliance requirements. It encrypts your VM disks (including boot and data disks) by using keys and policies that you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit the use of your disk encryption keys. All the data in your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.


Firewalls and Virtual networks

Azure Storage allows you to enable firewall rules for your storage accounts. Once enabled, these rules block incoming requests for data, including requests from other Azure services. You can configure exceptions to allow traffic. Firewall rules may be enabled on existing storage accounts or at creation time.

You should use this functionality to restrict access to your storage accounts to a specific set of allowed networks.

For more information on Azure Storage firewalls and virtual networks, review the article Configure Azure Storage Firewalls and Virtual Networks.

Azure Data Box

Data Box, Data Box Disk, and Data Box Heavy devices help you transfer large amounts of data to Azure when the network isn't an option. These offline data transfer devices are shipped between your organization and the Azure data center. They use AES encryption to help protect your data in transit, and they undergo a thorough post-upload sanitization process to delete your data from the device.

Data Box Edge and Data Box Gateway are online data transfer products that act as network storage gateways to manage data between your site and Azure. Data Box Edge, an on-premises network device, transfers data to and from Azure and uses artificial intelligence (AI)-enabled edge compute to process data. Data Box Gateway is a virtual appliance with storage gateway capabilities.


Advanced Threat Protection

Azure Storage provides Advanced Threat Protection as an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage account. Advanced Threat Protection monitors Azure Storage diagnostic logs for suspicious read, write, or delete requests to Blob storage.

Advanced Threat Protection alerts can be viewed from Azure Security Center. Azure Security Center provides details on any suspicious activity detected and recommends actions to investigate and remediate the potential threat.
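The two detections this section describes, and the authentication-method tracking mentioned in the overview list, can be reproduced in miniature against the storage logs themselves. The following added example (not code from the original article, from Microsoft, or from Advanced Threat Protection) parses Storage Analytics log records, summarises requests by authentication type, and raises an alert when one requester IP issues a burst of DeleteBlob operations. The field positions are assumed from the semicolon-delimited Storage Analytics v1.0 log format, the log lines are constructed and truncated after the requester IP field, and the threshold and window are assumed policy values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Field positions assumed from the Storage Analytics v1.0 log format (semicolon-delimited).
F_TIME, F_OP, F_AUTH, F_OBJECT, F_IP = 1, 2, 7, 12, 15
DELETE_THRESHOLD = 3          # assumed policy: more deletes than this per IP per WINDOW alerts
WINDOW = timedelta(minutes=5)

# Constructed sample log; each record is truncated after the requester-ip-address field.
SAMPLE_LOG = """\
1.0;2019-06-01T10:00:01.0000000Z;GetBlob;Success;200;12;10;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/r/a.csv";"/contoso/r/a.csv";r1;1;203.0.113.10
1.0;2019-06-01T10:00:05.0000000Z;DeleteBlob;Success;202;8;7;sas;;contoso;blob;"https://contoso.blob.core.windows.net/r/a.csv?sig=X";"/contoso/r/a.csv";r2;1;198.51.100.7
1.0;2019-06-01T10:00:06.0000000Z;DeleteBlob;Success;202;8;7;sas;;contoso;blob;"https://contoso.blob.core.windows.net/r/b.csv?sig=X";"/contoso/r/b.csv";r3;1;198.51.100.7
1.0;2019-06-01T10:00:07.0000000Z;DeleteBlob;Success;202;8;7;sas;;contoso;blob;"https://contoso.blob.core.windows.net/r/c.csv?sig=X";"/contoso/r/c.csv";r4;1;198.51.100.7
1.0;2019-06-01T10:00:08.0000000Z;DeleteBlob;Success;202;8;7;sas;;contoso;blob;"https://contoso.blob.core.windows.net/r/d.csv?sig=X";"/contoso/r/d.csv";r5;1;198.51.100.7
1.0;2019-06-01T10:30:00.0000000Z;DeleteBlob;Success;202;8;7;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/r/old.csv";"/contoso/r/old.csv";r6;1;203.0.113.10
"""

def parse_log(text):
    """Parse log lines into dicts holding only the fields the detections need."""
    records = []
    for line in text.splitlines():
        f = line.split(";")
        records.append({"time": datetime.strptime(f[F_TIME][:19], "%Y-%m-%dT%H:%M:%S"),
                        "op": f[F_OP], "auth": f[F_AUTH],
                        "object": f[F_OBJECT].strip('"'), "ip": f[F_IP]})
    return records

def auth_breakdown(records):
    """Count requests per authentication type (authenticated, sas, anonymous)."""
    return Counter(r["auth"] for r in records)

def delete_bursts(records):
    """Return {ip: peak deletes within WINDOW} for IPs exceeding DELETE_THRESHOLD."""
    by_ip = defaultdict(list)
    for r in records:
        if r["op"] == "DeleteBlob":
            by_ip[r["ip"]].append(r["time"])
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > DELETE_THRESHOLD:
            alerts[ip] = peak
    return alerts
```

In the sample, the four SAS-authenticated deletes from 198.51.100.7 within four seconds trip the alert, while the single authenticated delete from 203.0.113.10 does not.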


Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage disk encryption keys and secrets in your key vault subscription. It also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage. You should use Key Vault to audit key and policy usage.
