Advanced data security for Azure SQL Database

Advanced data security is a unified package for advanced SQL security capabilities. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

Overview

Advanced data security (ADS) provides a set of advanced SQL security capabilities, including data discovery & classification, vulnerability assessment, and Advanced Threat Protection.

  • Data discovery & classification (currently in preview) provides capabilities built into Azure SQL Database for discovering, classifying, labeling & protecting the sensitive data in your databases. It can be used to provide visibility into your database classification state, and to track the access to sensitive data within the database and beyond its borders.
  • Vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security state, and includes actionable steps to resolve security issues and enhance your database fortifications.
  • Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and provides immediate security alerts on potential vulnerabilities, SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

Enable SQL ADS once to enable all of these included features. With one click, you can enable ADS for all databases on your SQL Database server or managed instance. Enabling or managing ADS settings requires belonging to the SQL security manager role, SQL database admin role, or SQL server admin role.

ADS pricing aligns with the Azure Security Center standard tier, where each protected SQL Database server or managed instance is counted as one node. Newly protected resources qualify for a free trial of the Security Center standard tier. For more information, see the Azure Security Center pricing page.

Getting Started with ADS

The following steps get you started with ADS.

1. Enable ADS

Enable ADS by navigating to Advanced Data Security under the Security heading for your SQL Database server or managed instance. To enable ADS for all databases on the database server or managed instance, click Enable Advanced Data Security on the server.

Note

A storage account is automatically created and configured to store your Vulnerability Assessment scan results. If you've already enabled ADS for another server in the same resource group and region, then the existing storage account is used.

Enable ADS

Note

The cost of ADS is aligned with Azure Security Center standard tier pricing per node, where a node is the entire SQL Database server or managed instance. You are thus paying only once for protecting all databases on the database server or managed instance with ADS. You can try ADS out initially with a free trial.

2. Start classifying data, tracking vulnerabilities, and investigating threat alerts

Click the Data Discovery & Classification card to see recommended sensitive columns to classify and to classify your data with persistent sensitivity labels. Click the Vulnerability Assessment card to view and manage vulnerability scans and reports, and to track your security posture. If security alerts have been received, click the Advanced Threat Protection card to view details of the alerts and to see a consolidated report on all alerts in your Azure subscription via the Azure Security Center security alerts page.

3. Manage ADS settings on your SQL Database server or managed instance

To view and manage ADS settings, navigate to Advanced Data Security under the Security heading for your SQL Database server or managed instance. On this page, you can enable or disable ADS, and modify vulnerability assessment and Advanced Threat Protection settings for your entire SQL Database server or managed instance.

Server settings

4. Manage ADS settings for a SQL database

To override ADS settings for a particular database, check the Enable Advanced Data Security at the database level checkbox. Use this option only if you have a particular requirement to receive separate Advanced Threat Protection alerts or vulnerability assessment results for the individual database, in place of or in addition to the alerts and results received for all databases on the database server or managed instance.

Once the checkbox is selected, you can then configure the relevant settings for this database.

Database and Advanced Threat Protection settings

Advanced data security settings for your database server or managed instance can also be reached from the ADS database pane. Click Settings in the main ADS pane, and then click View Advanced Data Security server settings.

Database settings
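The four steps above are portal clicks; the same sequence can be scripted so that enabling ADS, running a first vulnerability scan, applying a classification recommendation, and setting a database-level override are repeatable and reviewable. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes the Az.Sql module is installed and you are signed in with `Connect-AzAccount`, and the resource group, server, database, column and e-mail values are placeholders to replace with your own.

```powershell
# Added example (not from the original page). Assumes Az.Sql is installed and
# Connect-AzAccount has been run. All names below are placeholders.
$rg      = 'rg-sql-demo'        # placeholder resource group
$server  = 'sql-demo-server'    # placeholder SQL Database server (without .database.windows.net)
$db      = 'demo-db'            # placeholder database that needs its own alerts
$notify  = 'secops@example.com' # placeholder recipient for Advanced Threat Protection alerts

# Step 1: enable ADS for every database on the server. One server is one
# billing node, so this single call covers all databases on it. The storage
# account for Vulnerability Assessment results is provisioned automatically
# (pass -DoNotConfigureVulnerabilityAssessment to skip that).
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server

# Step 3: review the server-level policy and route Advanced Threat Protection
# alerts to the security team as well as the subscription admins.
Get-AzSqlServerAdvancedDataSecurityPolicy -ResourceGroupName $rg -ServerName $server
Set-AzSqlServerThreatDetectionSetting -ResourceGroupName $rg -ServerName $server `
    -NotificationRecipientsEmails $notify -EmailAdmins $true

# Step 2a: trigger an on-demand vulnerability assessment scan for the database
# and list its scan records (state, timing, number of failed checks).
Start-AzSqlDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db -ScanId 'ads-baseline-scan'
Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db | Format-Table ScanId, State, StartTime, NumberOfFailedSecurityChecks

# Step 2b: list the columns Data Discovery & Classification recommends, then
# persist a label on one of them. Schema/table/column names are placeholders.
(Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db).SensitivityLabels |
    Format-Table SchemaName, TableName, ColumnName, SensitivityLabel, InformationType
Set-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'Email' `
    -SensitivityLabel 'Confidential' -InformationType 'Contact Info'

# Step 4: database-level override. Use this only when this database must get
# its own Advanced Threat Protection alerts or vulnerability results, separate
# from (or in addition to) the server-wide ones.
Enable-AzSqlDatabaseAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server -DatabaseName $db
Get-AzSqlDatabaseAdvancedDataSecurityPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db
```

Running the server-level enable first matters: the page notes the database-level checkbox is an override, so a database-level policy on its own does not protect the other databases on the server. The scan record and classification listings are the values worth keeping in a change ticket, since they show the baseline before any remediation.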

Next steps