An overview of Azure SQL Database security capabilities

This article outlines the basics of securing the data tier of an application using Azure SQL Database. The security strategy described follows the layered defense-in-depth approach shown in the picture below, and moves from the outside in:

(Figure: sql-security-layer.png)

Network security

Microsoft Azure SQL Database provides a relational database service for cloud and enterprise applications. To help protect customer data, firewalls prevent network access to the database server until access is explicitly granted based on IP address or Azure Virtual Network traffic origin.

IP firewall rules

IP firewall rules grant access to databases based on the originating IP address of each request. For more information, see Overview of Azure SQL Database and SQL Data Warehouse firewall rules.
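The following T-SQL is an added example, not code from the original article: it creates a server-level IP firewall rule with the built-in sp_set_firewall_rule procedure, then reviews the rule set for entries that span the entire IPv4 space, which is the misconfiguration a defender most wants to catch. The address 203.0.113.10 and the rule names are constructed for the example; the stored procedures and the sys.firewall_rules view are the real Azure SQL Database objects.

```sql
-- Run in the master database of the logical server as the server admin.

-- Allow exactly one egress address (constructed example address).
-- Start and end addresses are equal, so the rule admits a single host.
EXECUTE sp_set_firewall_rule
    @name             = N'office-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Review every server-level rule and flag ranges that admit the whole Internet.
-- A rule from 0.0.0.0 to 255.255.255.255 removes the network layer of defense entirely.
SELECT
    name,
    start_ip_address,
    end_ip_address,
    modify_date,
    CASE
        WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
            THEN 'OVERLY BROAD - remove'
        WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
            THEN 'Allow Azure services - review'
        ELSE 'scoped'
    END AS assessment
FROM sys.firewall_rules
ORDER BY modify_date DESC;

-- Remove a rule once it is no longer justified (hypothetical rule name).
EXECUTE sp_delete_firewall_rule @name = N'AllowAll';

-- Database-level rules are managed with the same pattern inside the user database:
--   EXECUTE sp_set_database_firewall_rule N'name', 'start', 'end';
--   SELECT * FROM sys.database_firewall_rules;
```

The special range 0.0.0.0 to 0.0.0.0 is how the portal's "Allow Azure services" setting is represented; it admits traffic from any Azure tenant, not just your own, so it is worth reviewing alongside genuinely open ranges.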

Virtual network firewall rules

Virtual network service endpoints extend your virtual network connectivity over the Azure backbone and enable Azure SQL Database to identify the virtual network subnet that traffic originates from. To allow traffic to reach Azure SQL Database, use the SQL service tags to allow outbound traffic through Network Security Groups.

Virtual network rules enable Azure SQL Database to accept only communications that are sent from selected subnets inside a virtual network.

Note

Controlling access with firewall rules does not apply to a managed instance. For more information about the networking configuration needed, see Connecting to a managed instance.

Access management

Important

Managing databases and database servers within Azure is controlled by your portal user account's role assignments. For more information on this topic, see Role-based access control in Azure portal.

Authentication

Authentication is the process of proving the user is who they claim to be. Azure SQL Database supports two types of authentication:

  • SQL authentication:

    SQL database authentication refers to the authentication of a user when connecting to Azure SQL Database using a username and password. During the creation of the database server for the database, a "Server admin" login with a username and password must be specified. Using these credentials, a "server admin" can authenticate to any database on that database server as the database owner. After that, additional SQL logins and users can be created by the server admin, which enable users to connect using a username and password.

  • Azure Active Directory authentication:

    Azure Active Directory authentication is a mechanism of connecting to Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). Azure AD authentication allows administrators to centrally manage the identities and permissions of database users along with other Microsoft services in one central location. This includes the minimization of password storage and enables centralized password rotation policies.

    A server admin called the Active Directory administrator must be created to use Azure AD authentication with SQL Database. For more information, see Connecting to SQL Database By Using Azure Active Directory Authentication. Azure AD authentication supports both managed and federated accounts. The federated accounts support Windows users and groups for a customer domain federated with Azure AD.

    Additional Azure AD authentication options available are Active Directory Universal Authentication for SQL Server Management Studio connections, including Multi-Factor Authentication and Conditional Access.

Authorization

Authorization refers to the permissions assigned to a user within an Azure SQL Database, and determines what the user is allowed to do. Permissions are controlled by adding user accounts to database roles and assigning database-level permissions to those roles, or by granting the user certain object-level permissions. For more information, see Logins and users.

As a best practice, create custom roles when needed. Add users to the role with the least privileges required to do their job function. Do not assign permissions directly to users. The server admin account is a member of the built-in db_owner role, which has extensive permissions and should only be granted to the few users with administrative duties. For Azure SQL Database applications, use EXECUTE AS to specify the execution context of the called module, or use Application Roles with limited permissions. This practice ensures that the application that connects to the database has the least privileges needed by the application. Following these best practices also fosters separation of duties.
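As an added example that is not part of the original article, the T-SQL below puts the best practices above into a single script: a custom role that holds only read permission, an application user that is a member of that role rather than a direct grantee, and a stored procedure that performs the one write the application needs under a separate low-privilege context via EXECUTE AS. The schema Sales, the table Sales.Orders, the user and role names, and the password placeholder are all constructed for the example.

```sql
-- Run in the user database (not master). Constructed schema and table.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    CustomerId int   NOT NULL,
    Amount     money NOT NULL,
    CreatedBy  sysname NOT NULL DEFAULT ORIGINAL_LOGIN()
);
GO

-- Contained database user for the application. For an Azure AD identity you
-- would instead use: CREATE USER [app@contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER app_orders WITH PASSWORD = '<replace-with-strong-password>';  -- placeholder

-- Custom role that carries only what the application needs; permissions go to
-- the role, never directly to the user.
CREATE ROLE orders_reader;
GRANT SELECT ON SCHEMA::Sales TO orders_reader;
ALTER ROLE orders_reader ADD MEMBER app_orders;

-- Separate execution context for the single write path. This user has no login
-- and cannot connect; it exists only to own the INSERT permission.
CREATE USER svc_order_writer WITHOUT LOGIN;
GRANT INSERT ON Sales.Orders TO svc_order_writer;
GO

-- The module runs as svc_order_writer, so app_orders never holds INSERT itself
-- and cannot insert arbitrary rows outside this procedure.
CREATE PROCEDURE Sales.PlaceOrder
    @CustomerId int,
    @Amount     money
WITH EXECUTE AS 'svc_order_writer'
AS
BEGIN
    SET NOCOUNT ON;
    IF @Amount <= 0
        THROW 50001, 'Amount must be positive.', 1;
    INSERT INTO Sales.Orders (CustomerId, Amount) VALUES (@CustomerId, @Amount);
END;
GO
GRANT EXECUTE ON Sales.PlaceOrder TO orders_reader;
GO

-- Check what the application can actually do: SELECT and EXECUTE, but no INSERT.
EXECUTE AS USER = 'app_orders';
SELECT permission_name FROM fn_my_permissions('Sales.Orders', 'OBJECT');
SELECT permission_name FROM fn_my_permissions('Sales.PlaceOrder', 'OBJECT');
EXECUTE Sales.PlaceOrder @CustomerId = 42, @Amount = 19.99;   -- succeeds via EXECUTE AS
REVERT;
GO
```

Querying fn_my_permissions while impersonating the application user is a quick audit step to confirm that a role change did not silently widen what the application can reach.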

Row-level security

Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query (for example, group membership or execution context). Row-Level Security can also be used to implement custom label-based security concepts. For more information, see Row-Level security.
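The T-SQL below is an added example, not code from the original article, showing the two pieces that make up Row-Level Security: an inline table-valued predicate function and a security policy that binds it to a table. The predicate grants a row when its Owner column matches the executing user (USER_NAME()) or when the caller is a member of a helpdesk_admin role, which is the "group membership or execution context" case the text describes. The Tickets table, its rows, the user alice and the role name are constructed for the example.

```sql
-- Constructed table and sample rows.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Tickets (
    TicketId int IDENTITY PRIMARY KEY,
    Owner    sysname        NOT NULL,
    Subject  nvarchar(200)  NOT NULL
);
INSERT INTO dbo.Tickets (Owner, Subject)
VALUES (N'alice', N'Reset MFA'), (N'bob', N'VPN outage'), (N'alice', N'Laptop refresh');

-- Principals used by the demo. The role must exist before IS_MEMBER is evaluated.
CREATE ROLE helpdesk_admin;
CREATE USER alice WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Tickets TO alice;
GO

-- Predicate function: returns a row (1) when the caller may see/write the row.
-- SCHEMABINDING is required for security predicates.
CREATE FUNCTION Security.fn_ticket_predicate (@Owner AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE @Owner = USER_NAME()              -- execution context
       OR IS_MEMBER('helpdesk_admin') = 1;  -- group membership
GO

-- FILTER hides non-matching rows from SELECT/UPDATE/DELETE.
-- BLOCK AFTER INSERT rejects writes that would create rows the caller could not see,
-- which closes the gap where a user inserts data under someone else's name.
CREATE SECURITY POLICY Security.TicketPolicy
    ADD FILTER PREDICATE Security.fn_ticket_predicate(Owner) ON dbo.Tickets,
    ADD BLOCK  PREDICATE Security.fn_ticket_predicate(Owner) ON dbo.Tickets AFTER INSERT
WITH (STATE = ON);
GO

-- Verify from alice's perspective: 2 rows are returned, bob's row is invisible.
EXECUTE AS USER = 'alice';
SELECT TicketId, Owner, Subject FROM dbo.Tickets;
GO
-- Rejected by the block predicate: alice may not insert a ticket owned by bob.
INSERT INTO dbo.Tickets (Owner, Subject) VALUES (N'bob', N'Spoofed');
GO
REVERT;
GO
```

The rejected INSERT is placed in its own batch so the error does not prevent the REVERT that follows. Members of helpdesk_admin see every row because the second branch of the predicate is true for them regardless of Owner.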

(Figure: azure-database-rls.png)

Threat protection

SQL Database secures customer data by providing auditing and threat detection capabilities.

SQL auditing in Azure Monitor logs and Event Hubs

SQL Database auditing tracks database activities and helps to maintain compliance with security standards by recording database events to an audit log in a customer-owned Azure storage account. Auditing allows users to monitor ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations. For more information, see Get started with SQL Database Auditing.

Advanced Threat Protection

Advanced Threat Protection analyzes your SQL Server logs to detect unusual behavior and potentially harmful attempts to access or exploit databases. Alerts are created for suspicious activities such as SQL injection, potential data infiltration, and brute force attacks, or for anomalies in access patterns, to catch privilege escalations and use of breached credentials. Alerts are viewed from the Azure Security Center, where the details of the suspicious activities are provided and recommendations for further investigation are given along with actions to mitigate the threat. Advanced Threat Protection can be enabled per server for an additional fee. For more information, see Get started with SQL Database Advanced Threat Protection.

(Figure: azure-database-td.jpg)

Information protection and encryption

Transport Layer Security (Encryption-in-transit)

SQL Database secures customer data by encrypting data in motion with Transport Layer Security.

SQL Server enforces encryption (SSL/TLS) at all times for all connections. This ensures all data is encrypted "in transit" between the client and server irrespective of the setting of Encrypt or TrustServerCertificate in the connection string.

As a best practice, we recommend that in your application's connection string you specify an encrypted connection and do not trust the server certificate. This forces your application to verify the server certificate and thus prevents your application from being vulnerable to man-in-the-middle attacks.

For example, when using the ADO.NET driver this is accomplished via Encrypt=True and TrustServerCertificate=False. If you obtain your connection string from the Azure portal, it will have the correct settings.

Important

Note that some non-Microsoft drivers may not use TLS by default or may rely on an older version of TLS (<1.2) in order to function. In this case SQL Server still allows you to connect to your database. However, we recommend that you evaluate the security risks of allowing such drivers and applications to connect to SQL Database, especially if you store sensitive data.

For further information about TLS and connectivity, see TLS considerations.
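Because the server enforces encryption regardless of the client's settings, the practical check is on the server side: confirm that the session you are in, and every other open session, actually reports an encrypted connection. The query below is an added example, not from the original article; it uses the real sys.dm_exec_connections and sys.dm_exec_sessions views, and the connection string in the comment is the shape described above with placeholder server and database names.

```sql
-- Connection string shape recommended above (placeholders for server and database):
--   Server=tcp:<server>.database.windows.net,1433;Database=<db>;
--   Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;

-- 1. Is my own session encrypted? encrypt_option should read 'TRUE'.
SELECT
    c.session_id,
    c.encrypt_option,
    c.protocol_type,
    c.client_net_address,
    c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- 2. Inventory of every open session and its encryption state, with the
--    program name and login so an unencrypted session (which should not occur
--    on Azure SQL Database) can be traced back to a driver or application.
SELECT
    s.session_id,
    s.login_name,
    s.program_name,
    s.client_interface_name,    -- driver family, e.g. ODBC, .Net SqlClient
    c.client_net_address,
    c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name;
```

The client_interface_name column is the useful one when reviewing the third-party-driver caveat above: it tells you which driver families are connecting, so you can check each against the TLS version it supports.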

Transparent Data Encryption (Encryption-at-rest)

Transparent Data Encryption (TDE) for Azure SQL Database adds a layer of security to help protect data at rest from unauthorized or offline access to raw files or backups. Common scenarios include datacenter theft or unsecured disposal of hardware or media such as disk drives and backup tapes. TDE encrypts the entire database using an AES encryption algorithm, which doesn't require application developers to make any changes to existing applications.

In Azure, all newly created SQL databases are encrypted by default and the database encryption key is protected by a built-in server certificate. Certificate maintenance and rotation are managed by the service and require no input from the user. Customers who prefer to take control of the encryption keys can manage the keys in Azure Key Vault.

Key management with Azure Key Vault

Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) allows customers to take ownership of key management and rotation using Azure Key Vault, Azure's cloud-based external key management system. If the database's access to the key vault is revoked, the database cannot be decrypted and read into memory. Azure Key Vault provides a central key management platform, leverages tightly monitored hardware security modules (HSMs), and enables separation of duties between management of keys and data to help meet security compliance requirements.

Always Encrypted (Encryption-in-use)

(Figure: azure-database-ae.png)

Always Encrypted is a feature designed to protect sensitive data stored in specific database columns from access (for example, credit card numbers, national identification numbers, or data on a need-to-know basis). This includes database administrators or other privileged users who are authorized to access the database to perform management tasks, but have no business need to access the particular data in the encrypted columns. The data is always encrypted, which means the encrypted data is decrypted only for processing by client applications with access to the encryption key. The encryption key is never exposed to SQL and can be stored either in the Windows Certificate Store or in Azure Key Vault.
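The DDL below is an added example, not from the original article, showing how the key hierarchy described above is expressed in T-SQL: a column master key that is only a pointer to an Azure Key Vault key, a column encryption key stored solely as ciphertext wrapped by that master key, and a table whose sensitive columns are bound to it. The KEY_PATH URL and the ENCRYPTED_VALUE are placeholders; the wrapped key blob is generated by a client tool (SSMS or the SqlServer PowerShell module) that holds access to the master key, precisely because the plaintext key must never reach the server. The table, column and key names are constructed for the example.

```sql
-- Column master key: the database stores only where the key lives, not the key.
CREATE COLUMN MASTER KEY CMK_KeyVault
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<vault-name>.vault.azure.net/keys/<key-name>/<version>'  -- placeholder
);
GO

-- Column encryption key: held only as ciphertext wrapped (RSA-OAEP) by the CMK.
-- The ENCRYPTED_VALUE below is a placeholder; a client tool with CMK access produces it.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_KeyVault,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder for the wrapped key blob
);
GO

CREATE TABLE dbo.Patients (
    PatientId  int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    -- Deterministic encryption keeps equality lookups and joins possible
    -- (same plaintext -> same ciphertext); string columns need a BIN2 collation.
    NationalId char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Patients,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized encryption leaks nothing about equal values but allows no
    -- lookups, grouping or indexing on the column; use it where searches are not needed.
    CardNumber varchar(19)
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Patients,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
GO

-- Verification a DBA can run without any key access: which columns are encrypted,
-- how, and under which key. A plain SELECT on these columns from a session that
-- does not have Column Encryption Setting=Enabled returns varbinary ciphertext.
SELECT
    c.name                  AS column_name,
    c.encryption_type_desc,
    c.encryption_algorithm_name,
    k.name                  AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```

Inserts and parameterized lookups against the encrypted columns must come from a client driver that has Always Encrypted enabled and can reach the master key; that is the mechanism by which a privileged server-side user remains unable to read the plaintext.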

Dynamic data masking

(Figure: azure-database-ddm.png)

SQL Database dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking automatically discovers potentially sensitive data in Azure SQL Database and provides actionable recommendations to mask these fields, with minimal impact on the application layer. It works by obfuscating the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. For more information, see Get started with SQL Database dynamic data masking.
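As an added example that is not part of the original article, the script below defines the four built-in masking functions on a constructed Customers table, shows what a SELECT-only user receives, and lists the masked columns from the catalog. The table, column values, and the report_user principal are all constructed; MASKED WITH, the UNMASK permission and sys.masked_columns are the real Azure SQL Database features.

```sql
-- Constructed table: each sensitive column carries a masking rule.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    -- email(): keeps the first letter and the ".com" suffix -> jXXX@XXXX.com
    Email      nvarchar(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- partial(prefix, padding, suffix): expose only the last 4 digits
    CardNumber varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    -- random(low, high): replaces numeric values with a random number in range
    Salary     money         MASKED WITH (FUNCTION = 'random(1000, 5000)') NULL,
    -- default(): full mask appropriate to the type (xxxx for strings, 0 for numbers)
    Notes      nvarchar(max) MASKED WITH (FUNCTION = 'default()') NULL
);
INSERT INTO dbo.Customers (FullName, Email, CardNumber, Salary, Notes)
VALUES (N'Jane Roe', N'jane.roe@example.com', '4111-1111-1111-1111', 72000, N'VIP account');
GO

-- A masking rule can also be added to an existing column:
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"...",0)');
GO

-- A user with only SELECT receives masked values; the stored data is untouched.
CREATE USER report_user WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO report_user;
GO
EXECUTE AS USER = 'report_user';
SELECT FullName, Email, CardNumber, Salary, Notes FROM dbo.Customers;
-- e.g. J...  jXXX@XXXX.com  XXXX-XXXX-XXXX-1111  (random 1000-5000)  xxxx
REVERT;
GO

-- UNMASK is the single permission that reveals real values; grant it deliberately
-- and review who holds it. Revoke it to return the user to masked output.
GRANT  UNMASK TO report_user;
REVOKE UNMASK FROM report_user;
GO

-- Catalog check: every masked column in the database and its rule.
SELECT
    OBJECT_SCHEMA_NAME(object_id) AS schema_name,
    OBJECT_NAME(object_id)        AS table_name,
    name                          AS column_name,
    masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

Masking applies only to result sets, so a user who can run ad-hoc queries can still filter on the real values (for example with a WHERE clause on Salary) and narrow down what they cannot read directly; for data where that matters, pair masking with the least-privilege grants, Row-Level Security, or Always Encrypted described elsewhere in this article.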

Security management

Vulnerability assessment

Vulnerability assessment is an easy-to-configure service that can discover, track, and help remediate potential database vulnerabilities with the goal of proactively improving overall database security. Vulnerability assessment (VA) is part of the advanced data security (ADS) offering, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central SQL ADS portal.

Data discovery & classification

Data discovery & classification (currently in preview) provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling, and protecting the sensitive data in your databases. Discovering and classifying your most sensitive data (business/financial, healthcare, personal data, etc.) can play a pivotal role in your organization's information protection stature. It can serve as infrastructure for:

  • Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to, and hardening the security of, databases containing highly sensitive data.
  • Helping meet data privacy standards and regulatory compliance requirements.

For more information, see Get started with data discovery & classification.

Compliance

In addition to the above features and functionality that can help your application meet various security requirements, Azure SQL Database also participates in regular audits, and has been certified against a number of compliance standards. For more information, see the Microsoft Azure Trust Center, where you can find the most current list of SQL Database compliance certifications.

Feature restrictions

Feature restrictions help prevent some forms of SQL injection from leaking information about the database, even when the SQL injection is successful. For more information, see Azure SQL Database Feature Restrictions.

Next steps