Microsoft Cloud App Security data security and privacy

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Microsoft Cloud App Security is a critical component of the Microsoft Cloud Security stack. It's a comprehensive solution that helps your organization take full advantage of the promise of cloud applications. Cloud App Security keeps you in control through comprehensive visibility, auditing, and granular controls over your sensitive data.

Microsoft Cloud App Security has tools that help uncover shadow IT and assess risk while enabling you to enforce policies and investigate activities. It helps you control access in real time and stop threats so your organization can more safely move to the cloud.

Cloud App Security compliance

In a world where data breaches and attacks are daily occurrences, it's essential for organizations to choose a cloud app security broker that makes every effort to protect their data. Microsoft Cloud App Security, like all Microsoft cloud products and services, is built to address the rigorous security and privacy demands of our customers.

To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data, Microsoft Cloud App Security provides a comprehensive set of compliance offerings. The compliance offerings include certifications and attestations.

Compliance framework and offerings

Microsoft Cloud App Security meets many international and industry-specific compliance standards including, but not limited to:

Organization | Title | Description
CSA | CSA STAR Attestation | Azure and Intune were awarded Cloud Security Alliance STAR Attestation based on an independent audit.
CSA | CSA STAR Certification | Azure, Intune, and Power BI were awarded Cloud Security Alliance STAR Certification at the Gold level.
EU | EU Model Clauses | Microsoft offers EU Standard Contractual Clauses, guarantees for transfers of personal data.
HIPAA | HIPAA/HITECH | Microsoft offers Health Insurance Portability & Accountability Act Business Associate Agreements (BAAs).
ISO | ISO 9001 | Microsoft is certified for its implementation of these quality management standards.
ISO | ISO/IEC 27001 | Microsoft is certified for its implementation of these information security management standards.
ISO | ISO/IEC 27018 | Microsoft was the first cloud provider to adhere to this code of practice for cloud privacy.
PCI | PCI DSS | Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1.
SOC | SOC 1 and SOC 2 Type 2 Reports | Microsoft cloud services comply with Service Organization Controls standards for operational security.
SOC | SOC 3 | Microsoft cloud services comply with Service Organization Controls standards for operational security.
G-Cloud | UK G-Cloud | The Crown Commercial Service renewed the Microsoft cloud services classification to Government Cloud v6.

For more information, go to Microsoft Compliance Offerings and select Cloud App Security.

Privacy

You're the owner of your data

  • In Microsoft Cloud App Security, your administrators can view the identifiable personal data stored in the service from the portal using the Search bar.

  • Admins can search for a specific user's metadata or a user's activity. Clicking an entity opens the Users and accounts page, which provides comprehensive details about the entity pulled from connected cloud applications. It also provides the user's activity history and the security alerts related to the user.

  • You own your data and can cancel subscriptions and request deletion of your data at any time. If you don't renew your subscription, your data will be deleted within the timeline specified in the Online Services Terms.

  • If you ever choose to terminate the service, you can take your data with you.

Microsoft Cloud App Security is the processor of your data

  • Cloud App Security uses your data only for purposes that are consistent with providing the services to which you subscribe.

  • If a government approaches Microsoft for access to your data, Microsoft redirects the inquiry to you, the customer, whenever possible. Microsoft has challenged legal demands that weren't valid and that prohibited disclosure of a government request for customer data. Learn more about who can access your data and on what terms.

Privacy controls

  • Privacy controls help you configure who in your organization has access to the service and what they can access.

Updating personal data

Personal data about users is derived from the user's object in the SaaS applications in use. Because of this, any changes made to the user profile in those applications are reflected in Microsoft Cloud App Security.

Data location

Microsoft Cloud App Security currently operates in datacenters in the United States and Europe (each a "Geo"). Your tenant account will be created in a Geo based on the country/region you chose when you signed up. Specifically, your data will be stored in a datacenter in the Geo nearest to that location.

Note

Cloud App Security uses Azure datacenters around the world to provide optimized performance through geolocation. This means that a user's session may be hosted outside of a particular region, depending on traffic patterns and their location. However, to protect your privacy, no session data is stored in these datacenters.

Learn more about privacy

Transparency

Microsoft provides transparency about its practices:

  • Sharing with you where your data is stored.
  • Affirming that your data is used only to deliver agreed-upon services.
  • Specifying how Microsoft engineers and approved subcontractors use this data to provide services.

Microsoft uses strict controls to govern access to customer data, granting the lowest level of access required to complete key tasks and revoking access when it is no longer needed.

Data protection

Microsoft Cloud App Security enforces data protection during content inspection. File content isn't stored in the Cloud App Security datacenter. Only the metadata of the file records and any matches that were identified are stored.

Data retention

Microsoft Cloud App Security retains data as follows:

  • Activity log: 180 days
  • Discovery data: 90 days
  • Alerts: 180 days
  • Governance log: 120 days

You can learn more about Microsoft data practices by reading the Online Services Terms.

Learn more about transparency

Data flow

Cloud App Security provides you with the convenience of working with some data, such as alerts and activities, without disrupting your usual security workflow. For example, SecOps may prefer to view alerts in their preferred SIEM product, such as Azure Sentinel. To enable such workflows, when integrating with Microsoft or third-party products, Cloud App Security exposes some data through them.

The following table shows what data is surfaced for each product integration:

Microsoft products

Product | Exposed data | Configuration
Microsoft Threat Protection | Alerts and user activities | Enabled automatically on Microsoft Threat Protection upon onboarding
Azure Sentinel | Alerts and discovery data | Enabled in Cloud App Security and configured in Azure Sentinel
Office Security and Compliance Center | Alerts for Office 365 | Automatically streamed to Office Security and Compliance Center
Azure Security Center | Alerts for Azure | Enabled by default in Cloud App Security; can be disabled in Azure Security Center
Microsoft Graph Security API | Alerts | Available via Microsoft Graph Security API
Microsoft Power Automate | Alerts sent to trigger an automated flow | Configured in Cloud App Security

Third-party products

Integration type | Exposed data | Configuration
Using a SIEM agent | Alerts and events | Enabled and configured in Cloud App Security
Using Cloud App Security's REST API | Alerts and events | Enabled and configured in Cloud App Security
ICAP connector | File for DLP scan | Enabled and configured in Cloud App Security

Note

Other products may not enforce Cloud App Security role-based security permissions to control who has access to what data. Therefore, before integrating with another product, make sure you understand what data is sent to that product and who has access to it.

Deleting personal data

After data is deleted from a connected cloud application, Microsoft Cloud App Security will automatically delete its copy of the data within 2 years.

Exporting personal data

Microsoft Cloud App Security provides you with the ability to export all user activity and security alert information to CSV.

Security

Encryption

Microsoft uses encryption technology to protect your data while at rest in a Microsoft database and when it travels between user devices and Cloud App Security datacenters.

Note

Cloud App Security uses Transport Layer Security (TLS) 1.2 or later to provide best-in-class encryption. Native client applications and browsers that don't support TLS 1.2+ won't be accessible when configured with session control. However, SaaS apps that use TLS 1.1 or lower will appear in the browser as using TLS 1.2+ when configured with Cloud App Security.

Identity and access management

Microsoft Cloud App Security enables you to limit administrators' access to the portal based on geolocation using Azure Active Directory. It's also possible to require multi-factor authentication to access the Microsoft Cloud App Security portal by using Azure Active Directory.

Permissions

Microsoft Cloud App Security supports role-based access control. The Office 365 and Azure Active Directory Global admin and Security admin roles have full access to Cloud App Security, and Security readers have read access. For more information.

Customer controls for organizational compliance

Scoped deployment

Microsoft Cloud App Security enables you to scope your deployment. Scoping enables you to govern only specific groups using Cloud App Security, or to exclude specific groups from Cloud App Security governance. For more information, see Scoped deployment.

Anonymization

You can choose to keep Cloud Discovery reports anonymous. After your log files are uploaded to Microsoft Cloud App Security, all username information is replaced with encrypted usernames. For specific security investigations, you can resolve the real username. Private data is encrypted using AES-128 with a dedicated key per tenant. For more information.
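The anonymization described above, as an added example and not Cloud App Security's own code: a small Go program that replaces the user field in constructed Cloud Discovery log lines with an AES-128-GCM token under a dedicated per-tenant key, and resolves a token back to the real username for an investigation. The log format, the `user=` field name, the tenant IDs and keys, the `anon:` token prefix and the deterministic nonce derivation are all assumptions of this example, not the product's documented scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Tenant carries the dedicated per-tenant AES-128 key (16 bytes). The keys in
// this example are constructed inline; a deployment would load them from a key store.
type Tenant struct {
	ID  string
	Key []byte
}

// aead builds an AES-128-GCM cipher from the tenant key.
func (t Tenant) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.Key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor derives a 12-byte nonce from the username with an HMAC key that is
// itself derived from the tenant key (domain-separated from the AES key).
// Making the nonce a function of the plaintext makes the token deterministic:
// the same user always gets the same token, so anonymized reports can still be
// counted per user, and two distinct usernames never share a nonce.
// This derivation is an assumption of the example, not the product's scheme.
func (t Tenant) nonceFor(username string) []byte {
	kdf := hmac.New(sha256.New, t.Key)
	kdf.Write([]byte("example-nonce-key"))
	mac := hmac.New(sha256.New, kdf.Sum(nil))
	mac.Write([]byte(username))
	return mac.Sum(nil)[:12]
}

// Anonymize encrypts a username into "anon:" + base64url(nonce || ciphertext).
// The tenant ID is bound as associated data, so a token only resolves under
// the tenant that produced it.
func (t Tenant) Anonymize(username string) (string, error) {
	gcm, err := t.aead()
	if err != nil {
		return "", err
	}
	nonce := t.nonceFor(username)
	token := append([]byte{}, nonce...)
	token = gcm.Seal(token, nonce, []byte(username), []byte(t.ID))
	return "anon:" + base64.RawURLEncoding.EncodeToString(token), nil
}

// Resolve decrypts a token produced by Anonymize, for a specific investigation.
func (t Tenant) Resolve(token string) (string, error) {
	if !strings.HasPrefix(token, "anon:") {
		return "", errors.New("not an anonymized token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(token, "anon:"))
	if err != nil {
		return "", err
	}
	gcm, err := t.aead()
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return "", errors.New("token too short")
	}
	// Open fails if the key, the tenant ID or the token bytes do not match.
	plain, err := gcm.Open(nil, raw[:n], raw[n:], []byte(t.ID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// userField matches the user field of the constructed log format used below.
var userField = regexp.MustCompile(`\buser=(\S+)`)

// AnonymizeLogLine rewrites every user=... field in one log line before upload.
func (t Tenant) AnonymizeLogLine(line string) (string, error) {
	var firstErr error
	out := userField.ReplaceAllStringFunc(line, func(m string) string {
		tok, err := t.Anonymize(strings.TrimPrefix(m, "user="))
		if err != nil {
			firstErr = err
			return m
		}
		return "user=" + tok
	})
	return out, firstErr
}

func main() {
	// Constructed sample: one tenant and a few proxy-style log lines.
	tenant := Tenant{ID: "tenant-a", Key: []byte("0123456789abcdef")}
	lines := []string{
		"2024-01-01T10:00:00Z user=alice@contoso.example dst=box.com bytes=1234",
		"2024-01-01T10:00:05Z user=bob@contoso.example dst=dropbox.com bytes=98",
		"2024-01-01T10:00:09Z user=alice@contoso.example dst=box.com bytes=77",
	}
	for _, l := range lines {
		anon, err := tenant.AnonymizeLogLine(l)
		if err != nil {
			panic(err)
		}
		fmt.Println(anon)
	}
	// An investigator holding the tenant key resolves a single token back.
	tok, _ := tenant.Anonymize("alice@contoso.example")
	fmt.Println(tenant.Resolve(tok))
}
```

Two design points matter for a defender reviewing such a scheme: the token is deterministic per tenant, which is what keeps the anonymized report usable for per-user counts but also means equal usernames are visible as equal tokens; and the tenant ID rides along as authenticated associated data, so a token copied into another tenant's report fails to resolve rather than decrypting to the wrong name.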

Security and privacy for Cloud App Security US Government GCC High customers

For information on Cloud App Security compliance standards and the location of data for US Government GCC High customers, see the Enterprise Mobility + Security for US Government service description.

Next steps

Get a free trial of Cloud App Security, and see how it meets your business challenges.