Azure 备份的安全控制Security controls for Azure Backup

本文阐述了 Azure 备份中内置的安全控制。This article documents the security controls built into Azure Backup.

安全控制是促使 Azure 服务能够防范、检测和响应安全漏洞的一种服务质量或功能。A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

对于每项控制,我们使用“Yes”或“No”来指示它当前是否用于该服务,对于不适用于该服务的控制为“N/A”。For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. 我们还可能会提供有关属性的更多信息的注释或链接。We might also provide a note or links to more information about an attribute.

网络Network

安全控制Security control Yes/NoYes/No 注释Notes 文档Documentation
服务终结点支持Service endpoint support No
VNet 注入支持VNet injection support No
网络隔离和防火墙支持Network isolation and firewalling support Yes
对 Azure VM 的强制隧道支持Forced tunneling support for Azure VMs Yes
对 Azure VM 内运行的应用程序的强制隧道支持Forced tunneling support for applications running inside Azure VMs No

监视和日志记录Monitoring & logging

安全控制Security control Yes/NoYes/No 注释Notes 文档Documentation
Azure 监视支持(例如,Log Analytics、App Insights)Azure monitoring support (such as Log analytics, App insights) Yes 通过资源日志支持 Log Analytics。Log Analytics is supported via resource logs. 有关详细信息,请参阅使用 Log Analytics 监视 Azure 备份保护的工作负荷For more information, see Monitor Azure Backup protected workloads using Log Analytics.
控制和管理平面日志记录和审核Control and management plane logging and audit Yes 来自 Azure 门户的所有客户触发操作都会记录到活动日志中。All customer triggered actions from the Azure portal are logged to activity logs.
数据平面日志记录和审核Data plane logging and audit No 无法直接访问 Azure 备份数据平面。Azure Backup data plane can't be reached directly.

标识Identity

安全控制Security control Yes/NoYes/No 注释Notes 文档Documentation
身份验证Authentication Yes 身份验证通过 Azure Active Directory 来进行。Authentication is through Azure Active Directory.
授权Authorization Yes 使用客户创建的角色和 Azure 内置角色。Customer created and Azure built-in roles are used. 有关详细信息,请参阅使用基于角色的访问控制管理 Azure 备份恢复点For more information, see Use Role-Based Access Control to manage Azure Backup recovery points.

数据保护Data protection

安全控制Security control Yes/NoYes/No 注释Notes 文档Documentation
服务器端静态加密:Microsoft 管理的密钥Server-side encryption at rest: Microsoft-managed keys Yes 对存储帐户使用存储服务加密。Using storage service encryption for storage accounts.
服务器端静态加密:客户管理的密钥 (BYOK)Server-side encryption at rest: customer-managed keys (BYOK) No
列级加密(Azure 数据服务)Column level encryption (Azure Data Services) No
传输中加密(例如 ExpressRoute 加密、VNet 中加密,以及 VNet-VNet 加密)Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) No 使用 HTTPS。Using HTTPS.
加密的 API 调用API calls encrypted Yes

配置管理Configuration management

安全控制Security control Yes/NoYes/No 注释Notes 文档Documentation
配置管理支持(对配置进行版本控制,等等)Configuration management support (versioning of configuration, and so on) Yes

后续步骤Next steps