Overview of security features in Azure Backup

One of the most important steps you can take to protect your data is to have a reliable backup infrastructure. But it's just as important to ensure that your data is backed up in a secure fashion, and that your backups are protected at all times. Azure Backup provides security for your backup environment, both when your data is in transit and when it is at rest. This article lists the security capabilities in Azure Backup that help you protect your backup data and meet the security needs of your business.

Management and control of identity and user access

Storage accounts used by Recovery Services vaults are isolated and can't be accessed by users for any malicious purpose. Access is allowed only through Azure Backup management operations, such as restore. Azure Backup lets you control those managed operations with fine-grained access using Azure role-based access control (RBAC). RBAC allows you to segregate duties within your team and grant users only the access they need to do their jobs.

Azure Backup provides three built-in roles to control backup management operations:

  • Backup Contributor - can create and manage backups, but can't delete the Recovery Services vault or grant access to others
  • Backup Operator - everything a Backup Contributor can do, except deleting backups and managing backup policies
  • Backup Reader - permission to view all backup management operations

Learn more about role-based access control to manage Azure Backup.

Azure Backup has several security controls built into the service to prevent, detect, and respond to security vulnerabilities. Learn more about security controls for Azure Backup.

Separation between guest and Azure storage

With Azure Backup, including virtual machine backup and SQL and SAP HANA backup inside VMs, the backup data is stored in Azure storage and the guest has no direct access to the backup storage or its contents. With virtual machine backup, snapshot creation and storage are performed by the Azure fabric; the guest's only involvement is quiescing the workload for application-consistent backups. With SQL and SAP HANA, the backup extension gets temporary access to write to specific blobs. In this way, even in a compromised environment, existing backups can't be tampered with or deleted by the guest.

Internet connectivity not required for Azure VM backup

Backup of Azure VMs requires moving data from the virtual machine's disks to the Recovery Services vault. However, all the required communication and data transfer happens only on the Azure backbone network, without needing to access your virtual network. Therefore, backing up Azure VMs placed inside secured networks doesn't require you to allow access to any IPs or FQDNs.

Encryption of data in transit and at rest

Encryption protects your data and helps you meet your organizational security and compliance commitments. Within Azure, data in transit between Azure storage and the vault is protected by HTTPS. This data remains on the Azure backbone network.

  • Backup data is automatically encrypted using Microsoft-managed keys. You don't need to take any explicit action to enable this encryption, and it applies to all workloads being backed up to your Recovery Services vault. You can also encrypt backed-up managed-disk VMs in the Recovery Services vault using customer-managed keys stored in Azure Key Vault.

  • Azure Backup supports backup and restore of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE). Learn more about encrypted Azure VMs and Azure Backup.

Protection of backup data from unintentional deletes

Azure Backup provides security features to help protect backup data even after deletion. With soft delete, if a user deletes the backup of a VM, the backup data is retained for 14 additional days, allowing recovery of that backup item with no data loss. The additional 14 days of retention in the soft-deleted state doesn't incur any cost to the customer. Learn more about soft delete.

Monitoring and alerts of suspicious activity

Azure Backup provides built-in monitoring and alerting capabilities to view and configure actions for events related to Azure Backup. Backup Reports serve as a one-stop destination for tracking usage, auditing backups and restores, and identifying key trends at different levels of granularity. Using Azure Backup's monitoring and reporting tools can alert you to unauthorized, suspicious, or malicious activity as soon as it occurs.
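The following is an added example, not code from this page or from Azure Backup itself, of the kind of detection logic a practitioner would run over Activity Log records for the two sections above: it flags destructive backup operations and, for each deleted backup item, computes the end of the 14-day soft-delete window in which the item can still be undeleted. The log records are constructed and simplified (a real Activity Log entry nests the outcome under status.value and carries more fields), the operation names are assumptions to verify against your own tenant's logs, and the "config change followed by delete" escalation and its one-hour window are this example's own heuristic.

```python
"""Triage constructed Azure Activity Log records for destructive Azure Backup
operations and compute the soft-delete recovery deadline (added example)."""
from datetime import datetime, timedelta

# operation name (lower-cased) -> (severity, description). Names are assumptions;
# matching is case-insensitive because the log is not consistent about case.
DESTRUCTIVE_OPS = {
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/"
    "protecteditems/delete":
        ("high", "backup item deleted; data enters the soft-deleted state"),
    "microsoft.recoveryservices/vaults/backupconfig/write":
        ("medium", "vault backup configuration changed; check the soft-delete setting"),
    "microsoft.recoveryservices/vaults/delete":
        ("critical", "Recovery Services vault deleted"),
}
SOFT_DELETE_DAYS = 14                    # retention window described above
CONFIG_THEN_DELETE = timedelta(hours=1)  # correlation window (assumption)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the Activity Log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(records):
    """Return one alert per successful destructive operation, in time order.

    A protected-item delete by a caller who changed the vault's backup
    configuration within CONFIG_THEN_DELETE is escalated to critical: turning
    soft delete off right before deleting data is the sequence that removes
    the 14-day safety net. For every delete, recover_by is the last moment the
    item can still be undeleted under a 14-day soft-delete window.
    """
    alerts = []
    last_config_write = {}  # caller -> time of their most recent config write
    for rec in sorted(records, key=lambda r: parse_ts(r["eventTimestamp"])):
        if rec.get("status") != "Succeeded":
            continue  # failed or in-progress attempts are not alerted here
        op = rec["operationName"].lower()
        if op not in DESTRUCTIVE_OPS:
            continue
        severity, note = DESTRUCTIVE_OPS[op]
        when = parse_ts(rec["eventTimestamp"])
        caller = rec["caller"]
        alert = {"severity": severity, "caller": caller, "op": op,
                 "resource": rec["resourceId"], "when": when,
                 "note": note, "recover_by": None}
        if op.endswith("/backupconfig/write"):
            last_config_write[caller] = when
        elif op.endswith("/protecteditems/delete"):
            alert["recover_by"] = when + timedelta(days=SOFT_DELETE_DAYS)
            prior = last_config_write.get(caller)
            if prior is not None and when - prior <= CONFIG_THEN_DELETE:
                alert["severity"] = "critical"
                alert["note"] += "; same caller changed backup config shortly before"
        alerts.append(alert)
    return alerts


# Constructed sample records (not real log data); IDs are placeholders.
VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.RecoveryServices/vaults/vault-prod")
ITEM = VAULT + "/backupFabrics/Azure/protectionContainers/iaasvmcontainer;x/protectedItems/vm;x"
DELETE_OP = "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/delete"
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-03-01T09:00:00Z", "caller": "alice@contoso.com",
     "status": "Succeeded", "resourceId": ITEM,
     "operationName": "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action"},
    {"eventTimestamp": "2024-03-02T22:10:00Z", "caller": "mallory@contoso.com",
     "status": "Succeeded", "resourceId": VAULT,
     "operationName": "Microsoft.RecoveryServices/Vaults/backupconfig/write"},
    {"eventTimestamp": "2024-03-02T22:20:00Z", "caller": "mallory@contoso.com",
     "status": "Succeeded", "resourceId": ITEM, "operationName": DELETE_OP},
    {"eventTimestamp": "2024-03-03T08:00:00Z", "caller": "bob@contoso.com",
     "status": "Failed", "resourceId": ITEM, "operationName": DELETE_OP},
    {"eventTimestamp": "2024-03-04T10:00:00Z", "caller": "carol@contoso.com",
     "status": "Succeeded", "resourceId": ITEM, "operationName": DELETE_OP},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(a["severity"].upper(), a["when"].isoformat(), a["caller"],
              a["note"], "| recover by:", a["recover_by"])
```

On the sample data this yields three alerts: a medium one for the configuration change, a critical one for the delete that follows it from the same caller ten minutes later, and a plain high one for the unrelated delete two days later, each delete carrying the date by which it must be undeleted. Bob's failed delete attempt is skipped by design; in a real deployment you may want to surface repeated failures as well, since they are visible in the same log.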

Security features to help protect hybrid backups

The Azure Backup service uses the Microsoft Azure Recovery Services (MARS) agent to back up and restore files, folders, and volume or system state from an on-premises computer to Azure. MARS now provides security features to help protect hybrid backups. These features include:

  • An additional layer of authentication is added whenever a critical operation like changing a passphrase is performed. This validation ensures that such operations can be performed only by users who have valid Azure credentials. Learn more about the features that prevent attacks.

  • Deleted backup data is retained for an additional 14 days from the date of deletion. This ensures recoverability of the data within that period, so there's no data loss even if an attack happens. Also, a greater number of minimum recovery points is maintained to guard against corrupt data. Learn more about recovering deleted backup data.

  • For data backed up using the MARS agent, a passphrase is used to ensure data is encrypted before upload to Azure Backup and decrypted only after download from Azure Backup. The passphrase is available only to the user who created it and to the agent configured with it; it is never transmitted to or shared with the service. As a result, any data exposed inadvertently (for example, through a man-in-the-middle attack on the network) is unusable without the passphrase, and the passphrase isn't sent over the network. The flip side is that a lost passphrase makes the backups unrecoverable, so store it securely somewhere other than the machine being backed up.
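The property described in the last bullet, encrypt on the client with a key derived from a passphrase that never leaves it and upload only ciphertext, is shown below as an added example. It is not the MARS agent's code and not its real on-disk or wire format; it is an illustration of the principle using scrypt from the standard library and AES-256-GCM from the third-party `cryptography` package, which is assumed to be installed. Function names, the salt/nonce layout and the scrypt parameters are this example's own choices.

```python
"""Passphrase-based client-side encryption before upload (added example)."""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN = 16   # random per blob, stored with the ciphertext (not secret)
NONCE_LEN = 12  # AES-GCM nonce, also stored with the ciphertext
KEY_LEN = 32    # AES-256
TAG_LEN = 16    # GCM authentication tag


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase with scrypt; parameters are illustrative."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def encrypt_for_upload(passphrase: str, plaintext: bytes,
                       label: bytes = b"") -> bytes:
    """Return salt || nonce || ciphertext+tag; this blob is all that is uploaded.

    'label' is authenticated but not encrypted metadata (for example the backup
    item name), so a blob can't be silently substituted for another item's.
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    return salt + nonce + AESGCM(key).encrypt(nonce, plaintext, label)


def decrypt_after_download(passphrase: str, blob: bytes,
                           label: bytes = b"") -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase is wrong or the blob
    (or its label) was altered in transit or at rest."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, label)
    except InvalidTag:
        return None


def observer_view(blob: bytes) -> dict:
    """What a network observer or the storage side can learn: the length and
    the non-secret salt, but nothing about the content."""
    return {"length": len(blob), "salt_hex": blob[:SALT_LEN].hex()}


if __name__ == "__main__":
    # Constructed sample data, not real backup content.
    passphrase = "correct horse battery staple"
    data = b"D:\\Finance\\payroll-2024.xlsx contents"
    blob = encrypt_for_upload(passphrase, data, label=b"item:finance-share")
    assert data not in blob                                   # nothing readable leaks
    assert decrypt_after_download(passphrase, blob, b"item:finance-share") == data
    assert decrypt_after_download("guess", blob, b"item:finance-share") is None
    print(observer_view(blob))
```

Two details matter beyond the happy path: decryption returns None rather than garbage on a wrong passphrase or a flipped ciphertext byte, because GCM's tag check fails closed, and the salt is fresh per blob so the same passphrase never yields the same key twice. Note also that the service in this model cannot help you recover a forgotten passphrase, which is exactly why the bullet above tells you to keep it somewhere safe.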

Compliance with standardized security requirements

To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data, Azure and Azure Backup offer a comprehensive set of certifications and attestations. See the list of compliance certifications.

Next steps