Security in Azure Cosmos DB - overview

This article discusses database security best practices and the key features Azure Cosmos DB offers to help you prevent, detect, and respond to database breaches.

What's new in Azure Cosmos DB security

Encryption at rest is now available for documents and backups stored in Azure Cosmos DB in all Azure China regions. It is applied automatically for both new and existing customers in these regions. There is nothing to configure, and you keep the same latency, throughput, availability, and functionality as before, with the added assurance that your data is encrypted at rest.

How do I secure my database?

Data security is a shared responsibility between you, the customer, and your database provider. How much of that responsibility you carry depends on the provider you choose. If you choose an on-premises solution, you must provide everything from endpoint protection to the physical security of your hardware, which is no easy task. If you choose a PaaS cloud database provider such as Azure Cosmos DB, your area of concern shrinks considerably. The following image, taken from our Shared Responsibilities for Cloud Computing white paper, shows how your responsibility decreases with a PaaS provider like Azure Cosmos DB.

Responsibilities of the customer and the database provider

The preceding diagram shows high-level cloud security components, but which items do you need to worry about specifically for your database solution? And how can you compare solutions to each other?

We recommend the following checklist of requirements on which to compare database systems:

  • Network security and firewall settings
  • User authentication and fine-grained user controls
  • Ability to replicate data to multiple regions to withstand regional failures
  • Ability to fail over from one datacenter to another
  • Local data replication within a datacenter
  • Automatic data backups
  • Restoration of deleted data from backups
  • Protection and isolation of sensitive data
  • Monitoring for attacks
  • Responding to attacks
  • Ability to geo-fence data to comply with data governance restrictions
  • Physical protection of servers in protected datacenters
  • Certifications

And although it may seem obvious, recent large-scale database breaches remind us of the simple but critical importance of the following requirements:

  • Patched servers that are kept up to date
  • HTTPS/TLS encryption by default
  • Administrative accounts with strong passwords

How does Azure Cosmos DB secure my database?

Let's look back at the preceding list: how many of those security requirements does Azure Cosmos DB provide? Every single one.

Let's dig into each one in detail.

The list below pairs each security requirement with Azure Cosmos DB's security approach.

Network security
Using an IP firewall is the first layer of protection for your database. Azure Cosmos DB supports policy-driven, IP-based access control for inbound connections. These controls are similar to the firewall rules used by traditional database systems, but they apply to the whole account, so an Azure Cosmos DB account is reachable only from an approved set of machines or cloud services.

You can allow a specific IP address (for example 168.61.48.0), an IP range in CIDR notation, or any combination of addresses and ranges. Check the prefix length before you save a range: in CIDR notation 168.61.48.0/8 denotes 168.0.0.0/8, the entire 168.x.x.x block of roughly 16 million addresses, not a subnet that begins at 168.61.48.0; a /24 would cover 168.61.48.0 through 168.61.48.255.

All requests originating from machines outside this allow list are blocked by Azure Cosmos DB. Requests from approved machines and cloud services must then complete the authentication process before they are granted access to resources.

Learn more in Azure Cosmos DB firewall support.
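The allow-list evaluation described above, as an added example that is not part of the Azure Cosmos DB documentation or the service's own code: it parses entries in the article's style (single addresses, CIDR ranges, or a mix), decides whether a request's source address is allowed, and rejects a range whose host bits are set so that the 168.61.48.0/8 slip is caught rather than silently widened. The rule set and the addresses tested are constructed samples.

```python
"""Added example: evaluate a Cosmos DB-style IP allow list offline.

This is not the service's parser; it models the semantics the article
describes (allow single addresses and CIDR ranges, block everything else)
with Python's standard ipaddress module. All addresses are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Turn allow-list entries into network objects.

    A bare address becomes a /32 (or /128 for IPv6). strict=True makes
    ipaddress raise ValueError for a range whose host bits are set, which is
    exactly the 168.61.48.0/8 mistake: that string denotes 168.0.0.0/8.
    """
    networks: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        networks.append(ipaddress.ip_network(raw, strict=True))
    return networks


def is_allowed(source_ip: str, networks: List[Network]) -> bool:
    """True if the request's source address falls inside any allowed entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def widened_range(entry: str) -> str:
    """What a sloppy CIDR entry would really match if it were accepted as-is."""
    return str(ipaddress.ip_network(entry, strict=False))


# Constructed sample rules: one single host plus one /24 range.
SAMPLE_ALLOW_LIST = ["168.61.48.0", "10.20.30.0/24"]


if __name__ == "__main__":
    rules = parse_allow_list(SAMPLE_ALLOW_LIST)
    for ip in ("168.61.48.0", "10.20.30.77", "10.20.31.1", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(ip, rules) else "blocked")
    print("168.61.48.0/8 really means", widened_range("168.61.48.0/8"))
    try:
        parse_allow_list(["168.61.48.0/8"])
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the four sample addresses classified and the /8 entry rejected; the strict parse is the check worth copying into any tooling that writes firewall rules for you, because a widened range is an allow-list hole that no later authentication step will close.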
Authorization
Azure Cosmos DB uses a hash-based message authentication code (HMAC) for authorization. Each request is signed with the secret account key over the request's properties (the HTTP verb, the resource type, the resource link, and the request date), and the resulting base64-encoded hash is sent with each call to Azure Cosmos DB. To validate the request, the service uses the correct secret key and the same properties to generate a hash and compares it with the value in the request. If the two values match, the operation is authorized and the request is processed; otherwise authorization fails and the request is rejected.

You can use either a master key or a resource token, which allows fine-grained access to a resource such as a document.

Learn more in Securing access to Azure Cosmos DB resources.
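The signing and verification exchange described above, as an added example that is not code from the Azure Cosmos DB documentation or SDK: the client builds the string-to-sign, computes HMAC-SHA256 with the base64-decoded master key, and URL-encodes `type=master&ver=1.0&sig=<base64 hash>` into the Authorization header; the server recomputes the hash from the request it actually received and compares in constant time. The string-to-sign layout (lower-cased verb, lower-cased resource type, case-preserved resource link, lower-cased x-ms-date, then an empty line) follows the published REST API access-control rules. The master key, the date, and the resource link below are constructed sample values, not real secrets.

```python
"""Added example: master-key request signing for Azure Cosmos DB, standard
library only. The string-to-sign layout and header format follow the REST
API access-control documentation; the key, date and resource link are
constructed samples.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample key (64 bytes, base64-encoded like a real account key).
SAMPLE_MASTER_KEY = base64.b64encode(bytes(range(64))).decode()
# The value sent in the x-ms-date header, RFC 1123 format (sample).
SAMPLE_DATE = "Thu, 27 Apr 2017 00:51:12 GMT"
SAMPLE_RESOURCE_LINK = "dbs/ToDoList/colls/Items"  # sample container link


def string_to_sign(verb: str, resource_type: str, resource_link: str, date: str) -> str:
    """Canonical request text. Only the resource link keeps its case."""
    return f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date.lower()}\n\n"


def sign(master_key_b64: str, verb: str, resource_type: str, resource_link: str, date: str) -> str:
    """HMAC-SHA256 over the canonical text, keyed with the decoded master key."""
    key = base64.b64decode(master_key_b64)
    payload = string_to_sign(verb, resource_type, resource_link, date).encode("utf-8")
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


def authorization_header(master_key_b64: str, verb: str, resource_type: str,
                         resource_link: str, date: str) -> str:
    """Client side: the URL-encoded Authorization header value."""
    sig = sign(master_key_b64, verb, resource_type, resource_link, date)
    return urllib.parse.quote(f"type=master&ver=1.0&sig={sig}", safe="")


def verify(master_key_b64: str, header: str, verb: str, resource_type: str,
           resource_link: str, date: str) -> bool:
    """Server side: recompute from the request as received, compare in constant time.

    The header is split by hand rather than with parse_qs, which would turn a
    '+' inside the base64 signature into a space.
    """
    fields = dict(part.split("=", 1) for part in urllib.parse.unquote(header).split("&"))
    if fields.get("type") != "master" or "sig" not in fields:
        return False
    expected = sign(master_key_b64, verb, resource_type, resource_link, date)
    return hmac.compare_digest(fields["sig"], expected)


if __name__ == "__main__":
    header = authorization_header(SAMPLE_MASTER_KEY, "GET", "docs", SAMPLE_RESOURCE_LINK, SAMPLE_DATE)
    print("Authorization:", header)
    # Genuine request: verb, type, link and date all match what was signed.
    print("GET verified:", verify(SAMPLE_MASTER_KEY, header, "GET", "docs", SAMPLE_RESOURCE_LINK, SAMPLE_DATE))
    # Replayed header on a different verb: the recomputed hash no longer matches.
    print("POST with same header:", verify(SAMPLE_MASTER_KEY, header, "POST", "docs", SAMPLE_RESOURCE_LINK, SAMPLE_DATE))
```

Because the date is part of the signed text, a captured header is only useful for the same verb, resource, and timestamp; the service additionally bounds how far x-ms-date may drift from its own clock, which this offline example does not model.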
Users and permissions
Using the account's master key, you can create user resources and permission resources per database. A resource token is associated with a permission in a database and determines whether the user has read-write, read-only, or no access to an application resource in that database. Application resources include containers, documents, attachments, stored procedures, triggers, and UDFs. The resource token is then presented during authentication to grant or deny access to the resource.

Learn more in Securing access to Azure Cosmos DB resources.
Active Directory integration (RBAC)
You can also grant or restrict access to the Cosmos DB account, databases, containers, and offers (throughput) through Access control (IAM) in the Azure portal. IAM provides role-based access control and integrates with Active Directory; you can assign built-in or custom roles to individuals and groups. See the Active Directory integration article for more information.
Multiple-region replication
Azure Cosmos DB offers turnkey multiple-region distribution, which lets you replicate your data to any of Azure's datacenters across China with the click of a button. Multiple-region replication lets you scale across regions and provides low-latency access to your data around China.

In the context of security, multiple-region replication protects your data against regional failures.

Learn more in Distribute data across multiple regions.
Regional failovers
If you have replicated your data to more than one datacenter, Azure Cosmos DB automatically rolls your operations over to another region should a regional datacenter go offline. You can create a prioritized list of failover regions from the regions in which your data is replicated.

Learn more in Regional failovers in Azure Cosmos DB.
Local replication
Even within a single datacenter, Azure Cosmos DB automatically replicates data for high availability and lets you choose the consistency level. This replication guarantees a 99.99% availability SLA for all single-region accounts and for all multi-region accounts with relaxed consistency, and 99.999% read availability for all multi-region database accounts.
Automated online backups
Azure Cosmos DB databases are backed up regularly and stored in geo-redundant storage.

Learn more in Automatic online backup and restore with Azure Cosmos DB.
Restore deleted data
The automated online backups can be used to recover data you accidentally deleted, for up to about 30 days after the deletion.

Learn more in Automatic online backup and restore with Azure Cosmos DB.
Protect and isolate sensitive data
All data in the regions listed under What's new is now encrypted at rest.

Personal data and other confidential data can be isolated in specific containers, and read-write or read-only access to those containers can be limited to specific users.
Monitor for attacks
By using audit logging and activity logs, you can monitor your account for normal and abnormal activity. You can view which operations were performed on your resources, who initiated each operation, when it occurred, its status, and more, as shown in the screenshot following this table.
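Detection logic over activity-log records, as an added example that is not from the Azure Cosmos DB documentation or any Microsoft tool: it reads events shaped like exported Azure Activity Log entries (operationName.value, caller, status.value, eventTimestamp, resourceId), flags key reads, key regeneration, account writes, deletions and failed operations, and reports callers that list the account keys repeatedly. The `Microsoft.DocumentDB/databaseAccounts/...` operation names are the provider's real operation identifiers; the callers, timestamps, subscription ID and resource ID are constructed, and which operations count as sensitive and the repeat threshold are this example's own policy, not something the article defines.

```python
"""Added example: triage Azure Activity Log events for a Cosmos DB account.

The event shape mirrors exported Activity Log records; every caller,
timestamp and resource ID below is a constructed sample, and the list of
"sensitive" operations is this example's own choice.
"""
import json
from collections import Counter
from typing import Dict, List

LIST_KEYS = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

SENSITIVE_OPERATIONS = {
    LIST_KEYS: "account key read",
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action": "account key regenerated",
    "Microsoft.DocumentDB/databaseAccounts/write": "account settings changed (firewall, regions, ...)",
    "Microsoft.DocumentDB/databaseAccounts/delete": "account deleted",
}

# Constructed resource ID; the subscription GUID is a placeholder.
SAMPLE_RESOURCE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                      "/providers/Microsoft.DocumentDB/databaseAccounts/demo-cosmos")


def _event(ts: str, caller: str, operation: str, status: str) -> Dict:
    """Build one record in the Activity Log event shape (constructed sample)."""
    return {
        "eventTimestamp": ts,
        "caller": caller,
        "operationName": {"value": operation, "localizedValue": operation.rsplit("/", 1)[-1]},
        "status": {"value": status},
        "category": {"value": "Administrative"},
        "resourceId": SAMPLE_RESOURCE_ID,
    }


# Constructed sample log: a routine key read, a benign read, two failures from
# one user, and a service principal reading the keys three times in a minute.
SAMPLE_EVENTS_JSON = json.dumps([
    _event("2018-05-01T08:00:00Z", "alice@contoso.example", LIST_KEYS, "Succeeded"),
    _event("2018-05-01T08:05:00Z", "carol@contoso.example", "Microsoft.DocumentDB/databaseAccounts/read", "Succeeded"),
    _event("2018-05-01T09:10:00Z", "bob@contoso.example", "Microsoft.DocumentDB/databaseAccounts/write", "Failed"),
    _event("2018-05-01T09:12:00Z", "bob@contoso.example", "Microsoft.DocumentDB/databaseAccounts/read", "Failed"),
    _event("2018-05-01T22:00:00Z", "automation-sp", LIST_KEYS, "Succeeded"),
    _event("2018-05-01T22:00:30Z", "automation-sp", LIST_KEYS, "Succeeded"),
    _event("2018-05-01T22:01:00Z", "automation-sp", LIST_KEYS, "Succeeded"),
])


def parse_events(raw_json: str) -> List[Dict]:
    """Load an exported JSON array of Activity Log events."""
    return json.loads(raw_json)


def triage(events: List[Dict]) -> List[Dict]:
    """Return the events a responder should read first, with the reason."""
    findings = []
    for ev in events:
        op = ev["operationName"]["value"]
        status = ev["status"]["value"]
        if op in SENSITIVE_OPERATIONS:
            reason = SENSITIVE_OPERATIONS[op]
        elif status == "Failed":
            reason = "failed operation"
        else:
            continue
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": ev.get("caller", "<unknown>"),
            "operation": op,
            "status": status,
            "reason": reason,
        })
    return findings


def repeated_key_reads(events: List[Dict], threshold: int = 2) -> Dict[str, int]:
    """Callers that successfully listed the account keys at least `threshold` times."""
    counts = Counter(
        ev.get("caller", "<unknown>")
        for ev in events
        if ev["operationName"]["value"] == LIST_KEYS and ev["status"]["value"] == "Succeeded"
    )
    return {caller: n for caller, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS_JSON)
    for f in triage(events):
        print(f"{f['time']} {f['caller']:<24} {f['status']:<9} {f['reason']}")
    print("repeated key reads:", repeated_key_reads(events))
```

A key read by itself is normal operational activity; what makes it worth an alert is a caller, time of day, or frequency that does not match your deployment pipeline, which is why the example keeps the per-caller count separate from the per-event findings.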
Respond to attacks
Once you have contacted Azure support to report a potential attack, a 5-step incident response process is kicked off. The goal of that process is to restore normal service security and operations as quickly as possible after an issue is detected and an investigation is started.

Learn more in Azure Security Response in the Cloud.
Geo-fencing
Azure Cosmos DB ensures data governance for sovereign regions (for example Germany, China, and US Government).
Protected facilities
Data in Azure Cosmos DB is stored on SSDs in Azure's protected datacenters.

HTTPS/SSL/TLS encryption
All client-to-service Azure Cosmos DB interactions are SSL/TLS 1.2 capable. In addition, all intra-datacenter and cross-datacenter replication enforces SSL/TLS 1.2.
Encryption at rest
All data stored in Azure Cosmos DB is encrypted at rest. Learn more in Azure Cosmos DB encryption at rest.
Patched servers
As a managed database, Azure Cosmos DB eliminates the need to manage and patch servers; that is done for you automatically.
Administrative accounts with strong passwords
It's hard to believe this requirement still needs mentioning, but unlike some competing products, Azure Cosmos DB does not allow an administrative account without a credential: every request must carry a signature made with the account key or a resource token.

Security via SSL and HMAC secret-based authentication is built in by default.
Security and data protection certifications
For the most up-to-date list of certifications, see the overall Azure Compliance site as well as the latest Azure Compliance document listing all certifications (search for Cosmos). For a more focused read, see the April 25, 2018 post Azure #CosmosDB: Secure, private, compliant, which covers SOC 1/2 Type 2, HITRUST, PCI DSS Level 1, ISO 27001, HIPAA, FedRAMP High, and many others.

The following screenshot shows how you can use audit logging and activity logs to monitor your account:

Activity logs for Azure Cosmos DB

Next steps

For more information about master keys and resource tokens, see Securing access to Azure Cosmos DB data.

For more information about audit logging, see Azure Cosmos DB diagnostic logging.

For more information about Azure certifications, see the Azure Trust Center.