Secure Azure Data Explorer clusters in Azure

This article provides an introduction to security in Azure Data Explorer to help you protect your data and resources in the cloud and meet the security needs of your business. It's important to keep your clusters secure. Securing a cluster relies on one or more Azure features, including secure access and secure storage. This article provides information to help you keep your cluster secure.

Managed identities for Azure resources

A common challenge when building cloud applications is managing the credentials your code uses to authenticate to cloud services. Keeping those credentials secure is an important task. They shouldn't be stored on developer workstations or checked into source control. Azure Key Vault provides a way to store credentials, secrets, and other keys securely, but your code still has to authenticate to Key Vault to retrieve them.

The Azure Active Directory (Azure AD) managed identities for Azure resources feature solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use that identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without placing any credentials in your code. For more information about this service, see the managed identities for Azure resources overview page.
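The flow described above, as an added example that is not part of the original article: code running on an Azure VM asks the local Instance Metadata Service (IMDS) for a token for the Key Vault audience, then reads a secret with that token. No credential appears in the code. The vault name, secret name and the fake transport are constructed so the flow can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # audience for Key Vault tokens


def http_get_json(url, headers):
    """Default transport: plain GET returning parsed JSON (used on a real VM)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def get_managed_identity_token(resource=KEY_VAULT_RESOURCE, transport=http_get_json):
    """Ask the VM-local IMDS endpoint for a token for `resource`. No secret is
    sent; the platform identifies the VM. The 'Metadata: true' header is
    mandatory and stops requests relayed through redirects or proxies."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    body = transport(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if body.get("token_type") != "Bearer" or body.get("resource") != resource:
        raise RuntimeError("unexpected token response from IMDS")
    return body["access_token"]


def read_key_vault_secret(vault_name, secret_name, transport=http_get_json):
    """Read a secret using the managed identity's token. The identity must be
    granted read access on the vault; nothing is stored in the code."""
    token = get_managed_identity_token(transport=transport)
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version=7.4")
    body = transport(url, {"Authorization": f"Bearer {token}"})
    return body["value"]


def fake_transport(url, headers):
    """Constructed stand-in for IMDS and Key Vault so the flow runs offline."""
    if url.startswith(IMDS_TOKEN_URL):
        assert headers.get("Metadata") == "true", "IMDS rejects calls without the Metadata header"
        return {"access_token": "eyJ.constructed.token", "token_type": "Bearer",
                "expires_on": "1893456000", "resource": KEY_VAULT_RESOURCE}
    if url.startswith("https://") and ".vault.azure.net/secrets/" in url:
        assert headers.get("Authorization") == "Bearer eyJ.constructed.token"
        return {"value": "adx-ingest-conn-string-constructed", "id": url.split("?")[0]}
    raise RuntimeError(f"unexpected request: {url}")


if __name__ == "__main__":
    # Constructed vault and secret names; swap transport for http_get_json on a real VM.
    print(read_key_vault_secret("contoso-kv", "adx-connection", transport=fake_transport))
```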

Data encryption

Azure Disk Encryption

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It provides volume encryption for the OS and data disks of your cluster's virtual machines. Azure Disk Encryption also integrates with Azure Key Vault, which lets you control and manage the disk encryption keys and secrets and ensure that all data on the VM disks is encrypted.

Role-based access control

Using role-based access control (RBAC), you can segregate duties within your team and grant cluster users only the access they require. Instead of giving everybody unrestricted permissions on the cluster, you can allow only certain actions. You can configure access control for the databases in the Azure portal, using the Azure CLI, or using Azure PowerShell.

Next steps