# Getting started with Microsoft Azure security

When you build or migrate IT assets to a cloud provider, you are relying on that organization's ability to protect the applications and data you entrust to its services, and on the security controls it provides you to manage the security of your cloud-based assets.

Azure's infrastructure is designed, from the facility to the applications, to host millions of customers simultaneously and to provide a trustworthy foundation on which businesses can meet their security needs. In addition, Azure provides you with a wide array of configurable security options and the ability to control them, so that you can customize security to meet the unique requirements of your deployments.

In this overview article on Azure security, we'll look at:

  • Azure services and features you can use to help secure your services and data within Azure

  • How 21Vianet secures the Azure infrastructure to help protect your data and applications

## Data access control and encryption

21Vianet employs the principles of separation of duties and least privilege throughout Azure operations. Access to data by Azure support personnel requires your explicit permission and is granted on a just-in-time basis that is logged and audited, then revoked once the engagement is complete.

In addition, Azure provides multiple capabilities for protecting data in transit and at rest, including encryption for data, files, applications, services, communications, and drives. You have the option to encrypt information before placing it in Azure, and to keep the keys in your on-premises datacenters.


### Azure encryption technologies

You have the option to configure BitLocker Drive Encryption on VHDs containing sensitive information in Azure.

Other capabilities in Azure that help you keep your data secure include:

  • Application developers can build encryption into the applications they deploy in Azure using the Windows CryptoAPI and the .NET Framework.

  • Client-side encryption for Microsoft blob storage lets you retain complete control of the keys. The storage service never sees the keys and is incapable of decrypting the data.

  • Azure supports table-level and column-level encryption (TDE/CLE) in SQL Server virtual machines, and supports third-party on-premises key management servers in customers' datacenters.

  • Storage account keys, shared access signatures, management certificates, and other keys are unique to each Azure tenant.

  • Azure supports and uses numerous encryption mechanisms, including SSL/TLS, IPsec, and AES, depending on the data types, containers, and transports involved.
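The client-side model in the list above (the storage service holds only what it is handed and never sees a key) is easiest to understand in code. The following is an added example written for this page in Go with only the standard library; it is not the Azure Storage client library's API, and the blob name, sample content and test key are constructed for illustration. It uses envelope encryption: every object gets a fresh AES-256-GCM data key, and that data key is itself wrapped under a key-encryption key (KEK) that never leaves the customer's side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBlob is everything handed to the storage service: ciphertext plus a
// data key that is itself encrypted. The service can store it but never read it.
type EncryptedBlob struct {
	WrappedKey []byte // data key sealed under the customer's KEK (nonce || ciphertext)
	Nonce      []byte // GCM nonce for the content
	Ciphertext []byte // content ciphertext, GCM tag included
}

// gcmSeal encrypts plaintext under key with AES-GCM and a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; the tag check fails on a wrong key or any tampering.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptBlob generates a one-time 256-bit data key for this object, encrypts the
// content with it, and wraps the data key under the KEK. The blob name is bound in
// as associated data so a ciphertext cannot be silently re-homed under another name.
func EncryptBlob(kek, blobName, plaintext []byte) (EncryptedBlob, error) {
	if len(kek) != 32 {
		return EncryptedBlob{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedBlob{}, err
	}
	nonce, ct, err := gcmSeal(dataKey, plaintext, blobName)
	if err != nil {
		return EncryptedBlob{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dataKey, blobName)
	if err != nil {
		return EncryptedBlob{}, err
	}
	return EncryptedBlob{WrappedKey: append(wrapNonce, wrapped...), Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptBlob unwraps the data key with the KEK, then decrypts the content.
func DecryptBlob(kek, blobName []byte, eb EncryptedBlob) ([]byte, error) {
	const nonceSize = 12 // standard GCM nonce size produced by cipher.NewGCM
	if len(eb.WrappedKey) < nonceSize {
		return nil, errors.New("wrapped key too short")
	}
	dataKey, err := gcmOpen(kek, eb.WrappedKey[:nonceSize], eb.WrappedKey[nonceSize:], blobName)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, eb.Nonce, eb.Ciphertext, blobName)
}

func main() {
	kek := make([]byte, 32) // in practice this lives in the customer's own key store, never in Azure
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	name := []byte("reports/q1.csv") // constructed blob name
	eb, err := EncryptBlob(kek, name, []byte("customer,balance\nacme,1200\n"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-key bytes, no key material\n", len(eb.Ciphertext), len(eb.WrappedKey))
	pt, err := DecryptBlob(kek, name, eb)
	fmt.Printf("recovered: %q err=%v\n", pt, err)
}
```

What reaches storage is EncryptedBlob alone: without the KEK it yields neither the content nor the data key, and because the blob name is part of the associated data, a ciphertext copied under a different name fails authentication instead of decrypting.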

## Virtualization

The Azure platform uses a virtualized environment. User instances operate as standalone virtual machines that do not have access to the physical host server; this isolation is enforced using physical processor (ring-0/ring-3) privilege levels.

Ring 0 is the most privileged and ring 3 the least. The guest OS runs in the lesser-privileged ring 1 and applications in the least-privileged ring 3. This virtualization of physical resources leads to a clear separation between guest OS and hypervisor, resulting in additional security separation between the two.

Azure's hypervisor acts like a micro-kernel and passes all hardware access requests from guest VMs to the host for processing, using a shared-memory interface called VMBus. This prevents users from obtaining raw read/write/execute access to the system and mitigates the risk of sharing system resources.


### How Azure implements virtualization

Azure uses a hypervisor firewall (packet filter), implemented in the hypervisor and configured by a fabric controller agent, which helps protect tenants from unauthorized access. By default, when a VM is created, all traffic is blocked; the fabric controller agent then configures the packet filter to add rules and exceptions that allow authorized traffic.

Two categories of rules are programmed here:

  • Machine configuration or infrastructure rules: By default, all communication is blocked. Exceptions allow a VM to send and receive DHCP and DNS traffic. VMs can also send traffic to the public internet, to other VMs within the cluster, and to the OS activation server. The VMs' allowed list of outgoing destinations does not include Azure router subnets, the Azure management back end, or other Microsoft properties.

  • Role configuration file: Defines the inbound ACLs based on the tenant's service model. For example, if a tenant has a web front end on port 80 on a certain VM, Azure opens TCP port 80 to all IPs, provided you configure an endpoint in the Azure Service Management model. If the VM runs a back-end or worker role, the worker role is opened only to VMs within the same tenant.

## Isolation

Maintaining separation to prevent unauthorized and unintentional transfer of information between deployments in a shared multi-tenant architecture is another important cloud security requirement.

Azure implements network access control and segregation through VLAN isolation, ACLs, load balancers, and IP filters. External traffic inbound to your virtual machine(s) is restricted to the ports and protocols you define. Network filtering is implemented to prevent spoofed traffic and restricts incoming and outgoing traffic to trusted platform components. Traffic flow policies are implemented on boundary protection devices that deny traffic by default.


Network Address Translation (NAT) is used to separate internal network traffic from external traffic. Internal traffic is not externally routable. Virtual IP addresses that are externally routable are translated into internal dynamic IP addresses that are only routable within Azure.

External traffic to Azure virtual machines is firewalled via access control lists (ACLs) on routers, load balancers, and Layer 3 switches. Only specific known protocols are permitted. ACLs limit traffic originating from guest VMs to other VLANs used for management. In addition, traffic is filtered via IP filters on the host OS, further limiting traffic at both the data link and network layers.

### How Azure implements isolation

The Azure Fabric Controller is responsible for allocating infrastructure resources to tenant workloads, and manages unidirectional communications from the host to VMs. The Azure hypervisor enforces memory and process separation between VMs, and securely routes network traffic to guest OS tenants. Azure also implements isolation for tenants, storage, and virtual networks:

  • Each Azure AD tenant is logically isolated using security boundaries.

  • Azure Storage accounts are unique to each subscription, and access must be authenticated using a storage account key.

  • Virtual networks are logically isolated through a combination of unique private IP addresses, firewalls, and IP ACLs. Load balancers route traffic to the appropriate tenants based on endpoint definitions.

## Virtual Network and Firewall

The distributed and virtual networks in Azure help ensure that your private network traffic is logically isolated from traffic on other Azure virtual networks.

(Figure: Microsoft Virtual Network and Firewall in Azure)

Your subscription can contain multiple isolated private networks (including firewall, load balancing, and network address translation).

Azure provides three primary levels of network segregation in each Azure cluster to logically segregate traffic. Virtual local area networks (VLANs) separate customer traffic from the rest of the Azure network. Access to the Azure network from outside the cluster is restricted through load balancers.

Network traffic to and from VMs must pass through the hypervisor's virtual switch. The IP filter component in the root OS isolates the root VM from the guest VMs and the guest VMs from one another. It filters traffic to restrict communication between a tenant's nodes and the public Internet (based on the customer's service configuration), segregating them from other tenants.

The IP filter helps prevent guest VMs from:

  • Generating spoofed traffic

  • Receiving traffic not addressed to them

  • Directing traffic to protected infrastructure endpoints

  • Sending or receiving inappropriate broadcast traffic

You can place your virtual machines onto Azure virtual networks. These virtual networks are similar to the networks you configure in on-premises environments, where they are typically associated with a virtual switch. Virtual machines connected to the same Azure virtual network can communicate with one another without additional configuration. You also have the option to configure different subnets within your Azure virtual network.

You can use the following Azure virtual network technologies to help secure communications on your Azure virtual network:

  • Network security groups (NSG). You can use an NSG to control traffic to one or more virtual machine (VM) instances in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port.

  • User-defined routing. You can control the routing of packets through a virtual appliance by creating user-defined routes that specify the next hop for packets flowing to a specific subnet, sending them to your virtual network security appliance.

  • IP forwarding. A virtual network security appliance must be able to receive incoming traffic that is not addressed to itself. To allow a VM to receive traffic addressed to other destinations, you enable IP forwarding for the VM.

  • Forced tunneling. Forced tunneling lets you redirect or "force" all Internet-bound traffic generated by your virtual machines in an Azure virtual network back to your on-premises location via a site-to-site VPN tunnel for inspection and auditing.

  • Endpoint ACLs. You can control which machines are allowed inbound connections from the Internet to a virtual machine on your Azure virtual network by defining endpoint ACLs.

  • Partner network security solutions. A number of partner network security solutions are available from the Azure Image Marketplace.
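Three passages above describe one layered decision: the hypervisor packet filter that starts from "all traffic blocked" with DHCP/DNS exceptions and a role configuration that opens ports per service model, the four things the host IP filter stops a guest from doing, and the NSG rule fields (direction, protocol, source range and port, destination port). The following is an added example written for this page in Go, not Azure's code; it models those checks as one evaluator over constructed packets. The guest address, resolver, the 192.0.2.0/24 "protected" range and the rule set are placeholders, and the tenant layer is strict default-deny (real NSGs also carry built-in default rules, which this model leaves out).

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Packet holds the header fields the filter decides on.
type Packet struct {
	Inbound          bool // true: towards the guest VM; false: sent by the guest VM
	Proto            string
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
}

// Guest is what the fabric knows about one guest VM (a constructed model).
type Guest struct {
	Addr      netip.Addr     // address the fabric assigned to the VM
	Resolver  netip.Addr     // platform DNS server the VM may query
	Broadcast netip.Addr     // subnet broadcast address
	Protected []netip.Prefix // infrastructure ranges a guest must never reach
}

// Rule is a tenant-defined, NSG-style rule; lower Priority wins, first match ends evaluation.
type Rule struct {
	Priority int
	Inbound  bool
	Proto    string       // "*" matches any protocol
	Src      netip.Prefix // matching source range
	DstPort  uint16       // 0 matches any destination port
	Allow    bool
}

type Decision struct {
	Allowed bool
	Reason  string
}

var limitedBroadcast = netip.MustParseAddr("255.255.255.255")

// Evaluate applies the platform's fixed checks first, then the tenant's rules, then default-deny.
func Evaluate(g Guest, rules []Rule, p Packet) Decision {
	// 1. Infrastructure exceptions: DHCP, and DNS to the platform resolver, are always allowed.
	if p.Proto == "udp" && ((p.SrcPort == 68 && p.DstPort == 67) || (p.SrcPort == 67 && p.DstPort == 68)) {
		return Decision{true, "infrastructure exception: DHCP"}
	}
	if !p.Inbound && p.DstPort == 53 && p.Dst == g.Resolver {
		return Decision{true, "infrastructure exception: DNS"}
	}
	// 2. Invariants the host IP filter enforces regardless of tenant configuration.
	if p.Dst == g.Broadcast || p.Dst == limitedBroadcast {
		return Decision{false, "broadcast traffic"}
	}
	if !p.Inbound && p.Src != g.Addr {
		return Decision{false, "spoofed source address"}
	}
	if p.Inbound && p.Dst != g.Addr {
		return Decision{false, "traffic not addressed to this VM"}
	}
	for _, pfx := range g.Protected {
		if !p.Inbound && pfx.Contains(p.Dst) {
			return Decision{false, "protected infrastructure endpoint"}
		}
	}
	// 3. Tenant rules in priority order; the first matching rule decides.
	sorted := append([]Rule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.Inbound != p.Inbound || (r.Proto != "*" && r.Proto != p.Proto) {
			continue
		}
		if !r.Src.Contains(p.Src) || (r.DstPort != 0 && r.DstPort != p.DstPort) {
			continue
		}
		verb := "denied"
		if r.Allow {
			verb = "allowed"
		}
		return Decision{r.Allow, fmt.Sprintf("%s by rule priority %d", verb, r.Priority)}
	}
	// 4. Nothing matched: the VM was created with all traffic blocked, and that is what remains.
	return Decision{false, "default deny"}
}

// Pkt builds a Packet from literals so sample traffic stays readable.
func Pkt(inbound bool, proto, src string, sport uint16, dst string, dport uint16) Packet {
	return Packet{inbound, proto, netip.MustParseAddr(src), netip.MustParseAddr(dst), sport, dport}
}

// DemoGuest returns a constructed guest and tenant rule set: a web front end open to
// everyone on port 80 and a worker role reachable only from the tenant's own subnet.
func DemoGuest() (Guest, []Rule) {
	g := Guest{
		Addr:      netip.MustParseAddr("10.0.0.4"),
		Resolver:  netip.MustParseAddr("10.0.0.2"),
		Broadcast: netip.MustParseAddr("10.0.0.255"),
		Protected: []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}, // placeholder management range
	}
	return g, []Rule{
		{Priority: 100, Inbound: true, Proto: "tcp", Src: netip.MustParsePrefix("0.0.0.0/0"), DstPort: 80, Allow: true},
		{Priority: 200, Inbound: true, Proto: "tcp", Src: netip.MustParsePrefix("10.0.0.0/24"), DstPort: 8080, Allow: true},
	}
}

func main() {
	g, rules := DemoGuest()
	for _, p := range []Packet{
		Pkt(true, "tcp", "203.0.113.9", 51000, "10.0.0.4", 80),   // web front end: allowed
		Pkt(false, "tcp", "10.0.0.99", 40000, "203.0.113.9", 443), // forged source: dropped
	} {
		fmt.Printf("%+v -> %+v\n", p, Evaluate(g, rules, p))
	}
}
```

The ordering is the point: the tenant's rules are consulted only after the platform's own checks, so no NSG rule can authorize a spoofed source, a broadcast, or traffic into the protected range, and a packet no rule mentions ends where the VM started, blocked.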

### How Azure implements virtual networks and firewall

Azure implements packet-filtering firewalls on all host and guest VMs by default. Windows OS images from the Azure Gallery also have Windows Firewall enabled by default. Load balancers at the perimeter of Azure's public-facing networks control communications based on IP ACLs managed by customer administrators.

If Azure moves a customer's data as part of normal operations or during a disaster, it does so over private, encrypted communication channels. Other capabilities Azure uses in virtual networks and firewalls are:

  • Native host firewall: Azure fabric and storage run on a native OS that has no hypervisor, so the Windows Firewall is configured with the two sets of rules described above. Storage runs natively to optimize performance.

  • Host firewall: The host firewall protects the host operating system that runs the hypervisor. Its rules are programmed to allow only the fabric controller and jump boxes to talk to the host OS, on a specific port. The other exceptions allow DHCP responses and DNS replies. Azure uses a machine configuration file that holds the template of firewall rules for the host OS. The host itself is protected from external attack by a Windows Firewall configured to permit communication only from known, authenticated sources.

  • Guest firewall: Replicates the rules in the VM switch packet filter, but programmed in different software (the Windows Firewall component of the guest OS). The guest VM firewall can be configured to restrict communications to or from the guest VM even when the communication is permitted by the host IP filter's configuration. For example, you may choose to use the guest VM firewall to restrict communication between two of your VNets that have been configured to connect to one another.

  • Storage firewall (FW): The firewall on the storage front end filters traffic so that only ports 80/443 and other necessary utility ports are open. The firewall on the storage back end restricts communications to those coming from storage front-end servers.

  • Virtual network gateway: Azure virtual network gateways serve as the cross-premises gateways connecting your workloads in an Azure virtual network to your on-premises sites. They connect to on-premises sites through IPsec site-to-site VPN tunnels or through ExpressRoute circuits. For IPsec/IKE VPN tunnels, the gateways perform IKE handshakes and establish the IPsec S2S VPN tunnels between the virtual networks and on-premises sites. Virtual network gateways also terminate point-to-site VPNs.

## Secure Remote Access

Data stored in the cloud must have sufficient safeguards enabled to prevent exploits and to maintain confidentiality and integrity while in transit. This includes network controls that tie in with an organization's policy-based, auditable identity and access management mechanisms.

Built-in cryptographic technology enables you to encrypt communications within and between deployments, between Azure regions, and from Azure to on-premises datacenters. Administrator access to virtual machines through remote desktop sessions, remote Windows PowerShell, and the Azure Management Portal is always encrypted.

To securely extend your on-premises datacenter to the cloud, Azure provides both site-to-site VPN and point-to-site VPN, as well as dedicated links with ExpressRoute (connections to Azure virtual networks over VPN are encrypted).

### How Azure implements secure remote access

Connections to the Azure portal must always be authenticated and require SSL/TLS. You can configure management certificates to enable secure management. Industry-standard secure protocols such as SSTP and IPsec are fully supported.

Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure that is on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet. They offer more reliability, faster speeds, lower latencies, and higher security than typical Internet-based links. In some cases, using ExpressRoute connections to transfer data between on-premises and Azure can also yield significant cost benefits.

## Logging and monitoring

Azure provides authenticated logging of security-relevant events that generates an audit trail, and is engineered to be resistant to tampering. This includes system information such as security event logs in Azure infrastructure VMs and Azure AD. Security event monitoring includes collecting events such as changes in DHCP or DNS server IP addresses; attempted access to ports, protocols, or IP addresses that are blocked by design; changes in security policy or firewall settings; account or group creation; and unexpected process or driver installation.
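The event categories just listed are what a detection layer over host logs looks for. The following is an added example written for this page in Go, not Azure's monitoring code: a small parser for a constructed key=value log format and a detector that raises one alert per category (DNS/DHCP server change, firewall policy change, account or group creation, unsigned driver install) plus a threshold alert when one source keeps hitting ports that are blocked by design. The log lines, hostnames, addresses and event names are all invented for this example and do not reproduce any real Azure agent format.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog is a constructed batch of host security events (timestamp, then key=value pairs).
const sampleLog = `2016-03-01T10:00:01Z host=node01 event=net.config key=dns_servers old=10.0.0.2 new=203.0.113.5
2016-03-01T10:00:04Z host=node01 event=fw.drop proto=tcp src=198.51.100.7 dport=3389
2016-03-01T10:00:04Z host=node01 event=fw.drop proto=tcp src=198.51.100.7 dport=445
2016-03-01T10:00:05Z host=node01 event=fw.drop proto=tcp src=198.51.100.7 dport=22
2016-03-01T10:00:09Z host=node02 event=fw.drop proto=tcp src=192.0.2.44 dport=23
2016-03-01T10:01:00Z host=node02 event=fw.policy key=inbound_default old=deny new=allow
2016-03-01T10:02:30Z host=node02 event=account.create name=svc_backup actor=ops1
2016-03-01T10:03:10Z host=node03 event=driver.install name=netmon.sys signed=false
2016-03-01T10:03:11Z host=node03 event=driver.install name=storport.sys signed=true
2016-03-01T10:04:00Z host=node03 event=login name=ops1 result=ok`

// Event is one parsed log line.
type Event struct {
	Time   string
	Fields map[string]string
}

// Alert is what the pipeline would hand to an administrator.
type Alert struct {
	Host, Kind, Detail string
}

// Parse splits a batch into events; malformed lines are skipped rather than aborting the batch.
func Parse(batch string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(batch), "\n") {
		toks := strings.Fields(line)
		if len(toks) < 2 {
			continue
		}
		ev := Event{Time: toks[0], Fields: map[string]string{}}
		for _, kv := range toks[1:] {
			if k, v, ok := strings.Cut(kv, "="); ok {
				ev.Fields[k] = v
			}
		}
		events = append(events, ev)
	}
	return events
}

// Detect applies the monitored categories. probeThreshold is the number of distinct
// blocked ports a single source must touch before it is reported as probing.
func Detect(events []Event, probeThreshold int) []Alert {
	var alerts []Alert
	probes := map[string]map[string]bool{} // source -> set of blocked ports it tried
	probeHost := map[string]string{}       // source -> host that first reported it
	var probeOrder []string                 // keeps probe alerts in first-seen order
	for _, ev := range events {
		f := ev.Fields
		switch f["event"] {
		case "net.config":
			if f["key"] == "dns_servers" || f["key"] == "dhcp_server" {
				alerts = append(alerts, Alert{f["host"], "infra-address-change",
					fmt.Sprintf("%s %s -> %s", f["key"], f["old"], f["new"])})
			}
		case "fw.drop":
			src := f["src"]
			if probes[src] == nil {
				probes[src] = map[string]bool{}
				probeHost[src] = f["host"]
				probeOrder = append(probeOrder, src)
			}
			probes[src][f["dport"]] = true
		case "fw.policy":
			alerts = append(alerts, Alert{f["host"], "firewall-policy-change",
				fmt.Sprintf("%s %s -> %s", f["key"], f["old"], f["new"])})
		case "account.create", "group.create":
			alerts = append(alerts, Alert{f["host"], "principal-created",
				fmt.Sprintf("%s by %s", f["name"], f["actor"])})
		case "driver.install":
			if f["signed"] != "true" {
				alerts = append(alerts, Alert{f["host"], "unsigned-driver", f["name"]})
			}
		}
	}
	for _, src := range probeOrder {
		if n := len(probes[src]); n >= probeThreshold {
			alerts = append(alerts, Alert{probeHost[src], "blocked-port-probe",
				fmt.Sprintf("%s tried %d blocked ports", src, n)})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(Parse(sampleLog), 3) {
		fmt.Printf("[%s] %s: %s\n", a.Host, a.Kind, a.Detail)
	}
}
```

Single blocked-port hits are kept as counts rather than alerts, so a lone stray connection does not page anyone, while a source that walks several closed ports does; the other categories alert on the first occurrence because each one is a configuration or principal change that should always be reviewed.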


Audit logs recording privileged user access and activities, authorized and unauthorized access attempts, system exceptions, and information security events are retained for a set period of time. The retention of your own logs is at your discretion, because you configure log collection and retention to your own requirements.

### How Azure implements logging and monitoring

Azure deploys Management Agents (MA) and Azure Security Monitor (ASM) agents to each compute, storage, or fabric node under management, whether native or virtual. Each Management Agent is configured to authenticate to a service team storage account with a certificate obtained from the Azure certificate store, and to forward pre-configured diagnostic and event data to that storage account. These agents are not deployed to customers' virtual machines.

Azure administrators access logs through a web portal that provides authenticated and controlled access. An administrator can parse, filter, correlate, and analyze logs. The Azure service team storage accounts that hold the logs are protected from direct administrator access, which helps prevent log tampering.

21Vianet collects logs from network devices using the Syslog protocol, and from host servers. These logs are placed into a log database from which alerts for suspicious events are generated and sent directly to a 21Vianet administrator, who can access and analyze the logs.

Azure Diagnostics is a feature of Azure that enables you to collect diagnostic data from an application running in Azure. This data serves debugging and troubleshooting, performance measurement, resource usage monitoring, traffic analysis and capacity planning, and auditing. After the diagnostic data is collected, it can be transferred to an Azure storage account for persistence. Transfers can be either scheduled or on demand.

## Threat Mitigation

In addition to isolation, encryption, and filtering, Azure employs a number of threat mitigation mechanisms and processes to protect infrastructure and services. These include internal controls and technologies used to detect and remediate advanced threats such as DDoS and privilege escalation.

The security controls and risk management processes 21Vianet has in place to secure its cloud infrastructure reduce the risk of security incidents. But in the event an incident does occur, the customer support team is ready to respond 24 x 7.

### How Azure implements threat mitigation

Azure has security controls in place to implement threat mitigation and to assist customers in mitigating potential threats in their own environments. The list below summarizes the threat mitigation capabilities offered by Azure:

  • Azure Anti-Malware is enabled by default on all infrastructure servers. You can optionally enable it within your own VMs.

  • 21Vianet maintains continuous monitoring across servers, networks, and applications to detect threats and prevent exploits. Automated alerts notify administrators of anomalous behaviors, allowing them to take corrective action on both internal and external threats.

  • You have the option to deploy third-party security solutions within your subscriptions, such as web application firewalls from the Azure Image Marketplace.

  • Microsoft's approach to penetration testing includes "red teaming", in which Microsoft security professionals attack (non-customer) live production systems in Azure to test defenses against real-world, advanced persistent threats.

  • Integrated deployment systems manage the distribution and installation of security patches across the Azure platform.

## Next Steps

Azure Trust Center

Azure Security Team Blog

Active Directory Blog