Azure security management and monitoring overview

This article provides an overview of the security features and services that Azure provides to aid in the management and monitoring of Azure cloud services and virtual machines.

Azure role-based access control

Azure role-based access control (Azure RBAC) provides fine-grained access management for Azure resources. By using Azure RBAC, you can grant people only the access they need to perform their jobs. Azure RBAC can also help you ensure that when people leave the organization, they lose access to resources in the cloud.

Antimalware

With Azure, you can use antimalware software from major security vendors such as Microsoft, Trend Micro, McAfee, and Kaspersky. This software helps protect your virtual machines from malicious files, adware, and other threats.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines lets you install an antimalware agent for both PaaS roles and virtual machines. Based on System Center Endpoint Protection, this feature brings proven on-premises security technology to the cloud.

We also offer deep integration for Trend's Deep Security and SecureCloud products in the Azure platform. Deep Security is an antivirus solution, and SecureCloud is an encryption solution. Deep Security is deployed inside VMs through an extension model. By using the Azure portal UI or PowerShell, you can choose to use Deep Security inside new VMs that are being spun up, or inside existing VMs that are already deployed.

Multi-Factor Authentication

Azure AD Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method. It adds a critical second layer of security to user sign-ins and transactions.

Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options (phone call, text message, mobile app notification, or mobile app verification code) and third-party OATH tokens.

ExpressRoute

You can use Azure ExpressRoute to extend your on-premises networks into the Microsoft Cloud over a dedicated private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services such as Azure, Microsoft 365, and CRM Online. Connectivity can be from:

  • An any-to-any (IP VPN) network.
  • A point-to-point Ethernet network.
  • A virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections don't go over the public internet. They can offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the internet.

Virtual network gateways

VPN gateways, also called Azure virtual network gateways, are used to send network traffic between virtual networks and on-premises locations. They are also used to send traffic between multiple virtual networks within Azure (network to network). VPN gateways provide secure cross-premises connectivity between Azure and your infrastructure.

Privileged Identity Management

Sometimes users need to carry out privileged operations in Azure resources or other SaaS applications. This often means organizations give them permanent privileged access in Azure Active Directory (Azure AD).

This is a growing security risk for cloud-hosted resources, because organizations can't sufficiently monitor what those users are doing with their privileged access. Additionally, if a user account with privileged access is compromised, that one breach can affect an organization's overall cloud security. Azure AD Privileged Identity Management helps to reduce this risk by lowering the exposure time of privileges and increasing visibility into their usage.

Privileged Identity Management introduces the concept of a temporary admin for a role, or "just in time" administrator access. This kind of admin is a user who needs to complete an activation process for the assigned role. The activation process changes the user's assignment to a role in Azure AD from inactive to active, for a specified time period.
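The two ideas above, Azure RBAC's scoped role assignments (from the first section) and Privileged Identity Management's time-bound activation, combine into a single authorization decision. The following is an added example, not Azure's implementation, that models that decision: roles are Actions minus NotActions with `*` wildcards, an assignment applies to its scope and everything nested under it, and a just-in-time activation is simply an assignment that is only active inside a window. Deny assignments and conditions, which real Azure RBAC also evaluates, are deliberately omitted. The role definitions are abbreviated copies of the built-in Reader and Contributor roles; the subscription id, resource names, principal `alice`, and the `activate` and `scenario` helpers are constructed for illustration.

```python
"""Simplified model of an Azure RBAC authorization check plus PIM-style
just-in-time activation. Added example, not Azure code; deny assignments
and conditions are omitted. All identifiers below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Iterable, Optional


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # wildcard patterns the role grants
    not_actions: tuple = ()  # patterns subtracted from actions


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str
    active_from: Optional[datetime] = None   # None on both = permanent assignment
    active_until: Optional[datetime] = None


# Abbreviated built-in roles (sample data; the real definitions carry more NotActions).
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ),
)

# Constructed scope hierarchy: subscription -> resource group -> virtual machine.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-app"
VM = RESOURCE_GROUP + "/providers/Microsoft.Compute/virtualMachines/web01"
OTHER_VM = SUBSCRIPTION + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/db01"


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope nested beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Effective permissions are Actions minus NotActions; '*' matches across '/'."""
    act = action.lower()
    granted = any(fnmatchcase(act, p.lower()) for p in role.actions)
    excluded = any(fnmatchcase(act, p.lower()) for p in role.not_actions)
    return granted and not excluded


def is_active(assignment: RoleAssignment, now: datetime) -> bool:
    """Permanent assignments are always active; JIT ones only inside their window."""
    if assignment.active_from is not None and now < assignment.active_from:
        return False
    if assignment.active_until is not None and now >= assignment.active_until:
        return False
    return True


def is_authorized(assignments: Iterable[RoleAssignment], principal: str,
                  action: str, resource_scope: str, now: datetime) -> bool:
    """Allow if any active assignment for the principal covers the scope and permits the action."""
    return any(
        a.principal == principal
        and is_active(a, now)
        and scope_covers(a.scope, resource_scope)
        and role_permits(a.role, action)
        for a in assignments
    )


def activate(eligible: RoleAssignment, now: datetime, duration: timedelta) -> RoleAssignment:
    """JIT activation: an eligible (inactive) assignment becomes active for a bounded time."""
    return RoleAssignment(eligible.principal, eligible.role, eligible.scope,
                          active_from=now, active_until=now + duration)


def scenario() -> dict:
    """alice holds Reader permanently and is eligible for Contributor on one resource group."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    standing = RoleAssignment("alice", READER, SUBSCRIPTION)
    eligible = RoleAssignment("alice", CONTRIBUTOR, RESOURCE_GROUP)
    jit = activate(eligible, t0, timedelta(hours=1))   # activation at t0 for one hour
    active = [standing, jit]
    during, after = t0 + timedelta(minutes=10), t0 + timedelta(hours=2)
    read_vm = "Microsoft.Compute/virtualMachines/read"
    write_vm = "Microsoft.Compute/virtualMachines/write"
    grant_role = "Microsoft.Authorization/roleAssignments/write"
    return {
        "read_before": is_authorized([standing], "alice", read_vm, VM, t0),
        "write_before": is_authorized([standing], "alice", write_vm, VM, t0),
        "write_during": is_authorized(active, "alice", write_vm, VM, during),
        "grant_during": is_authorized(active, "alice", grant_role, RESOURCE_GROUP, during),
        "write_other_rg": is_authorized(active, "alice", write_vm, OTHER_VM, during),
        "write_after": is_authorized(active, "alice", write_vm, VM, after),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:15} {'allow' if allowed else 'deny'}")
```

The scenario shows the two controls working together: the standing Reader assignment never lets `alice` write, the activated Contributor assignment does but only inside `rg-app` and only for the hour, and even while active it cannot hand out role assignments because of the Contributor NotActions.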

Identity Protection

Azure AD Identity Protection provides a consolidated view of suspicious sign-in activities and potential vulnerabilities to help protect your business. Identity Protection detects suspicious activities for users and privileged (admin) identities, based on signals like:

  • Brute-force attacks.
  • Leaked credentials.
  • Sign-ins from unfamiliar locations and infected devices.

By providing notifications and recommended remediation, Identity Protection helps to mitigate risks in real time. It calculates a user risk severity. You can configure risk-based policies to automatically help safeguard application access from future threats.
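To make the signals above concrete, the following added example (not Microsoft's detection logic) runs two of them over constructed sign-in events: a brute-force detector that counts failed sign-ins per account inside a sliding window, and an unfamiliar-location check against each user's known countries. It then folds the signals into a user risk level and maps that level to a risk-based policy action. The thresholds, the risk ladder, the user names, and the sample IP addresses (documentation ranges) are assumptions for illustration.

```python
"""Sample risk-signal detection over constructed sign-in events. Added example,
not Microsoft's Identity Protection logic; thresholds and data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, user, source IP, country, succeeded).
EVENTS = [
    # alice: six failures in under three minutes, then a success from an unknown country
    (datetime(2024, 1, 1, 8, 0, 0), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 0, 30), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 1, 0), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 1, 30), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 2, 0), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 2, 30), "alice", "203.0.113.7", "NL", False),
    (datetime(2024, 1, 1, 8, 3, 0), "alice", "203.0.113.7", "NL", True),
    # bob: one successful sign-in from a country not in his history
    (datetime(2024, 1, 1, 9, 15, 0), "bob", "198.51.100.9", "BR", True),
    # carol: routine successful sign-in from a known country
    (datetime(2024, 1, 1, 9, 20, 0), "carol", "192.0.2.44", "US", True),
    # dave: two isolated typos, far apart, no success
    (datetime(2024, 1, 1, 7, 0, 0), "dave", "192.0.2.51", "US", False),
    (datetime(2024, 1, 1, 7, 30, 0), "dave", "192.0.2.51", "US", False),
]

# Constructed per-user history of countries they have signed in from before.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any `window`-long span."""
    failures = defaultdict(list)
    for ts, user, _ip, _country, ok in sorted(events, key=lambda e: e[0]):
        if not ok:
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def detect_unfamiliar_locations(events, baseline):
    """Users with a successful sign-in from a country absent from their history."""
    return {
        user for _ts, user, _ip, country, ok in events
        if ok and country not in baseline.get(user, set())
    }


def user_risk(events, baseline):
    """Fold signals into a per-user level: high, medium, or low."""
    brute = detect_brute_force(events)
    unfamiliar = detect_unfamiliar_locations(events, baseline)
    succeeded = {user for _ts, user, _ip, _country, ok in events if ok}
    levels = {}
    for user in {e[1] for e in events}:
        if user in brute and user in succeeded:
            levels[user] = "high"        # a guessing run that ended in a successful sign-in
        elif user in brute or user in unfamiliar:
            levels[user] = "medium"      # a single suspicious signal
        else:
            levels[user] = "low"
    return levels


def policy_action(level):
    """Risk-based policy: block high risk, step up to MFA for medium, allow low."""
    return {"high": "block", "medium": "require_mfa", "low": "allow"}[level]


if __name__ == "__main__":
    for user, level in sorted(user_risk(EVENTS, BASELINE_COUNTRIES).items()):
        print(f"{user:6} risk={level:6} action={policy_action(level)}")
```

The sliding window is what keeps the brute-force detector from firing on normal typos: dave's two failures thirty minutes apart never reach the threshold, while alice's burst does within a few seconds of the fifth failure.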

Security Center

Azure Security Center helps you prevent, detect, and respond to threats. Security Center gives you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions. It helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Security Center helps you optimize and monitor the security of your Azure resources by:

  • Enabling you to define policies for your Azure subscription resources according to:
    • Your company's security needs.
    • The type of applications or the sensitivity of the data in each subscription.
  • Monitoring the state of your Azure virtual machines, networking, and applications.
  • Providing a list of prioritized security alerts, including alerts from integrated partner solutions. It also provides the information that you need to quickly investigate an attack and recommendations on how to remediate it.

Intelligent Security Graph

Intelligent Security Graph provides real-time threat protection in Microsoft products and services. It uses advanced analytics that link a massive amount of threat intelligence and security data to provide insights that can strengthen organizational security. Microsoft uses advanced analytics, processing more than 450 billion authentications per month, scanning 400 billion emails for malware and phishing, and updating one billion devices, to deliver richer insights. These insights can help your organization detect and respond to attacks quickly.

Next steps

Learn about the shared responsibility model and which security tasks are handled by Microsoft and which tasks are handled by you.

For more information about security management, see Security management in Azure.