Azure operational security overview

Azure operational security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure. It's a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft. These capabilities include the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Azure management services

An IT operations team is responsible for managing datacenter infrastructure, applications, and data, including the stability and security of these systems. However, gaining security insights across increasingly complex IT environments often requires organizations to cobble together data from multiple security and management systems.

Azure Monitor logs is a cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. Its core functionality is provided by the following services that run in Azure. Azure includes multiple services that help you manage and protect your on-premises and cloud infrastructure. Each service provides a specific management function, and you can combine services to achieve different management scenarios.

Azure Monitor

Azure Monitor collects data from managed sources into central data stores. This data can include events, performance data, or custom data provided through the API. After the data is collected, it's available for alerting, analysis, and export.

You can consolidate data from a variety of sources and combine data from your Azure services with your existing on-premises environment. Azure Monitor logs also clearly separates the collection of the data from the action taken on that data, so that all actions are available to all kinds of data.

Automation

Azure Automation provides a way for you to automate the manual, long-running, error-prone, and frequently repeated tasks that are commonly performed in a cloud and enterprise environment. It saves time and increases the reliability of administrative tasks. It can even schedule these tasks to be performed automatically at regular intervals. You can automate processes by using runbooks or automate configuration management by using Desired State Configuration.

Backup

Azure Backup is the Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft Cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that's reliable, secure, and cost-competitive.

Azure Backup offers components that you download and deploy on the appropriate computer or server, or in the cloud. The component, or agent, that you deploy depends on what you want to protect. All Azure Backup components (whether you're protecting data on-premises or in the cloud) can be used to back up data to an Azure Recovery Services vault in Azure.

For more information, see the Azure Backup components table.

Site Recovery

Azure Site Recovery provides business continuity by orchestrating the replication of on-premises virtual and physical machines to Azure, or to a secondary site. If your primary site is unavailable, you fail over to the secondary location so that users can keep working. You fail back when systems return to working order. Use Azure Security Center to perform more intelligent and effective threat detection.

Azure Active Directory

Azure Active Directory (Azure AD) is a comprehensive identity service that:

  • Enables identity and access management (IAM) as a cloud service.
  • Provides central access management, single sign-on (SSO), and reporting.
  • Supports integrated access management for thousands of applications in the Azure Marketplace.

Azure AD also includes a full suite of identity management capabilities, including these:

With Azure Active Directory, all applications that you publish for your partners and customers (business or consumer) have the same identity and access management capabilities. This enables you to significantly reduce your operational costs.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into (and control over) the security of your Azure resources. It provides integrated security monitoring and policy management across your subscriptions. It helps detect threats that might otherwise go unnoticed, and it works with a broad ecosystem of security solutions.

Safeguard virtual machine (VM) data in Azure by gaining visibility into your virtual machines' security settings and monitoring for threats. Security Center can monitor your virtual machines for:

  • Operating system security settings with the recommended configuration rules.
  • System security and critical updates that are missing.
  • Endpoint protection recommendations.
  • Disk encryption validation.
  • Network-based attacks.

Security Center uses Azure role-based access control (Azure RBAC). Azure RBAC provides built-in roles that can be assigned to users, groups, and services in Azure.

Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. In Security Center, you see information related to a resource only when you're assigned the role of owner, contributor, or reader for the subscription or resource group that the resource belongs to.

Note

To learn more about roles and allowed actions in Security Center, see Permissions in Azure Security Center.

Security Center uses the Microsoft Monitoring Agent. This is the same agent that the Azure Monitor service uses. Data collected by this agent is stored either in an existing Log Analytics workspace associated with your Azure subscription or in a new workspace, taking into account the geolocation of the VM.

Azure Monitor

Performance issues in your cloud app can affect your business. With multiple interconnected components and frequent releases, degradations can happen at any time. And if you're developing an app, your users usually discover issues that you didn't find in testing. You should know about these issues immediately, and you should have tools for diagnosing and fixing the problems.

Azure Monitor is a basic tool for monitoring services running on Azure. It gives you infrastructure-level data about the throughput of a service and the surrounding environment. If you're managing your apps all in Azure and deciding whether to scale resources up or down, Azure Monitor is the place to start.

You can also use monitoring data to gain deep insights about your application. That knowledge can help you improve application performance or maintainability, or automate actions that would otherwise require manual intervention.

Azure Monitor includes the following components.

Azure Activity Log

The Azure Activity Log provides insight into the operations that were performed on resources in your subscription. It was previously known as the "Audit Log" or "Operational Log," because it reports control-plane events for your subscriptions.

Azure diagnostic logs

Azure diagnostic logs are emitted by a resource and provide rich, frequent data about the operation of that resource. The content of these logs varies by resource type.

Windows event system logs are one category of diagnostic logs for VMs. Blob, table, and queue logs are categories of diagnostic logs for storage accounts.

Diagnostic logs differ from the Activity Log. The Activity Log provides insight into the operations that were performed on resources in your subscription. Diagnostic logs provide insight into operations that your resource performed itself.

Metrics

Azure Monitor provides telemetry that gives you visibility into the performance and health of your workloads on Azure. The most important type of Azure telemetry data is the metrics (also called performance counters) emitted by most Azure resources. Azure Monitor provides several ways to configure and consume these metrics for monitoring and troubleshooting.

Azure Diagnostics

Azure Diagnostics enables the collection of diagnostic data on a deployed application. You can use the Diagnostics extension from various sources. Currently supported are Azure cloud service roles, Azure virtual machines running Microsoft Windows, and Azure Service Fabric.

Azure Network Watcher

Customers build an end-to-end network in Azure by orchestrating and composing individual network resources such as virtual networks, Azure ExpressRoute, Azure Application Gateway, and load balancers. Monitoring is available on each of the network resources.

The end-to-end network can have complex configurations and interactions between resources. The result is complex scenarios that need scenario-based monitoring through Azure Network Watcher.

Network Watcher simplifies monitoring and diagnosing of your Azure network. You can use the diagnostic and visualization tools in Network Watcher to:

  • Take remote packet captures on an Azure virtual machine.
  • Gain insights into your network traffic by using flow logs.
  • Diagnose Azure VPN Gateway and connections.

Network Watcher currently has the following capabilities:

  • Topology: Provides a view of the various interconnections and associations between network resources in a resource group.
  • Variable packet capture: Captures packet data in and out of a virtual machine. Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The packet data can be stored in a blob store or on the local disk in .cap format.
  • IP flow verify: Checks whether a packet is allowed or denied based on the 5-tuple packet parameters for flow information (destination IP, source IP, destination port, source port, and protocol). If a security group denies the packet, the rule and group that denied the packet are returned.
  • Next hop: Determines the next hop for packets being routed in the Azure network fabric, so you can diagnose any misconfigured user-defined routes.
  • Security group view: Gets the effective security rules that are applied on a VM.
  • NSG flow logs for network security groups: Enable you to capture logs related to traffic that is allowed or denied by the security rules in the group. The flow is defined by 5-tuple information: source IP, destination IP, source port, destination port, and protocol.
  • Virtual network gateway and connection troubleshooting: Provides the ability to troubleshoot virtual network gateways and connections.
  • Network subscription limits: Enables you to view network resource usage against limits.
  • Diagnostic logs: Provides a single pane to enable or disable diagnostic logs for network resources in a resource group.
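The IP flow verify check described above evaluates a 5-tuple against the security rules of a network security group and reports which rule and group made the decision. The following is an added illustration of that evaluation, not code from Network Watcher or this page; it assumes the standard NSG semantics (rules evaluated in ascending priority number, first match wins, a catch-all deny at the lowest priority) and uses a constructed rule set and group name.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first (Azure NSG semantics, assumed here)
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "Tcp", "Udp" or "*" for any
    src_prefix: str    # CIDR or "*" for any
    dst_prefix: str
    src_port: str      # single port, "lo-hi" range, or "*"
    dst_port: str
    access: str        # "Allow" or "Deny"

def _prefix_match(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port

def verify_flow(group: str, rules, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, protocol: str, direction: str) -> Tuple[str, str, Optional[str]]:
    """Return (access, group, rule_name) for the first rule that matches the 5-tuple."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_prefix_match(r.src_prefix, src_ip) and _prefix_match(r.dst_prefix, dst_ip)
                and _port_match(r.src_port, src_port) and _port_match(r.dst_port, dst_port)):
            return (r.access, group, r.name)
    return ("Deny", group, None)  # unreachable when a catch-all deny rule is present

# Constructed sample rule set for a hypothetical group "nsg-web"; the last rule mirrors
# the default catch-all deny that every NSG carries.
SAMPLE_RULES = [
    Rule("AllowHTTPS", 100, "Inbound", "Tcp", "*", "10.0.0.0/24", "*", "443", "Allow"),
    Rule("DenyRDPFromInternet", 200, "Inbound", "Tcp", "*", "*", "*", "3389", "Deny"),
    Rule("DenyAllInbound", 65500, "Inbound", "*", "*", "*", "*", "*", "Deny"),
]

if __name__ == "__main__":
    print(verify_flow("nsg-web", SAMPLE_RULES, "203.0.113.5", "10.0.0.4", 51000, 443, "Tcp", "Inbound"))
```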

For more information, see Configure Network Watcher.

Next steps

To learn about the Security and Audit solution, see the following articles: