Best practices for securing PaaS databases in Azure

In this article, we discuss a collection of Azure SQL Database and Azure Synapse Analytics security best practices for securing your platform-as-a-service (PaaS) web and mobile applications. These best practices are derived from our experience with Azure and the experiences of customers like yourself.

Azure SQL Database and Azure Synapse Analytics provide a relational database service for your internet-based applications. Let's look at services that help protect your applications and data when using Azure SQL Database and Azure Synapse Analytics in a PaaS deployment:

  • Azure Active Directory authentication (instead of SQL Server authentication)
  • Azure SQL firewall
  • Transparent Data Encryption (TDE)

Use a centralized identity repository

Azure SQL Database can be configured to use one of two types of authentication:

  • SQL authentication uses a username and password. When you created the server for your database, you specified a "server admin" login with a username and password. Using these credentials, you can authenticate to any database on that server as the database owner.

  • Azure Active Directory authentication uses identities managed by Azure Active Directory and is supported for managed and integrated domains. To use Azure Active Directory authentication, you must create another server admin called the "Azure AD admin," which is allowed to administer Azure AD users and groups. This admin can also perform all operations that a regular server admin can.

Azure Active Directory authentication is a mechanism for connecting to Azure SQL Database and Azure Synapse Analytics by using identities in Azure Active Directory (AD). Azure AD provides an alternative to SQL Server authentication so you can stop the proliferation of user identities across database servers. Azure AD authentication enables you to manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

Benefits of using Azure AD instead of SQL authentication

  • Allows password rotation in a single place.
  • Manages database permissions using external Azure AD groups.
  • Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure AD.
  • Uses contained database users to authenticate identities at the database level.
  • Supports token-based authentication for applications connecting to SQL Database.
  • Supports domain federation with Active Directory Federation Services (ADFS) or native user/password authentication for a local Azure AD without domain synchronization.
  • Supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options: phone call, text message, smart cards with PIN, or mobile app notification. For more information, see Universal Authentication with SQL Database and Azure Synapse Analytics.
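
The group-based, contained-user model from the list above, as an added T-SQL example (not part of the original article): it maps an Azure AD group to a contained database user, then lists the password-based users that still hold role memberships. The group name `app-readers` is hypothetical.

```sql
-- Added example; run in the user database (not master) while connected
-- as the Azure AD admin. [app-readers] is a hypothetical Azure AD group.

-- 1. Contained database user backed by an Azure AD group: no password is
--    stored in the database, and membership is managed in Azure AD.
CREATE USER [app-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [app-readers];

-- 2. Inventory database principals by how they authenticate.
--    type: S = SQL user, E = Azure AD user, X = Azure AD group/application
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('S', 'E', 'X')
  AND principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY authentication_type_desc, name;

-- 3. Password-based users that still hold role memberships: candidates
--    to migrate to Azure AD identities and then drop.
SELECT m.name AS member_name,
       m.authentication_type_desc,
       r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
  ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m
  ON m.principal_id = drm.member_principal_id
WHERE m.authentication_type_desc IN ('DATABASE', 'INSTANCE')
ORDER BY m.name, r.name;
```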

To learn more about Azure AD authentication, see:

To ensure that Azure Active Directory is a good fit for your environment, see Azure AD features and limitations.

Restrict access based on IP address

You can create firewall rules that specify ranges of acceptable IP addresses. These rules can be targeted at both the server and database levels. We recommend using database-level firewall rules whenever possible to enhance security and to make your database more portable. Server-level firewall rules are best used for administrators and when you have many databases that have the same access requirements but you don't want to spend time configuring each database individually.

SQL Database default source IP address restrictions allow access from any Azure address, including other subscriptions and tenants. You can restrict this to only allow your IP addresses to access the instance. Even with your SQL firewall and IP address restrictions, strong authentication is still needed. See the recommendations made earlier in this article.
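
One way to review and tighten the rules described above, as an added T-SQL example (not part of the original article). The rule name `app-tier` and the 203.0.113.x addresses are placeholders; the example relies on the fact that the "allow any Azure address" setting is stored as a server-level rule whose start and end addresses are both 0.0.0.0.

```sql
-- Added example. Azure SQL Database cannot switch databases with USE, so
-- run each part on a connection to the database named in its comment.

-- Part A (master): server-level rules, widest range first.
-- PARSENAME splits the dotted IPv4 string into its four octets.
SELECT name, start_ip_address, end_ip_address,
       ( CAST(PARSENAME(end_ip_address, 4) AS bigint) * 16777216
       + CAST(PARSENAME(end_ip_address, 3) AS bigint) * 65536
       + CAST(PARSENAME(end_ip_address, 2) AS bigint) * 256
       + CAST(PARSENAME(end_ip_address, 1) AS bigint) )
     - ( CAST(PARSENAME(start_ip_address, 4) AS bigint) * 16777216
       + CAST(PARSENAME(start_ip_address, 3) AS bigint) * 65536
       + CAST(PARSENAME(start_ip_address, 2) AS bigint) * 256
       + CAST(PARSENAME(start_ip_address, 1) AS bigint) )
     + 1 AS address_count
FROM sys.firewall_rules
ORDER BY address_count DESC;

-- Remove the 0.0.0.0 - 0.0.0.0 rule (any Azure address, including other
-- subscriptions and tenants) once explicit rules cover your own clients.
DECLARE @rule sysname;
SELECT @rule = name
FROM sys.firewall_rules
WHERE start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0';
IF @rule IS NOT NULL
    EXECUTE sp_delete_firewall_rule @name = @rule;

-- Part B (user database): a database-level rule, which is stored in the
-- database itself and therefore moves with it.
EXECUTE sp_set_database_firewall_rule
    @name = N'app-tier',                  -- placeholder rule name
    @start_ip_address = '203.0.113.10',   -- placeholder range
    @end_ip_address   = '203.0.113.20';

SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules
ORDER BY name;
```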

To learn more about Azure SQL Firewall and IP restrictions, see:

Encrypt data at rest

Transparent Data Encryption (TDE) is enabled by default. TDE transparently encrypts SQL Server, Azure SQL Database, and Azure Synapse Analytics data and log files. TDE protects against the threat of someone gaining direct access to the files or their backups. This enables you to encrypt data at rest without changing existing applications. TDE should always stay enabled; however, it does not stop an attacker who uses the normal access path. TDE provides the ability to comply with many laws, regulations, and guidelines established in various industries.

Azure SQL manages key-related issues for TDE. As with TDE on-premises, special care must be taken to ensure recoverability and when moving databases. In more sophisticated scenarios, the keys can be explicitly managed in Azure Key Vault through extensible key management. See Enable TDE on SQL Server Using EKM. This also allows for Bring Your Own Key (BYOK) through Azure Key Vault's BYOK capability.

Azure SQL provides encryption for columns through Always Encrypted. This allows only authorized applications to access sensitive columns. Using this kind of encryption limits SQL queries for encrypted columns to equality-based values.
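
The equality-only limitation in practice, as an added T-SQL example (not part of the original article). The table `dbo.Patients` and the column encryption key `CEK_Demo` are hypothetical; the key is assumed to exist already, with its column master key held outside the database.

```sql
-- Added example. CEK_Demo is a hypothetical, pre-existing column
-- encryption key; dbo.Patients is a constructed sample table.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    -- Deterministic: equal plaintexts give equal ciphertexts, so equality
    -- lookups and joins work. Character columns need a BIN2 collation.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: resists pattern analysis, but cannot be searched at all.
    Diagnosis NVARCHAR(200)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);

-- Works when the client driver has column encryption enabled and sends
-- @ssn as a parameter (the driver encrypts it before it leaves the app):
--   SELECT PatientId FROM dbo.Patients WHERE SSN = @ssn;
-- Rejected, because the server only ever sees ciphertext:
--   ... WHERE SSN LIKE @prefix
--   ... WHERE SSN > @low

-- Inventory of encrypted columns and the keys that protect them.
SELECT t.name AS table_name,
       c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       k.name AS column_encryption_key
FROM sys.columns AS c
JOIN sys.tables AS t
  ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
ORDER BY t.name, c.name;
```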

Application-level encryption should also be used for selective data. Data sovereignty concerns can sometimes be mitigated by encrypting data with a key that is kept in the correct country/region. This prevents even accidental data transfer from causing an issue, since it is impossible to decrypt the data without the key, assuming a strong algorithm is used (such as AES 256).

You can use additional precautions to help secure the database, such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers.

Next steps

This article introduced you to a collection of SQL Database and Azure Synapse Analytics security best practices for securing your PaaS web and mobile applications. To learn more about securing your PaaS deployments, see: