Best practices for securing PaaS web and mobile applications using Azure Storage

In this article, we discuss a collection of Azure Storage security best practices for securing your platform-as-a-service (PaaS) web and mobile applications. These best practices are derived from our experience with Azure and the experiences of customers like yourself.

Azure makes it possible to deploy and use storage in ways that are not easily achievable on-premises. With Azure Storage, you can reach high levels of scalability and availability with relatively little effort. Azure Storage is not only the foundation for Windows and Linux Azure Virtual Machines; it can also support large distributed applications.

Azure Storage provides the following four services: Blob storage, Table storage, Queue storage, and File storage. To learn more, see Introduction to Azure Storage.

The Azure Storage security guide is a good source of detailed information about Azure Storage and security. This best practices article covers, at a high level, some of the concepts found in the security guide, and links to the security guide and other sources for more information.

This article addresses the following best practices:

  • Shared access signatures (SAS)
  • Azure role-based access control (Azure RBAC)
  • Client-side encryption for high-value data
  • Storage Service Encryption

Use a shared access signature instead of a storage account key

Access control is critical. To help you control access to Azure Storage, Azure generates two 512-bit storage account keys (SAKs) when you create a storage account. Having two keys lets you rotate one while clients keep authenticating with the other, so routine key rotation causes no service interruption.

Storage account keys are high-value secrets and should be accessible only to the people responsible for storage access control. Anyone who obtains a key has complete control of every service in the account and can read, replace, delete, or add data, including malware and other content that can compromise your organization or your customers. Treat the keys like root credentials: keep them in a secret store such as Azure Key Vault, never embed them in source code or client applications, and rotate them on a schedule.

You still need a way to grant access to objects in storage. For more granular access, use a shared access signature (SAS). A SAS lets you share specific objects in storage for a predefined time interval and with specific permissions. A shared access signature lets you define:

  • The interval over which the SAS is valid, including the start time and the expiry time.
  • The permissions granted by the SAS. For example, a SAS on a blob might grant a user read and write permissions to that blob, but not delete permission.
  • An optional IP address or range of IP addresses from which Azure Storage accepts the SAS. For example, you might specify a range of IP addresses belonging to your organization. This adds another layer of protection to the SAS.
  • The protocol over which Azure Storage accepts the SAS. Use this optional parameter to restrict access to clients that connect over HTTPS.

A SAS lets you share content the way you want to without handing out your storage account keys. Consistently using SAS in your application is a secure way to share storage resources without exposing the account keys. Keep in mind that a SAS is a bearer token: whoever holds it gets the granted access until it expires, so issue it only over HTTPS, keep lifetimes short, and where possible use a stored access policy (which lets you revoke a service SAS) or a user delegation SAS (signed with Microsoft Entra ID credentials rather than an account key). Rotating the account key invalidates every SAS signed with it.
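The following is an added example, not code from this article or from the Azure SDK, showing how a blob service SAS is built from the parameters listed above and how the service checks it on each request. The string-to-sign layout follows the Blob service SAS format for API version 2018-11-09 as recalled here (an assumption to verify against the current REST reference); real applications should call `azure.storage.blob.generate_blob_sas` rather than signing by hand. The account name, account key, container and blob names are constructed sample values.

```python
"""Added example (not from the article or the Azure SDK): issue and verify a
blob service SAS. The field order in _string_to_sign is assumed to match API
version 2018-11-09; production code should use generate_blob_sas from the SDK."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample credentials (never a real key).
ACCOUNT = "contosostorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()


def _string_to_sign(account, container, blob, p):
    """Fields in the order the service hashes them; sig itself is never included."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        p["sp"], p.get("st", ""), p["se"], canonical,
        p.get("si", ""),     # stored access policy id (none here)
        p.get("sip", ""),    # allowed IP or range
        p.get("spr", ""),    # allowed protocol
        p["sv"], p["sr"],
        "",                  # snapshot time (not a snapshot)
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides (unused)
    ]
    return "\n".join(fields)


def _sign(account_key, string_to_sign):
    key = base64.b64decode(account_key)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_blob_sas(account, account_key, container, blob, permissions,
                   ttl_minutes, allowed_ip=None, now=None):
    """Issue a SAS: the account key signs the parameters but is not part of the token."""
    now = now or datetime.now(timezone.utc)
    p = {
        "sv": SAS_VERSION,
        "sr": "b",                                              # a single blob
        "sp": permissions,                                      # e.g. "r", "rw"
        "st": (now - timedelta(minutes=5)).strftime(TIME_FMT),  # allow small clock skew
        "se": (now + timedelta(minutes=ttl_minutes)).strftime(TIME_FMT),
        "spr": "https",                                         # reject plain HTTP
    }
    if allowed_ip:
        p["sip"] = allowed_ip
    p["sig"] = _sign(account_key, _string_to_sign(account, container, blob, p))
    return urlencode(p)


def verify_blob_sas(account, account_key, container, blob, sas, permission, now=None):
    """What the service does per request: recompute the MAC, compare in constant
    time, then enforce the validity window and the requested permission."""
    now = now or datetime.now(timezone.utc)
    p = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
    expected = _sign(account_key, _string_to_sign(account, container, blob, p))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return False  # any edited parameter or a different resource changes the MAC
    start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return False
    return permission in p["sp"]


def demo():
    """Issue a 15-minute read-only SAS for one blob and exercise the checks."""
    sas = build_blob_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.pdf", "r", 15,
                         allowed_ip="203.0.113.0-203.0.113.255")
    later = datetime.now(timezone.utc) + timedelta(hours=1)
    blob = (ACCOUNT, ACCOUNT_KEY, "uploads", "report.pdf")
    return {
        "read_ok": verify_blob_sas(*blob, sas, "r"),
        "delete_denied": not verify_blob_sas(*blob, sas, "d"),
        "other_blob_denied": not verify_blob_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "other.pdf", sas, "r"),
        "escalation_denied": not verify_blob_sas(*blob, sas.replace("sp=r&", "sp=rd&"), "d"),
        "expired_denied": not verify_blob_sas(*blob, sas, "r", now=later),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the verifier is that the token carries no secret: the account key is used once, on the issuing side, to compute the signature, and the service only ever recomputes it. Any change to the permissions, resource, or window, and any use after expiry, is rejected.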

To learn more about shared access signatures, see Using shared access signatures.

Use Azure role-based access control

Another way to manage access is Azure role-based access control (Azure RBAC). With Azure RBAC, you focus on giving employees exactly the permissions they need, based on the need-to-know and least-privilege principles. Too many permissions expose an account to attackers; too few prevent employees from getting their work done efficiently. Azure RBAC addresses this by offering fine-grained access management for Azure. This is essential for organizations that want to enforce security policies for data access.

You can use Azure built-in roles to assign privileges to users. For example, use Storage Account Contributor for cloud operators who need to manage storage accounts, and Classic Storage Account Contributor to manage classic storage accounts. For cloud operators who need to manage VMs but not the virtual network or storage account they are connected to, add them to the Virtual Machine Contributor role. Be aware that Storage Account Contributor includes the Microsoft.Storage/storageAccounts/listKeys/action permission, so anyone holding it can retrieve the account keys and gain full access to the data; for application and user access to data, prefer the data-plane roles such as Storage Blob Data Reader or Storage Blob Data Contributor, scoped to the container they need.

Organizations that do not enforce data access control with capabilities such as Azure RBAC may be giving their users more privileges than necessary. This can lead to data compromise by allowing some users access to data they should never have had.

To learn more about Azure RBAC, see:

Use client-side encryption for high-value data

Client-side encryption lets your application encrypt data before uploading it to Azure Storage and decrypt it after retrieving it. Because the data leaves the client already encrypted, it is protected both in transit and at rest, and the storage service never sees the plaintext or the keys. It is the strongest option for protecting your data, but it requires programmatic changes to your application and a key management process.

Client-side encryption also gives you sole control over your encryption keys: you can generate and manage your own keys. It uses an envelope technique in which the Azure Storage client library generates a content encryption key (CEK) and then wraps (encrypts) it with a key encryption key (KEK). The KEK is identified by a key identifier, can be an asymmetric key pair or a symmetric key, and can be managed locally or stored in Azure Key Vault.
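The following is an added example of the envelope technique just described; it is not the Azure SDK's own implementation and is written with the third-party `cryptography` package. Each object gets a fresh AES-256-GCM content encryption key (CEK), and the CEK is wrapped with RFC 3394 AES key wrap under a key encryption key (KEK) looked up by key id. The algorithms, the metadata field names, and the in-memory key ring are this example's assumptions; in production the KEK would be held in Azure Key Vault or an HSM and only the wrap and unwrap operations would leave the application.

```python
"""Added example (not the Azure SDK's implementation): envelope encryption of a
blob with a per-object CEK wrapped under a KEK identified by key id."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import keywrap
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample key ring: key id -> 256-bit KEK. This is the only secret that
# must be protected long term; the storage service never sees it or any CEK.
KEY_RING = {"kek-2024-01": os.urandom(32)}


def encrypt_blob(plaintext: bytes, kid: str, key_ring=KEY_RING):
    """Return (ciphertext, metadata). The metadata is stored beside the blob and
    contains nothing usable without the KEK named by kid."""
    kek = key_ring[kid]
    cek = AESGCM.generate_key(bit_length=256)   # one CEK per object
    nonce = os.urandom(12)                      # never reused with the same CEK
    ciphertext = AESGCM(cek).encrypt(nonce, plaintext, kid.encode())  # kid bound as AAD
    metadata = {
        "kid": kid,
        "alg": "AES-256-GCM",
        "nonce": nonce.hex(),
        "wrapped_cek": keywrap.aes_key_wrap(kek, cek).hex(),
    }
    return ciphertext, metadata


def decrypt_blob(ciphertext: bytes, metadata: dict, key_ring=KEY_RING) -> bytes:
    """Unwrap the CEK with the KEK named in the metadata, then decrypt.
    Raises keywrap.InvalidUnwrap for a wrong KEK and InvalidTag for tampered data."""
    kek = key_ring[metadata["kid"]]             # KeyError if the KEK has been retired
    cek = keywrap.aes_key_unwrap(kek, bytes.fromhex(metadata["wrapped_cek"]))
    return AESGCM(cek).decrypt(bytes.fromhex(metadata["nonce"]), ciphertext,
                               metadata["kid"].encode())


def tamper_detected(ciphertext: bytes, metadata: dict) -> bool:
    """Flip one ciphertext bit: GCM's tag check must reject it before any plaintext is returned."""
    forged = bytearray(ciphertext)
    forged[0] ^= 0x01
    try:
        decrypt_blob(bytes(forged), metadata)
    except InvalidTag:
        return True
    return False


def wrong_kek_rejected(ciphertext: bytes, metadata: dict) -> bool:
    """A different key under the same id cannot unwrap the CEK."""
    try:
        decrypt_blob(ciphertext, metadata, key_ring={metadata["kid"]: os.urandom(32)})
    except keywrap.InvalidUnwrap:
        return True
    return False


if __name__ == "__main__":
    ct, md = encrypt_blob(b"customer ledger 2024-Q1", "kek-2024-01")
    assert decrypt_blob(ct, md) == b"customer ledger 2024-Q1"
    print("wrapped CEK:", md["wrapped_cek"], "| tamper detected:", tamper_detected(ct, md))
```

Key rotation in this model means rewrapping the stored CEKs under a new KEK and updating `kid`; the object ciphertext itself does not need to be re-encrypted, which is why the envelope layout is used rather than encrypting every object directly with the master key.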

Client-side encryption is built into the Java and .NET storage client libraries. See Client-side encryption and Azure Key Vault for Azure Storage for information on encrypting data within client applications and on generating and managing your own encryption keys.

Enable Storage Service Encryption for data at rest

Storage Service Encryption (SSE) automatically encrypts all data written to Azure Storage, across Blob, File, Queue, and Table storage, with 256-bit AES before it is persisted, and decrypts it transparently on retrieval. It is enabled on every storage account, for all redundancy options, and cannot be disabled. Microsoft handles the encryption, decryption, and key management by default; if you need control over the keys, configure customer-managed keys stored in Azure Key Vault.

Next steps

This article introduced a collection of Azure Storage security best practices for securing your PaaS web and mobile applications. To learn more about securing your PaaS deployments, see: