Securing PaaS deployments

This article provides information that helps you:

  • Understand the security advantages of hosting applications in the cloud
  • Evaluate the security advantages of platform as a service (PaaS) versus other cloud service models
  • Change your security focus from a network-centric to an identity-centric perimeter security approach
  • Implement general PaaS security best practices recommendations

Developing secure applications on Azure is a general guide to the security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

Cloud security advantages

It's important to understand the division of responsibility between you and Microsoft. On-premises, you own the whole stack, but as you move to the cloud some responsibilities transfer to Microsoft.

There are security advantages to being in the cloud. In an on-premises environment, organizations likely have unmet responsibilities and limited resources available to invest in security, which creates an environment where attackers are able to exploit vulnerabilities at all layers.

Organizations are able to improve their threat detection and response times by using a provider's cloud-based security capabilities and cloud intelligence. By shifting responsibilities to the cloud provider, organizations can get more security coverage, which enables them to reallocate security resources and budget to other business priorities.

Security advantages of a PaaS cloud service model

Let's look at the security advantages of an Azure PaaS deployment versus on-premises.

Figure: Security advantages of PaaS

Starting at the bottom of the stack, the physical infrastructure, Microsoft mitigates common risks and responsibilities. Because the Azure cloud is continually monitored by Microsoft, it is hard to attack. It doesn't make sense for an attacker to pursue the Azure cloud as a target. Unless the attacker has lots of money and resources, the attacker is likely to move on to another target.

In the middle of the stack, there is no difference between a PaaS deployment and on-premises. At the application layer and the account and access management layer, you have similar risks. In the next steps section of this article, we point you to best practices for eliminating or minimizing these risks.

At the top of the stack, data governance and rights management, you take on one risk that can be mitigated by key management. (Key management is covered in best practices.) While key management is an additional responsibility, there are areas in a PaaS deployment that you no longer have to manage, so you can shift resources to key management.

The Azure platform also provides you strong DDoS protection by using various network-based technologies. However, all types of network-based DDoS protection methods have their limits on a per-link and per-datacenter basis. To help avoid the impact of large DDoS attacks, you can take advantage of Azure's core cloud capability of enabling you to quickly and automatically scale out to defend against DDoS attacks. We'll go into more detail on how you can do this in the recommended practices articles.

Modernizing the defender's mindset

With PaaS deployments comes a shift in your overall approach to security. You shift from needing to control everything yourself to sharing responsibility with Microsoft.

Another significant difference between PaaS and traditional on-premises deployments is a new view of what defines the primary security perimeter. Historically, the primary on-premises security perimeter was your network, and most on-premises security designs use the network as their primary security pivot. For PaaS deployments, you are better served by considering identity to be the primary security perimeter.

Adopt a policy of identity as the primary security perimeter

One of the five essential characteristics of cloud computing is broad network access, which makes network-centric thinking less relevant. The goal of much of cloud computing is to allow users to access resources regardless of location. For most users, their location is going to be somewhere on the Internet.

The following figure shows how the security perimeter has evolved from a network perimeter to an identity perimeter. Security becomes less about defending your network and more about defending your data, as well as managing the security of your apps and users. The key difference is that you want to push security closer to what's important to your company.

Initially, Azure PaaS services (for example, web roles and Azure SQL) provided little or no traditional network perimeter defenses. It was understood that the element's purpose was to be exposed to the Internet (web role) and that authentication provides the new perimeter (for example, BLOB or Azure SQL).

Modern security practices assume that the adversary has breached the network perimeter. Therefore, modern defense practices have moved to identity. Organizations must establish an identity-based security perimeter with strong authentication and authorization hygiene (best practices).

Principles and patterns for the network perimeter have been available for decades. In contrast, the industry has relatively less experience with using identity as the primary security perimeter. With that said, we have accumulated enough experience to provide some general recommendations that are proven in the field and apply to almost all PaaS services.

The following are best practices for managing the identity perimeter.

Best practice: Don't put credentials and other secrets in source code or GitHub.
Detail: The only thing worse than losing your keys and credentials is having an unauthorized party gain access to them. Attackers can take advantage of bot technologies to find keys and secrets stored in code repositories such as GitHub. Do not put keys and secrets in these public code repositories.
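As an added illustration of this best practice (example code written for this page, not Microsoft's tooling), the following is a small pre-commit style scanner that flags source lines which appear to embed a secret, either by a known pattern or by the high entropy of a quoted string. The pattern names, the entropy threshold and the sample source lines are all constructed for the example.

```python
import math
import re

# Patterns a defender's pre-commit hook or CI job might flag. These names and
# thresholds are this example's own choices, not a Microsoft-published list.
PATTERNS = {
    "azure-storage-connection-string": re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}"),
    "password-assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Any quoted string of 32+ key-like characters is a candidate for the entropy check.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{32,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders like 'xxxx...' score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_lines(lines, entropy_threshold=4.0):
    """Return (line_number, finding_kind) for each line that looks like it embeds a secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        kind = next((name for name, pat in PATTERNS.items() if pat.search(line)), None)
        if kind is None:
            for m in QUOTED_TOKEN.finditer(line):
                if shannon_entropy(m.group(1)) >= entropy_threshold:
                    kind = "high-entropy-string"
                    break
        if kind:
            findings.append((lineno, kind))
    return findings

# Constructed sample source file: lines 2, 3 and 5 embed secrets; line 4 reads the
# secret from the environment (the right pattern) and line 6 is an obvious placeholder.
SAMPLE_SOURCE = [
    "import os",
    'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Qm9ndXNLZXlGb3JEZW1vT25seU5vdFJlYWxBdEFsbDEyMzQ1Njc4OTA=;EndpointSuffix=core.windows.net"',
    'DB_PASSWORD = "hunter2-not-really"',
    'API_TOKEN = os.environ["API_TOKEN"]',
    'SIGNING_KEY = "k7Qz2Ln9Xb4Rw8Tp1Vy5Hc3Jm6Fd0GsE"',
    'PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',
]

if __name__ == "__main__":
    for lineno, kind in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Run it over the files staged for a commit and fail the commit on any finding; the entropy check catches keys that match no known pattern, at the cost of needing an allow-list for legitimate long random strings such as test vectors.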

Best practice: Protect your VM management interfaces on hybrid PaaS and IaaS services by using a management interface that enables you to remotely manage these VMs directly.
Detail: Remote management protocols such as SSH, RDP, and PowerShell remoting can be used. In general, we recommend that you do not enable direct remote access to VMs from the internet.

If possible, use alternate approaches like using virtual private networks in an Azure virtual network. If alternative approaches are not available, ensure that you use complex passphrases and two-factor authentication (such as Azure AD Multi-Factor Authentication).

Best practice: Use strong authentication and authorization platforms.
Detail: Use federated identities in Azure AD instead of custom user stores. When you use federated identities, you take advantage of a platform-based approach and you delegate the management of authorized identities to your partners. A federated identity approach is especially important when employees are terminated and that information needs to be reflected through multiple identity and authorization systems.

Use platform-supplied authentication and authorization mechanisms instead of custom code. The reason is that developing custom authentication code can be error prone. Most of your developers are not security experts and are unlikely to be aware of the subtleties and the latest developments in authentication and authorization. Commercial code (for example, from Microsoft) is often extensively security reviewed.

Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses inherent in username and password types of authentication. Access to both the Azure management (portal/remote PowerShell) interfaces and customer-facing services should be designed and configured to use Azure AD Multi-Factor Authentication.

Use standard authentication protocols, such as OAuth2 and Kerberos. These protocols have been extensively peer reviewed and are likely implemented as part of your platform libraries for authentication and authorization.

Use threat modeling during application design

The Microsoft Security Development Lifecycle specifies that teams should engage in a process called threat modeling during the design phase. To help facilitate this process, Microsoft has created the SDL Threat Modeling Tool. Modeling the application design and enumerating STRIDE threats across all trust boundaries can catch design errors early on.

The following table lists the STRIDE threats and gives some example mitigations that use Azure features. These mitigations won't work in every situation.

Threat                  Security property   Potential Azure platform mitigations
Spoofing                Authentication      Require HTTPS connections.
Tampering               Integrity           Validate TLS/SSL certificates.
Repudiation             Non-repudiation     Enable Azure monitoring and diagnostics.
Information disclosure  Confidentiality     Encrypt sensitive data at rest by using service certificates.
Denial of service       Availability        Monitor performance metrics for potential denial-of-service conditions. Implement connection filters.
Elevation of privilege  Authorization       Use Privileged Identity Management.

Develop on Azure App Service

Azure App Service is a PaaS offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services. It also includes new capabilities for automating business processes and hosting cloud APIs. As a single integrated service, App Service brings a rich set of capabilities to web, mobile, and integration scenarios.

Following are best practices for using App Service.

Best practice: Authenticate through Azure Active Directory.
Detail: App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Azure AD uses OAuth 2.0 to enable you to authorize access to mobile and web applications.

Best practice: Restrict access based on the need-to-know and least-privilege security principles.
Detail: Restricting access is imperative for organizations that want to enforce security policies for data access. You can use Azure RBAC to assign permissions to users, groups, and applications at a certain scope. To learn more about granting users access to applications, see Get started with access management.

Best practice: Protect your keys.
Detail: Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. See Azure Key Vault to learn more. You can also use Key Vault to manage your TLS certificates with auto-renewal.

Best practice: Restrict incoming source IP addresses.
Detail: App Service Environment has a virtual network integration feature that helps you restrict incoming source IP addresses through network security groups. Virtual networks enable you to place Azure resources in a network that is not routable from the internet and whose access you control. To learn more, see Integrate your app with an Azure virtual network.

Best practice: Monitor the security state of your App Service environments.
Detail: Use Azure Security Center to monitor your App Service environments. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls.

Note: Monitoring App Service is in preview and available only on the Standard tier of Security Center.

Install a web application firewall

Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks and cross-site scripting attacks, to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each individual web application. Existing application gateways can be converted to a web application firewall enabled application gateway easily.

Monitor the performance of your applications

Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your application. An effective monitoring strategy helps you understand the detailed operation of the components of your application. It helps you increase your uptime by notifying you of critical issues so that you can resolve them before they become problems. It also helps you detect anomalies that might be security related.

Use Azure Application Insights to monitor availability, performance, and usage of your application, whether it's hosted in the cloud or on-premises. By using Application Insights, you can quickly identify and diagnose errors in your application without waiting for a user to report them. With the information that you collect, you can make informed choices on your application's maintenance and improvements.

Application Insights has extensive tools for interacting with the data that it collects. Application Insights stores its data in a common repository. It can take advantage of shared functionality such as alerts, dashboards, and deep analysis with the Kusto query language.

Perform security penetration testing

Validating security defenses is as important as testing any other functionality. Make penetration testing a standard part of your build and deployment process. Schedule regular security tests and vulnerability scanning on deployed applications, and monitor for open ports, endpoints, and attacks.

Fuzz testing is a method for finding program failures (code errors) by supplying malformed input data to program interfaces (entry points) that parse and consume this data. Microsoft Security Risk Detection is a cloud-based tool that you can use to look for bugs and other security vulnerabilities in your software before you deploy it to Azure. The tool is designed to catch vulnerabilities before you deploy software so you don't have to patch a bug, deal with crashes, or respond to an attack after the software is released.
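An added example of the fuzzing approach described above (written for this page; it is not code from Microsoft Security Risk Detection): a mutation-based fuzzer run against a constructed message parser, first in a naive form that trusts its input and then in a bounds-checked form that rejects malformed input cleanly. The message format, the seed message and both parsers are this example's own.

```python
import random

# Constructed target for this example (not any real Azure component): a tiny binary
# message, 1-byte version, 1-byte field count, then fields of [length][bytes].
def parse_message(data: bytes) -> dict:
    if data[0] != 1:                      # IndexError on empty input
        raise ValueError("unsupported version")
    count, pos, fields = data[1], 2, []   # IndexError on a one-byte input
    for _ in range(count):
        n = data[pos]                     # IndexError once the input is truncated
        fields.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    return {"version": 1, "fields": fields}

# Same format with bounds checks: malformed input is rejected with ValueError only.
def parse_message_hardened(data: bytes) -> dict:
    if len(data) < 2 or data[0] != 1:
        raise ValueError("bad header")
    count, pos, fields = data[1], 2, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated field length")
        n = data[pos]
        if pos + 1 + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos != len(data):
        raise ValueError("trailing bytes")
    return {"version": 1, "fields": fields}

def mutate(data: bytes, rng: random.Random) -> bytes:
    # One random mutation: bit flip, byte insert, byte delete or truncation.
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seeds, iterations, rng_seed=0, expected=(ValueError,)):
    """Feed mutated seeds to target; return one reproducer per unexpected exception type."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        for _ in range(rng.randrange(3)):   # sometimes stack extra mutations
            case = mutate(case, rng)
        try:
            target(case)
        except expected:
            continue                        # a clean rejection is correct behaviour
        except Exception as exc:            # anything else is a program failure
            crashes.setdefault(type(exc).__name__, case)
    return crashes

SEED_MESSAGE = bytes([1, 2, 3]) + b"abc" + bytes([2]) + b"de"   # constructed valid input
```

Running fuzz(parse_message, [SEED_MESSAGE], 1000) returns an IndexError reproducer within a few iterations, while the hardened parser produces no crashes under the same mutations; the reproducer is what you would file as the bug before deployment.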

Next steps

In this article, we focused on security advantages of an Azure PaaS deployment and security best practices for cloud applications. Next, learn recommended practices for securing your PaaS web and mobile solutions using specific Azure services. We'll start with Azure App Service, Azure SQL Database and Azure Synapse Analytics, and Azure Storage. As articles on recommended practices for other Azure services become available, links will be provided in the following list:

See Developing secure applications on Azure for security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.

The following resources are available to provide more general information about Azure security and related Microsoft services: