Azure Virtual Machines security overview

This article provides an overview of the core Azure security features that can be used with virtual machines.

You can use Azure Virtual Machines to deploy a wide range of computing solutions in an agile way. The service supports Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services. So you can deploy any workload and any language on nearly any operating system.

An Azure virtual machine gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs the virtual machine. You can build and deploy your applications with the assurance that your data is protected and safe in highly secure datacenters.

With Azure, you can build security-enhanced, compliant solutions that:

  • Protect your virtual machines from viruses and malware.
  • Encrypt your sensitive data.
  • Secure network traffic.
  • Identify and detect threats.
  • Meet compliance requirements.

Antimalware

With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and Kaspersky. This software helps protect your virtual machines from malicious files, adware, and other threats.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware for Azure provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments. It's designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

Learn more about Microsoft Antimalware for Azure and the core features available.


For even more powerful protection, consider using Windows Defender Advanced Threat Protection. With Windows Defender ATP, you get:


Hardware security module

Improving key security can enhance encryption and authentication protections. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault.

Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault along with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.


Virtual machine disk encryption

Azure Disk Encryption is a new capability for encrypting your Windows and Linux virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and the data disks.

The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription. It ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.


Virtual machine backup

Azure Backup is a scalable solution that helps protect your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. With Azure Backup, your virtual machines running Windows and Linux are protected.


Azure Site Recovery

An important part of your organization's BCDR strategy is figuring out how to keep corporate workloads and apps running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they're available from a secondary location if your primary location goes down.

Site Recovery:

  • Simplifies your BCDR strategy: Site Recovery makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single location. Site Recovery orchestrates replication and failover but doesn't intercept your application data or have any information about it.
  • Provides flexible replication: By using Site Recovery, you can replicate workloads running on Hyper-V virtual machines, VMware virtual machines, and Windows/Linux physical servers.
  • Supports failover and recovery: Site Recovery provides test failovers to support disaster recovery drills without affecting production environments. You can also run planned failovers with zero data loss for expected outages, or unplanned failovers with minimal data loss (depending on replication frequency) for unexpected disasters. After failover, you can fail back to your primary sites. Site Recovery provides recovery plans that can include scripts and Azure Automation workbooks so that you can customize failover and recovery of multi-tier applications.
  • Eliminates secondary datacenters: You can replicate to a secondary on-premises site, or to Azure. Using Azure as a destination for disaster recovery eliminates the cost and complexity of maintaining a secondary site. Replicated data is stored in Azure Storage.
  • Integrates with existing BCDR technologies: Site Recovery partners with other applications' BCDR features. For example, you can use Site Recovery to help protect the SQL Server back end of corporate workloads. This includes native support for SQL Server Always On to manage the failover of availability groups.


Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure virtual network.

An Azure virtual network is a logical construct built on top of the physical Azure network fabric. Each logical Azure virtual network is isolated from all other Azure virtual networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.


Security policy management and reporting

Azure Security Center helps you prevent, detect, and respond to threats. Security Center gives you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions. It helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Security Center helps you optimize and monitor the security of your virtual machines by:

  • Providing security recommendations for the virtual machines. Example recommendations include: apply system updates, configure ACLs on endpoints, enable antimalware, enable network security groups, and apply disk encryption.
  • Monitoring the state of your virtual machines.
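As an added example (not code from this page or from Microsoft), the following Python script applies the Security Center-style recommendations listed above, together with the per-disk encryption state described in the disk encryption section, to a constructed VM inventory. The inventory layout, its field names, the `EncryptionState/...` status codes and the check for the `IaaSAntimalware` extension are assumptions made for illustration.

```python
import json

# Constructed sample inventory (assumption: a simplified shape, loosely modelled
# on what VM and disk-encryption status queries return; not real Azure data).
INVENTORY_JSON = """
[
  {"name": "web01", "osType": "Linux",
   "extensions": ["AzureDiskEncryptionForLinux"],
   "nsgAttached": true, "pendingUpdates": 0,
   "disks": [
     {"name": "web01_OsDisk", "statuses": [{"code": "EncryptionState/encrypted"}]},
     {"name": "web01_data0", "statuses": [{"code": "EncryptionState/encrypted"}]}
   ]},
  {"name": "db01", "osType": "Windows",
   "extensions": ["IaaSAntimalware"],
   "nsgAttached": false, "pendingUpdates": 14,
   "disks": [
     {"name": "db01_OsDisk", "statuses": [{"code": "EncryptionState/encrypted"}]},
     {"name": "db01_data0", "statuses": [{"code": "EncryptionState/notEncrypted"}]}
   ]}
]
"""


def unencrypted_disks(vm):
    """Return the names of disks that do not report an encrypted state."""
    bad = []
    for disk in vm["disks"]:
        codes = {s["code"] for s in disk.get("statuses", [])}
        if "EncryptionState/encrypted" not in codes:
            bad.append(disk["name"])
    return bad


def assess_vm(vm):
    """Map one VM record to the recommendations from the list above."""
    findings = [f"apply disk encryption: {d}" for d in unencrypted_disks(vm)]
    if not vm["nsgAttached"]:
        findings.append("enable network security groups")
    if vm["pendingUpdates"] > 0:
        findings.append(f"apply system updates ({vm['pendingUpdates']} pending)")
    # Assumption: the Microsoft Antimalware extension is expected on Windows VMs.
    if vm["osType"] == "Windows" and "IaaSAntimalware" not in vm["extensions"]:
        findings.append("enable antimalware")
    return findings


def assess_inventory(inventory_json):
    """Return {vm name: [recommendations]} for every VM in the inventory."""
    return {vm["name"]: assess_vm(vm) for vm in json.loads(inventory_json)}


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY_JSON).items():
        print(name, "OK" if not findings else findings)
```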


Compliance

Azure Virtual Machines is certified for FISMA, FedRAMP, HIPAA, PCI DSS Level 1, and other key compliance programs. This certification makes it easier for your own Azure applications to meet compliance requirements and for your business to address a wide range of domestic and international regulatory requirements.


Confidential Computing

While confidential computing is not technically part of virtual machine security, the topic of virtual machine security belongs to the higher-level subject of "compute" security. Confidential computing belongs within that same category of "compute" security.

Confidential computing ensures that when data is "in the clear," which is required for efficient processing, the data is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE, also known as an enclave), an example of which is shown in the figure below.

TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They also ensure that only authorized code is permitted to access data. If the code is altered or tampered with, the operations are denied and the environment is disabled. The TEE enforces these protections throughout the execution of code within it.
