Azure Storage security overview

Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities. You can:

  • Secure the storage account by using Role-Based Access Control (RBAC) and Azure Active Directory.
  • Secure data in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • Set data to be automatically encrypted when it's written to Azure Storage by using Storage Service Encryption.
  • Set OS and data disks used by virtual machines (VMs) to be encrypted by using Azure Disk Encryption.
  • Grant delegated access to the data objects in Azure Storage by using shared access signatures (SASs).
  • Use analytics to track the authentication method that someone is using when they access Storage.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage. These features include storage account keys, data encryption in transit and at rest, and storage analytics.

Role-Based Access Control

You can help secure your storage account by using Role-Based Access Control. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users.

Learn more:

Delegated access to storage objects

A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant a client limited permissions to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

The SAS is a URI that encompasses in its query parameters all the information necessary for authenticated access to a storage resource. To access storage resources with the SAS, the client only needs to provide the SAS to the appropriate constructor or method.
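Because the whole grant travels in the query string, a SAS can be inspected before it is handed to a client. The following Python is an added example (not from this page or from the Azure SDK) that parses the standard SAS query parameters and flags tokens that outlive a policy window, grant more than the allowed permissions, or permit plain HTTP; the storage account name, blob path and signature values are constructed placeholders.

```python
"""Audit an Azure shared access signature (SAS) URI before issuing it.

The whole grant travels in the query string: sp (permissions), st/se (start
and expiry, UTC), sr (resource type), spr (allowed protocol), sip (IP range),
sv (service version) and sig (HMAC over those fields, made with the account
key that is never shared).  The checker flags over-broad or long-lived grants.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PERMISSION_NAMES = {"r": "read", "a": "add", "c": "create", "w": "write",
                    "d": "delete", "l": "list"}

def parse_sas(uri: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value of each)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}

def _utc(value: str) -> datetime:
    # SAS timestamps are ISO 8601 in UTC, e.g. 2024-05-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(uri: str, now: datetime, max_lifetime: timedelta,
              allowed_permissions: str = "r") -> list:
    """Return policy findings for the SAS; an empty list means it is acceptable."""
    q = parse_sas(uri)
    findings = [f"missing required parameter {p}"
                for p in ("sv", "sp", "se", "sig") if p not in q]
    if findings:
        return findings
    start, expiry = (_utc(q["st"]) if "st" in q else now), _utc(q["se"])
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - start > max_lifetime:
        findings.append(f"lifetime {expiry - start} exceeds policy maximum {max_lifetime}")
    extra = set(q["sp"]) - set(allowed_permissions)
    if extra:
        findings.append("grants permissions beyond policy: "
                        + ", ".join(PERMISSION_NAMES.get(p, p) for p in sorted(extra)))
    if q.get("spr", "https,http") != "https":  # no spr means HTTP is allowed too
        findings.append("not restricted to HTTPS (spr=https)")
    return findings

# Constructed sample tokens; the signatures are placeholders, not valid HMACs.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(hours=24)
BASE = "https://examplestorage.blob.core.windows.net/reports/q1.csv"
BROAD_SAS = (BASE + "?sv=2021-06-08&sr=b&sp=rwd&st=2024-05-01T00:00:00Z"
             "&se=2025-05-01T00:00:00Z&sig=PLACEHOLDER")
TIGHT_SAS = (BASE + "?sv=2021-06-08&sr=b&sp=r&st=2024-05-02T11:00:00Z"
             "&se=2024-05-02T13:00:00Z&spr=https&sig=PLACEHOLDER")
```

Running `audit_sas(BROAD_SAS, NOW, MAX_LIFETIME)` returns three findings (year-long lifetime, write and delete permissions, HTTP allowed), while the two-hour read-only `TIGHT_SAS` returns none.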

Learn more:

Encryption in transit

Encryption in transit is a mechanism for protecting data while it's transmitted across networks. With Azure Storage, you can secure data by using:

  • Transport-level encryption, such as HTTPS, when you transfer data into or out of Azure Storage.
  • Wire encryption, such as SMB 3.0 encryption, for Azure file shares.
  • Client-side encryption, to encrypt the data before it's transferred into Storage and to decrypt the data after it is transferred out of Storage.

Learn more about client-side encryption:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that's at rest:

Learn more about Storage Service Encryption:

Azure Disk Encryption

Azure Disk Encryption for virtual machines helps you address organizational security and compliance requirements. It encrypts your VM disks (including boot and data disks) by using keys and policies that you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit use of your disk encryption keys. All the data in your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks is encrypted at rest in your Azure Storage. You should use Key Vault to audit key and policy usage.

Learn more