Azure storage security overview

Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities:

  • The storage account can be secured using Role-Based Access Control and Azure Active Directory.

  • Data can be secured in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.

  • Data can be automatically encrypted when it is written to Azure Storage by using Storage Service Encryption.

  • Delegated access to the data objects in Azure Storage can be granted using shared access signatures.

  • The authentication method used by someone when they access storage can be tracked using Storage Analytics logging.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. That guide provides a deep dive into the security features of Azure Storage such as storage account keys, data encryption in transit and at rest, and Storage Analytics.

This article provides an overview of the Azure security features that can be used with Azure Storage. Links are provided to articles that give details of each feature so you can learn more.

Here are the core features covered in this article:

  • Role-Based Access Control
  • Delegated access to storage objects
  • Encryption in transit
  • Encryption at rest/Storage Service Encryption
  • Azure Disk Encryption
  • Azure Key Vault

Role-Based Access Control (RBAC)

You can secure your storage account with Role-Based Access Control (RBAC). Restricting access according to the need-to-know and least-privilege principles is imperative for organizations that want to enforce security policies for data access. Access rights are granted by assigning the appropriate RBAC role to groups and applications at a particular scope (subscription, resource group, or individual storage account). You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users. Note that Storage Account Contributor permits management operations on the account, including listing and regenerating the account access keys, so anyone holding it can obtain full access to the data in the account; assign it at the narrowest scope that works and review the assignments regularly.

Learn more:

Delegated access to storage objects

A shared access signature (SAS) provides delegated access to resources in your storage account. With a SAS you can grant a client limited access to objects in your storage account for a specified period of time and with a specified set of permissions, without having to share your account access keys. The SAS is a URI whose query parameters carry all the information necessary for authenticated access to a storage resource: the service version, the start and expiry times, the permissions, and a signature computed over those values with one of the account keys, so a client cannot change the permissions or extend the expiry without invalidating the signature. To access storage resources with the SAS, the client only needs to pass the SAS to the appropriate constructor or method. Because a SAS is a bearer credential, anyone who obtains the URI can use it until it expires; keep lifetimes short, grant only the permissions needed, and require HTTPS.
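The signing and checking just described, as an added example that is not code from this page or from Microsoft's SDKs: a Python script that builds a Blob service SAS for a single blob and then re-derives the signature the way the service would before honoring a request. The account name and key are constructed sample values, and the string-to-sign layout follows the 2015-04-05 service version (newer versions add fields), so the version constant is an assumption to adjust if you compare output against a real SDK.

```python
"""Build and verify an Azure Blob service SAS (added example, not Microsoft's code)."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values: the account name is hypothetical and the key is the
# base64 encoding of a fixed byte string, NOT a real Azure storage account key.
SAMPLE_ACCOUNT = "examplestorage"
SAMPLE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()

SAS_VERSION = "2015-04-05"          # assumption: string-to-sign layout of this version
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(permissions, start, expiry, canonical_resource, protocol, version):
    # Field order of the service SAS string-to-sign for version 2015-04-05:
    # permissions, start, expiry, canonicalized resource, signed identifier,
    # signed IP, protocol, version, then five response-header overrides
    # (rscc, rscd, rsce, rscl, rsct). Unused fields stay empty but their
    # separating newlines must still be present.
    fields = [permissions, start, expiry, canonical_resource, "", "",
              protocol, version, "", "", "", "", ""]
    return "\n".join(fields)


def _sign(key_b64, string_to_sign):
    # Signature = Base64(HMAC-SHA256(UTF-8(string-to-sign), Base64-decoded account key)).
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry, protocol="https"):
    """Return a full blob URI carrying a service SAS scoped to that one blob."""
    canonical_resource = f"/blob/{account}/{container}/{blob}"
    sig = _sign(key_b64, _string_to_sign(permissions, start, expiry,
                                         canonical_resource, protocol, SAS_VERSION))
    params = {"sv": SAS_VERSION, "st": start, "se": expiry, "sr": "b",
              "sp": permissions, "spr": protocol, "sig": sig}
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def verify_blob_sas(url, key_b64, now):
    """Re-derive the signature and check the time window; returns (ok, reason).
    `now` is a datetime in UTC or a string in TIME_FMT."""
    if isinstance(now, str):
        now = _parse_time(now)
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    for required in ("sv", "se", "sp", "sig"):
        if required not in q:
            return False, f"missing {required}"
    account = u.hostname.split(".")[0]
    canonical_resource = f"/blob/{account}{u.path}"      # u.path is /container/blob
    expected = _sign(key_b64, _string_to_sign(q["sp"], q.get("st", ""), q["se"],
                                              canonical_resource, q.get("spr", ""), q["sv"]))
    # Constant-time comparison: the signature is all that stands between the
    # holder of this URI and the authority of the account key.
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "signature mismatch"
    if q.get("st") and now < _parse_time(q["st"]):
        return False, "not yet valid"
    if now >= _parse_time(q["se"]):
        return False, "expired"
    if q.get("spr") == "https" and u.scheme != "https":
        return False, "https required"
    return True, "ok"


if __name__ == "__main__":
    url = make_blob_sas(SAMPLE_ACCOUNT, SAMPLE_KEY_B64, "logs", "2025/app.log",
                        "r", "2025-01-01T00:00:00Z", "2025-01-01T01:00:00Z")
    print(url)
    print(verify_blob_sas(url, SAMPLE_KEY_B64, "2025-01-01T00:30:00Z"))
```

Run the script to print a read-only, one-hour SAS URI; then change `sp=r` to `sp=rw` in the printed URI and verify it again to see the signature check fail. The verify function is useful in a review pipeline for confirming that tokens handed to partners carry only the intended permission and a short expiry, but it mirrors the service's check rather than replacing it.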

Learn more:

Encryption in transit

Encryption in transit is a mechanism for protecting data while it is transmitted across networks. With Azure Storage you can secure data using:

  • Transport-level encryption, such as HTTPS when you transfer data into or out of Azure Storage.
  • Wire encryption, such as SMB 3.0 encryption for Azure File shares.
  • Client-side encryption, to encrypt the data before it is transferred into storage and to decrypt it after it is transferred out of storage, so the storage service only ever holds ciphertext.

Learn more about client-side encryption:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that is at rest:

Learn more about Storage Service Encryption:

Azure Disk Encryption

Azure Disk Encryption for virtual machines (VMs) helps you address organizational security and compliance requirements by encrypting your VM disks (including boot and data disks) with keys and policies you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit use of your disk encryption keys. All the data on your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure Storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

Learn more:

Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure Storage. You should use Key Vault to audit key and policy usage.

Learn more: