Security controls for Azure Service Fabric

This article documents the security controls built into Azure Service Fabric.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes |
|---|---|---|
| Service endpoint support | Yes | |
| VNet injection support | Yes | |
| Network isolation and firewalling support | Yes | Using network security groups (NSG). |
| Forced tunneling support | Yes | Azure networking provides forced tunneling. |

Monitoring & logging

| Security control | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | Using Azure monitoring support and third-party support. |
| Control and management plane logging and audit | Yes | All control plane operations run through processes for auditing and approvals. |
| Data plane logging and audit | N/A | Customer owns the cluster. |

Identity

| Security control | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Authentication is through Azure Active Directory. |
| Authorization | Yes | Identity and access management (IAM) for calls via SFRP. Calls made directly to the cluster endpoint support two roles: User and Admin. The customer can map the APIs to either role. |

Data protection

| Security control | Yes/No | Notes |
|---|---|---|
| Server-side encryption at rest: Azure-managed keys | Yes | The customer owns the cluster and the virtual machine scale set on which the cluster is built. Azure Disk Encryption can be enabled on the virtual machine scale set. |
| Server-side encryption at rest: customer-managed keys (BYOK) | Yes | The customer owns the cluster and the virtual machine scale set on which the cluster is built. Azure Disk Encryption can be enabled on the virtual machine scale set. |
| Column level encryption (Azure Data Services) | N/A | |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-VNet encryption) | Yes | |
| API calls encrypted | Yes | Service Fabric API calls are made through Azure Resource Manager. A valid JSON Web Token (JWT) is required. |

Configuration management

| Security control | Yes/No | Notes |
|---|---|---|
| Configuration management support (versioning of configuration, etc.) | Yes | |