Advanced data security for Azure SQL Database

Advanced data security is a unified package for advanced SQL security capabilities. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single place for enabling and managing these capabilities.

Overview

Advanced data security (ADS) provides a set of advanced SQL security capabilities, including data discovery & classification, vulnerability assessment, and Advanced Threat Protection.

  • Data discovery & classification (currently in preview) provides capabilities built into Azure SQL Database for discovering, classifying, labeling, and protecting the sensitive data in your databases. It gives visibility into the classification state of a database and tracks access to sensitive data within the database and beyond its borders.
  • Vulnerability assessment is an easy-to-configure service that discovers, tracks, and helps you remediate potential database vulnerabilities. It gives visibility into your security state and includes actionable steps to resolve security issues and harden your databases.
  • Advanced Threat Protection detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit your database. It continuously monitors the database for suspicious activity and raises immediate security alerts on potential vulnerabilities, SQL injection attacks, and anomalous database access patterns. Each alert includes details of the suspicious activity and recommended actions for investigating and mitigating the threat.

Enabling SQL ADS once enables all of these features. With one click you can enable ADS for every database on a SQL Database server or managed instance. Enabling or managing ADS settings requires membership in the SQL security manager role, the SQL database admin role, or the SQL server admin role.

ADS pricing aligns with the Azure Security Center standard tier, where each protected SQL Database server or managed instance is counted as one node. Newly protected resources qualify for a free trial of the Security Center standard tier. For more information, see the Azure Security Center pricing page.

Getting started with ADS

The following steps get you started with ADS.

1. Enable ADS

Enable ADS by navigating to Advanced Data Security under the Security heading for your SQL Database server or managed instance. To enable ADS for all databases on the server or managed instance, click Enable Advanced Data Security on the server.

Note

A storage account is automatically created and configured to store your vulnerability assessment scan results. If you have already enabled ADS for another server in the same resource group and region, the existing storage account is reused.

(Screenshot: Enable ADS)

Note

The cost of ADS aligns with Azure Security Center standard tier pricing per node, where a node is the entire SQL Database server or managed instance. You therefore pay once to protect all databases on that server or managed instance with ADS. You can try ADS initially with a free trial.

2. Start classifying data, tracking vulnerabilities, and investigating threat alerts

Click the Data Discovery & Classification card to see the sensitive columns recommended for classification and to classify your data with persistent sensitivity labels. Click the Vulnerability Assessment card to view and manage vulnerability scans and reports and to track your security posture. If security alerts have been received, click the Advanced Threat Protection card to view the alert details, and use the Azure Security Center security alerts page for a consolidated report of all alerts in your Azure subscription.

3. Manage ADS settings on your SQL Database server or managed instance

To view and manage ADS settings, navigate to Advanced Data Security under the Security heading for your SQL Database server or managed instance. On this page you can enable or disable ADS and modify the vulnerability assessment and Advanced Threat Protection settings for the entire SQL Database server or managed instance.

(Screenshot: Server settings)

4. Manage ADS settings for a SQL database

To override the ADS settings for a particular database, select the Enable Advanced Data Security at the database level checkbox. Use this option only if you have a specific requirement to receive separate Advanced Threat Protection alerts or vulnerability assessment results for that individual database, instead of or in addition to the alerts and results received for all databases on the server or managed instance.

Once the checkbox is selected, you can configure the relevant settings for this database.

(Screenshot: Database and Advanced Threat Protection settings)

The advanced data security settings for the server or managed instance can also be reached from the ADS pane of a database. Click Settings in the main ADS pane, and then click View Advanced Data Security server settings.

(Screenshot: Database settings)
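The four steps above are portal-driven. The following PowerShell script is an added example, not code from the original page or from Microsoft, that performs the server-level part of the same procedure with the Az.Sql module: it enables ADS on a logical server, confirms the policy took effect, sets the server-level vulnerability assessment storage and recurring scan schedule, and audits every logical server in the subscription for ADS coverage (useful because ADS is billed per server or managed instance node). The resource group, server, storage account and mailbox names are placeholders; the cmdlet and parameter names are those of the Az.Sql module as the author of this example recalls them, so confirm them with Get-Help before running in your environment.

```powershell
# Added example, not part of the original page: enable ADS on a logical server with
# Az PowerShell, verify the server-level policy, configure vulnerability assessment
# storage and recurring scans, and audit every server in the subscription.
# Cmdlet and parameter names are assumed from the Az.Sql module; resource names are
# placeholders. Prerequisites: Install-Module Az; Connect-AzAccount

$rg      = 'rg-sql-prod'      # placeholder resource group
$server  = 'sql-prod-01'      # placeholder logical server name
$storage = 'stsqlvaprod01'    # placeholder storage account for VA scan results

# Step 1: enable ADS for the server. This turns on data discovery & classification,
# vulnerability assessment and Advanced Threat Protection for every database on it.
# For a managed instance, use Enable-AzSqlInstanceAdvancedDataSecurity -InstanceName instead.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server | Out-Null

# Check that the server-level policy really is enabled before relying on it.
$policy = Get-AzSqlServerAdvancedDataSecurityPolicy -ResourceGroupName $rg -ServerName $server
if (-not $policy.IsEnabled) {
    throw "ADS is not enabled on $server"
}

# Step 3: server-level vulnerability assessment settings. Store scan results in the
# chosen storage account, scan weekly, and send the report to the server admins plus
# a security mailbox. Scan results describe weaknesses in the database configuration,
# so restrict access to the results container as you would any security log.
Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $rg -ServerName $server `
    -StorageAccountName $storage `
    -RecurringScansInterval Weekly `
    -EmailAdmins $true `
    -NotificationEmail @('secops@example.com')   # placeholder mailbox

# Audit: ADS is billed per node (server or managed instance), so list every logical
# server in the subscription and report the ones that are not yet protected.
Get-AzSqlServer | ForEach-Object {
    $p = Get-AzSqlServerAdvancedDataSecurityPolicy -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName
    [pscustomobject]@{
        Server        = $_.ServerName
        ResourceGroup = $_.ResourceGroupName
        AdsEnabled    = $p.IsEnabled
    }
} | Where-Object { -not $_.AdsEnabled } | Format-Table -AutoSize
```

Run the script with an account that holds the SQL security manager role (or one of the admin roles named above) on the target servers. The database-level override from step 4 is deliberately left to the portal here; keep it to the exceptional case described above, since per-database settings fragment the alerting and scan configuration you otherwise manage once per server.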

Next steps