Data Discovery & Classification for Azure SQL Database and Azure Synapse Analytics

Data Discovery & Classification provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling, and reporting the sensitive data in your databases.

Discovering and classifying your most sensitive data (business, financial, healthcare, personally identifiable data, and so on) can play a pivotal role in your organization's information protection posture. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements.
  • Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to, and hardening the security of, databases containing highly sensitive data.

Data Discovery & Classification is part of the Advanced Data Security (ADS) offering, a unified package of advanced SQL security capabilities. It is accessed and managed through the central SQL ADS portal.

Note

This document relates to Azure SQL Database and Azure Synapse. For simplicity, "SQL Database" is used when referring to both SQL Database and Azure Synapse. For SQL Server (on premises), see SQL Data Discovery and Classification.

What is data discovery & classification

Data Discovery & Classification introduces a set of advanced services and new SQL capabilities, forming a new SQL Information Protection paradigm aimed at protecting the data, not just the database:

  • Discovery & recommendations

    The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides an easy way to review and apply the appropriate classification recommendations via the Azure portal.

  • Labeling

    Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL engine. This metadata can then be used for advanced sensitivity-based auditing and protection scenarios.

  • Query result set sensitivity

    The sensitivity of a query's result set is calculated in real time for auditing purposes.

  • Visibility

    The database classification state can be viewed in a detailed dashboard in the portal. Additionally, you can download a report (in Excel format) for compliance and auditing purposes, as well as other needs.

Discover, classify & label sensitive columns

The following section describes the steps for discovering, classifying, and labeling columns containing sensitive data in your database, as well as viewing the current classification state of your database and exporting reports.

The classification includes two metadata attributes:

  • Labels - The main classification attribute, used to define the sensitivity level of the data stored in the column.
  • Information Types - Provide additional granularity into the type of data stored in the column.

Define and customize your classification taxonomy

Data Discovery & Classification comes with a built-in set of sensitivity labels and a built-in set of information types and discovery logic. You can customize this taxonomy and define a set and ranking of classification constructs specifically for your environment.

Definition and customization of your classification taxonomy is done in one central place for your entire Azure tenant: Azure Security Center, as part of your Security Policy. Only someone with administrative rights on the Tenant Root management group can perform this task.

As part of SQL Information Protection policy management, you can define custom labels, rank them, and associate them with a selected set of information types. You can also add your own custom information types and configure them with string patterns, which are added to the discovery logic for identifying this type of data in your databases.

Once the tenant-wide policy has been defined, you can continue with the classification of individual databases using your customized policy.

Classify your SQL Database

  1. Go to the Azure portal.

  2. Navigate to Advanced Data Security under the Security heading in your Azure SQL Database pane. Click to enable Advanced Data Security, and then click the Data Discovery & Classification card.

    (Screenshot: Scan database)

  3. The Overview tab includes a summary of the current classification state of the database, including a detailed list of all classified columns, which you can filter to view only specific schema parts, information types, and labels. If you haven't yet classified any columns, skip to step 5.

    (Screenshot: Summary of the current classification state)

  4. To download a report in Excel format, click the Export option in the top menu of the window.

  5. To begin classifying your data, click the Classification tab at the top of the window.

  6. The classification engine scans your database for columns containing potentially sensitive data and provides a list of recommended column classifications. To view and apply classification recommendations:

    • To view the list of recommended column classifications, click the recommendations panel at the bottom of the window.

    • Review the list of recommendations. To accept a recommendation for a specific column, check the checkbox in the left column of the relevant row. You can also mark all recommendations as accepted by checking the checkbox in the recommendations table header.

      (Screenshot: Review the list of recommendations)

    • To apply the selected recommendations, click the blue Accept selected recommendations button.

  7. You can also manually classify columns, as an alternative or in addition to the recommendation-based classification:

    • Click Add classification in the top menu of the window.

    • In the context window that opens, select the schema > table > column that you want to classify, and the information type and sensitivity label. Then click the blue Add classification button at the bottom of the context window.

      (Screenshot: Select a column to classify)

  8. To complete your classification and persistently label (tag) the database columns with the new classification metadata, click Save in the top menu of the window.

Auditing access to sensitive data

An important aspect of the information protection paradigm is the ability to monitor access to sensitive data. Azure SQL Database Auditing has been enhanced to include a new field in the audit log, data_sensitivity_information, which records the sensitivity classifications (labels) of the actual data returned by the query.

(Screenshot: Audit log)
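The following T-SQL is an added example, not code from the original page, showing how a practitioner would read the new field from audit files written to Azure Blob Storage with sys.fn_get_audit_file. The storage URL is a placeholder to replace with your own audit log path, and the label name "Highly Confidential" assumes the built-in default label set; both are assumptions, not values given on this page.

```sql
-- Added example (not from the original page): find who read classified data.
-- ASSUMPTION: auditing writes to blob storage and you replace the path below with
-- your own server/database audit folder (the container name sqldbauditlogs is
-- the default used by Azure SQL Database auditing).
DECLARE @AuditPath nvarchar(400) =
    N'https://<storage_account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/';

-- 1. Raw events: every audited statement whose result set carried a label.
--    data_sensitivity_information is NULL for statements that returned no
--    classified columns, so the IS NOT NULL filter isolates sensitive reads.
SELECT event_time,
       server_principal_name,
       client_ip,
       application_name,
       data_sensitivity_information,
       statement
FROM sys.fn_get_audit_file(@AuditPath, DEFAULT, DEFAULT)
WHERE data_sensitivity_information IS NOT NULL
ORDER BY event_time DESC;

-- 2. Per-principal summary: who touches sensitive data, and how often they
--    pull back the highest label. Label names appear as text inside the
--    data_sensitivity_information value, so a LIKE match on the label name
--    is enough to flag rows; "Highly Confidential" is an assumed default label.
SELECT server_principal_name,
       COUNT(*) AS sensitive_statements,
       SUM(CASE WHEN data_sensitivity_information LIKE N'%Highly Confidential%'
                THEN 1 ELSE 0 END) AS highly_confidential_statements,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@AuditPath, DEFAULT, DEFAULT)
WHERE data_sensitivity_information IS NOT NULL
GROUP BY server_principal_name
ORDER BY highly_confidential_statements DESC, sensitive_statements DESC;
```

The second query is the shape of a detection rule: a principal (for example an application identity) that suddenly starts returning "Highly Confidential" rows when it never did before is the anomalous-access scenario the page lists; run it over a time window and compare against a baseline rather than eyeballing the full log.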

Permissions

The following built-in roles can read the data classification of an Azure SQL database: Owner, Reader, Contributor, SQL Security Manager, and User Access Administrator.

The following built-in roles can modify the data classification of an Azure SQL database: Owner, Contributor, and SQL Security Manager.

Learn more about RBAC for Azure resources.

Manage classifications

Using T-SQL

You can use T-SQL to add and remove column classifications, and to retrieve all classifications for the entire database.

Note

When using T-SQL to manage labels, there is no validation that labels added to a column exist in the organizational information protection policy (the set of labels that appear in the portal recommendations). It is therefore up to you to validate this.
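As an added example (not code from the original page), the following T-SQL creates a constructed sample table, tags its columns, lists everything tagged through the sys.sensitivity_classifications catalog view, and then performs the validation the engine skips by comparing applied labels against an allowed set. The table dbo.Customers, its columns, and the allowed-label list are assumptions; the allowed list uses the built-in default label names, which you should replace with the labels defined in your tenant's SQL Information Protection policy.

```sql
-- Added example (not from the original page). Sample schema is constructed.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY PRIMARY KEY,
    FullName     nvarchar(100),
    Email        nvarchar(256),
    CreditCardNo varchar(19),
    Notes        nvarchar(max)
);

-- Persistently tag columns. LABEL and INFORMATION_TYPE are free-form strings:
-- the engine stores whatever you pass and does not check it against the policy.
ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.Email
WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info');

ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.CreditCardNo
WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Credit Card');

-- A misspelled label is accepted silently; nothing rejects it.
ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.FullName
WITH (LABEL = 'Confidentail', INFORMATION_TYPE = 'Name');

-- Retrieve every classification in the database. major_id is the table's
-- object_id and minor_id is the column_id, so join to sys.columns on both.
SELECT s.name  AS schema_name,
       o.name  AS table_name,
       c.name  AS column_name,
       sc.label,
       sc.label_id,
       sc.information_type,
       sc.information_type_id
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o ON o.object_id = sc.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
JOIN sys.columns AS c ON c.object_id = sc.major_id
                     AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;

-- The validation the engine does not do for you: compare applied labels with
-- the label names your policy allows. ASSUMPTION: the built-in default label
-- names are used here; substitute the labels from your tenant's policy.
DECLARE @AllowedLabels TABLE (label nvarchar(128) PRIMARY KEY);
INSERT INTO @AllowedLabels (label) VALUES
    (N'Public'),
    (N'General'),
    (N'Confidential'),
    (N'Confidential - GDPR'),
    (N'Highly Confidential'),
    (N'Highly Confidential - GDPR');

-- Any row returned here is a column tagged with a label the policy does not know.
SELECT OBJECT_SCHEMA_NAME(sc.major_id)    AS schema_name,
       OBJECT_NAME(sc.major_id)           AS table_name,
       COL_NAME(sc.major_id, sc.minor_id) AS column_name,
       sc.label                           AS unrecognized_label
FROM sys.sensitivity_classifications AS sc
WHERE sc.label NOT IN (SELECT label FROM @AllowedLabels);

-- Correct a bad tag by dropping it and re-adding it with a valid label.
DROP SENSITIVITY CLASSIFICATION FROM dbo.Customers.FullName;

ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.FullName
WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Name');
```

Running the validation query as part of a deployment pipeline or a scheduled check catches drift between what T-SQL scripts tagged and what the portal, reports, and the audit log's data_sensitivity_information field will recognize as a policy label.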

Using the REST API

You can use the REST API to programmatically manage classifications and recommendations. The published REST API supports the following operations:

Using PowerShell cmdlets

You can use PowerShell to manage classifications and recommendations for Azure SQL Database and Managed Instance.

PowerShell cmdlets for Azure SQL Database

PowerShell cmdlets for Managed Instance

Next steps