Azure SQL 数据库安全功能概述An overview of Azure SQL Database security capabilities

本文概述了使用 Azure SQL 数据库保护应用程序数据层的基础知识。This article outlines the basics of securing the data tier of an application using Azure SQL Database. 所述的安全策略遵循如下图所示的分层深度防御方法,并从外向内移动:The security strategy described follows the layered defense-in-depth approach as shown in the picture below, and moves from the outside in:

sql-security-layer.png

网络安全性Network security

Azure SQL 数据库为云和企业应用程序提供关系数据库服务。Azure SQL Database provides a relational database service for cloud and enterprise applications. 为了帮助保护客户数据,防火墙会阻止对数据库服务器的网络访问,直到根据 IP 地址或 Azure 虚拟网络流量源显式授予访问权限。To help protect customer data, firewalls prevent network access to the database server until access is explicitly granted based on IP address or Azure Virtual network traffic origin.

IP 防火墙规则IP firewall rules

IP 防火墙规则基于每个请求的起始 IP 地址授予对数据库的访问权限。IP firewall rules grant access to databases based on the originating IP address of each request. 有关详细信息,请参阅 Azure SQL 数据库和 SQL 数据仓库防火墙规则概述For more information, see Overview of Azure SQL Database and SQL Data Warehouse firewall rules.

虚拟网络防火墙规则Virtual network firewall rules

虚拟网络服务终结点将虚拟网络连接扩展到 Azure 主干网,并使 Azure SQL 数据库能够识别作为流量来源的虚拟网络子网。Virtual network service endpoints extend your virtual network connectivity over the Azure backbone and enable Azure SQL Database to identify the virtual network subnet that traffic originates from. 若要允许流量到达 Azure SQL 数据库,请使用 SQL 服务标记,以允许出站流量通过网络安全组。To allow traffic to reach Azure SQL Database, use the SQL service tags to allow outbound traffic through Network Security Groups.

虚拟网络规则使 Azure SQL 数据库仅接受从虚拟网络中的所选子网发送的通信。Virtual network rules enable Azure SQL Database to only accept communications that are sent from selected subnets inside a virtual network.

访问管理Access management

Important

管理 Azure 中的数据库和数据库服务器由门户用户帐户的角色分配控制。Managing databases and database servers within Azure is controlled by your portal user account's role assignments. 有关本文的详细信息,请参阅 Azure 门户中基于角色的访问控制For more information on this article, see Role-based access control in Azure portal.

身份验证Authentication

身份验证是证明用户所声明身份的过程。Authentication is the process of proving the user is who they claim to be. Azure SQL 数据库支持两种类型的身份验证:Azure SQL Database supports two types of authentication:

  • SQL 身份验证SQL authentication:

    SQL 数据库身份验证是指使用用户名和密码连接到 Azure SQL 数据库时对用户进行的身份验证。SQL database authentication refers to the authentication of a user when connecting to Azure SQL Database using username and password. 在为数据库创建数据库服务器期间,必须指定具有用户名和密码的“服务器管理员”登录。During the database server creation for the database, a "Server admin" login with a username and password must be specified. 借助这些凭据,“服务器管理员”可以使用数据库所有者的身份通过数据库服务器上任何数据库的身份验证。Using these credentials, a "server admin" can authenticate to any database on that database server as the database owner. 之后,服务器管理员可以创建额外的 SQL 登录和用户,以允许用户使用用户名和密码进行连接。After that, additional SQL logins and users can be created by the server admin, which enable users to connect using username and password.

  • Azure Active Directory 身份验证Azure Active Directory authentication:

    Azure Active Directory 身份验证是使用 Azure Active Directory (Azure AD) 中的标识连接到 Azure SQL 数据库SQL 数据仓库的一种机制。Azure Active Directory authentication is a mechanism of connecting to Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). 使用 Azure AD 身份验证,管理员可在一个中心位置集中管理数据库用户以及其他 Azure 服务的标识和权限。Azure AD authentication allows administrators to centrally manage the identities and permissions of database users along with other Azure services in one central location. 这包括最小化密码存储并启用集中式密码轮换策略。This includes the minimization of password storage and enables centralized password rotation policies.

    必须创建一个名为“Active Directory 管理员”的服务器管理员,以便在 SQL 数据库中使用 Azure AD 身份验证。A server admin called the Active Directory administrator must be created to use Azure AD authentication with SQL Database. 有关详细信息,请参阅使用 Azure Active Directory 身份验证连接到 SQL 数据库For more information, see Connecting to SQL Database By Using Azure Active Directory Authentication. Azure AD 身份验证同时支持托管帐户和联合帐户。Azure AD authentication supports both managed and federated accounts. 联合帐户支持与 Azure AD 联合的客户域的 Windows 用户和组。The federated accounts support Windows users and groups for a customer domain federated with Azure AD.

    其他可用的 Azure AD 身份验证选项包括适用于 SQL Server Management Studio 的 Active Directory 通用身份验证连接,例如多重身份验证Additional Azure AD authentication options available are Active Directory Universal Authentication for SQL Server Management Studio connections including Multi-Factor Authentication.

授权Authorization

授权是指在 Azure SQL 数据库中分配给用户的权限,并决定允许用户执行的操作。Authorization refers to the permissions assigned to a user within an Azure SQL Database, and determines what the user is allowed to do. 权限控制通过将用户帐户添加到数据库角色并向这些角色分配数据库级权限来实现,也可以通过授予用户特定的对象级权限来实现。Permissions are controlled by adding user accounts to database roles and assigning database-level permissions to those roles or by granting the user certain object-level permissions. 有关详细信息,请参阅登录和用户For more information, see Logins and users

最佳做法是根据需要创建自定义角色。As a best practice, create custom roles when needed. 将用户添加到具有完成其作业功能所需的最低权限的角色中。Add users to the role with the least privileges required to do their job function. 请勿直接将权限分配给用户。Do not assign permissions directly to users. 服务器管理员帐户是内置的 db_owner 角色的成员,该角色具有广泛权限,只应将其授予部分具有管理职责的用户。The server admin account is a member of the built-in db_owner role, which has extensive permissions and should only be granted to few users with administrative duties. 对于 Azure SQL 数据库应用程序,请使用 EXECUTE AS 来指定被调用模块的执行上下文,或者使用权限受限的应用程序角色For Azure SQL Database applications, use the EXECUTE AS to specify the execution context of the called module or use Application Roles with limited permissions. 此做法可确保连接到数据库的应用程序具有应用程序所需的最低权限。This practice ensures that the application that connects to the database has the least privileges needed by the application. 按这些最佳做法操作也有助于职责分离。Following these best practices also fosters separation of duties.

行级别安全性Row-level security

行级别安全性使客户能够根据执行查询的用户特征(例如,按组成员身份或执行上下文),控制对数据库表中的行的访问。Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query (for example, group membership or execution context). 行级别安全性也可用于实现基于自定义标签的安全概念。Row-Level Security can also be used to implement custom Label-based security concepts. 有关详细信息,请参阅行级别安全性For more information, see Row-Level security.

azure-database-rls.png

威胁防护Threat protection

SQL 数据库通过提供审核和威胁检测功能来保护客户数据。SQL Database secures customer data by providing auditing and threat detection capabilities.

审核Auditing

SQL 数据库审核可跟踪数据库活动,通过将数据库事件记录到客户所有的 Azure 存储帐户中的审核日志,帮助用户保持符合安全标准。SQL Database auditing tracks database activities and helps to maintain compliance with security standards by recording database events to an audit log in a customer-owned Azure storage account. 用户可以通过审核监视正在进行的数据库活动,以及分析和调查历史活动,以标识潜在威胁或可疑的滥用行为和安全违规。Auditing allows users to monitor ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations. 有关详细信息,请参阅 SQL 数据库审核入门For more information, see Get started with SQL Database Auditing.

高级威胁防护Advanced Threat Protection

高级威胁防护通过对你的 SQL Server 日志进行分析来检测异常行为和对数据库的潜在恶意访问或利用。Advanced Threat Protection is analyzing your SQL Server logs to detect unusual behavior and potentially harmful attempts to access or exploit databases. 针对可疑活动(例如 SQL注入、潜在的数据渗透和暴力攻击)或访问模式中的异常情况创建警报,以捕获特权提升和违规的凭据使用。Alerts are created for suspicious activities such as SQL injection, potential data infiltration, and brute force attacks or for anomalies in access patterns to catch privilege escalations and breached credentials use. 可以从 Azure 安全中心查看警报,其中提供了可疑活动的详细信息,并给出了进一步调查建议以及缓解威胁的措施。Alerts are viewed from the Azure Security Center, where the details of the suspicious activities are provided and recommendations for further investigation given along with actions to mitigate the threat. 可以为每台服务器启用高级威胁防护,但需要额外付费。Advanced Threat Protection can be enabled per server for an additional fee. 有关详细信息,请参阅 SQL 数据库高级威胁防护入门For more information, see Get started with SQL Database Advanced Threat Protection.

azure-database-td.jpg

信息保护和加密Information protection and encryption

传输层安全性 TLS(传输中加密)Transport Layer Security TLS (Encryption-in-transit)

SQL 数据库通过使用传输层安全加密动态数据来保护客户数据。SQL Database secures customer data by encrypting data in motion with Transport Layer Security.

SQL Server 始终对所有连接强制要求加密 (SSL/TLS)。Sql Server enforces encryption (SSL/TLS) at all times for all connections. 这样可以确保在客户端与服务器之间传输的所有数据经过加密,而不管连接字符串中的 EncryptTrustServerCertificate 设置如何。This ensures all data is encrypted "in transit" between the client and server irrespective of the setting of Encrypt or TrustServerCertificate in the connection string.

作为最佳做法,我们建议在应用程序的连接字符串中指定加密的连接,而不要信任服务器证书。__As a best practice, recommend that in your application's connection string you specify an encrypted connection and not trust the server certificate. 这会强制应用程序验证服务器证书,因此可以防止中间人攻击利用应用程序的漏洞。This forces the your application to verify the server certificate and thus prevents your application from being vulnerable to man in the middle type attacks .

例如,使用 ADO.NET 驱动程序时,可以通过 Encrypt=TrueTrustServerCertificate=False 实现此目的。如果从 Azure 门户获取连接字符串,其中会包含正确的设置。For example when using the ADO.NET driver this is accomplished via Encrypt=True and TrustServerCertificate=False.If you obtain your connection string from the Azure portal, it will have the correct settings.

Important

请注意,某些非 Azure 驱动程序默认可能不使用 TLS,或者依赖于旧版 TLS (<1.2) 来正常运行。Note that some non-Azure drivers may not use TLS by default or rely on an older version of TLS (<1.2) in order to function. 在这种情况下,SQL Server 仍允许连接到数据库。In this case SQL Server still allows you to connect to your database. 但是,我们建议评估允许此类驱动程序和应用程序连接到 SQL 数据库所带来的安全风险,尤其是存储敏感数据时。However, we recommend that you evaluate the security risks of allowing such drivers and application to connect to SQL Database, especially if you store sensitive data.

有关 TLS 和连接的更多信息,请参阅 TLS 注意事项For further information about TLS and connectivity, see TLS considerations

透明数据加密(静态加密)Transparent Data Encryption (Encryption-at-rest)

Azure SQL 数据库的透明数据加密 (TDE) 进一步加强了安全性,帮助保护静态数据不受未经授权或脱机访问原始文件或备份的影响。Transparent Data Encryption (TDE) for Azure SQL Database adds a layer of security to help protect data at rest from unauthorized or offline access to raw files or backups. 常见方案包括数据中心被盗或对硬件或媒体(如磁盘驱动器和备份磁带)的不安全处置。Common scenarios include datacenter theft or unsecured disposal of hardware or media such as disk drives and backup tapes. TDE 使用 AES 加密算法加密整个数据库,无需应用程序开发人员对现有应用程序进行任何更改。 TDE encrypts the entire database using an AES encryption algorithm, which doesn’t require application developers to make any changes to existing applications.

在 Azure 中,所有新创建的 SQL 数据库都默认处于加密状态,且数据库加密密钥通过一个内置的服务器证书保护。In Azure, all newly created SQL databases are encrypted by default and the database encryption key is protected by a built-in server certificate. 证书维护和轮换由服务管理,无需用户输入。Certificate maintenance and rotation are managed by the service and requires no input from the user. 喜欢控制加密密钥的客户可以管理 Azure Key Vault 中的密钥。Customers who prefer to take control of the encryption keys can manage the keys in Azure Key Vault.

使用 Azure Key Vault 的密钥管理Key management with Azure Key Vault

创建自己的密钥 (BYOK) 支持 透明数据加密 (TDE),允许客户使用  Azure Key Vault(Azure 基于云的外部密钥管理系统)来获得密钥管理和轮换的所有权。Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) allows customers to take ownership of key management and rotation using Azure Key Vault, Azure’s cloud-based external key management system. 如果撤销了数据库对密钥保管库的访问权限,则无法解密数据库和将其读入内存。If the database's access to the key vault is revoked, a database cannot be decrypted and read into memory. Azure Key Vault 提供集中密钥管理平台,利用严格监控的硬件安全模块 (HSM),并可在密钥与数据管理之间实现职责分离,以帮助满足安全合规性要求。Azure Key Vault provides a central key management platform, leverages tightly monitored hardware security modules (HSMs), and enables separation of duties between management of keys and data to help meet security compliance requirements.

Always Encrypted(使用中加密)Always Encrypted (Encryption-in-use)

azure-database-ae.png

Always Encrypted 功能旨在保护特定数据库列中存储的敏感数据不被访问(如信用卡号或、国民身份证号或视需要而定的数据)。Always Encrypted is a feature designed to protect sensitive data stored in specific database columns from access (for example, credit card numbers, national identification numbers, or data on a need to know basis). 这包括数据库管理员或其他特权用户,他们被授权访问数据库以执行管理任务,但不需要访问加密列中的特定数据。This includes database administrators or other privileged users who are authorized to access the database to perform management tasks, but have no business need to access the particular data in the encrypted columns. 数据始终处于加密状态,这意味着加密数据只在有权访问加密密钥的客户端应用程序需要处理数据时才解密。The data is always encrypted, which means the encrypted data is decrypted only for processing by client applications with access to the encryption key. 加密密钥从不暴露给 SQL,而且可以存储在 Windows 证书存储区Azure Key Vault 中。The encryption key is never exposed to SQL and can be stored either in the Windows Certificate Store or in Azure Key Vault.

掩码Masking

azure-database-ddm.png

动态数据屏蔽Dynamic data masking

SQL 数据库动态数据掩码通过对非特权用户模糊化敏感数据来限制此类数据的泄露。SQL Database dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 动态数据掩码可自动发现 Azure SQL 数据库中潜在的敏感数据,提供可行的建议来掩码这些字段,对应用程序层造成的影响可忽略不计。Dynamic data masking automatically discovers potentially sensitive data in Azure SQL Database and provides actionable recommendations to mask these fields, with minimal impact on the application layer. 它的工作原理是在针对指定的数据库字段运行查询后返回的结果集中隐藏敏感数据,同时保持数据库中的数据不变。It works by obfuscating the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. 有关详细信息,请参阅 SQL 数据库动态数据掩码入门For more information, see Get started with SQL Database dynamic data masking.

静态数据掩码Static data masking

静态数据掩码是一款客户端工具,在 SQL Server Management Studio 18.0 预览版 5 和更高版本中可用。Static Data Masking is a client-side tool available in SQL Server Management Studio 18.0 preview 5 and higher. 用户可通过静态数据掩码创建数据库副本,其中选定列中的数据已被永久屏蔽。Static Data Masking allows users to create a copy of a database where the data in selected columns has been permanently masked. 可用的掩码函数包括 NULL 掩码、单值掩码、shuffle 和组 shuffle 掩码,以及字符串复合掩码。The masking functions available include NULL masking, single value masking, shuffle and group shuffle masking, and string composite masking. 使用数据库的掩码副本,组织可以通过共享掩码副本来分离生产环境和测试环境。With the masked copy of the database, organizations are able to separate production and test environments by sharing the masked copy. 敏感数据得到充分保护,并保留了所有其他数据库特征。The sensitive data is sufficiently protected and all other database characteristics have been maintained. 如果需要第三方访问数据库,建议使用掩码数据库。Masking databases is recommended where third-party access to databases is required.

安全管理Security management

漏洞评估Vulnerability assessment

漏洞评估是一项易于配置的服务,可以发现、跟踪和帮助修正潜在的数据库漏洞,旨在主动提高整体数据库安全性。Vulnerability assessment is an easy to configure service that can discover, track, and help remediate potential database vulnerabilities with the goal to proactively improve overall database security. 漏洞评估 (VA) 是高级数据安全 (ADS) 产品/服务(它是高级 SQL 安全功能的一个统一包)的一部分。Vulnerability assessment (VA) is part of the advanced data security (ADS) offering, which is a unified package for advanced SQL security capabilities. 可通过中心 SQL ADS 门户访问和管理漏洞评估。Vulnerability assessment can be accessed and managed via the central SQL ADS portal.

数据发现和分类Data discovery & classification

数据发现和分类(当前为预览版)提供了内置于 Azure SQL 数据库的高级功能,可用于发现、分类、标记和保护数据库中的敏感数据。Data discovery & classification (currently in preview) provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling, and protecting the sensitive data in your databases. 发现最敏感的数据(业务/财务、医疗保健、个人数据等)并进行分类,可在组织的信息保护方面发挥关键作用。Discovering and classifying your utmost sensitive data (business/financial, healthcare, personal data, etc.) can play a pivotal role in your organizational Information protection stature. 它可以作为基础结构,用于:It can serve as infrastructure for:

  • 各种安全方案,如监视(审核)并在敏感数据存在异常访问时发出警报。Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • 控制对包含高度敏感数据的数据库的访问并增强其安全性。Controlling access to, and hardening the security of, databases containing highly sensitive data.
  • 帮助满足数据隐私标准和法规符合性要求。Helping meet data privacy standards and regulatory compliance requirements.

有关详细信息,请参阅数据发现和分类入门For more information, see Get started with data discovery & classification.

合规性Compliance

除了上述有助于应用程序符合各项安全要求的特性和功能以外,Azure SQL 数据库还定期参与审核,并已通过许多法规标准的认证。In addition to the above features and functionality that can help your application meet various security requirements, Azure SQL Database also participates in regular audits, and has been certified against a number of compliance standards. 有关详细信息,请参阅 Azure 信任中心,可以从中找到 SQL 数据库合规认证的最新列表。For more information, see the Azure Trust Center where you can find the most current list of SQL Database compliance certifications.

后续步骤Next steps