【Azure安全】Azure中的端到端安全

语言 Chinese, Simplified

SEO Title

End-to-end security in Azure

Microsoft安全服务图

安全服务映射按它们保护的资源组织服务（列）。该图还将服务分为以下类别（行）：

安全和保护-允许您在身份、主机、网络和数据之间实施分层、深入防御策略的服务。此安全服务和功能集合提供了一种了解和改进您在Azure环境中的安全态势的方法。
检测威胁——识别可疑活动并促进减轻威胁的服务。
调查和响应——提取日志数据的服务，以便您评估可疑活动并做出响应。

显示Azure中端到端安全服务的图表。

安全控制和基线

Microsoft云安全基准包括一系列高影响力的安全建议，可用于帮助保护您在Azure中使用的服务：

安全控制-这些建议通常适用于您的Azure租户和Azure服务。每项建议都确定了通常参与基准规划、批准或实施的利益相关者名单。
服务基线-这些将控制应用于单个Azure服务，以提供有关该服务安全配置的建议。

安全和保护

Service	Description
Microsoft Defender for Cloud	A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
Identity & Access Management
Microsoft Entra ID	Microsoft’s cloud-based identity and access management service.
	Conditional Access is the tool used by Microsoft Entra ID to bring identity signals together, to make decisions, and enforce organizational policies.
	Domain Services is the tool used by Microsoft Entra ID to provide managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.
	Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization.
	Multi-factor authentication is the tool used by Microsoft Entra ID to help safeguard access to data and applications by requiring a second form of authentication.
Microsoft Entra ID Protection	A tool that allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis.
Infrastructure & Network
VPN Gateway	A virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet and to send encrypted traffic between Azure virtual networks over the Microsoft network.
Azure DDoS Protection	Provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network.
Azure Front Door	A global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.
Azure Firewall	A cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall is offered in three SKUs: Standard, Premium, and Basic.
Azure Key Vault	A secure secrets store for tokens, passwords, certificates, API keys, and other secrets. Key Vault can also be used to create and control the encryption keys used to encrypt your data.
Key Vault Managed HSM	A fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.
Azure Private Link	Enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.
Azure Application Gateway	An advanced web traffic load balancer that enables you to manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.
Azure Service Bus	A fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other.
Web Application Firewall	Provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway and Azure Front Door.
Azure Policy	Helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Data & Application
Azure Backup	Provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud.
Azure Storage Service Encryption	Automatically encrypts data before it is stored and automatically decrypts the data when you retrieve it.
Azure Information Protection	A cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content.
API Management	A way to create consistent and modern API gateways for existing back-end services.
Azure confidential computing	Allows you to isolate your sensitive data while it's being processed in the cloud.
Azure DevOps	Your development projects benefit from multiple layers of security and governance technologies, operational practices, and compliance policies when stored in Azure DevOps.
Customer Access
Microsoft Entra External ID	With External Identities in Microsoft Entra ID, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer.
	You can share your apps and resources with external users via Microsoft Entra B2B collaboration.
	Azure AD B2C lets you support millions of users and billions of authentications per day, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks.

Detect threats

Service	Description
Microsoft Defender for Cloud	Brings advanced, intelligent, protection of your Azure and hybrid resources and workloads. The workload protection dashboard in Defender for Cloud provides visibility and control of the cloud workload protection features for your environment.
Microsoft Sentinel	A scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Identity & Access Management
Microsoft Defender XDR	A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
	Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
	Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Entra ID Protection	Sends two types of automated notification emails to help you manage user risk and risk detections: Users at risk detected email and Weekly digest email.
Infrastructure & Network
Azure Firewall	Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
Microsoft Defender for IoT	A unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations.
Azure Network Watcher	Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS products which includes virtual machines, virtual networks, application gateways, and load balancers.
Azure Policy	Helps to enforce organizational standards and to assess compliance at-scale. Azure Policy uses activity logs, which are automatically enabled to include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Data & Application
Microsoft Defender for Containers	A cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.
Microsoft Defender for Cloud Apps	A cloud access security broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

Investigate and respond

Service	Description
Microsoft Sentinel	Powerful search and query tools to hunt for security threats across your organization's data sources.
Azure Monitor logs and metrics	Delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor collects and aggregates data from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting.
Identity & Access Management
Azure AD reports and monitoring	Microsoft Entra reports provide a comprehensive view of activity in your environment.
	Microsoft Entra monitoring lets you route your Microsoft Entra activity logs to different endpoints.
Microsoft Entra PIM audit history	Shows all role assignments and activations within the past 30 days for all privileged roles.
Data & Application
Microsoft Defender for Cloud Apps	Provides tools to gain a deeper understanding of what's happening in your cloud environment.