One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.
The following diagram and documentation introduce you to the security services in Azure. These security services help you meet the security needs of your business and protect your users, devices, resources, data, and applications in the cloud.
Microsoft security services map
The security services map organizes services by the resources they protect (column). The diagram also groups services into the following categories (row):
- Secure and protect - Services that let you implement a layered, defense-in-depth strategy across identity, hosts, networks, and data. This collection of security services and capabilities provides a way to understand and improve your security posture across your Azure environment.
- Detect threats - Services that identify suspicious activities and facilitate mitigating the threat.
- Investigate and respond - Services that pull logging data so you can assess a suspicious activity and respond.
Diagram showing end-to-end security services in Azure.
Security controls and baselines
The Microsoft cloud security benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:
- Security controls - These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark.
- Service baselines - These apply the controls to individual Azure services to provide recommendations on that service's security configuration.
Secure and protect
| Service | Description |
|---|---|
| Microsoft Defender for Cloud | A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. |
| Identity & Access Management | |
| Microsoft Entra ID | Microsoft's cloud-based identity and access management service. |
| | Conditional Access is the tool used by Microsoft Entra ID to bring identity signals together, to make decisions, and enforce organizational policies. |
| | Domain Services is the tool used by Microsoft Entra ID to provide managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. |
| | Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. |
| | Multi-factor authentication is the tool used by Microsoft Entra ID to help safeguard access to data and applications by requiring a second form of authentication. |
| Microsoft Entra ID Protection | A tool that allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. |
| Infrastructure & Network | |
| VPN Gateway | A virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet and to send encrypted traffic between Azure virtual networks over the Microsoft network. |
| Azure DDoS Protection | Provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. |
| Azure Front Door | A global, scalable entry point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. |
| Azure Firewall | A cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall is offered in three SKUs: Standard, Premium, and Basic. |
| Azure Key Vault | A secure secrets store for tokens, passwords, certificates, API keys, and other secrets. Key Vault can also be used to create and control the encryption keys used to encrypt your data. |
| Key Vault Managed HSM | A fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. |
| Azure Private Link | Enables you to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network. |
| Azure Application Gateway | An advanced web traffic load balancer that enables you to manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. |
| Azure Service Bus | A fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other. |
| Web Application Firewall | Provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway and Azure Front Door. |
| Azure Policy | Helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. |
| Data & Application | |
| Azure Backup | Provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud. |
| Azure Storage Service Encryption | Automatically encrypts data before it is stored and automatically decrypts the data when you retrieve it. |
| Azure Information Protection | A cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. |
| API Management | A way to create consistent and modern API gateways for existing back-end services. |
| Azure confidential computing | Allows you to isolate your sensitive data while it's being processed in the cloud. |
| Azure DevOps | Your development projects benefit from multiple layers of security and governance technologies, operational practices, and compliance policies when stored in Azure DevOps. |
| Customer Access | |
| Microsoft Entra External ID | With External Identities in Microsoft Entra ID, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. |
| | You can share your apps and resources with external users via Microsoft Entra B2B collaboration. |
| | Azure AD B2C lets you support millions of users and billions of authentications per day, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks. |
Detect threats
| Service | Description |
|---|---|
| Microsoft Defender for Cloud | Brings advanced, intelligent protection of your Azure and hybrid resources and workloads. The workload protection dashboard in Defender for Cloud provides visibility and control of the cloud workload protection features for your environment. |
| Microsoft Sentinel | A scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. |
| Identity & Access Management | |
| Microsoft Defender XDR | A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |
| | Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. |
| | Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. |
| Microsoft Entra ID Protection | Sends two types of automated notification emails to help you manage user risk and risk detections: the "Users at risk detected" email and the weekly digest email. |
| Infrastructure & Network | |
| Azure Firewall | Azure Firewall Premium provides a signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. |
| Microsoft Defender for IoT | A unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations. |
| Azure Network Watcher | Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS products, which includes virtual machines, virtual networks, application gateways, and load balancers. |
| Azure Policy | Helps to enforce organizational standards and to assess compliance at scale. Azure Policy uses activity logs, which are automatically enabled to include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. |
| Data & Application | |
| Microsoft Defender for Containers | A cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. |
| Microsoft Defender for Cloud Apps | A cloud access security broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. |
Investigate and respond
| Service | Description |
|---|---|
| Microsoft Sentinel | Powerful search and query tools to hunt for security threats across your organization's data sources. |
| Azure Monitor logs and metrics | Delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor collects and aggregates data from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. |
| Identity & Access Management | |
| Azure AD reports and monitoring | Microsoft Entra reports provide a comprehensive view of activity in your environment. |
| | Microsoft Entra monitoring lets you route your Microsoft Entra activity logs to different endpoints. |
| Microsoft Entra PIM audit history | Shows all role assignments and activations within the past 30 days for all privileged roles. |
| Data & Application | |
| Microsoft Defender for Cloud Apps | Provides tools to gain a deeper understanding of what's happening in your cloud environment. |
Next steps
- Understand your shared responsibility in the cloud.
- Understand the isolation choices in the Azure cloud against both malicious and non-malicious users.
Published
Friday, July 26, 2024 - 19:16
Last modified
Friday, July 26, 2024 - 19:16