
Deployment Acceleration sample policy statements

Individual cloud policy statements are guidelines for addressing specific risks identified during your risk assessment process. These statements should provide a concise summary of risks and plans to deal with them. Each statement definition should include these pieces of information:

  • Technical risk: A summary of the risk this policy will address.
  • Policy statement: A clear summary explanation of the policy requirements.
  • Design options: Actionable recommendations, specifications, or other guidance that IT teams and developers can use when implementing the policy.

The following sample policy statements address common configuration-related business risks. These statements are examples you can reference when drafting policy statements to address your organization's needs. These examples are not meant to be prescriptive, and there are potentially several policy options for dealing with each identified risk. Work closely with business and IT teams to identify the best policies for your unique set of risks.

Reliance on manual deployment or configuration of systems

Technical risk: Relying on human intervention during deployment or configuration increases the likelihood of human error and reduces the repeatability and predictability of system deployments and configuration. It also typically leads to slower deployment of system resources.

Policy statement: All assets deployed to the cloud should be deployed using templates or automation scripts whenever possible.

Potential design options: Azure Resource Manager templates let you treat infrastructure as code when deploying your resources to Azure. You could also use Terraform as a consistent on-premises and cloud-based deployment tool.

Lack of visibility into system issues

Technical risk: Insufficient monitoring and diagnostics for business systems prevent operations personnel from identifying and remediating issues before a system outage occurs, and can significantly increase the time needed to properly resolve an outage.

Policy statement: The following policies will be implemented:

  • Key metrics and diagnostic measures will be identified for all production systems and components, and monitoring and diagnostic tools will be applied to these systems and monitored regularly by operations personnel.
  • Operations will consider using monitoring and diagnostic tools in nonproduction environments such as staging and QA to identify system issues before they occur in the production environment.

Potential design options: Azure Monitor, including Log Analytics and Application Insights, provides tools for collecting and analyzing telemetry to help you understand how your applications are performing and proactively identify issues affecting them and the resources they depend on. Additionally, the Azure activity log reports all changes made at the platform level and should be monitored and audited for noncompliant changes.
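The two design options above (deploy only through templates or automation, and audit the activity log for noncompliant changes) meet in one concrete check: every completed write or delete recorded in the activity log should come from the identity your deployment pipeline uses. The following is an added example, not code from the Azure documentation; the pipeline identity and the sample events are constructed, and the field subset mirrors the activity log event shape (caller, operationName, resourceId, status).

```python
"""Flag Azure activity log changes that bypassed the approved deployment identity.
Added example; the pipeline principal and the events below are constructed."""

# Assumption (hypothetical): the identity the IaC pipeline deploys with.
APPROVED_AUTOMATION_CALLERS = {"iac-pipeline-sp@example.com"}

# Constructed sample events, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"caller": "iac-pipeline-sp@example.com",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Resources/deployments/app-v3",
     "status": {"value": "Succeeded"}},
    # The same operation is logged twice (Started, then Succeeded); count it once.
    {"caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-hotfix",
     "status": {"value": "Started"}},
    {"caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-hotfix",
     "status": {"value": "Succeeded"}},
    {"caller": "bob@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
     "status": {"value": "Succeeded"}},
    # Reads are not configuration changes and are ignored.
    {"caller": "bob@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/read"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
     "status": {"value": "Succeeded"}},
]

CHANGE_SUFFIXES = ("/write", "/delete")


def is_completed_change(event):
    """True for a create/update/delete that actually finished."""
    op = event["operationName"]["value"].lower()
    return op.endswith(CHANGE_SUFFIXES) and event["status"]["value"] == "Succeeded"


def find_noncompliant_changes(events, approved_callers=APPROVED_AUTOMATION_CALLERS):
    """Return (caller, operation, resourceId) for every completed change made by
    an identity outside the approved automation set, i.e. a manual deployment."""
    approved = {c.lower() for c in approved_callers}
    return [(e["caller"], e["operationName"]["value"], e["resourceId"])
            for e in events
            if is_completed_change(e) and e["caller"].lower() not in approved]


def summarize_by_caller(findings):
    """Count noncompliant changes per identity for the monthly review."""
    counts = {}
    for caller, _, _ in findings:
        counts[caller] = counts.get(caller, 0) + 1
    return counts
```

Feed it the events exported from the activity log for the review period; anything it returns is a change that was not made through the sanctioned pipeline and should be explained or brought back under templates.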

Configuration security reviews

Technical risk: Over time, new security threats or concerns can increase the risk of unauthorized access to secure resources.

Policy statement: Cloud governance processes must include a monthly review with configuration management teams to identify malicious actors or usage patterns that should be prevented by cloud asset configuration.

Potential design options: Establish a monthly security review meeting that includes both governance team members and the IT staff responsible for configuring cloud applications and resources. Review existing security data and metrics to identify gaps in current Deployment Acceleration policy and tooling, and update policy to remediate any new risks.

Next steps

Use the samples in this article as a starting point to develop policies that address specific business risks and align with your cloud adoption plans.

To begin developing your own custom Identity Baseline policy statements, download the Identity Baseline discipline template.

To accelerate adoption of this discipline, choose the actionable governance guide that most closely aligns with your environment. Then modify the design to incorporate your specific corporate policy decisions.

Building on risks and tolerance, establish a process for governing and communicating Deployment Acceleration policy adherence.