您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

标识基线规范中的动机和业务风险Motivations and business risks in the Identity Baseline discipline

本文讨论客户通常在云治理策略中采用标识基线规则的原因。This article discusses the reasons that customers typically adopt an Identity Baseline discipline within a cloud governance strategy. 此外,它还提供了驱动策略声明的业务风险的几个示例。It also provides a few examples of business risks that drive policy statements.

相关性Relevance

传统的本地目录旨在允许企业严格控制其内部网络和数据中心内的用户、组和角色的权限和策略。Traditional on-premises directories are designed to allow businesses to strictly control permissions and policies for users, groups, and roles within their internal networks and datacenters. 这些目录通常支持单租户实现,仅适用于本地环境中的服务。These directories typically support single-tenant implementations, with services applicable only within the on-premises environment.

云标识服务将组织的身份验证和访问控制功能扩展到 internet。Cloud identity services expand an organization's authentication and access control capabilities to the internet. 它们支持多租户,并可用于跨云应用程序和部署管理用户和访问策略。They support multitenancy and can be used to manage users and access policy across cloud applications and deployments. 公有云平台具有支持管理和部署任务的云本机标识服务,并且能够与现有的本地标识解决方案进行 不同级别的集成Public cloud platforms have cloud-native identity services supporting management and deployment tasks and are capable of varying levels of integration with your existing on-premises identity solutions. 所有这些功能都可能导致云标识策略比传统的本地解决方案的要求更复杂。All of these features can result in cloud identity policy being more complicated than your traditional on-premises solutions require.

标识基线规则对于云部署的重要程度取决于团队大小,并且将基于云的标识解决方案与已有本地标识服务集成的需求。The importance of the Identity Baseline discipline to your cloud deployment will depend on the size of your team and need to integrate your cloud-based identity solution with an existing on-premises identity service. 初始测试部署可能不需要太多的用户组织或管理,但随着云资产的完善,可能会需要支持更为复杂的组织集成和集中管理。Initial test deployments may not require much in the way of user organization or management, but as your cloud estate matures, you will likely need to support more complicated organizational integration and centralized management.

业务风险Business risk

标识基线规则可尝试解决与标识服务和访问控制相关的核心业务风险。The Identity Baseline discipline attempts to address core business risks related to identity services and access control. 与企业合作来确定这些风险,并在规划和实现云部署时监视每个风险的相关性。Work with your business to identify these risks and monitor each of them for relevance as you plan for and implement your cloud deployments.

组织之间的风险将有所不同,但以下内容将充当与身份相关的常见风险,你可以将其用作云管理团队中的讨论起点:Risks will differ between organization, but the following serve as common identity-related risks that you can use as a starting point for discussions within your cloud governance team:

  • 未经授权的访问。Unauthorized access. 如果敏感数据和资源可被未经授权的用户访问,可能会导致数据泄露或服务中断,同时违反组织的安全外围,并有可能承担业务或法律责任。Sensitive data and resources that can be accessed by unauthorized users can lead to data leaks or service disruptions, violating your organization's security perimeter and risking business or legal liabilities.
  • 由于多个标识解决方案,导致效率低下。Inefficiency due to multiple identity solutions. 具有多个标识服务租户的组织可能需要多个用户帐户。Organizations with multiple identity services tenants can require multiple accounts for users. 对于需要牢记多组凭据的用户,以及跨多个系统管理帐户的 IT 人员,这可能会导致效率低下。This can lead to inefficiency for users who need to remember multiple sets of credentials and for IT in managing accounts across multiple systems. 若用户访问权限分配未随员工、团队和业务目标的更改在标识解决方案中更新,云资源可能易于遭到未经授权的访问,或者用户可能无法访问所需资源。If user access assignments are not updated across identity solutions as staff, teams, and business goals change, your cloud resources may be vulnerable to unauthorized access or users unable to access required resources.
  • 无法与外部合作伙伴共享资源。Inability to share resources with external partners. 难于将外部业务合作伙伴添加到已有标识解决方案,这可能会阻碍资源共享和业务沟通效率。Difficulty adding external business partners to your existing identity solutions can prevent efficient resource sharing and business communication.
  • 本地标识依赖项。On-premises identity dependencies. 传统的身份验证机制或第三方多重身份验证可能不适用于云,因为它们需要迁移工作负载以进行重组,或需要将其他标识服务部署到云。Legacy authentication mechanisms or third-party multi-factor authentication might not be available in the cloud, requiring either migrating workloads to be retooled, or additional identity services to be deployed to the cloud. 以上任意一项要求均有可能延迟或阻碍迁移,并增加成本。Either requirement could delay or prevent migration, and increase costs.

后续步骤Next steps

使用 标识基线规范模板 来记录可能由当前的云采用计划引入的业务风险。Use the Identity Baseline discipline template to document business risks that are likely to be introduced by the current cloud adoption plan.

确立了对实际业务风险的了解后,下一步是记录业务对风险的容忍度,以及用于监视该容忍度的指示器和关键指标。Once an understanding of realistic business risks is established, the next step is to document the business's tolerance for risk and the indicators and key metrics to monitor that tolerance.