
Identity baseline metrics, indicators, and risk tolerance

Learn to quantify the business risk tolerance associated with the Identity Baseline discipline. Defining metrics and indicators helps to create a business case for investing in the maturity of this discipline.

Metrics

Identity management focuses on identifying, authenticating, and authorizing individuals, groups of users, or automated processes, and on providing them appropriate access to resources in your cloud deployments. As part of your risk analysis, you'll want to gather data related to your identity services to determine how much risk you face, and how important investment in your Identity Baseline discipline is for your planned cloud deployments.

The following are examples of useful metrics that you should gather to help evaluate risk tolerance within the Identity Baseline discipline:

  • Identity systems size. Total number of users, groups, or other objects managed through your identity systems.
  • Overall size of directory services infrastructure. Number of directory forests, domains, and tenants used by your organization.
  • Dependency on legacy or on-premises authentication mechanisms. Number of workloads that depend on legacy authentication or on third-party multi-factor authentication mechanisms.
  • Extent of cloud-deployed directory services. Number of directory forests, domains, and tenants you've deployed to the cloud.
  • Cloud-deployed Active Directory servers. Number of Active Directory servers deployed to the cloud.
  • Cloud-deployed organizational units. Number of Active Directory organizational units (OUs) deployed to the cloud.
  • Extent of federation. Number of identity management systems federated with your organization's systems.
  • Elevated users. Number of user accounts with elevated access to resources or management tools.
  • Use of Azure role-based access control. Number of subscriptions, resource groups, or individual resources not managed through Azure role-based access control (Azure RBAC) via groups.
  • Authentication claims. Number of successful and failed user authentication attempts.
  • Authorization claims. Number of successful and failed attempts by users to access resources.
  • Compromised accounts. Number of user accounts that have been compromised.

Risk tolerance indicators

Risks related to the Identity Baseline discipline are largely a function of the complexity of your organization's identity infrastructure. If all your users and groups are managed using a single directory or cloud-native identity provider, with minimal integration with other services, your risk level will likely be small. As your business needs grow, your identity management systems may need to support more complicated scenarios, such as multiple directories to support your internal organization, or federation with external identity providers. As these systems become more complex, risk increases.

In the early stages of cloud adoption, work with your IT security team and business stakeholders to identify business risks related to identity, then determine an acceptable baseline for identity risk tolerance. This section of the Cloud Adoption Framework provides examples, but the detailed risks and baselines for your company or deployments may be different.

Once you have a baseline, establish minimum benchmarks representing an unacceptable increase in your identified risks. These benchmarks act as triggers for when you need to take action to address those risks. The following are a few examples of how identity-related metrics, such as those discussed above, can justify an increased investment in the Identity Baseline discipline.

  • User account number trigger. A company with more than x users, groups, or other objects managed in its identity systems could benefit from investment in the Identity Baseline discipline to ensure efficient governance over a large number of accounts.
  • On-premises identity dependency trigger. A company planning to migrate to the cloud workloads that require legacy authentication capabilities or third-party multi-factor authentication should invest in the Identity Baseline discipline to reduce risks related to refactoring or additional cloud infrastructure deployment.
  • Directory services complexity trigger. A company maintaining more than x individual forests, domains, or directory tenants should invest in the Identity Baseline discipline to reduce risks related to account management and the efficiency issues caused by multiple user credentials spread across multiple systems.
  • Cloud-hosted directory services trigger. A company with x Active Directory server virtual machines (VMs) hosted in the cloud, or with x organizational units (OUs) managed on those cloud-based servers, can benefit from investment in the Identity Baseline discipline to optimize integration with any on-premises or other external identity services.
  • Federation trigger. A company implementing identity federation with x external identity management systems can benefit from investing in the Identity Baseline discipline to ensure consistent organizational policy across federation members.
  • Elevated access trigger. A company where more than x% of users have elevated permissions to management tools and resources should consider investing in the Identity Baseline discipline to minimize the risk of inadvertently overprovisioning access to users.
  • Azure RBAC trigger. A company with less than x% of resources managed using Azure role-based access control methods should consider investing in the Identity Baseline discipline to identify optimized ways to assign user access to resources.
  • Authentication failure trigger. A company where authentication failures represent more than x% of attempts should invest in the Identity Baseline discipline to ensure that authentication methods are not under external attack, and that users can authenticate properly.
  • Authorization failure trigger. A company where access attempts are rejected more than x% of the time should invest in the Identity Baseline discipline to improve the application and updating of access controls, and to identify potentially malicious access attempts.
  • Compromised account trigger. A company with more than 1 compromised account should invest in the Identity Baseline discipline to improve the strength and security of its authentication mechanisms and to improve the mechanisms used to remediate risks related to compromised accounts.

The exact metrics and triggers you use to gauge risk tolerance and the level of investment in the Identity Baseline discipline will be specific to your organization, but the examples above should serve as a useful base for discussion within your cloud governance team.

Next steps

Use the Identity Baseline discipline template to document metrics and tolerance indicators that align to the current cloud adoption plan.

Review sample Identity Baseline policies as a starting point to develop your own policies to address specific business risks aligned with your cloud adoption plans.