Deployment Acceleration sample policy statements

Individual cloud policy statements are guidelines for addressing specific risks identified during your risk assessment process. These statements should provide a concise summary of risks and plans to deal with them. Each statement definition should include these pieces of information:

  • Technical risk: A summary of the risk this policy will address.
  • Policy statement: A clear summary explanation of the policy requirements.
  • Design options: Actionable recommendations, specifications, or other guidance that IT teams and developers can use when implementing the policy.

The following sample policy statements address common configuration-related business risks. These statements are examples you can reference when drafting policy statements to address your organization's needs. These examples are not meant to be prescriptive, and there are potentially several policy options for dealing with each identified risk. Work closely with business and IT teams to identify the best policies for your unique set of risks.

Reliance on manual deployment or configuration of systems

Technical risk: Relying on human intervention during deployment or configuration increases the likelihood of human error and reduces the repeatability and predictability of system deployments and configuration. It also typically leads to slower deployment of system resources.

Policy statement: All assets deployed to the cloud should be deployed using templates or automation scripts whenever possible.

Potential design options: Azure Resource Manager templates enable using infrastructure as code to deploy your resources to Azure. You could also use Terraform as a consistent on-premises and cloud-based deployment tool.

Lack of visibility into system issues

Technical risk: Insufficient monitoring and diagnostics for business systems prevent operations personnel from identifying and remediating issues before a system outage occurs, and can significantly increase the time needed to properly resolve an outage.

Policy statement: The following policies will be implemented:

  • Key metrics and diagnostic measures will be identified for all production systems and components, and monitoring and diagnostic tools will be applied to these systems and monitored regularly by operations personnel.
  • Operations will consider using monitoring and diagnostic tools in nonproduction environments such as staging and QA to identify system issues before they occur in the production environment.

Potential design options: Azure Monitor, including Log Analytics and Application Insights, provides tools for collecting and analyzing telemetry to help you understand how your applications are performing and proactively identify issues affecting them and the resources they depend on. Additionally, the Azure activity log reports all changes that are being made at the platform level and should be monitored and audited for noncompliant changes.
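The two policies above (deploy only through templates or automation, and audit the activity log for noncompliant changes) can be checked together by scanning activity log records for successful state changes made by anyone other than an approved automation identity. The following is an added example, not code from this article or from Microsoft; it assumes a flattened subset of the activity log record fields (operationName, caller, resourceId, eventTimestamp, status) and a constructed, offline sample export, and the approved-identity list is hypothetical.

```python
import json

# Constructed sample of an activity log export (assumption: a flattened subset of
# the real record schema; real exports nest some of these fields under objects).
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "deploy-pipeline@contoso.example",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "eventTimestamp": "2024-03-05T10:12:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "caller": "alice@contoso.example",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-inbound-mgmt",
     "eventTimestamp": "2024-03-05T11:03:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "alice@contoso.example",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "eventTimestamp": "2024-03-05T11:05:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.Storage/storageAccounts/delete",
     "caller": "bob@contoso.example",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapplogs",
     "eventTimestamp": "2024-03-05T12:40:00Z", "status": "Failed"},
])

# Hypothetical list of identities the governance team allows to change platform state.
APPROVED_AUTOMATION = {"deploy-pipeline@contoso.example"}

def is_change_operation(operation_name):
    """Write, delete and action operations change platform state; reads do not."""
    return operation_name.rsplit("/", 1)[-1] in {"write", "delete", "action"}

def find_noncompliant_changes(raw_log, approved_automation):
    """Return successful state changes made by a caller outside the approved automation set."""
    findings = []
    for event in json.loads(raw_log):
        if not is_change_operation(event["operationName"]):
            continue
        if event.get("status") != "Succeeded":  # failed attempts are a separate review item
            continue
        if event["caller"] in approved_automation:
            continue
        findings.append({
            "when": event["eventTimestamp"], "caller": event["caller"],
            "operation": event["operationName"],
            "resource": event["resourceId"].rsplit("/", 1)[-1],
        })
    return findings

if __name__ == "__main__":
    for f in find_noncompliant_changes(SAMPLE_ACTIVITY_LOG, APPROVED_AUTOMATION):
        print(f"{f['when']} {f['caller']} {f['operation']} on {f['resource']}")
```

The same check can be scheduled against a real activity log export and its findings fed into the monthly configuration security review described below.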

Configuration security reviews

Technical risk: Over time, new security threats or concerns can increase the risks of unauthorized access to secure resources.

Policy statement: Cloud governance processes must include a monthly review with configuration management teams to identify malicious actors or usage patterns that should be prevented by cloud asset configuration.

Potential design options: Establish a monthly security review meeting that includes both governance team members and the IT staff responsible for configuring cloud applications and resources. Review existing security data and metrics to identify gaps in current Deployment Acceleration policy and tooling, and update the policy to remediate any new risks.

Next steps

Use the samples mentioned in this article as a starting point to develop policies that address specific business risks and align with your cloud adoption plans.

To begin developing your own custom Identity Baseline policy statements, download the Identity Baseline discipline template.

To accelerate adoption of this discipline, choose the actionable governance guide that most closely aligns with your environment. Then modify the design to incorporate your specific corporate policy decisions.

Building on risks and tolerance, establish a process for governing and communicating Deployment Acceleration policy adherence.