Governance guide for complex enterprises: Improve the Resource Consistency discipline

This article advances the narrative by adding resource consistency controls to the governance MVP to support mission-critical applications.

Advancing the narrative

The cloud adoption teams have met all requirements to move protected data. With those applications come SLA commitments to the business and a need for support from IT operations. Right behind the team migrating the two datacenters, multiple application development and BI teams are ready to begin launching new solutions into production. IT operations is new to cloud operations and needs to quickly integrate existing operational processes.

Changes in the current state

  • IT is actively moving production workloads with protected data into Azure. Some low-priority workloads are already serving production traffic. More can be cut over as soon as IT operations signs off on readiness to support the workloads.
  • The application development teams are ready for production traffic.
  • The BI team is ready to integrate predictions and insights into the systems that run operations for the three business units.

Incrementally improve the future state

  • IT operations is new to cloud operations and needs to quickly integrate existing operational processes.
  • The changes to the current and future state expose new risks that will require new policy statements.

Changes in tangible risks

Business interruption: There is an inherent risk of any new platform causing interruptions to mission-critical business processes. The IT operations team and the teams executing the various cloud adoptions are relatively inexperienced with cloud operations. This increases the risk of interruption and must be remediated and governed.

This business risk can be expanded into several technical risks:

  1. Misaligned operational processes might lead to outages that can't be detected or mitigated quickly.
  2. External intrusion or denial of service attacks might cause a business interruption.
  3. Mission-critical assets might not be properly discovered and therefore not properly operated.
  4. Undiscovered or mislabeled assets might not be supported by existing operational management processes.
  5. Configuration of deployed assets might not meet performance expectations.
  6. Logging might not be properly recorded and centralized to allow for remediation of performance issues.
  7. Recovery policies may fail or take longer than expected.
  8. Inconsistent deployment processes might result in security gaps that could lead to data leaks or interruptions.
  9. Configuration drift or missed patches might result in unintended security gaps that could lead to data leaks or interruptions.
  10. Configuration might not enforce the requirements of defined SLAs or committed recovery requirements.
  11. Deployed operating systems or applications might not meet OS and application hardening requirements.
  12. There is a risk of inconsistency due to multiple teams working in the cloud.

Incremental improvement of the policy statements

The following changes to policy will help remediate the new risks and guide implementation. The list looks long, but the adoption of these policies may be easier than it would appear.

  1. All deployed assets must be categorized by criticality and data classification. Classifications are to be reviewed by the cloud governance team and the application owner before deployment to the cloud.
  2. Subnets containing mission-critical applications must be protected by a firewall solution capable of detecting intrusions and responding to attacks.
  3. Governance tooling must audit and enforce the network configuration requirements defined by the security baseline team.
  4. Governance tooling must validate that all assets related to mission-critical applications or protected data are included in monitoring for resource depletion and optimization.
  5. Governance tooling must validate that the appropriate level of logging data is being collected for all mission-critical applications or protected data.
  6. Governance processes must validate that backup, recovery, and SLA adherence are properly implemented for mission-critical applications and protected data.
  7. Governance tooling must limit virtual machine deployment to approved images only.
  8. Governance tooling must enforce that automatic updates are prevented on all deployed assets that support mission-critical applications. Violations must be reviewed with operational management teams and remediated in accordance with operations policies. Assets that are not automatically updated must be included in processes owned by IT operations to quickly and effectively update those servers.
  9. Governance tooling must validate tagging related to cost, criticality, SLA, application, and data classification. All values must align to predefined values managed by the cloud governance team.
  10. Governance processes must include audits at the point of deployment and at regular cycles to ensure consistency across all assets.
  11. Trends and exploits that could affect cloud deployments should be reviewed regularly by the security team to provide updates to the Security Baseline tools used in the cloud.
  12. Before release into production, all mission-critical applications and protected data must be added to the designated operational monitoring solution. Assets that cannot be discovered by the chosen IT operations tooling cannot be released for production use. Any changes required to make the assets discoverable must be made to the relevant deployment processes to ensure assets will be discoverable in future deployments.
  13. When discovered, asset sizing is to be validated by operational management teams to confirm that the asset meets performance requirements.
  14. Deployment tooling must be approved by the cloud governance team to ensure ongoing governance of deployed assets.
  15. Deployment scripts must be maintained in a central repository accessible by the cloud governance team for periodic review and auditing.
  16. Governance review processes must validate that deployed assets are properly configured in alignment with SLA and recovery requirements.

Incremental improvement of best practices

This section of the article improves the governance MVP design to include new Azure policies and an implementation of Azure Cost Management + Billing. Together, these two design changes will fulfill the new corporate policy statements.

Following the experience of this fictional example, it's assumed that the protected data changes have already occurred. Building on that best practice, the following adds operational monitoring requirements, readying a subscription for mission-critical applications.

Corporate IT subscription: Add the following to the corporate IT subscription, which acts as a hub.

  1. As an external dependency, the cloud operations team will need to define operational monitoring tooling, business continuity and disaster recovery (BCDR) tooling, and automated remediation tooling. The cloud governance team can then support the necessary discovery processes.
    1. In this use case, the cloud operations team chose Azure Monitor as the primary tool for monitoring mission-critical applications.
    2. The team also chose Azure Site Recovery as the primary BCDR tooling.
  2. Azure Site Recovery implementation.
    1. Define and deploy an Azure Site Recovery vault for backup and recovery processes.
    2. Create an Azure Resource Manager template for creation of a vault in each subscription.
  3. Azure Monitor implementation.
    1. Once a mission-critical subscription is identified, a Log Analytics workspace can be created.

Individual cloud adoption subscription: The following ensures that each subscription is discoverable by the monitoring solution and ready to be included in BCDR practices.

  1. Azure Policy for mission-critical nodes:
    1. Audit and enforce use of standard roles only.
    2. Audit and enforce application of encryption for all storage accounts.
    3. Audit and enforce use of approved network subnet and virtual network per network interface.
    4. Audit and enforce the limitation of user-defined routing tables.
    5. Audit and enforce the deployment of Log Analytics agents for Windows and Linux virtual machines.
  2. Azure Blueprints:
    1. Create a blueprint named mission-critical-workloads-and-protected-data. This blueprint applies assets in addition to the protected data blueprint.
    2. Add the new Azure policies to the blueprint.
    3. Apply the blueprint to any subscription that is expected to host a mission-critical application.
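As an added example (not from the original page and not Microsoft's own policy library), the following Azure Policy definition shows what "audit and enforce" looks like for policy statement 9 above, the tagging requirement, in the same style as the mission-critical-node policies just listed: any taggable resource whose criticality or data-classification tag is missing, or holds a value outside the governance team's predefined list, is flagged or rejected. The tag names, the allowed values and the display name are assumptions; the list of values is something the cloud governance team would maintain.

```json
{
  "properties": {
    "displayName": "Require approved criticality and data-classification tags",
    "mode": "Indexed",
    "parameters": {
      "allowedCriticality": {
        "type": "Array",
        "metadata": { "description": "Assumed list; maintained by the cloud governance team" },
        "defaultValue": [ "mission-critical", "business-critical", "non-critical" ]
      },
      "allowedDataClassification": {
        "type": "Array",
        "metadata": { "description": "Assumed list; maintained by the cloud governance team" },
        "defaultValue": [ "public", "internal", "confidential", "protected" ]
      },
      "effect": {
        "type": "String",
        "metadata": { "description": "Audit reports violations; Deny blocks the deployment" },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          { "field": "tags['criticality']", "exists": "false" },
          { "field": "tags['criticality']", "notIn": "[parameters('allowedCriticality')]" },
          { "field": "tags['data-classification']", "exists": "false" },
          { "field": "tags['data-classification']", "notIn": "[parameters('allowedDataClassification')]" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning it with the default Audit effect first surfaces existing violations in the compliance report without blocking anything; switching the parameter to Deny once deployment processes have been updated gives the point-of-deployment enforcement that policy statement 10 calls for.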

Conclusion

Adding these processes and changes to the governance MVP helps remediate many of the risks associated with resource governance. Together, they add the recovery, sizing, and monitoring controls necessary to empower cloud-aware operations.

Next steps

As cloud adoption grows and delivers additional business value, the risks and cloud governance needs will also change. For the fictional company in this guide, the next trigger is when the scale of deployment exceeds 1,000 assets in the cloud or monthly spending exceeds $10,000 USD. At this point, the cloud governance team adds cost management controls.