Standard enterprise governance guide: Improve the Resource Consistency discipline

This article advances the narrative by adding resource consistency controls to support mission-critical applications.

Advancing the narrative

New customer experiences, new prediction tools, and migrated infrastructure continue to progress. The business is now ready to begin using those assets in a production capacity.

Changes in the current state

In the previous phase of this narrative, the application development and BI teams were nearly ready to integrate customer and financial data into production workloads. The IT team was in the process of retiring the DR datacenter.

Since then, some things have changed that will affect governance:

  • IT has retired 100% of the DR datacenter, ahead of schedule. In the process, a set of assets in the production datacenter were identified as cloud migration candidates.
  • The application development teams are now ready for production traffic.
  • The BI team is ready to feed predictions and insights back into operational systems in the production datacenter.

Incrementally improve the future state

Before Azure deployments are used in production business processes, cloud operations must mature. In conjunction, additional governance changes are required to ensure that assets can be operated properly.

The changes to the current and future state expose new risks that will require new policy statements.

Changes in tangible risks

Business interruption: There is an inherent risk of any new platform causing interruptions to mission-critical business processes. The IT operations team and the teams executing on the various cloud adoption efforts are relatively inexperienced with cloud operations. This increases the risk of interruption and must be remediated and governed.

This business risk can be expanded into several technical risks:

  1. External intrusion or denial-of-service attacks might cause a business interruption.
  2. Mission-critical assets might not be properly discovered, and therefore might not be properly operated.
  3. Undiscovered or mislabeled assets might not be supported by existing operational management processes.
  4. The configuration of deployed assets might not meet performance expectations.
  5. Logging might not be properly recorded and centralized, preventing remediation of performance issues.
  6. Recovery policies might fail or take longer than expected.
  7. Inconsistent deployment processes might result in security gaps that could lead to data leaks or interruptions.
  8. Configuration drift or missed patches might result in unintended security gaps that could lead to data leaks or interruptions.
  9. Configuration might not enforce the requirements of defined SLAs or committed recovery requirements.
  10. Deployed operating systems or applications might fail to meet hardening requirements.
  11. With so many teams working in the cloud, there is a risk of inconsistent configurations and processes across assets.

Incremental improvement of the policy statements

The following changes to policy will help remediate the new risks and guide implementation. The list looks long, but adopting these policies may be easier than it appears.

  1. All deployed assets must be categorized by criticality and data classification. Classifications are to be reviewed by the cloud governance team and the application owner before deployment to the cloud.
  2. Subnets containing mission-critical applications must be protected by a firewall solution capable of detecting intrusions and responding to attacks.
  3. Governance tooling must audit and enforce network configuration requirements defined by the security management team.
  4. Governance tooling must validate that all assets related to mission-critical applications or protected data are included in monitoring for resource depletion and optimization.
  5. Governance tooling must validate that the appropriate level of logging data is being collected for all mission-critical applications or protected data.
  6. Governance processes must validate that backup, recovery, and SLA adherence are properly implemented for mission-critical applications and protected data.
  7. Governance tooling must limit virtual machine deployments to approved images only.
  8. Governance tooling must enforce that automatic updates are prevented on all deployed assets that support mission-critical applications. Violations must be reviewed with operational management teams and remediated in accordance with operations policies. Assets that are not automatically updated must be included in patching processes owned by IT operations.
  9. Governance tooling must validate tagging related to cost, criticality, SLA, application, and data classification. All values must align to predefined values managed by the governance team.
  10. Governance processes must include audits at the point of deployment and at regular cycles to ensure consistency across all assets.
  11. Trends and exploits that could affect cloud deployments should be reviewed regularly by the security team to provide updates to the security management tooling used in the cloud.
  12. Before release into production, all mission-critical applications and protected data must be added to the designated operational monitoring solution. Assets that cannot be discovered by the chosen IT operations tooling cannot be released for production use. Any changes required to make the assets discoverable must be made to the relevant deployment processes to ensure that assets will be discoverable in future deployments.
  13. When discovered, operational management teams will size assets to ensure that they meet performance requirements.
  14. Deployment tooling must be approved by the cloud governance team to ensure ongoing governance of deployed assets.
  15. Deployment scripts must be maintained in a central repository accessible by the cloud governance team for periodic review and auditing.
  16. Governance review processes must validate that deployed assets are properly configured in alignment with SLA and recovery requirements.

Incremental improvement of governance practices

This section of the article changes the governance MVP design to include new Azure policies and an implementation of Azure Monitor, Azure Recovery Services vaults, and a firewall configuration, packaged together in an Azure blueprint. Together, these design changes fulfill the new corporate policy statements.

  1. The cloud operations team will define operational monitoring tooling and automated remediation tooling. The cloud governance team will support those discovery processes. In this use case, the cloud operations team chose Azure Monitor as the primary tool for monitoring mission-critical applications.
  2. Create a repository in Azure DevOps to store and version all relevant Resource Manager templates and scripted configurations.
  3. Azure Recovery Services vault implementation:
    1. Define and deploy an Azure Recovery Services vault for backup and recovery processes.
    2. Create a Resource Manager template for the creation of a vault in each subscription.
  4. Update Azure Policy for all subscriptions:
    1. Audit and enforce criticality and data classification tagging across all subscriptions to identify any subscriptions with mission-critical assets.
    2. Audit and enforce the use of approved images only.
  5. Azure Monitor implementation:
    1. Once a mission-critical workload is identified, create an Azure Monitor Log Analytics workspace.
    2. During deployment testing, the cloud operations team deploys the necessary agents and tests discovery.
  6. Update Azure Policy for all subscriptions that contain mission-critical applications:
    1. Audit and enforce the application of an NSG to all NICs and subnets. Networking and IT security define the NSG.
    2. Audit and enforce the use of approved network subnets and virtual networks for each network interface.
    3. Audit and enforce restrictions on user-defined route tables.
    4. Audit and enforce deployment of Azure Monitor agents for all virtual machines.
    5. Audit and enforce that Azure Recovery Services vaults exist in the subscription.
  7. Firewall configuration:
    1. Identify a configuration of Azure Firewall that meets security requirements. Alternatively, identify a third-party appliance that is compatible with Azure.
    2. Create a Resource Manager template to deploy the firewall with the required configuration.
  8. Azure blueprint:
    1. Create a new Azure blueprint named protected-data.
    2. Add the firewall and Azure Recovery Services vault templates to the blueprint.
    3. Add the new policies for protected data subscriptions.
    4. Publish the blueprint to any management group that will host mission-critical applications.
    5. Apply the new blueprint to each affected subscription, alongside the existing blueprints.
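The following Resource Manager template is an added example and is not part of the original guide or of any Microsoft-published sample. It shows what the "audit and enforce" steps above (4.1 for classification tagging, 6.1 for NSGs on subnets) look like as custom Azure Policy definitions that the blueprint can carry. The definition names, the tag names `criticality` and `dataClassification`, and the allowed tag values are assumptions for illustration; the governance team would substitute its own predefined values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "require-classification-tags",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Require criticality and dataClassification tags with approved values",
        "parameters": {
          "allowedCriticality": {
            "type": "Array",
            "defaultValue": ["mission-critical", "business-critical", "non-critical"]
          },
          "allowedDataClassification": {
            "type": "Array",
            "defaultValue": ["public", "internal", "protected"]
          }
        },
        "policyRule": {
          "if": {
            "anyOf": [
              { "field": "tags['criticality']", "exists": "false" },
              { "field": "tags['criticality']", "notIn": "[[parameters('allowedCriticality')]" },
              { "field": "tags['dataClassification']", "exists": "false" },
              { "field": "tags['dataClassification']", "notIn": "[[parameters('allowedDataClassification')]" }
            ]
          },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "audit-subnet-without-nsg",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "displayName": "Audit subnets that have no network security group attached",
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" },
              { "field": "name", "notIn": ["GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet"] },
              { "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", "exists": "false" }
            ]
          },
          "then": { "effect": "audit" }
        }
      }
    }
  ]
}
```

Two details matter when policy definitions are deployed through a Resource Manager template rather than created directly. First, the `[[parameters(...)]` escaping is deliberate: a single `[` would be evaluated as a template expression at deployment time and fail, because those parameters belong to the policy, not the template. Second, the tag policy uses `mode: Indexed` so it is only evaluated against resource types that support tags and location, while the subnet policy uses `mode: All` because subnets are child resources. The NSG check excludes the platform-managed subnets that cannot carry an NSG; without that exclusion every hub network would report non-compliance. Start with `audit`, review the compliance results with the networking team, and switch to `deny` only once existing deployments are clean, since `deny` blocks the deployment rather than flagging it.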


These additional processes and changes to the governance MVP help remediate many of the risks associated with resource governance. Together they add recovery, sizing, and monitoring controls that enable cloud-aware operations.

Next steps

As cloud adoption continues and delivers additional business value, risks and cloud governance needs will also change. For the fictional company in this guide, the next trigger is when the scale of deployment exceeds 100 assets in the cloud or monthly spending exceeds $1,000. At this point, the cloud governance team adds cost management controls.