Motivations and business risks in the Identity Baseline discipline

This article discusses the reasons that customers typically adopt an Identity Baseline discipline within a cloud governance strategy. It also provides a few examples of business risks that drive policy statements.

Relevance

Traditional on-premises directories are designed to allow businesses to strictly control permissions and policies for users, groups, and roles within their internal networks and datacenters. These directories typically support single-tenant implementations, with services applicable only within the on-premises environment.

Cloud identity services extend an organization's authentication and access control capabilities to the internet. They support multitenancy and can be used to manage users and access policy across cloud applications and deployments. Public cloud platforms have cloud-native identity services that support management and deployment tasks and are capable of varying levels of integration with your existing on-premises identity solutions. All of these features can make cloud identity policy more complicated than your traditional on-premises solutions require.

The importance of the Identity Baseline discipline to your cloud deployment will depend on the size of your team and on the need to integrate your cloud-based identity solution with an existing on-premises identity service. Initial test deployments may not require much in the way of user organization or management, but as your cloud estate matures, you will likely need to support more complicated organizational integration and centralized management.

Business risk

The Identity Baseline discipline attempts to address core business risks related to identity services and access control. Work with your business to identify these risks and monitor each of them for relevance as you plan for and implement your cloud deployments.

Risks will differ between organizations, but the following are common identity-related risks that you can use as a starting point for discussions within your cloud governance team:

  • Unauthorized access. Sensitive data and resources that can be accessed by unauthorized users can lead to data leaks or service disruptions, violating your organization's security perimeter and risking business or legal liabilities.
  • Inefficiency due to multiple identity solutions. Organizations with multiple identity service tenants can require multiple accounts for each user. This leads to inefficiency for users, who must remember multiple sets of credentials, and for IT, which must manage accounts across multiple systems. If user access assignments are not updated across identity solutions as staff, teams, and business goals change, your cloud resources may be vulnerable to unauthorized access, or users may be unable to access the resources they require.
  • Inability to share resources with external partners. Difficulty adding external business partners to your existing identity solutions can prevent efficient resource sharing and business communication.
  • On-premises identity dependencies. Legacy authentication mechanisms or third-party multi-factor authentication might not be available in the cloud, requiring either that migrating workloads be retooled or that additional identity services be deployed to the cloud. Either requirement could delay or prevent migration and increase costs.

Next steps

Use the Identity Baseline discipline template to document business risks that are likely to be introduced by the current cloud adoption plan.

Once an understanding of realistic business risks is established, the next step is to document the business's tolerance for risk and the indicators and key metrics used to monitor that tolerance.