Prepare corporate IT policy for the cloud

Cloud governance is the product of an ongoing adoption effort over time, as a true lasting transformation doesn't happen overnight. Attempting to deliver complete cloud governance with a fast, aggressive method, before addressing key corporate policy changes, seldom produces the desired results. Instead, we recommend an incremental approach.

What is different about our Cloud Adoption Framework is the purchasing cycle and how it can enable authentic transformation. Since there is not a big capital expenditure acquisition requirement, engineers can begin experimentation and adoption sooner. In most corporate cultures, elimination of the capital expense barrier to adoption can lead to tighter feedback loops, organic growth, and incremental execution.

The shift to cloud adoption requires a shift in governance. In many organizations, corporate policy transformation allows for improved governance and higher rates of adherence through incremental policy changes and automated enforcement of those changes, powered by newly defined capabilities that you configure with your cloud service provider.

This article outlines key activities that can help you shape your corporate policies to enable an expanded governance model.

Define corporate policy to mature cloud governance

In traditional governance and incremental governance, corporate policy creates the working definition of governance. Most IT governance actions seek to implement technology to monitor, enforce, operate, and automate those corporate policies. Cloud governance is built on similar concepts.

Figure 1: Corporate governance and governance disciplines.

The image above demonstrates the interactions between business risk, policy and compliance, and monitor and enforce to create a governance strategy, followed by the Five Disciplines of Cloud Governance to realize your strategy.

Review existing policies

In the image above, the governance strategy (risk, policy and compliance, monitor and enforce) starts with recognizing business risks. Understanding how business risk changes in the cloud is the first step to creating a lasting cloud governance strategy. Working with your business units to gain an accurate gauge of the business's tolerance for risk helps you understand what level of risk needs to be remediated. Your understanding of new risks and acceptable tolerance can fuel a review of existing policies, in order to determine the required level of governance that is appropriate for your organization.

Tip

If your organization is governed by third-party compliance, one of the biggest business risks to consider may be a risk of adherence to regulatory compliance. This risk often cannot be remediated, and instead may require a strict adherence. Be sure to understand your third-party compliance requirements before beginning a policy review.

An incremental approach to cloud governance

An incremental approach to cloud governance assumes that it's unacceptable to exceed the business's tolerance for risk. Instead, it assumes that the role of governance is to accelerate business change, help engineers understand architecture guidelines, and ensure that business risks are regularly communicated and remediated. Alternatively, the traditional role of governance can become a barrier to adoption by engineers or by the business as a whole.

With an incremental approach to cloud governance, there is sometimes a natural friction between teams building new business solutions and teams protecting the business from risks. In this model, those two teams can become peers working in increments or sprints. As peers, the cloud governance team and the cloud adoption teams begin to work together to expose, evaluate, and remediate business risks. This effort can create a natural means of reducing friction and building collaboration between teams.

Minimum viable product (MVP) for policy

The first step in an emerging partnership between your cloud governance and adoption teams is an agreement regarding the policy MVP. Your MVP for cloud governance should acknowledge that business risks are small in the beginning, but will likely grow as your organization adopts more cloud services over time.

For example, the business risk is small for a business deploying five VMs that don't contain any high business impact (HBI) data. Later in the cloud adoption process, when the number reaches 1,000 VMs and the business is starting to move HBI data, the business risk grows.

Policy MVP attempts to define a required foundation for policies needed to deploy the first x VMs or the first x number of applications, where x is a small yet meaningful quantity of the units being adopted. This policy set requires few constraints, but would contain the foundational aspects needed to quickly grow from one incremental cloud adoption effort to the next. Through incremental policy development, this governance strategy would grow over time. Through slow subtle shifts, the policy MVP would grow into feature parity with the outputs of the policy review exercise.

Incremental policy growth

Incremental policy growth is the key mechanism to growing policy and cloud governance over time. It's also the key requirement to adopting an incremental model to governance. For this model to work well, the governance team must be committed to an ongoing allocation of time at each sprint, in order to evaluate and implement changing governance disciplines.

Sprint time requirements: At the beginning of each iteration, each cloud adoption team creates a list of assets to be migrated or adopted in the current increment. The cloud governance team is expected to allow sufficient time to review the list, validate data classifications for assets, evaluate any new risks associated with each asset, update architecture guidelines, and educate the team on the changes. These commitments commonly require 10-30 hours per sprint. It's also expected for this level of involvement to require at least one dedicated employee to manage governance in a large cloud adoption effort.

Release time requirements: At the beginning of each release, the cloud adoption teams and the cloud strategy team should prioritize a list of applications or workloads to be migrated in the current iteration, along with any business change activities. Those data points allow the cloud governance team to understand new business risks early. That allows time to align with the business and gauge the business's tolerance for risk.

Next steps

Effective cloud governance strategy begins with understanding business risk.