CISO cloud readiness guide

Microsoft guidance like the Cloud Adoption Framework is not positioned to determine or guide the unique security constraints of the thousands of enterprises supported by this documentation. When moving to the cloud, the role of the chief information security officer or chief information security office (CISO) isn't supplanted by cloud technologies. Quite the contrary, the CISO and the office of the CISO become more ingrained and integrated. This guide assumes the reader is familiar with CISO processes and is seeking to modernize those processes to enable cloud transformation.

Cloud adoption enables services that weren't often considered in traditional IT environments. Self-service or automated deployments are commonly executed by application development or other IT teams not traditionally aligned to production deployment. In some organizations, business constituents similarly have self-service capabilities. This can trigger new security requirements that weren't needed in the on-premises world. Centralized security becomes more challenging, and security often becomes a shared responsibility across the business and IT culture. This article can help a CISO prepare for that approach and engage in incremental governance.

How can a CISO prepare for the cloud?

Like most policies, security and governance policies within an organization tend to grow organically. When security incidents happen, they shape policy to inform users and reduce the likelihood of repeat occurrences. While natural, this approach creates policy bloat and technical dependencies. Cloud transformation journeys create a unique opportunity to modernize and reset policies. While preparing for any transformation journey, the CISO can create immediate and measurable value by serving as the primary stakeholder in a policy review.

In such a review, the role of the CISO is to create a safe balance between the constraints of existing policy/compliance and the improved security posture of cloud providers. Measuring this progress can take many forms; often it's measured in the number of security policies that can be safely offloaded to the cloud provider.

Transferring security risks: As services are moved into infrastructure as a service (IaaS) hosting models, the business assumes less direct risk regarding hardware provisioning. The risk isn't removed; instead, it's transferred to the cloud vendor. Should a cloud vendor's approach to hardware provisioning provide the same level of risk mitigation, in a secure, repeatable process, the risk of hardware provisioning execution is removed from corporate IT's area of responsibility and transferred to the cloud provider. This reduces the overall security risk that corporate IT is responsible for managing, although the risk itself should still be tracked and reviewed periodically.

As solutions move further "up stack" to incorporate platform as a service (PaaS) or software as a service (SaaS) models, additional risks can be avoided or transferred. When risk is safely moved to a cloud provider, the cost of executing, monitoring, and enforcing security policies or other compliance policies can be safely reduced as well.

Growth mindset: Change can be scary to both the business and technical implementers. When the CISO leads a growth mindset shift in an organization, we've found that those natural fears are replaced with an increased interest in safety and policy compliance. Approaching a policy review, a transformation journey, or simple implementation reviews with a growth mindset allows the team to move quickly, but not at the cost of a fair and manageable risk profile.

Resources for the chief information security officer

Knowledge about the cloud is fundamental to approaching a policy review with a growth mindset. The following resources can help the CISO better understand the security posture of Microsoft's Azure platform.

Security platform resources:

Privacy and controls:

Compliance:

Transparency:

Next steps

The first step to taking action in any governance strategy is a policy review. Policy and compliance could be a useful guide during your policy review.