Yunqi Conference Hangzhou: a comprehensive look at how enterprises achieve IT governance on the cloud

Status and trends of enterprise cloud adoption

Cloud computing has become infrastructure for the national economy, as ordinary as water and electricity. It gives enterprises unprecedented efficiency in resource delivery and in operations and maintenance, and as a new technology it helps companies find new tracks for business value and explore new business models. More and more companies are trying the cloud, whether actively or passively, and those that have tasted its benefits keep accelerating: they migrate innovation and non-core workloads first, and then their core business.

Enterprise cloud adoption can be divided into two stages: the early adoption stage and the cloud-at-scale stage.

  • In the early adoption stage, a company takes its first steps on the cloud. It usually starts with development and test environments, or picks an innovation or non-core business to try building cloud-native applications, trying cloud products, and comparing different cloud services and infrastructure.
  • In the cloud-at-scale stage, the enterprise transforms its infrastructure and, where information security and cost control allow, migrates more business to the cloud. It has to account for the convenience, efficiency and speed of business development on the cloud, while at the same time providing security management and control and cost optimization for the business on the cloud.

In the cloud-at-scale stage, as the volume and importance of the business on the cloud grow, the enterprise IT management that used to stay in the background, especially in companies with many years of internal IT management experience, is inevitably pushed to the front of cloud management. Together with the business units it takes over the purchase and use of cloud resources, the relationship with cloud service providers, and the IT operations and support of business applications on the cloud. At the same time, the corporate finance and security compliance departments raise their own management requirements on the enterprise's cloud business, from the angles of financial control and security compliance respectively. While pursuing efficiency and speed, enterprises therefore have to consider unified management and control, security, cost control, automation and performance from the perspective of business management.

The common scenario is that a company enjoys the benefits of the cloud in the early adoption stage and then decides to move to the cloud at scale. IT, finance, security and other departments become progressively involved, to make sure business users can use cloud resources and services simply and efficiently while staying within the company's requirements for IT behaviour, cost control and security regulations on the cloud. At the same time, the existing enterprise IT management and control processes, operations staff and testing standards have to be effectively integrated with the business on the cloud, so that the company does not end up running two separate management models.

Management issues in enterprise cloud adoption

As a company's business moves to the cloud step by step, the number of teams involved grows and the amount of resources used on the cloud increases significantly, bringing increased management complexity with it. The headaches most enterprise IT departments run into include:

  • Security risks on the cloud
    Many companies start on the cloud in pursuit of speed and lack even the most basic security policies. For example, all employees share the primary account's username and password, all employees have administrator privileges, and there is no unified user identity management. When an employee leaves and takes the password with them, or a username and password leaks, the blow to the enterprise's IT infrastructure is fatal.
  • Resource management chaos
    In the early adoption stage a small team makes the first attempt, and demand for resource management and control is weak. When resources on the cloud grow rapidly, a large number of resources are mixed together and cannot be told apart, and the IT department cannot provide enough information on which cloud resources are consumed by which organizational unit or project and what they cost. Departments that use cloud resources cannot manage only their "own" resources. Such problems put the IT department under pressure, and companies begin to wonder whether the cloud is unsuitable for their business at all.
  • Cost waste on the cloud
    The main costs of running a business on the cloud are resource costs and the cost of operations and maintenance staff. Idle resources and inefficient operations waste both.

IT governance framework on the cloud

The complexity of managing a business on the cloud differs by company type and size. It usually depends on the number of development and operations staff, the complexity of the organizational structure, the scale of cloud resources, the number of IT suppliers, and so on. To solve the IT management problems on the cloud, Alibaba Cloud provides access control, resource management, financial management and compliance management capabilities. These capabilities can be used alone or in combination.


Description of Alibaba Cloud IT governance capabilities

Resource management

Resource management is the core of IT management on the cloud. Enterprises usually divide their applications (and the corresponding IT resources) in a way that mirrors the organizational structure: different departments correspond to different applications, and some enterprises divide them by product line or product.
Like the company's organizational structure, the structure of resources is usually a tree. Alibaba Cloud Resource Management helps a company map its organizational relationships and applications onto this structure. Through Resource Directory, the enterprise can define:

  • Resource folders: a folder corresponds to a specific organizational unit; different folders can serve as billing and control units.
  • Resource accounts (cloud accounts): used to represent an application, a service (a group of applications), or the production and test environments of an application.

The figure below shows Alibaba Cloud's resource partitioning structure.

[Figure: Alibaba Cloud resource partitioning structure]

Alibaba Cloud Resource Management also provides resource groups for managing resources within an account. The account owner can further subdivide the cloud resources in the account, to meet the need for separation of privileges and to make collaboration among many people more efficient. Resource groups are usually applied by application module, for example the web front end, back-end services, or the network.


In a simpler control model, a cloud account can be used directly for a department, and resource groups used to divide the applications.

Access control

Parallel to resource management is identity management. An enterprise's organizational structure usually represents the division of the company by function, business or geography, and is a tree. Enterprises usually manage identities centrally with an existing identity management system, covering employee onboarding, departure, passwords, reporting lines, and so on. To use the cloud, a person needs a corresponding identity on the cloud and the appropriate permissions to access the cloud environment.

Alibaba Cloud's identity and permission management product is called Resource Access Management (RAM). RAM supports two ways to manage identities: an enterprise without a local personnel management system can use RAM users and user groups directly to manage people's identities; an enterprise that has a local personnel management system can use RAM's SSO (single sign-on) feature to link local identities with Alibaba Cloud identities.

While serving large enterprises we have found that many companies already use an identity authentication system such as Microsoft Active Directory, Azure Active Directory or Okta, and want to keep managing people in that system. Alibaba Cloud SSO supports two modes:

  • Role-based SSO: the IT administrator creates management roles on Alibaba Cloud in advance, such as "administrator", "operations" and "monitoring", and assigns the corresponding permissions to each role. In the enterprise identity system, different users are mapped to different roles. No user synchronization to Alibaba Cloud is needed.
  • User-based SSO: the IT administrator synchronizes local login information to Alibaba Cloud, then creates user groups and manages permissions on Alibaba Cloud.

The following example shows logging in to Alibaba Cloud with role-based SSO:

[Figure: logging in to Alibaba Cloud with role-based SSO]

Once resources and people are in place, the IT administrator can plan each person's permissions. The permission policies in RAM provide commonly used system policies and also support custom policies. A permission policy defines which operations a user may perform and under which conditions.
RAM supports authorization at three levels: account level, resource group level and resource level.
Points to note when controlling permissions:

  • Control the root account. The root account has every permission and therefore carries a bigger security risk. Normally you do not need to use the root account.
  • Authorization policies should follow the principle of least privilege.
  • Authorize at a higher level to reduce management complexity. Use account-level or resource-group-level authorization wherever possible.
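The three points above are easier to reason about against a concrete policy. The following Python block is an added example written for this article, not Alibaba Cloud's own RAM engine or any policy shipped with it. It models the documented policy shape (Version "1", Statement, Effect, Action, Resource) and the usual evaluation order, in which an explicit Deny beats any Allow and anything no statement allows is denied. It shows account-level and resource-level statements only; resource-group-level authorization is not modeled. The account ID, instance IDs and policy contents are made up.

```python
"""Evaluate RAM-style permission policies the way a least-privilege review would.

Added example for this article; not Alibaba Cloud's RAM implementation.
Account ID, instance IDs and the policies themselves are constructed.
"""
from fnmatch import fnmatchcase

# Constructed: what an "early adoption" team tends to hand to everyone.
ADMIN_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: a least-privilege policy for an operations engineer.
OPS_POLICY = {
    "Version": "1",
    "Statement": [
        {   # account level: read-only view of ECS across the whole account
            "Effect": "Allow",
            "Action": ["ecs:Describe*"],
            "Resource": "*",
        },
        {   # resource level: may stop and start only one application's instances
            "Effect": "Allow",
            "Action": ["ecs:StartInstance", "ecs:StopInstance"],
            "Resource": ["acs:ecs:cn-hangzhou:123456789012:instance/i-app1-*"],
        },
        {   # explicit deny: identity changes stay with the IT administrator,
            # even if another attached policy happens to allow them
            "Effect": "Deny",
            "Action": ["ram:*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match: '*' in a pattern matches any run of characters."""
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def evaluate(policies, action, resource):
    """Decide one request (action on resource) against all attached policies.

    Returns "Allow" or "Deny". The default is Deny; a matching Deny
    statement overrides every Allow, whichever policy it comes from.
    """
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Indices of Allow statements granting every action on every resource:
    the "everyone is an administrator" pattern described earlier."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt["Effect"] == "Allow"
        and "*" in _as_list(stmt["Action"])
        and "*" in _as_list(stmt["Resource"])
    ]


if __name__ == "__main__":
    inst = "acs:ecs:cn-hangzhou:123456789012:instance/i-app1-001"
    print(evaluate([OPS_POLICY], "ecs:StopInstance", inst))
    print(evaluate([OPS_POLICY], "ecs:DeleteInstance", inst))
    print(evaluate([OPS_POLICY, ADMIN_POLICY], "ram:CreateUser", "*"))
    print(overly_broad_statements(ADMIN_POLICY))
```

Run `overly_broad_statements` over every policy attached to a user before granting it; a hit means the user is effectively root, whatever the policy is named. The Deny statement is the part worth copying: it keeps its effect even when a broader policy is attached later by mistake.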

Audit and compliance

Even with an authorization mechanism that leaves users no permission to do things that break company rules, a user can still make wrong operations within the scope of their permissions, for many reasons. Audit is therefore the IT department's last line of defence: it records everything that happens, and when something unexpected occurs the IT department can pull up the history and trace the cause of the incident. On the other hand, to prevent incidents, enterprises draw up internal IT rules based on industry standards and their own past best practice, for example password policy rules and public network access rules. These rules need to be monitored in a systematic way so that the enterprise is "compliant" at all times. Alibaba Cloud provides rich capabilities for audit and compliance.

Operation audit (ActionTrail)

ActionTrail records operations on the resources of your cloud account, lets you query the operation records, and can deliver audit events to a Log Service Logstore or an OSS bucket that you specify. With the operation records kept by ActionTrail you can perform security analysis, track resource changes and carry out compliance audits.
ActionTrail collects the API call records of cloud services (including API calls triggered through the console), normalizes them, and saves the operation records as logs in the specified Log Service Logstore or as files in the specified OSS bucket. Users can manage this audit data with the rich management features of those storage products, such as authorization, lifecycle management, archiving, search, analysis and alerting.
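What "security analysis" over exported operation records looks like in practice is shown by the following Python block, an added example written for this article rather than ActionTrail code. The events in it are constructed and simplified: the field names (eventTime, serviceName, eventName, sourceIpAddress, userIdentity.type and userName) follow the general shape of ActionTrail events, but treat that schema as an assumption and adapt the accessors to the records you actually export. The three checks correspond to the problems listed earlier in the article: use of the primary (root) account, one credential shared by several people, and changes to identity or audit configuration.

```python
"""Security analysis over exported operation-audit events.

Added example for this article, not ActionTrail code. SAMPLE_EVENTS is
constructed; the field names are an assumption modeled on the general
shape of ActionTrail records. IP addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"eventTime": "2019-09-20T09:00:00Z", "serviceName": "Ecs", "eventName": "DeleteInstance",
     "sourceIpAddress": "203.0.113.10", "userIdentity": {"type": "root-account", "userName": "root"}},
    {"eventTime": "2019-09-20T09:05:00Z", "serviceName": "Ecs", "eventName": "DescribeInstances",
     "sourceIpAddress": "198.51.100.5", "userIdentity": {"type": "ram-user", "userName": "ops-shared"}},
    {"eventTime": "2019-09-20T09:07:00Z", "serviceName": "Rds", "eventName": "DescribeDBInstances",
     "sourceIpAddress": "198.51.100.6", "userIdentity": {"type": "ram-user", "userName": "ops-shared"}},
    {"eventTime": "2019-09-20T09:09:00Z", "serviceName": "Ecs", "eventName": "StartInstance",
     "sourceIpAddress": "192.0.2.7", "userIdentity": {"type": "ram-user", "userName": "ops-shared"}},
    {"eventTime": "2019-09-20T09:10:00Z", "serviceName": "Ram", "eventName": "GetUser",
     "sourceIpAddress": "198.51.100.20", "userIdentity": {"type": "ram-user", "userName": "alice"}},
    {"eventTime": "2019-09-20T09:12:00Z", "serviceName": "Ram", "eventName": "AttachPolicyToUser",
     "sourceIpAddress": "198.51.100.20", "userIdentity": {"type": "ram-user", "userName": "alice"}},
    {"eventTime": "2019-09-20T09:15:00Z", "serviceName": "Actiontrail", "eventName": "DeleteTrail",
     "sourceIpAddress": "198.51.100.20", "userIdentity": {"type": "ram-user", "userName": "alice"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def root_account_activity(events):
    """(service, operation) for every call made with the primary account.
    Once everyone has a RAM user or role, this list should be empty."""
    return [(e["serviceName"], e["eventName"]) for e in sorted(events, key=_ts)
            if e["userIdentity"]["type"] == "root-account"]


def shared_credential_suspects(events, window=timedelta(minutes=10), max_ips=2):
    """Identities seen from more than max_ips distinct source IPs within one
    window: the usual sign of a login or AccessKey shared by a whole team."""
    seen = defaultdict(list)
    for e in events:
        ident = e["userIdentity"]
        seen[(ident["type"], ident["userName"])].append((_ts(e), e["sourceIpAddress"]))
    suspects = set()
    for (_, name), hits in seen.items():
        hits.sort()
        for t, _ in hits:
            ips = {ip for t2, ip in hits if t - window <= t2 <= t}
            if len(ips) > max_ips:
                suspects.add(name)
                break
    return sorted(suspects)


def sensitive_changes(events, services=("Ram", "Actiontrail")):
    """Write operations against identity or audit configuration, in time order.
    Read-only calls (Describe*/Get*/List*) are skipped."""
    return [
        (e["userIdentity"]["userName"], e["serviceName"], e["eventName"])
        for e in sorted(events, key=_ts)
        if e["serviceName"] in services
        and not e["eventName"].startswith(("Describe", "Get", "List"))
    ]


if __name__ == "__main__":
    print(root_account_activity(SAMPLE_EVENTS))
    print(shared_credential_suspects(SAMPLE_EVENTS))
    print(sensitive_changes(SAMPLE_EVENTS))
```

The same three queries can be expressed in the Logstore's query language once the trail is delivered to Log Service; the point of the Python version is to make the detection logic explicit, in particular that a credential seen from three networks in ten minutes is a finding even when every individual call was authorized.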

Configuration audit (Cloud Config)

Cloud Config is the heavyweight product released for public beta at this Yunqi Conference. It gives you an inventory of your resources on Alibaba Cloud, the current configuration snapshot and historical configuration snapshots, helping you understand the history of configuration changes in detail. It also lets you configure compliance rules to monitor the compliance of resource deployment and resource configuration. When a resource's configuration changes, Cloud Config saves the change snapshot as a file in the OSS bucket you specify. When a "non-compliant" state appears, Cloud Config sends you an alert according to your subscription settings. This makes it easy to keep infrastructure under autonomous supervision and continuously compliant even with a large number of resources.
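The mechanics described above (a configuration snapshot, a diff against the previous snapshot, and rules evaluated on whatever changed) are easy to see in miniature. The following Python block is an added example written for this article, not Cloud Config's code or its rule language. The two snapshots, the "ACS::..." type names, the resource IDs and the configuration fields are all constructed for the example. The two rules encode internal policies of the kind the article mentions: no administrative port open to the whole internet (a public network access rule), and every resource tagged with the department that pays for it, which is what later makes chargeback possible.

```python
"""Configuration snapshots, change tracking and compliance rules.

Added example for this article, not Cloud Config's implementation. Snapshots,
type names, resource IDs and configuration fields are constructed.
"""

ADMIN_PORTS = {22, 3389}

PREVIOUS_SNAPSHOT = {
    "sg-web": {"type": "ACS::ECS::SecurityGroup", "tags": {"department": "retail"},
               "config": {"ingress": [{"port": 443, "source": "0.0.0.0/0"}]}},
    "i-web-1": {"type": "ACS::ECS::Instance", "tags": {"department": "retail"},
                "config": {"status": "Running"}},
}

# Constructed "current" snapshot: SSH was opened to the internet on sg-web,
# and an instance was created without a department tag.
CURRENT_SNAPSHOT = {
    "sg-web": {"type": "ACS::ECS::SecurityGroup", "tags": {"department": "retail"},
               "config": {"ingress": [{"port": 443, "source": "0.0.0.0/0"},
                                      {"port": 22, "source": "0.0.0.0/0"}]}},
    "i-web-1": {"type": "ACS::ECS::Instance", "tags": {"department": "retail"},
                "config": {"status": "Running"}},
    "i-web-2": {"type": "ACS::ECS::Instance", "tags": {},
                "config": {"status": "Running"}},
}


def diff_snapshots(previous, current):
    """IDs of resources added, removed and changed between two snapshots."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(rid for rid in set(previous) & set(current)
                     if previous[rid] != current[rid])
    return added, removed, changed


def rule_no_public_admin_ports(res):
    """Non-compliant if a security group admits 0.0.0.0/0 on an admin port.
    Returns a reason string, or None when compliant or not applicable."""
    if res["type"] != "ACS::ECS::SecurityGroup":
        return None
    for rule in res["config"].get("ingress", []):
        if rule["source"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
            return f"port {rule['port']} open to 0.0.0.0/0"
    return None


def rule_required_tag(res, key="department"):
    """Non-compliant if the resource carries no value for the given tag key."""
    return None if res.get("tags", {}).get(key) else f"missing tag '{key}'"


RULES = {
    "no_public_admin_ports": rule_no_public_admin_ports,
    "required_tag": rule_required_tag,
}


def evaluate(snapshot, resource_ids=None):
    """Run every rule on the selected resources (default: all of them).
    Returns (resource_id, rule_name, reason) per non-compliant finding."""
    findings = []
    for rid in sorted(resource_ids if resource_ids is not None else snapshot):
        for name, rule in RULES.items():
            reason = rule(snapshot[rid])
            if reason:
                findings.append((rid, name, reason))
    return findings


def on_change(previous, current):
    """Change-triggered evaluation: only resources that were added or changed
    are re-checked, which is what an alert subscription would fire on."""
    added, _removed, changed = diff_snapshots(previous, current)
    return evaluate(current, added + changed)


if __name__ == "__main__":
    print(diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
    print(on_change(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
```

Rules return a reason rather than a boolean so that the alert carries the evidence, and a rule that does not apply to a resource type answers None instead of "compliant"; conflating the two is a common way for compliance dashboards to look greener than the estate really is.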

Financial management

An enterprise as a whole usually manages its finances in a unified way. Two common scenarios are:

  • Unified payment: the vast majority of enterprise users settle with cloud vendors at the enterprise level. Alibaba Cloud provides financial hosting under Resource Directory, so that an enterprise can settle and pay for its multiple accounts in a unified way.
  • Cost analysis and chargeback: enterprises that care about cloud costs usually analyze them along different dimensions, such as project, owner or organizational unit. Some go further and do internal settlement according to the cost each department incurs. On Alibaba Cloud, users can mark resources with resource groups, tags and other means, and these markers show up in the bill. The enterprise retrieves detailed bill information through the billing API and splits the bill according to these markers. In the future Alibaba Cloud will also provide a better billing and cost experience.

Closing words

Enterprises at different stages of cloud adoption meet different IT governance challenges. An enterprise early on the cloud that understands the IT governance framework can prepare for its future scale on the cloud. An enterprise with mature business on the cloud that understands Alibaba Cloud's IT governance best practices can get more done with less.

On September 26, Yunqi Conference Hangzhou takes you through the whole "Alibaba Cloud Intelligence Technology Summit": hard-core technology and inclusive AI, with a comprehensive look at Alibaba Cloud's services, its full-stack AI development platform, algorithms and the AI industry.
https://yunqi.aliyun.com/2019/hangzhou/schedule

Source: yq.aliyun.com/articles/718662