Azure Cloud Platform Privacy and Environment Governance Solution
Technology innovation, transforming the future

Agenda
- The meaning of cloud governance & the process of continuous cloud governance
- The Azure cloud governance framework
- Cloud governance: security & identity management
- Cloud governance: deployment acceleration
- Cloud governance: resource consistency
- Cloud governance: cost management

The meaning of cloud governance & the process of continuous cloud governance

Definition of governance
Governance is all of the processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through the laws, norms, power or language of an organized society. It relates to the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions. In lay terms, it could be described as the political processes that exist in between formal institutions.
https://en.wikipedia.org/wiki/Governance

Cloud governance requirements
- Excellent people
- Appropriate resources
- Sound configuration

Continuous governance
- Plan
- Execute
- Improve

The Azure cloud governance framework

Azure resource organization framework
- Azure Scaffold
- Core / Core Network

Azure resource management framework
- CRUD and Query through Azure Resource Manager (ARM)
- Environment standardization: deploy and update cloud resources through unified templates
- Standardized control: use a rule engine to monitor and audit the compliance of resources in the environment
- Resource visibility: a clear view of large numbers of cloud resources
- Access, Definitions

Rule engine: Azure Policy
- Security: Azure Security Center, Guest Config baselines, Key Vault certificate, NSG rules, AKS & AKS Engine, RBAC role assignment
- Regulatory Compliance: NIST SP 800-53 R4, ISO 27001:2013, CIS, PCI v3.2.1:2018, FedRAMP Moderate, Canada Federal PBMM, SWIFT CSP-CSCF v2020, UK Official and UK NHS, IRS 1075
- Tags: Require specified tag, Add or replace a tag, Inherit a tag from the RG, Append a tag
- Resource standardization: Allowed / not allowed RP, Allowed locations, Naming convention, Back up VMs, Allowed images for AKS
- Cost: Allowed VM SKUs, Allowed Storage SKUs

Cloud governance: security & identity management

Security is the first priority of cloud management
- Threat protection: Microsoft Antimalware for Azure, Azure Log Analytics, Azure Security Center
- Network security: VNET, VPN, NSG, Application Gateway (WAF), Azure Firewall, DDoS Protection Standard, ExpressRoute
- Data protection: Encryption (Disks, Storage, SQL), Azure Key Vault, Confidential Computing
- Identity & access management: Azure Active Directory, Multi-Factor Authentication, Role Based Access Control, Azure Active Directory (Identity Protection)
- Security management: + Partner Solutions

Network architecture design
- On-premises network(s)
- Public IP

Data protection
- Key management interfaces: Azure Key Vault, authentication to Key Vault
- SQL Server (VM), Azure SQL Database & Azure SQL Data Warehouse: TDE (Transparent Data Encryption), CLE (Cell Level Encryption), SQL Server encrypted backups, Always Encrypted
- Virtual Machines (Windows & Linux): Azure Disk Encryption, partner volume encryption
- Azure Storage: application level encryption, Azure Storage Service Encryption (Blobs
- Azure Cosmos DB
- Azure Backup Service
- Azure Data Lake
- Azure HDInsight

Sound identity management is a must in the cloud
- Resource Role Permissions
- Segment Model Variations

Cloud governance: deployment acceleration

Azure Blueprints
- Blueprint = ARM Templates + Policy Definitions + Role-based access controls + Custom Scripts (* Coming in June 2019)
- Cloud Architect: ISO 27001, FedRAMP, NIST
- Cloud Engineer: Resource Groups, Azure DevOps

Cloud governance: resource consistency

Three aspects of resource consistency
Adopt an appropriate architecture design to ensure application stability
- Azure Backup
- Availability Sets, Zones and Region Pairs
- Azure Site Recovery

High-availability options in Azure
- VM SLA 99.9%: Single VM, protection with Premium Storage
- VM SLA 99.95%: Availability sets, protection against failures within datacenters
- VM SLA 99.99%: Availability zones, protection from entire datacenter failures (AZs available across US, Europe and Asia, more regions coming soon)
- Regions (54), disaster recovery: Site Recovery & Region pairs, protection from disaster with data residency compliance (industry-only)
- High availability SLA

Azure monitoring center
- Platform health center: Azure Service Health
- Cloud resource visibility: Azure Resource Graph
- Cloud resource optimization: Azure Advisor, which provides continuous optimization recommendations for cloud resources, for example VM CPU utilization, recommendations to purchase Reserved Instances (RI), or recommended SKU changes

Cloud governance: cost management

Continuous cloud cost optimization
- Track
- Measure
- Optimize

Clearly define responsibilities for cloud spend management, including cost breakdown, permission management, and proper tagging of resources. Management te