Cloud computing has improved the efficiency of resource delivery and daily operations like never before. It has become a trend for enterprises to migrate to the cloud. After verifying information security and cost control, enterprises will migrate applications and entire data centers to the cloud to optimize business models and technical processes. As more departments and employees start to work on the cloud, enterprises are paying attention to cost optimization and IT governance. Enterprise IT governance is the rational planning and allocation of enterprise IT resources. The Alibaba Cloud Enterprise IT Governance solution provides a set of management capabilities to help enterprises of all sizes smoothly migrate to the cloud and maximize the value of IT resources.
The Challenges and Solutions of Enterprise IT Governance
Identity Management and Access Control
Enterprises need to manage users on the cloud, including user creation, authentication, grouping, and granular policy authorization based on each user's responsibilities on the cloud, to ensure isolation and legitimate access to cloud services and resources. Alibaba Cloud provides user group functions. You can divide users into roles, such as operation and maintenance, development, and finance, according to the tasks they perform. Then, you can add users to specific user groups to obtain the corresponding permissions through shadowing operation permissions. You can also use the Alibaba Cloud resource group function to group cloud resources for management and grant permissions to users or user groups based on their resource groups.
Multi-Account Management System
For a single account, customers need group management for cloud services and resources. When a single account does not meet the demand, enterprises manage multiple accounts based on the organizational structure to ensure independent management and resource sharing among accounts. You can create enterprise management accounts and up to five levels of organizational units according to your management needs to organize accounts in your enterprise. Based on this organizational structure, you can achieve enterprise-level permission control, bill aggregation and statistics, and audit compliance.
Audit and Compliance
Enterprises need to manage all user operations on cloud resources and services and perform compliance checks and audits on operations. They also need to monitor changes and evaluate compliance for cloud resources and services configurations. Alibaba Cloud provides complete auditing capabilities, including operation auditing and configuration auditing, to help you continuously supervise the compliance of user action and action results on the cloud. Operation auditing helps you collect all of the operation logs on the cloud and perform aggregation and audit analysis. Configuration auditing helps you predefine audit rules and record and monitor the configuration changes to automatically trigger audit rule execution and user notifications.
Alibaba Cloud Landing Zone
As your enterprise develops and builds your business on Alibaba Cloud, enhancing the security of Alibaba Cloud accounts, isolating the network, managing accounts for team members, and building a maintainable cloud environment are key to starting an enterprise's journey to the cloud.
The Alibaba Cloud landing zone provides your enterprise with a complete set of best practices for the initialization of migration to the cloud that includes the easiest Alibaba Cloud account initialization solution and optimized paths to build a minimal cloud-ready environment. After you sign up for an Alibaba Cloud enterprise account, you can perform minimal configuration for the lightest enterprise security and benefit from easy operation and maintenance. The process consists of eight steps: Building the Structure, Planning Identities and Permissions, Defining Compliance Auditing, Managing Costs, Planning Network, Setting Security, Monitoring Network, and Creating New Accounts.
Land on Alibaba Cloud with Eight Steps
Step 1: Building the Structure of Cloud Resources
The first step for your enterprise to migrate to the cloud is to build the infrastructure of resources on the cloud with multiple accounts so you can carry out effective authority control, compliance audit, network planning, and financial resources hosting. Alibaba Cloud provides multiple methods to organize the resource architecture on the cloud. The architecture reflects the organization and division of each business line of the enterprise, forming a resource tree and laying the foundation for the subsequent governance steps. A multi-account management system on Alibaba Cloud should have three modules: the Enterprise Management Account is the root account of the multi-account system and is responsible for managing the organization; the Shared Services Account deploys shared security and public services; and App Accounts are for each application, following the enterprise's uniform controls while being maintained and used by each line of business (LoB).
Step 2: Integrating Corporate Identities and Planning Permissions
Logging into Alibaba Cloud from your identity management system, such as Identity Provider (IdP), adds pressure on the management and compliance of your enterprise. Through Alibaba Cloud’s role SSO, you can easily map enterprise employee identity or user groups to Alibaba Cloud’s role with specific authority. You also need to assign different permissions policies to different roles to ensure that permissions are minimized. The landing zone solution provides a series of best practices for pre-configured roles, permission policies, and SSO automation tools to help your organization quickly configure SSO and meet the identity integration requirements on the cloud.
Step 3: Setting up Compliance Auditing Rules
Compliance auditing rules are the key to achieving efficiency and control in the process of enterprise IT governance. Compliance and auditing have become one of the core requirements for enterprise IT governance, especially since compliance has become a mandatory requirement for enterprises migrating to the cloud. There are three main ways to achieve compliance auditing: Preventative Control prohibits non-compliant operations, Detective Control sets up detective rules and monitors enterprise resources, and Audit Log Persistence audits operation logs.
Step 4: Managing Costs and Expenditures
Cost analysis is a requirement for enterprises to migrate to the cloud. As enterprises grow, they need to focus on the budget and spending of each business and department. The Showback Model or Chargeback Model is adopted according to the type of enterprise. Several common measures, such as account dimensional accounting and tag dimensional accounting, are available according to the structure planning of the enterprise's cloud resources.
Step 5: Planning the Corporate Network
Network architecture is crucial for an enterprise: it affects the operation of enterprise business, calls between applications, business expansion, and the security of enterprise information. Network planning includes IP address planning, network connectivity, and access control for the enterprise network. Alibaba Cloud’s IT Governance solution includes a variety of pre-defined network models that help enterprises unify network management and planning without building a VPC or vSwitch. The models focus on planning which services in the security domain are interoperable within the enterprise network, which services can access or be accessed by the public network, and how to control the east-west and north-south traffic of a VPC to secure the enterprise. The related network resources and business resources are configured with unified monitoring rules and alarm rules to enable early detection and management of business problems.
Step 6: Configuring the Security Settings
The security services provided by Alibaba Cloud include data security, host security, and network and access security aspects to protect the security of enterprise data. The solution provides these services by leveraging Cloud Security Center (SAS), Cloud Firewall, and ECS Security Group.
Step 7: Monitoring the Network
The IT Governance solution leverages cloud monitoring capabilities and products, including Cloud Monitoring Service (CMS), Log Service, and Message Service, to redefine initial alerting rules, which enables enterprises to comprehensively monitor security risks and vulnerabilities.
Step 8: Creating New Accounts
As the enterprise conducts new business through new accounts, it also needs to meet enterprise IT governance requirements. Regulations and structures designed in the previous steps are implemented in the new account, such as identity integration, network architecture initialization, security protection configuration, and network monitoring. They are combined with preventive control policies to protect the account compliance baseline and avoid risky and non-compliant operations.
Resource Access Management
Secure your cloud resources to define fine-grained access permissions for users and groups.
Implement security analytics, resource change tracking, and compliance audits.
Application Configuration Management
Centralize application configuration management and perform real-time configuration push.
Sort resources that are allocated to an Alibaba Cloud account into different groups.
Security and Compliance
SOC2 Type II Report
Customer Success Stories
The access control (Resource Access Management), operation audit (ActionTrail) and configuration audit (Cloud Config) provided by Alibaba Cloud help Mondelēz International build a secure, controlled and easy-to-manage cloud environment, providing a solid foundation for full digital transformation.
Back in 2015, Mondelēz International signed a strategic partnership with Alibaba to migrate the traditional IDC to Alibaba Cloud's public cloud platform, build a mid-end system, and construct dozens of business support systems, such as sales systems and order systems. With the development of the business, dozens of application ISVs and cloud MSPs have cooperated. Mondelēz International needed to achieve cloud resource isolation and access control for different IT providers and unified monitoring of cloud resource configuration compliance.
"Based on the OpenAPI and governance capabilities of Alibaba Cloud's open platform, we have built a hybrid cloud management platform. This makes our operations and maintenance more automated and the delivery of services to business teams more agile, standardized and secure."
-- Yadan Liu, Head of Infrastructure, huya.com
With Alibaba Cloud's development platform, huya.com built a hybrid cloud management platform to achieve unified operation and management to respond to the needs of the business team. Huya.com implemented an enterprise-level CMDB based on OpenAPI to unify the management and analysis of the self-built private cloud. Alibaba Public Cloud realized the full lifecycle management of users and used RAM's powerful authorization capabilities to avoid security risks and create an automated delivery process. The Business Team gained resource delivery experience with a 10x increase in overall efficiency.
Enabling Operation and Configuration Auditing on Alibaba Cloud
Achieve proactive governance based on effective auditing and automatic monitoring and alerting on all your cloud resources.
Managing Your Resources on Alibaba Cloud
Manage resources and organize accounts through the Resource Directory.
Learn from Alibaba Cloud experts about Resource Management product information, API, purchasing guide, quickstart and FAQs.
Learn from Alibaba Cloud experts about Cloud Config product information, API, purchasing guide, quickstart and FAQs.
Learn from Alibaba Cloud experts about ActionTrail product information, API, purchasing guide, quickstart and FAQs.
Resource Access Management
Learn from Alibaba Cloud experts about Resource Access Management product information, API, purchasing guide, quickstart and FAQs.