B-A BA of Azure
Compliance and Governance
Author: Donatien MBADI OUM, Oracle |
AWS | Azure
1.
What is Azure, Azure management group and Azure subscriptions
Azure is a Cloud platform with more than 200 products and services designed
to help you bring new solutions to solve today’s challenges and create the
future. (Source: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure)
An Azure subscription is a logical container used to provision related
business or technical resources in Azure. Azure subscription is linked to an
Azure account.
-
It is a unit that aggregates all costs
of the underlying resources
-
It contains resource groups and their
associated resources
-
It’s a scoping level for governance
and security
Your organization can have many Azure subscriptions. To efficiently manage
access, policies and compliance for those subscriptions, you may use Management groups. You organize
subscriptions into management groups and then, the governance conditions you
apply cascade by inheritance to all associated subscriptions.
-
You can also have other Management
group under a Management group. Root management group is the top-level
-
Management groups and subscription can
have a single parent
-
Management group supports six levels
of hierarchy
-
Root management group access is not
given by default
-
Root management group cannot be moved
or deleted
2.
Subscription naming and types
Subscription are named on:
-
Whether they are production,
development or staging environments (E.g PROD001, DEV5420 etc)
-
The department or team the
subscription is intended for so that billing can be easily associated with a
given business unit (E.g. Marketing01, Engenering85 etc)
-
The region of the business that used
the subscription (Montreal-West01, Seattle52 etc)
Microsoft offers different types of subscriptions.
-
Free: Can be created with an email account
and a credit card that offers 200$ credit for the first 30 days and free
limited access for 12 months when converted to a pay-as-you-go subscription.
-
Pay-As-You-Go: Generates
monthly charge depending on the amount of Cloud resources used.
-
Enterprise: needs a single Enterprise agreement
for bulk purchases of subscription, with discounts for new licenses and software’s
assurance.
-
Student: Includes 100$ for 12 months and can
be activated without a credit card; however, student verification is required.
Note: There are others offers including
Azure Pass-Sponsorship, Visual Studio Enterprise Subscription etc.
3.
Azure Role-Based Access Control (RBAC)
RBAC is a mechanism that help you manage who can access your Azure
resources. RBAC lets you determine what operations specific users can do on
specific resources and control what areas of a resource each user can access.
Example:
-
Allow an application to access all
resources in a resource group
-
Allow one user to manage VMs in a
subscription, allow another user to manage virtual networks
-
Allow a database administrator group
to manage SQL databases in s subscription
-
Allow a user to manage all resources
in a resource groups, such as VMs, Websites and Subnets.
To implement RBAC you may:
-
Create a role definition: It’s a set
of permissions that are defines in a JSON file.
-
Create a role assignment: It’s a
process of scoping a role definition to limit permissions for a requestor, such
as a user, group, service principal or managed identity.
4.
Azure Policy
Policies are used to enforce rules on your resources to meet corporate
compliance standards en service level agreements. Azure policy is a service
used to create, assign and manage policies. You can use policies to:
-
Prohibit resources (Control costs,
Restrict service access etc.)
-
Allowed locations (Geographical
compliance etc.)
To use Azure policy you may:
-
Define the evaluation criteria for
compliance, and define the actions that take place. Either audit or deny should
be something outside of compliance; this is Policy Definition.
-
Define the scope at which you will
assign the policy. The scope should be a management group, subscription,
resource group or resource; this is Policy
Assignment.
-
Define a collection of policies that
are tailored to achieving a singular high-level goal together; this is Initiative Definition.
Note: There are more than a hundred of
built-in policies that you can use directly.
Note: You can check your policy Compliance
via the Compliance Dashboard.
5.
Tagging Resource and Locks
Tags are key-value metadata elements that you apply to your Azure resources.
Tags help to identify resources based on settings that are relevant to your
organization. For example, if you want to track the deployment environment for
your resources, add a tag key named Environment.
To identify the resources deployed to production, give the tag value Production. In this example, the
key-value pair is Environment =
Production.
-
Tags are not inherited : Resources
don.t inherit tags you apply to a resource group or a subscription
-
You can use tags to group your billing
data: If you are running multiple VMs for different organizations, use the tags
to group usage by cost center.
-
Not all resources types support tags
-
Each resource, resource group and
subscription can have a maximum of 50 tag key-value pairs.
-
The tag name or key has a limit of 512
characters and the tag value has a limit of 256 characters
Locks are a mechanism that allow you to override permissions to resources. You
can lock subscriptions, resource group or resources. Lock types are:
-
ReadOnly: Allows authorized users to
read a resource, but they cannot delete or update the resource
-
CanNotDelete: Allows authorized users
to read and modify a resource, but they cannot delete the resource
Note: Locks are inherited from the parent
scope.
6.
Building a Cloud Governance Strategy
You may plan you Cloud Governance Strategy by:
-
Defining the cloud governance needs of
the organization
-
Planning which tools will be used to
implement governance
-
Understanding how those tools will be
used to implement governance
-
Implementing governance for the
organization using a cloud strategy
Governance Services are:
-
Management Groups and Subscriptions:
Organize subscriptions into hierarchical structures
-
Azure RBAC: Provide access to
resources at varying scopes
-
Policies: Implement policies to
enforce standards
-
Locks and Tagging: Lock resources to
prevent deletion. And tag resources to categorize.
