B-A BA of Azure
Compliance and Governance
Author: Donatien MBADI OUM, Oracle | AWS | Azure
1. What is Azure, Azure management groups and Azure subscriptions
Azure is a cloud platform with more than 200 products and services designed to help you bring new solutions to life, to solve today's challenges and create the future. (Source: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure)
An Azure subscription is a logical container used to provision related business or technical resources in Azure. A subscription is linked to an Azure account.
- It is the unit that aggregates the costs of all the resources it contains
- It contains resource groups and their associated resources
- It is a scoping level for governance and security: policy assignments, role assignments and locks applied at subscription scope are inherited by every resource group and resource below it
Your organization can have many Azure subscriptions. To manage access, policies and compliance for those subscriptions efficiently, you can use management groups. You organize subscriptions into management groups, and the governance conditions you apply at a management group (policy assignments, role assignments) cascade by inheritance to all subscriptions beneath it.
- A management group can contain other management groups. The root management group is the top level of the hierarchy; every management group and subscription in the tenant rolls up to it
- Each management group and each subscription can have only a single parent
- The hierarchy supports six levels of depth, not counting the root level or the subscription level
- Nobody is given access to the root management group by default; a Global Administrator has to explicitly elevate their access before they can manage it
- The root management group cannot be moved or deleted
2. Subscription naming and types
Subscriptions are commonly named according to:
- Whether they are production, development or staging environments (e.g. PROD001, DEV5420)
- The department or team the subscription is intended for, so that billing can easily be associated with a given business unit (e.g. Marketing01, Engineering85)
- The region of the business that uses the subscription (e.g. Montreal-West01, Seattle52)
Microsoft offers different types of subscriptions.
- Free: can be created with an email address and a credit card; it comes with $200 of credit for the first 30 days and free limited access to popular services for 12 months once converted to a pay-as-you-go subscription.
- Pay-As-You-Go: generates a monthly charge depending on the amount of cloud resources used.
- Enterprise: requires a single Enterprise Agreement covering bulk purchases of subscriptions, with discounts on new licenses and Software Assurance.
- Student: includes $100 of credit for 12 months and can be activated without a credit card; however, student verification is required.
Note: there are other offers, including Azure Pass, Azure Sponsorship and Visual Studio Enterprise subscriptions.
3. Azure Role-Based Access Control (RBAC)
RBAC is the mechanism that helps you manage who can access your Azure resources. RBAC lets you determine what operations specific users can perform on specific resources and control which areas of a resource each user can access.
Example:
- Allow an application to access all resources in a resource group
- Allow one user to manage VMs in a subscription and another user to manage virtual networks
- Allow a database administrator group to manage SQL databases in a subscription
- Allow a user to manage all resources in a resource group, such as VMs, websites and subnets
To implement RBAC you:
- Create or choose a role definition: a set of permissions defined in JSON, listing the permitted control-plane operations (Actions) and data-plane operations (DataActions), the operations carved out of those (NotActions, NotDataActions) and the scopes at which the role may be assigned (AssignableScopes). Azure ships many built-in roles (Owner, Contributor, Reader and service-specific ones) and you can author custom roles.
- Create a role assignment: bind a role definition to a security principal (user, group, service principal or managed identity) at a scope, which can be a management group, subscription, resource group or single resource. Assignments are inherited by child scopes, and a principal's effective permissions are the union of all its assignments. NotActions only remove operations from that role's own Actions; they do not deny an operation that another assignment grants.
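To make the Actions/NotActions, AssignableScopes and scope-inheritance rules above concrete, here is a small Python model of the access decision. It is an added example, not Microsoft's implementation: the roles (a cut-down Network Contributor plus two hypothetical custom roles, VM Operator and VM Decommissioner), the subscription ID sub-1111, the resource groups, resource IDs and the principals alice, bob and carol are all made up for illustration.

```python
"""Toy model of how Azure RBAC reaches an access decision.

Added example, not Microsoft code. The role definitions are simplified stand-ins for
built-in/custom roles; subscription IDs, resource group names, resource IDs and
principal names are made up for illustration.
"""
import fnmatch
from dataclasses import dataclass, field

@dataclass
class RoleDefinition:
    name: str
    actions: list[str]                  # wildcard patterns such as "Microsoft.Network/*"
    not_actions: list[str] = field(default_factory=list)
    assignable_scopes: list[str] = field(default_factory=lambda: ["/"])

    def allows(self, operation: str) -> bool:
        """Action matching is case-insensitive and '*' spans '/' segments."""
        op = operation.lower()
        granted = any(fnmatch.fnmatchcase(op, p.lower()) for p in self.actions)
        excluded = any(fnmatch.fnmatchcase(op, p.lower()) for p in self.not_actions)
        return granted and not excluded  # NotActions only carve out of this role's own Actions

@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str

def scope_contains(parent: str, child: str) -> bool:
    """True when child is parent itself or lies beneath it in the scope hierarchy."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")

def validate_assignment(assignment: RoleAssignment) -> None:
    """A role may only be assigned at, or below, one of its AssignableScopes."""
    if not any(scope_contains(s, assignment.scope) for s in assignment.role.assignable_scopes):
        raise ValueError(f"{assignment.role.name!r} is not assignable at {assignment.scope}")

def is_permitted(principal: str, operation: str, resource_id: str,
                 assignments: list[RoleAssignment]) -> bool:
    """Effective permissions are the union over every assignment that reaches the resource."""
    return any(a.principal == principal
               and scope_contains(a.scope, resource_id)      # assignments inherit downward
               and a.role.allows(operation)
               for a in assignments)

SUB = "/subscriptions/sub-1111"                              # constructed subscription ID
NETWORK_CONTRIBUTOR = RoleDefinition("Network Contributor (simplified)", actions=["Microsoft.Network/*"])
VM_OPERATOR = RoleDefinition(                                # hypothetical custom role: run VMs, never delete
    "VM Operator (custom)", actions=["Microsoft.Compute/virtualMachines/*"],
    not_actions=["Microsoft.Compute/virtualMachines/delete"], assignable_scopes=[SUB])
VM_DECOMMISSIONER = RoleDefinition(                          # hypothetical custom role: delete only
    "VM Decommissioner (custom)", actions=["Microsoft.Compute/virtualMachines/delete"],
    assignable_scopes=[SUB])

ASSIGNMENTS = [
    RoleAssignment("alice", VM_OPERATOR, SUB),
    RoleAssignment("alice", VM_DECOMMISSIONER, f"{SUB}/resourceGroups/rg-decom"),
    RoleAssignment("bob", NETWORK_CONTRIBUTOR, f"{SUB}/resourceGroups/rg-net"),
]
for _a in ASSIGNMENTS:
    validate_assignment(_a)

VM_APP = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"
VM_DECOM = f"{SUB}/resourceGroups/rg-decom/providers/Microsoft.Compute/virtualMachines/old01"
VNET_NET = f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/hub"
VNET_APP = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/spoke"

def demo() -> dict[str, bool]:
    """Access decisions for a few cases; each key says what the case illustrates."""
    start = "Microsoft.Compute/virtualMachines/start/action"
    delete = "Microsoft.Compute/virtualMachines/delete"
    write = "Microsoft.Network/virtualNetworks/write"
    return {
        "alice starts VM in rg-app (inherited from subscription scope)": is_permitted("alice", start, VM_APP, ASSIGNMENTS),
        "alice deletes VM in rg-app (carved out by NotActions)": is_permitted("alice", delete, VM_APP, ASSIGNMENTS),
        "alice deletes VM in rg-decom (second role adds it back)": is_permitted("alice", delete, VM_DECOM, ASSIGNMENTS),
        "bob writes VNet in rg-net (assigned at that resource group)": is_permitted("bob", write, VNET_NET, ASSIGNMENTS),
        "bob writes VNet in rg-app (outside his assignment scope)": is_permitted("bob", write, VNET_APP, ASSIGNMENTS),
    }

def out_of_scope_assignment_is_rejected() -> bool:
    """Assigning the custom role in another subscription violates its AssignableScopes."""
    try:
        validate_assignment(RoleAssignment("carol", VM_OPERATOR, "/subscriptions/sub-2222"))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{'allowed' if decision else 'denied':8} {case}")
```

The two delete cases are the ones to look at: NotActions removes delete from VM Operator, yet alice can still delete in rg-decom because the second assignment grants it and permissions are additive. If you need a hard block, NotActions is the wrong tool; real Azure also evaluates DataActions, ABAC conditions and deny assignments, none of which this toy models.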
4. Azure Policy
Policies are used to enforce rules on your resources so that they meet corporate compliance standards and service level agreements. Azure Policy is the service used to create, assign and manage policies. You can use policies to, for example:
- Prohibit resource types (to control costs, restrict service access, etc.)
- Restrict the allowed locations (geographical compliance, data residency, etc.)
To use Azure Policy you:
- Define the evaluation criteria for compliance and the effect that applies when a resource falls outside them, typically audit (the resource is flagged as non-compliant but the request goes through) or deny (the request is rejected); this is the Policy Definition.
- Define the scope at which you assign the policy: a management group, subscription, resource group or resource, optionally with exclusions; this is the Policy Assignment. Assignments are inherited by every scope below the one they are made at.
- Group a collection of policies that together achieve a single high-level goal; this is an Initiative Definition (also called a policy set).
Note: there are hundreds of built-in policy definitions and initiatives that you can assign directly.
Note: you can check policy compliance via the Compliance dashboard of Azure Policy. Audit results show up there; a deny is visible at request time as a failed deployment.
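How a policy definition, its assignment scope and an initiative fit together is easiest to see on data. The following Python is an added example, not Azure's evaluation engine: it implements a subset of the policy-rule language (allOf/anyOf, equals/notEquals/in/notIn/exists, [parameters('...')] references, the audit and deny effects) and runs a four-policy initiative, assigned at a made-up subscription, over constructed resource documents. The policy names, subscription IDs sub-1111/sub-2222, resource names, tag and parameter values are all invented; the alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is a real Azure Policy alias but is resolved here against a plain dict rather than by the resource provider.

```python
"""Toy Azure Policy evaluator: runs policy-rule JSON against resource documents.

Added example, not Microsoft's engine. Definitions copy the shape of built-ins such as
"Allowed locations" and "Not allowed resource types" but are constructed here; subscription
IDs, resource names and tags are made up. Supported: equals/notEquals/in/notIn/exists,
allOf/anyOf, [parameters('...')] references, and the audit and deny effects.
"""
import re
PARAM_REF = re.compile(r"\[parameters\('(\w+)'\)\]")

def resolve(value, params):      # "[parameters('x')]" -> the assignment's parameter value
    m = PARAM_REF.fullmatch(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def get_field(resource, name):   # top-level property, tags['key'], or a property alias
    if m := re.fullmatch(r"tags\['(.+)'\]", name):
        return resource.get("tags", {}).get(m.group(1))
    if name in ("name", "type", "location"):
        return resource.get(name)
    rtype = resource.get("type", "")                 # alias form: "<resource type>/<property>"
    if rtype and name.lower().startswith(rtype.lower() + "/"):
        return resource.get("properties", {}).get(name[len(rtype) + 1:])
    return None

def _eq(actual, expected):       # comparisons are case-insensitive; booleans compare as text
    return actual is not None and str(actual).lower() == str(expected).lower()

OPERATORS = {
    "equals": lambda a, e: _eq(a, e),
    "notEquals": lambda a, e: not _eq(a, e),
    "in": lambda a, e: any(_eq(a, v) for v in e),
    "notIn": lambda a, e: not any(_eq(a, v) for v in e),
    "exists": lambda a, e: (a is not None) == (str(e).lower() == "true"),
}

def evaluate_condition(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    op = next((k for k in OPERATORS if k in cond), None)
    if op is None:
        raise ValueError(f"unsupported condition: {cond}")
    return OPERATORS[op](get_field(resource, cond["field"]), resolve(cond[op], params))

def scope_contains(parent, child):
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")

def evaluate(assignment, resources):
    """Outcome per resource ID: 'Denied', 'NonCompliant' or 'Compliant'. Resources outside
    the assignment scope are not evaluated; deny wins over audit when both fire."""
    outcomes = {}
    for r in resources:
        if not scope_contains(assignment["scope"], r["id"]):
            continue
        effects = {p["policyRule"]["then"]["effect"].lower() for p in assignment["initiative"]
                   if evaluate_condition(p["policyRule"]["if"], r, assignment["parameters"])}
        outcomes[r["id"]] = ("Denied" if "deny" in effects
                             else "NonCompliant" if "audit" in effects else "Compliant")
    return outcomes

INITIATIVE = [   # an initiative is a set of policy definitions assigned together
    {"name": "allowed-locations", "policyRule": {
        "if": {"allOf": [{"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                         {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}},
    {"name": "not-allowed-resource-types", "policyRule": {
        "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
        "then": {"effect": "deny"}}},
    {"name": "audit-missing-environment-tag", "policyRule": {
        "if": {"field": "tags['Environment']", "exists": "false"},
        "then": {"effect": "audit"}}},
    {"name": "audit-storage-without-https-only", "policyRule": {
        "if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                         {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                          "notEquals": "true"}]},
        "then": {"effect": "audit"}}},
]
ASSIGNMENT = {"scope": "/subscriptions/sub-1111", "initiative": INITIATIVE,
              "parameters": {"listOfAllowedLocations": ["canadacentral", "canadaeast"],
                             "listOfResourceTypesNotAllowed": ["Microsoft.Network/publicIPAddresses"]}}

def _res(sub, rg, rtype, name, location, tags=None, **props):   # constructed resource document
    return {"id": f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{rtype}/{name}", "type": rtype,
            "name": name, "location": location, "tags": tags or {}, "properties": props}

RESOURCES = [
    _res("sub-1111", "rg-app", "Microsoft.Storage/storageAccounts", "stgood", "canadacentral",
         {"Environment": "Production"}, supportsHttpsTrafficOnly=True),
    _res("sub-1111", "rg-app", "Microsoft.Compute/virtualMachines", "vm-us", "eastus",
         {"Environment": "Production"}),
    _res("sub-1111", "rg-lab", "Microsoft.Storage/storageAccounts", "stlegacy", "canadaeast",
         supportsHttpsTrafficOnly=False),                  # no tags, HTTP still allowed
    _res("sub-1111", "rg-app", "Microsoft.Network/publicIPAddresses", "pip1", "canadacentral"),
    _res("sub-2222", "rg-other", "Microsoft.Compute/virtualMachines", "vm-out", "eastus"),
]

if __name__ == "__main__":
    for rid, outcome in evaluate(ASSIGNMENT, RESOURCES).items():
        print(f"{outcome:13} {rid}")
```

Running it shows the three outcomes side by side: vm-us and pip1 are denied (wrong region, forbidden type), stlegacy is merely non-compliant (two audit policies fire, the deployment itself is not stopped), stgood is compliant, and vm-out in the other subscription is never evaluated because it sits outside the assignment scope. The real service adds much more (modify, deployIfNotExists and other effects, exemptions, provider-resolved aliases); the audit-versus-deny distinction and scope inheritance are the parts this example is meant to show.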
5. Tagging resources and locks
Tags are key-value metadata elements that you apply to your Azure resources. Tags help you identify resources based on settings that are relevant to your organization. For example, if you want to track the deployment environment of your resources, add a tag key named Environment. To identify the resources deployed to production, give the tag the value Production. In this example, the key-value pair is Environment = Production.
- Tags are not inherited: resources don't inherit the tags you apply to a resource group or a subscription (if you want them copied down, a policy with the modify effect can do that)
- You can use tags to group your billing data: if you are running multiple VMs for different organizations, use the tags to group usage by cost center
- Not all resource types support tags
- Each resource, resource group and subscription can have a maximum of 50 tag key-value pairs
- The tag name (key) has a limit of 512 characters and the tag value a limit of 256 characters (storage accounts limit the tag name to 128 characters)
Locks protect a subscription, resource group or resource from accidental deletion or modification. A lock applies regardless of the RBAC permissions a user holds: even an Owner cannot delete a locked resource until the lock is removed, and only principals allowed the Microsoft.Authorization/locks/* operations (among the built-in roles, Owner and User Access Administrator) can create or delete locks. Lock types are:
- ReadOnly: authorized users can read the resource, but cannot update or delete it. Because this blocks every operation that is not a read, it can have side effects; for instance, a ReadOnly lock on a storage account prevents listing its access keys, since that is a POST operation.
- CanNotDelete: authorized users can read and modify the resource, but cannot delete it.
Note: locks are inherited from the parent scope, and when several locks apply to a resource the most restrictive one takes precedence.
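The lock and tag rules above (inheritance with the most restrictive lock winning, the ReadOnly side effect on POST operations, the per-scope tag limits, and grouping usage by tag) as a short Python model, added here as an example and not taken from the Azure SDK. The scope IDs, lock names, cost-center values and usage records are constructed for illustration.

```python
"""Resource locks and tags modelled in plain Python.

Added example, not Azure SDK code; the scope IDs, lock names and usage records are made
up. Rules modelled: locks are inherited from parent scopes and the most restrictive one
wins; CanNotDelete blocks only delete, ReadOnly also blocks writes and POST actions (so a
ReadOnly lock on a storage account stops listing its keys); tags are validated against the
per-scope limits, and usage is grouped by tag value.
"""
from collections import defaultdict
from dataclasses import dataclass

TAG_MAX_PAIRS, TAG_MAX_NAME, TAG_MAX_VALUE = 50, 512, 256
LOCK_RANK = {"CanNotDelete": 1, "ReadOnly": 2}            # higher rank = more restrictive
BLOCKED_BY = {"CanNotDelete": {"delete"},                 # operation kinds each level stops
              "ReadOnly": {"delete", "write", "action"}}  # 'action' = POST, e.g. listKeys

@dataclass(frozen=True)
class Lock:
    scope: str      # subscription, resource group or resource ID the lock is placed on
    level: str      # "CanNotDelete" or "ReadOnly"
    name: str

def scope_contains(parent, child):
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")

def effective_lock(resource_id, locks):
    """Locks are inherited: every lock at or above the resource applies; the strictest wins."""
    applicable = [lk for lk in locks if scope_contains(lk.scope, resource_id)]
    return max(applicable, key=lambda lk: LOCK_RANK[lk.level]).level if applicable else None

def operation_allowed(resource_id, operation, locks):
    """operation is 'read', 'write', 'action' or 'delete'; RBAC is assumed to already grant it."""
    level = effective_lock(resource_id, locks)
    return level is None or operation not in BLOCKED_BY[level]

def validate_tags(tags):
    """Return the limit violations for one resource's tag set (empty list = OK)."""
    problems = []
    if len(tags) > TAG_MAX_PAIRS:
        problems.append(f"{len(tags)} tags exceeds the limit of {TAG_MAX_PAIRS}")
    for key, value in tags.items():
        if len(key) > TAG_MAX_NAME:
            problems.append(f"tag name {key[:16]}... is longer than {TAG_MAX_NAME} characters")
        if len(value) > TAG_MAX_VALUE:
            problems.append(f"value of tag {key!r} is longer than {TAG_MAX_VALUE} characters")
    return problems

def usage_by_tag(records, key):
    """Group cost by the value of one tag. Tags are not inherited, so a resource that is
    not tagged itself lands in '(untagged)' even if its resource group carries the tag."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["tags"].get(key, "(untagged)")] += rec["cost"]
    return dict(totals)

SUB = "/subscriptions/sub-1111"                                   # constructed IDs
ST_PROD = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"
VM_DEV = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/dev01"
VM_OTHER = "/subscriptions/sub-2222/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/x01"
LOCKS = [Lock(SUB, "CanNotDelete", "no-accidental-delete"),
         Lock(f"{SUB}/resourceGroups/rg-prod", "ReadOnly", "prod-freeze")]
USAGE = [   # constructed usage records: cost in dollars for one billing period
    {"resource": ST_PROD, "tags": {"CostCenter": "CC-100"}, "cost": 12.5},
    {"resource": VM_DEV, "tags": {"CostCenter": "CC-200"}, "cost": 40.0},
    {"resource": VM_OTHER, "tags": {}, "cost": 7.25},               # untagged resource
]

if __name__ == "__main__":
    for rid in (ST_PROD, VM_DEV, VM_OTHER):
        blocked = [op for op in ("read", "write", "action", "delete") if not operation_allowed(rid, op, LOCKS)]
        print(f"{effective_lock(rid, LOCKS) or 'no lock':13} blocks {blocked or 'nothing'} on {rid.rsplit('/', 1)[1]}")
    print(usage_by_tag(USAGE, "CostCenter"))
```

The stprod case is the one worth remembering: the subscription-level CanNotDelete lock alone would still let a deployment update the storage account and list its keys, but the ReadOnly lock on rg-prod is inherited and, being stricter, wins, so the listKeys POST is refused even for an Owner until the lock is removed.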
6. Building a cloud governance strategy
You can plan your cloud governance strategy by:
- Defining the cloud governance needs of the organization
- Planning which tools will be used to implement governance
- Understanding how those tools will be used to implement governance
- Implementing governance for the organization according to the cloud strategy
The governance services covered above are:
- Management groups and subscriptions: organize subscriptions into a hierarchical structure that governance settings inherit through
- Azure RBAC: grant access to resources at varying scopes
- Azure Policy: enforce standards, audit or deny non-compliant resources and report compliance
- Locks and tagging: lock resources to prevent accidental deletion or modification, and tag resources to categorize them and attribute cost