
GABC2019: Azure Governance - Why should I care? By Mischa Faden

Azure Governance sounds like a boring topic, right? However, after helping our largest Swiss customer get started with Azure over the last five years, I can say it is absolutely key. If you don't pay attention to this topic, your journey to the cloud will fail.
I will share guidance based on good and bad examples and how you can be successful in your journey to the cloud. I will also give some insights into the guides and tools that are available to implement a governance model around Azure.

Azure Zurich User Group

April 27, 2019

Transcript

  1. Agenda
     • Learnings from the past
     • Azure Governance today
     • Management Groups
     • Azure Policies
     • How to get started
  2. Learnings from our enterprise customers
     • Public cloud usage starts at most customers somewhere in the business
     • At the early stage procurement doesn't care
     • Neither does internal IT
     • Until cloud adoption starts to be successful and usage is increasing
     • At this point everybody wants to get involved
     • They try to apply already existing governance frameworks
     • Outcome: all projects get blocked until cloud governance is put in place
  3. • How do I know what every resource is supporting, so I can account for it and bill it back accurately?
     • Is there a way Azure can recommend how to optimize my resources?
     • Is there a way to see any risk / compliance issue on my existing cloud resources?
     • How do I meet our legal requirements for data sovereignty in certain countries?
     • How do I ensure that someone does not inadvertently change a critical system?
     • How do I set up my subscriptions?
     • How do I group my applications?
     • How do I create DEV/UAT/Staging and Production environments?
     • How do I create sandbox / disconnected Azure subscriptions?
     • How do I get an alert when someone creates new resources in my subscription?
  4. What does it mean to govern in the cloud?
     Right people, right resources, right configurations
  5. Traditional approach: block Dev/Ops from directly accessing the cloud (portal/API/CLI) to attain control
     Diagram labels: Developers, Operations, Cloud Custodian / Engineers responsible for the cloud environment, Azure
     © Microsoft Corporation
  6. Cloud-native governance: removing barriers to compliance and enabling velocity (cloud speed and control)
     Diagram labels: Cloud Custodian Team, Developers, Operations, Management Groups, Templates, RBAC, Blueprints, Policies
  7. Azure is designed for effective governance
     1 Ensure compliance, 2 Empower DevOps, 3 Manage costs
  8. The broadest governance portfolio of any cloud (governance for the cloud)
     • Management Group (Hierarchy): define organizational hierarchy
     • Policy (Control): real-time enforcement, compliance assessment and remediation
     • Cost Management (Consumption, new): monitor cloud spend and optimize resources
     • Blueprints (Environment, new): deploy and update cloud environments in a repeatable manner using composable artifacts
     • Resource Graph (Visibility, new): query, explore & analyze cloud resources at scale
  9. Azure Governance Architecture: providing control over the cloud environment without sacrificing developer agility
     1. Environment factory: deploy and update cloud environments in a repeatable manner using composable artifacts
     2. Policy-based control: real-time enforcement, compliance assessment and remediation at scale
     3. Resource visibility: query, explore & analyze cloud resources at scale
     Diagram labels: Azure Portal, CLI, 3rd party (CRUD); Azure Resource Manager (ARM); Resource Providers (Network, Virtual Machine, Storage); Policy Engine; Azure Resource Graph (Query); Role-based Access; Policy Definitions; ARM Templates; Subscriptions; Azure Blueprints
  10. Introducing Management Groups
     Apply controls at scale
     • Leverage Azure Resource Manager (ARM) objects that integrate with other Azure services: Azure Policy, RBAC, Azure Cost Management, Azure Security Center
     Simplify subscription management
     • Group subscriptions into logical groups
     • Inherit properties that apply to all subscriptions
     • View aggregated information above the subscription level
     Fit your organization
     • Create a flexible hierarchy that can be updated quickly
     • Mirror the hierarchy to the organizational model that works for you
     • Scale up or down depending on the organizational needs
     (1 Ensure compliance, 2 Empower DevOps, 3 Manage costs)
  11. What are Azure management groups?
     • Management groups are hierarchy resources that exist above the subscription level within Azure
     • They are not tied to or modeled from a customer's EA hierarchy; there are no relationships between the two
     • Available to all offer types and channel agnostic (EA, Direct, CSP)
     • Groups can be created, moved, updated, and deleted by admins to build a hierarchy for their needs
  12. What are the benefits?
     • Launch scenarios include the use of Azure RBAC and Azure Policy assignment
     • Access and policy can be assigned on any node of a hierarchy, and the access will be inherited by its children
     • You can structure your environments and manage it all at large scale
     • Management groups are available through the APIs and the Azure portal
     • Other Azure services will extend management groups to include their features to deliver a consistent experience
  13. Access and auditing
     Management groups support Azure Role-Based Access Control (RBAC) for all resource accesses and role definitions
     • These permissions are inherited by child resources that exist in the hierarchy
     • Any built-in RBAC role can be assigned to a management group and will inherit down the hierarchy to the resources
     Management groups are supported within the Azure Activity Log
     • You can query all events that happen to a management group in the same central location as other Azure resources
  14. Management Group best practices
     • Define your hierarchy based on organization and environment type (prod, non-prod, etc.)
     • The root MG is for global configuration
     • Be careful with MG-level assignments, as they will cascade through large chunks of your hierarchy
     • Try not to repeat yourself: assign common policies and RBAC higher up in your hierarchy
     • Built-in RBAC roles for MGs: MG Contributor, MG Reader
     • You need subscription Owner access to move a subscription to another MG
  15. Recommended Azure subscription modeling strategy (Microsoft recommended)
     Org Management Group
     ├─ Prod Management Group (Prod RBAC + Policy): subscriptions App A Prod, App B Prod, App C Prod, Shared services (Prod)
     └─ Non-Prod Management Group (Non-Prod RBAC + Policy): subscriptions App A Non-Prod, App B Non-Prod, App C Non-Prod, Shared services (Non-Prod)
  16. Introducing Policy: active control and governance at scale for your Azure resources
     (1 Ensure compliance, 2 Empower DevOps, 3 Manage costs)
     Remediate & automate
     • Remediate existing resources at scale (new)
     • Automatic remediation of resources at deployment time
     • Trigger alerts when a resource is out of compliance
     Enforcement & compliance
     • Turn on built-in policies or build custom ones for all resource types
     • Real-time policy evaluation and enforcement
     • Periodic & on-demand compliance evaluation
     • VM in-guest policy (new)
     Apply policies at scale
     • Apply policies to a management group for control across your entire organization
     • Apply multiple policies and aggregate policy states with policy initiatives
     • Exclusion scope
  17. Policy key information
     • Real-time policy enforcement and at-scale compliance assessment
     • Policy evaluates all Azure resources & in-guest VM state
     • Policy generates compliance events that can be used for alerting
     • Aggregated and raw compliance data are available through the API, PowerShell & CLI
     • Can be used to automatically remediate problems in your environment
  18. Policy best practices
     • Start with Audit policies, which are a safe way of understanding what a policy will do without affecting user activity
     • Roll out Deny policies in stages to understand the impact
     • Roll out remediation in stages
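The inheritance of assignments down a management-group hierarchy (slides 11 to 15) and the Audit-first, Deny-later rollout (slides 16 to 18) can be seen working together in the following model. It is an added example, not code from the deck or from Microsoft: a small Python re-implementation of how Azure Policy scopes assignments and evaluates a rule, supporting only a subset of the policy language (allOf, equals, notEquals, in, notIn). The management group and subscription names, the two assignments and the evaluated resources are constructed for the example; the policy definition is a simplified copy of the built-in "Allowed locations" rule, with the effect made a parameter so the same definition can be assigned as Audit on the root and as Deny on the prod branch, with one subscription carved out through an exclusion scope.

```python
"""Toy model of how Azure Policy assignments are scoped over a management-group
hierarchy and evaluated. Added example (not the deck's or Microsoft's code)."""
import json
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
MG = "/providers/Microsoft.Management/managementGroups/"

# Simplified copy of the built-in "Allowed locations" rule in the real
# policyRule JSON shape. The effect is a parameter so one definition can be
# assigned as Audit first and as Deny later (slide 18).
ALLOWED_LOCATIONS = json.loads("""{
  "parameters": {"listOfAllowedLocations": {"type": "Array"},
                 "effect": {"type": "String", "allowedValues": ["Audit", "Deny"]}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
      {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "[parameters('effect')]"}}
}""")

# Constructed hierarchy (child scope -> parent scope), shaped like slide 15.
HIERARCHY = {
    MG + "contoso": None,
    MG + "prod": MG + "contoso",
    MG + "non-prod": MG + "contoso",
    "/subscriptions/1111-app-a-prod": MG + "prod",
    "/subscriptions/2222-shared-prod": MG + "prod",
    "/subscriptions/3333-sandbox": MG + "non-prod",
}
SWISS = ["switzerlandnorth", "switzerlandwest"]

# Constructed assignments: Audit at the root records everything and blocks nothing;
# the same rule as Deny on prod only, with shared services excluded via notScopes.
ASSIGNMENTS = [
    {"name": "audit-locations", "scope": MG + "contoso", "notScopes": [],
     "definition": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": SWISS, "effect": "Audit"}},
    {"name": "deny-locations-prod", "scope": MG + "prod",
     "notScopes": ["/subscriptions/2222-shared-prod"],
     "definition": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": SWISS, "effect": "Deny"}},
]

def _resolve(value, params):
    """Replace a "[parameters('name')]" reference with the assigned value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _norm(value):
    """Azure Policy string comparisons are case-insensitive; model that."""
    return value.lower() if isinstance(value, str) else value

def evaluate_condition(cond, resource, params):
    """Evaluate a policyRule 'if' block against a flat resource dict."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def scope_chain(resource_id, hierarchy):
    """Scopes whose assignments reach a resource: its subscription, then each
    ancestor management group up to the root (inheritance, slides 12 and 13)."""
    chain = ["/".join(resource_id.split("/")[:3])]  # "/subscriptions/<id>"
    while hierarchy.get(chain[-1]) is not None:
        chain.append(hierarchy[chain[-1]])
    return chain

def evaluate_request(resource_id, resource, hierarchy, assignments):
    """Decide a create/update of `resource` at `resource_id`: Audit hits are
    only recorded as non-compliant, Deny hits reject the request."""
    chain = scope_chain(resource_id, hierarchy)
    audit, deny = [], []
    for a in assignments:
        if a["scope"] not in chain:
            continue  # assigned on a branch that does not contain this resource
        if any(ns in chain or resource_id.startswith(ns + "/") for ns in a["notScopes"]):
            continue  # carved out by the assignment's exclusion scope
        rule, params = a["definition"]["policyRule"], a["parameters"]
        if not evaluate_condition(rule["if"], resource, params):
            continue  # compliant with this assignment
        effect = str(_resolve(rule["then"]["effect"], params)).lower()
        (deny if effect == "deny" else audit).append(a["name"])
    return {"allowed": not deny, "audit": audit, "deny": deny}

if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope"}
    for sub in ("1111-app-a-prod", "2222-shared-prod", "3333-sandbox"):
        rid = f"/subscriptions/{sub}/resourceGroups/rg1/providers/{vm['type']}/vm1"
        print(sub, evaluate_request(rid, vm, HIERARCHY, ASSIGNMENTS))
```

Running it shows the three outcomes the slides describe: a West Europe VM in the app-a-prod subscription is both audited (root assignment) and denied (prod assignment); the same VM in the excluded shared-services subscription or in the sandbox under non-prod is only audited and goes through; a VM in a Swiss region, or a "global" resource, matches neither. The real engine also evaluates aliases, tags and in-guest settings and has more effects (Append, DeployIfNotExists, Modify); this model only covers the scoping and the Audit/Deny distinction.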
  19. Microsoft approach in the past
     Diagram (phases in order): Pre-Sales → Assess Fit / POC → Commit → Choose Solution → Architecture → Adoption → Platform Deploy → Operate → Evolve
     Diagram (activities per phase): Pre-Sales (Inventory, Assess Cost, Business Justification) → Commit (Choose Solution, Architecture) → Adoption (Plan, Deploy, Adopt, Optimize)
  20. Microsoft Cloud Adoption Framework (CAF)
     Labels: Customer success, Transformative, Thought Leadership
     Today's conversation focuses on one section of CAF: Governance
  21. How do I get started?
     1. Framework: frame the conversation to mitigate tangible business risks through consistent governance
     2. Assess: assess the current state and future state to establish a vision for applying the framework
     3. MVP: establish a Minimally Viable Product (MVP) to serve as a foundation for governance
     4. Evolve: mature with each release to align cloud adoption and existing IT functions
  22. Step by step
     1. Read the Cloud Adoption Framework: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/journeys/overview
     2. Define guardrail requirements; leverage built-ins like the ISO 27001 blueprint & policy initiative
     3. Design the hierarchy & subscription modeling
     4. Apply top-level guardrails: policy initiatives + permissions/RBAC
     5. Stamp out standardized cloud environments with Blueprints
     6. Periodically audit the overall compliance of your environment
  23. Resources around Azure Governance
     • Governance docs (Policy, Resource Graph, Blueprints): http://aka.ms/governancedocs
     • Cloud Adoption Framework: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/journeys/overview
     • Governance YouTube channel: http://aka.ms/governancevideos
     • Policy examples: https://github.com/Azure/azure-policy/tree/master/samples and https://docs.microsoft.com/en-us/azure/governance/policy/samples/index