GABC2019: Azure Governance - Why should I care? By Mischa Faden

GABC2019: Azure Governance - Why should I care? By Mischa Faden

Azure Governance sounds like a boring topic, right? However after helping in the last 5 years our largest Swiss customer to get started with Azure, this is absolutely key. If you don't take attention to this topic your journey to the cloud will fail. 
I will share guidance based on good and bad examples and how you can be successful in your journey to the cloud. I will give also some insights on guides and tools, which are available to implement a Governance model around Azure.

0754d30f3acc99a940aebdcd49d5af97?s=128

Azure Zurich User Group

April 27, 2019
Tweet

Transcript

  1. Michael Faden Cloud Solution Architect Manager - Switzerland Azure Governance

    Why should I care?
  2. Agenda • Learnings from the past • Azure Governance today

    • Management Groups • Azure Policies • How to get started
  3. Learnings from our enterprise customers • Public cloud usage starts

    at most customers somewhere in business • At the early stage procurement doesn’t care • Neither does internal IT • Until cloud adaption starts to be successful and usage is increasing • At this point everybody wants to get involved • Try to apply already existing governance frameworks • Outcome: All projects get blocked until cloud governance is put in place
  4. • How do I know what every resource is supporting

    so I can account for it and bill it back accurately? • Is there a way Azure can recommend to optimize my resources • Is there a way to see any Risk / Compliance issue on my existing cloud resources • How do I meet our legal requirements for data sovereignty in certain countries? • How do I ensure that someone does not inadvertently change a critical system? • How do I setup my subscriptions? • How do I group my applications? • How do I create DEV/UAT/Staging and Production environment? • How do I create sandbox / disconnected Azure Subscriptions? • How do I get alert when someone create new resources in my subscription?
  5. What does it mean to govern in the cloud? Right

    People Right Resources Right Configurations
  6. Block Dev/Ops from directly accessing the cloud (portal/API/cli) to attain

    control Developers Operations Cloud Custodian / Engineers responsible for Cloud environment Traditional approach © Microsoft Corporation Azure
  7. Cloud Custodian Team Cloud-native governance -> removing barriers to compliance

    and enabling velocity Developers Operations Management Groups Templates RBAC Blueprints Policies Policy Cloud speed and control © Microsoft Corporation Azure
  8. Azure is designed for effective governance © Microsoft Corporation Azure

    Ensure compliance 1 Empower DevOps 2 Manage costs 3
  9. The broadest governance portfolio of any cloud Governance for the

    cloud Management Group Define organizational hierarchy Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEW NEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility © Microsoft Corporation Azure
  10. Azure Governance Architecture 1. Environment factory Deploy and update cloud

    environments in a repeatable manner using composable artifacts 2. Policy-based control Real-time enforcement, compliance assessment and remediation at scale 3. Resource visibility Query, explore & analyze cloud resources at scale Resource Provider Network Virtual Machine Storage Azure Portal CLI 3rd party CRUD Azure Resource Manager (ARM) Policy Engine Azure Resource Graph Query Role-based Access Policy Definitions ARM Templates Subscriptions Azure Blueprints © Microsoft Corporation Azure Providing control over the cloud environment, without sacrificing developer agility
  11. Management Groups

  12. Introducing Management Groups © Microsoft Corporation Azure Leverage Azure Resource

    Manager (ARM) objects that integrate with other Azure services Azure services: Azure Policy RBAC Azure Cost Management Azure Security Center Apply controls at scale Group subscriptions into logical groups Inherit properties that apply to all subscriptions View aggregated information above the subscription level Simplify subscription management Create a flexible hierarchy that can be updated quickly Mirror the hierarchy to the organizational model that works for you Scale up or down depending on the organizational needs Fit your organization Ensure compliance 1 Manage costs 3 Empower DevOps 2
  13. What are Azure management groups? • Management groups are hierarchy

    resources that exist above the subscription level within Azure • They are not tied to or modeled from a customer’s EA hierarchy; there are no relationships between the two • Available to all offer types and are channel agnostic (EA, Direct, CSP) • Groups can be created, moved, updated, and deleted by admins to build a hierarchy for their needs © Microsoft Corporation Azure
  14. What are the benefits? • Launch scenarios include the use

    of Azure RBAC and Azure Policy assignment • Access and policy can be assigned on any node of a hierarchy and the access will inherit to its children • You can structure your environments and manage it all at large scale • Management groups are available through the APIs and Azure portal • Other Azure services will extend management groups to include their features to deliver a consistent experience © Microsoft Corporation Azure
  15. Access and auditing Management groups support Azure Role-Based Access Control

    (RBAC) for all resource accesses and role definitions • These permissions are inherited to child resources that exist in the hierarchy • Any built-in RBAC role can be assigned to a management group that will inherit down the hierarchy to the resources Management groups are supported within Azure Activity Log • You can query all events that happen to a management group in the same central location as other Azure resources © Microsoft Corporation Azure
  16. © Microsoft Corporation Management Group best practices • Define your

    hierarchy based on organization and environment type (prod, non-prod, etc.) • The root MG is for global configuration • Be careful with MG level assignments as they will cascade through large chunks of your hierarchy • Try not to repeat yourself. Assign common policies and rbac higher up in your hierarchy • Built-in RBAC roles for MGs (MG contributor, MG reader) • Need subscription owner access to move to another MG
  17. Recommended Azure subscription modeling strategy App A Non-Prod Microsoft Recommended

    App B Non-Prod Shared services (Non-Prod) App C Non-Prod App A Prod App B Prod Shared services (Prod) App C Prod Prod RBAC + Policy Non-Prod RBAC + Policy Subscription Management Group Org Management Group © Microsoft Corporation Azure
  18. Azure Policies

  19. Introducing Policy © Microsoft Corporation Azure Ensure compliance 1 Manage

    costs 3 Empower DevOps 2 Remediate existing resources at scale (NEW) Automatic remediation resources at deployment time Trigger alerts when a resource is out of compliance Remediate & automate Turn on built-in policies or build custom ones for all resource types Real-time policy evaluation and enforcement Periodic & on-demand compliance evaluation VM In-Guest Policy (NEW) Enforcement & compliance Apply policies to a Management Group with control across your entire organization Apply multiple policies and & aggregate policy states with policy initiatives Exclusion Scope Apply policies at scale Active control and governance at scale for your Azure resources
  20. Demo Azure policy

  21. © Microsoft Corporation Policy key information • Real time Policy

    enforcement​ and at-scale compliance assessment • Policy evaluates all Azure resources & in-guest VM • Policy generate compliance events that can be used for alerting​ • Aggregated and raw compliance data are available through API, PowerShell & CLI​ • Can be used to automatically remediate problems in your environment​
  22. © Microsoft Corporation • Start with Audit Policies, which is

    a safe way of understanding what a policy will do without affecting user activity • rollout Deny policies in stages to understand impact • Rollout remediation in stages Policy best practices
  23. How to get started

  24. Microsoft approach in the past Pre-Sales Assess Fit / POC

    Commit Choose Solution Architecture Adoption Platform Deploy Operate Evolve Pre-Sales Inventory, Assess Cost Business Justification Commit Choose Solution Architecture Adoption Plan Deploy Adopt Optimize
  25. Microsoft Cloud Adoption Framework (CAF) Customer success Transformative Thought Leadership

    Today’s conversation focuses on one section of CAF, Governance
  26. CAF Governance Model

  27. Assess current state and future state to establish a vision

    for applying the framework Assess 2 Establish a Minimally Viable Product (MVP) to serve as a foundation for governance MVP 3 How do I get started? Frame the conversation to mitigate tangible business risks through consistent governance Framework 1 Mature with each release to align Cloud Adoption and existing IT functions Evolve 4
  28. © Microsoft Corporation Step by Step 1. Read - Cloud

    Adoption Framework https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/journeys/overview 2. Define guardrail requirements leverage built-ins like ISO 27001 blueprint & policy initiative 3. Design Hierarchy & Subscription Modeling 4. Apply top-level guardrails: Policy Initiatives + permissions/RBAC 5. Stamp out standardized cloud environment with Blueprints 6. Periodically audit the overall compliance of your environment
  29. Resources around Azure Governance http://aka.ms/governancedocs Governance Docs (Policy, Resource Graph,

    Blueprints) Cloud Adaption Framework https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/journeys/overview Governance YouTube Channel http://aka.ms/governancevideos Policy examples https://github.com/Azure/azure-policy/tree/master/samples https://docs.microsoft.com/en-us/azure/governance/policy/samples/index
  30. Thanks to our sponsors!