For years organizations have been using IT governance frameworks to align IT processes to a company’s business goals. Today, with the rise of cloud computing and remote data centers, there are new questions as physical resources are no longer always owned by users and can be widely accessible over the internet. Even the biggest cloud skeptics are realizing that the cloud is here to stay, and they are not only starting to think about the technical aspects of cloud solutions but also about risk and compliance. And they need to align these measures to both current policies, primarily ones defined by the organization itself, as well as to standards defined by national and/or global authorities. This post deals with how to use policies in Azure to achieve better control and clarity over your cloud resources.
Microsoft is positioning Azure as an enterprise-grade cloud, and its recently introduced feature, Azure Policy, is confirming that companies that want to extend current compliance policies to Azure will have Microsoft’s full support to do so. Azure Policy gives you the ability to create, assign, and monitor a set of rules to keep company standards and service level agreements at the desired level.
To define a policy, you need to think at which scale you want to deploy it, which type of resources you want to cover, and, most importantly, what actions are required from Azure’s side if and when resources are not in compliance. You can choose to deny deployment if policy requirements are not met, only show a warning message and audit a deployment, append an additional set of fields automatically if they are required by the policy, and audit or even deploy resources if they don’t exist.
It is recommended to create policy definitions as generic as possible in order to reuse them easily by defining policy parameters rather than hard coding them into the definition itself—similar to when deploying ARM templates. A company can choose from Microsoft’s prebuilt definitions or define its own. That is, an organization can define its own allowed Azure locations or resource types, require a certain version of SQL Server, approve custom VM images, or even enforce a naming convention.
After you define policy, you need to assign it to specific resource groups or to an entire subscription. All resources in the defined scope will apply the policy, but you are free to exclude certain child resources if needed. So, for instance, you may apply policy to deny the creation of VMs with unmanaged disks across the whole subscription except for a resource group used for the testing environment. By grouping together related policy definitions with a similar goal, you get an initiative definition that should additionally simplify policy management. And as with policies, you can define parameters and assignments for an initiative as well.
Azure Policies should not be confused with Role Based Access Control (RBAC). While RBAC is introduced with Azure Resource Manager and used to manage user permissions over Azure resources, Azure Policy pertains to actual properties of resources during and after deployment. Of course, to manage policies, you need to have proper RBAC permissions assigned. Like all other resources in Azure, you are free to choose how to create and manage policies: through the Azure portal, REST API, or by using the well-known command-line tools PowerShell and Azure CLI.
Last but not least, Microsoft will not charge you for utilizing Azure Policy, meaning a company can benefit from this feature for free. A company can also further benefit financially by defining policies. So, for instance, it can eliminate the possibility of an admin scaling up resources to run a feature, such as Azure VM or Azure Web App, that would result in increased costs and a higher monthly bill.
Azure Policy and Compliance
Azure Policy is a useful feature for organizations in need of IT governance for the cloud. For those already familiar with Azure tools in general, it will be easy to create, manage, and monitor policies because they rely on the same principles as other Azure resources. Start small, audit resources initially instead of denying them, analyze reports, and, over time, a company will realize what it needs to do next and how to align Azure resources with its business policies. Also, Microsoft is sure to add new functionalities to this feature, so stay tuned to the Azure blog for updates to continuously improve and ensure your cloud compliance.
Need more tools to ensure compliance for Azure? Learn more about what CloudCheckr can do for you.