Last time, I told you WHAT is cloud governance, and WHY you need it at your organization. Today, I will show you HOW to implement it.
This post has originally been published on Apr 11, 2019. It has since been split into 2 parts and updated for better readability. You can find part 1 here.
In the previous article, we talked about the basics of a cloud governance framework. To recap: it is a way to help you manage your cloud more quickly, consistently, in a controlled way. It has to cover the business aspect of your operations, include the right people, and relevant technology.
Some of the final aspect we’ll cover today, as we finally arrive at the How part of our model. But before jumping to the tools, a few words of caution.
Do not aim to address all the aspects and concerns in one big shot (OBS for the acronym game). This is not going to work. When you start this journey, you might not even know what you are going to deploy.
Start with the Minimal Viable Product (or Policies, MVP) in place. First, set up a governance framework for a single type of your subscription (e.g. development environments) with a minimal set of policies.
Once that’s in place, then you can build around it.
After building and deploying your MVP, set up a process for incremental growth. Review and iterate your governance model in sprints. Base it on the following:
Set up triggers for your policy updates. For example: every time your cloud consumption grows by 20%, you need to review our policies on cost management. Or every time you deploy a new service, you need to review security and auditing controls applied within your framework.
Monitor those triggers! In the beginning, it might be a manual process. For instance, your Cloud Strategy Team needs to review every prepared deployment. They need to identify if it includes new types of resources, and that all deployments are prepared in the right way.
Friendly advice: Automation is cool and needed. Still, don’t aim to automate everything right from the start. Most certainly, don’t delay your first iterations of cloud governance just because you need to automate them!
Would you rather work with a document? Scroll down to find the complete guide available for download!
Now, let’s take a look at the practical solutions. They include plenty of tools to help you set up governance for your Azure services.
First of all, accept the fact that you will have multiple subscriptions and environments.
Arrange your subscriptions using Management Groups. This is how you can group them within a single management unit.
As a design strategy, create Management Groups for your environments such as development and/or production.
Within Management Groups, arrange subscriptions based on your organizational approach. These may include the following:
Some organizations use this to simplify billing: one subscription per billing unit.
Within subscriptions, create resource groups per app or workload.
Define your business goals, risk model, and constraints. Put them all in writing as policies.
Your objective here is to set a foundation for clear and faster adoption of the cloud. Since this might be an early stage of your journey, some things might go wrong (become risks). These may include:
Based on those goals and risks, you can identify policies for your environment, e.g.:
This is only the initial set. The next iteration needs to be more in-depth and detailed.
Those policies will be mapped to specific Azure tools. Their implementation will then be based on particular categories. You may also onboard third-party tools and external services. They may help you apply the policies in the environment.
Azure offers several tools to help you implement your policies during the deployment stage. You can use Azure Resources Model (ARM) for all deployments. This way you will not allow manual deployments at all.
Azure Resources Graph extends the ARM Model. It lets you identify resources and check their compliance with your policies.
To enforce your policies and resource compliance, you have another powerful service: Azure Policies. You can apply policies to identity compliant or non-compliant resources. Or, verify compliance at the time of creation and verify specific VMs and services settings.
The best way to ensure that things are configured correctly is to utilize templates in the form of Azure Blueprints. They enable and orchestrate the deployment of:
and through this many other services and elements.
You can find a quick introduction to Azure Blueprints in the video below.
An overview of Azure Blueprints – Microsoft Channel 9 Video
More on the entire stack of tools for deployment toolkit in Azure stack and where to apply them is here.
Here you will find a quick comparison for decision support and information.
Still, there are a few important notes to add:
Security is essential. It is among the first concerns raised when a company adopts the cloud. Because of this, it is also well described and addressed through the platform.
Remember: cloud is not magic! It doesn’t work on its own. Even if the controls are there – you need to put them in place!
Set the basic requirements for your core elements on Azure:
There are around 20 security-related whitepapers with guidance for those elements. Use them to educate yourself one topic at a time.
Familiarize yourself with tools you have on the platform and apply them as security controls.
Azure Security Center is a one-stop shop for monitoring your security strategy. It provides a real-time view into compliance with regulatory requirements for your resources. Make sure to check this as it provides actionable items to improve in this area. Plan your resource coverage with Azure Security Center. It also has a free plan.
Azure Sentinel is a service that provides SIEM capabilities in the cloud and for cloud resources. It gives insight and monitoring across many data sources. You can currently try it for free. Make sure to check if this can be your tool of choice for security and threats monitoring. We can also help you with managing it – see more here.
Watch the video to find out more about Azure Sentinel
Educate yourself on and set up your policies. This is a requirement for the use of platform features and services like the following:
A list of fundamental security tools in your toolkit with a quick comparison can be found here.
This is always an essential factor in cloud deployments. To implement it efficiently you need three elements:
One thing to check for sure is how your subscription payment model supports those solutions. There might be slight differences between EA, CSP or other ways in which you purchase your Azure.
And that’s the end of our guide to implementing Azure governance. I hope you found it helpful. If you prefer this information is video form, you’ll find a summary here:
A summary of subscription management in Azure
In my upcoming articles, you will find more details and tips on how to look after your services with cloud governance. In the meantime, feel free to contact us with any questions!
I covered security in GitHub last time. But some of you likely use Azure DevOps for building your products, so let’s t...
Sometimes it feels like I'm pushing too much with security and software development, but then you prove me wrong. Rec...