This is part four in a four-part series on Enterprise Governance in Microsoft Azure.
In part one, we discussed the four levels of management in the Azure Enterprise Portal: the Enterprise Agreement, departments, accounts, and subscriptions. In part two, we talked about the guiding principles behind dividing resources into resource groups and/or subscriptions. Then in part three, we explored how Azure Active Directory, role-based access control, and ARM policies work together to enforce organizational standards throughout your Azure environment. Finally, in this article we will examine many supporting features such as Resource Locks, Azure Automation and Azure Security Center. We will also review a few best practice recommendations based on our experience working with enterprise Azure deployments.
Protecting Resources With Resource Locks
When we discussed the centralized resource group model in part two, one of the primary benefits was that shared infrastructure resources like Virtual Networks would be segregated into resource groups controlled by centralized IT engineering teams. Resource Locks represent another layer of protection to critical resources that could cause significant business disruption if modified or deleted. For example, an organization may want to prevent their ExpressRoute Gateway from being removed when their critical apps rely on hybrid network connectivity or prevent the deletion of a storage account that hosts critical data. Two types of locks are available in Azure Resource Manager, CanNotDelete and ReadOnly. They can be implemented in the Resource Manager portal, with PowerShell using the New-AzureRmResourceLock cmdlet, or via ARM templates. Locks can be applied at the subscription, resource group, or individual resource level, and are typically created by users with the Owner or User Access Administrator roles. Once they are added, they apply to all resources or policies within that scope for all users within the organization.
Azure Automation
Another standardization tool targeted toward operations is Azure Automation. Rather than performing common, repetitive tasks individually through the Azure Portal or PowerShell, you can use Azure Automation Runbooks to automate resource management and processes, reducing implementation time and the possibility of error. In addition, PowerShell Desired State Configuration (DSC) is available to help automate configuration management, ensuring standardized and enforced settings in deployed nodes.
Runbooks can take the form of text-based PowerShell or PowerShell Workflow, as well as graphical versions of each of those. A convenient way to get started with runbooks is with the Runbook Gallery. From there, you can take runbooks for common tasks such as shutting down or deploying VMs and customize them to your specific needs. While those are simple examples, runbooks are also scalable up to complex workflows requiring multiple steps.
Azure Security Center
Azure Security Center represents a combination of best practice analysis and security policy management for all resources within an Azure subscription. This powerful and easy to use tool allows security teams and risk officers to prevent, detect, and respond to security threats as it automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like anti-malware programs and firewalls. Azure Security Center applies advanced analytics, including machine learning and behavioral analysis while leveraging global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds. Security governance can be applied broadly at the subscription level or narrowed down to specific, granular requirements applied to individual resources through policy definition. Azure Security Center analyzes resource security health based on those policies and uses this to provide insightful dashboards and alerting for events such as malware detection or malicious IP connection attempts. It can also tie in alerts to centralized logging systems such as Microsoft’s own Log Analytics service within the Operations Management Suite (OMS), which enables collection and correlation of events from on-premises and multiple cloud (e.g., Azure, AWS, etc.) sources.
Azure Advisor
One final governance tool is Azure Advisor, an automated consulting resource that can examine current configurations and make practical recommendations in the following areas:
High availability (HA)
Security
Performance
Cost
Even though many of these are based on common best practices, like placing virtual machines in availability sets for HA, security recommendations originate from Azure Security Center. While actual billing data is restricted to the Azure Enterprise Portal, Azure Advisor can look at usage and identify points of potential cost savings, such as underutilized VMs. Together, these provide a straightforward way to evaluate adherence to many governance principles within an Azure subscription.
Recommendations
Based on our experience with a diverse range of Azure enterprise clients, we have several best practice recommendations to offer. This is not exhaustive but should serve as a starting point to developing a sound governance approach aligned with the standards of your organization.
Define your organizational hierarchy and map this to a pattern for the Azure Enterprise Portal such that billing, subscription management, and resource group design are aligned with this logical hierarchy.
When establishing an Azure governance model, input from business leaders, security and risk management, and IT should all be considered.
Use consistent, standardized naming conventions throughout the Azure Enterprise Portal and Azure resources, using ARM policies to enforce these standards within subscriptions (see Recommended Naming Conventions for Azure Resources).
Sign up for Azure and assign access using Azure AD organizational accounts (i.e., work or school accounts) whenever possible.
If you have on-premises Active Directory, we recommend synchronizing this to Azure AD using Azure AD Connect.
If you have an Office 365 subscription, this includes an Azure AD tenant that we recommend using to sign up for Azure.
Use centralized resource group design to minimize risk, protect critical core infrastructure, and ease management of cross-premises hybrid connectivity, while enabling application teams the access they need to achieve business objectives quickly.
Leverage Azure Active Directory, Role-Based Access Control, and ARM policies within the Azure hierarchy to facilitate sound security practices such as segregation of duties and least privilege and enforce organizational standards across all cloud resources.
Automate common tasks and virtual machine configuration whenever possible to ensure consistent baselines and reduce the possibility of error.
Tag resources appropriately to facilitate access control, resource identification, and billing consolidation.
Need Help?
Are you interested in exploring Microsoft Azure but concerned about governance and how to make public cloud fit within your IT model? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at sales@credera.com.
Contact Us
Ready to achieve your vision? We're here to help.
We'd love to start a conversation. Fill out the form and we'll connect you with the right person.
Searching for a new career?
View job openings
