


  • If you give developers and Azure users too much freedom, you can quickly end up with resources that are incorrectly configured, not aligned with the business, or that just cost too much.
  • The solution to this is Azure governance.
  • If all developers and system administrators just did what they thought best at the time, you could end up with a real mess of way more resources used than needed, the wrong VMs created, and so on.
  • What is needed is the governance of the process.
  • Governance on Azure is a set of rules, policies, and roles to define the acceptable use of Azure resources.
  • On Azure, governance restricts which resources users can create, which actions they can perform on existing resources, and which permissions they have on the Azure account in general. As you can tell from that, governance is crucial.
  • Azure has several tools and services to help you implement adequate governance of your Azure resources.

Azure Policy

  • Azure Policy is used to create policies in Azure.
  • Governance validates that your organization can achieve its goals through effective and efficient use of IT. In other words, use Azure Policy to make sure users don't make a mess of it.
  • A policy is a set of rules.
  • These rules make sure that standards and agreements within your corporation are followed and that resources are compliant with these policies.
  • If you have a bunch of Azure resources, you then also have a bunch of Azure policies defined for those resources.
  • Azure Policy, the service, is what ensures that the resources are complying with the policies.
  • Azure Policy is your enforcer.
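
The sketch below is an added example, not code from the original page or from Azure: it evaluates a constructed rule, written in the if/then shape that Azure Policy definitions use, against constructed resources to show how a policy turns into a compliance result. It supports only a small subset of conditions (`allOf`, `anyOf`, `not`, `equals`, `in`), and the resource names are made up.

```python
# Constructed rule in the if/then shape of an Azure Policy definition:
# virtual machines may only exist in two approved regions.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
    ]},
    "then": {"effect": "deny"},
}

# Constructed sample resources (names are made up for this example).
RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "vm-test-07", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]

def condition_matches(cond, resource):
    """Evaluate one condition node of the rule against one resource."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "in" in cond:
        return value in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource):
    """Return the rule's effect when its 'if' block matches, else 'compliant'."""
    if condition_matches(rule["if"], resource):
        return rule["then"]["effect"]
    return "compliant"

def compliance_report(rule, resources):
    """Map each resource name to 'compliant' or to the effect that applies."""
    return {r["name"]: evaluate(rule, r) for r in resources}

if __name__ == "__main__":
    for name, result in compliance_report(ALLOWED_LOCATIONS_RULE, RESOURCES).items():
        print(f"{name}: {result}")
```

Changing the effect from `deny` to `audit` leaves the matching logic untouched: the same resource is flagged, but as a finding to review rather than a blocked request.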

Role-Based Access Control (RBAC)

  • Role-based access control, often called RBAC, is a critical component in the governance of users and their access to Azure resources.
  • Role-based access control lets you define
    • Which users have access to specific Azure resources
    • What they can do with those resources
    • Which areas they have access to
  • One of the best practices for any computer infrastructure is to give users the minimum access they need.
    • If a user doesn't have to access a database, well, then don't even give them access to it.
  • You can target specific use cases for assigning access.
    • For example, allow application access to only the resources it needs or allow a user access to all resources in a specific resource group.

Role-Based Access Control (RBAC) – Role Assignments

  • RBAC works through assigning roles to users, and a role assignment has three elements.
  • A security principal:
    • This is an object that represents the entity that can get access to the Azure resource.
    • This could be a user or group of users, for example.
  • A role definition:
    • It is a collection of permissions.
    • A role definition lists the operations that can be performed, such as read, write, and delete.
  • Scope:
    • This is the set of resources that the access applies to.
    • This is useful if, for example, you want a specific role assignment to have only access to a specific resource group.


Locks

  • Locks are a simple and efficient tool to manage changes to, and the removal of, resources.
  • You might want to ensure that a specific resource will not be changed or deleted, which is what locks are for.
  • A lock can be assigned to a subscription, resource group, or resource level.
  • A lock can be of type delete or read-only.
    • Delete means you can't delete the resource.
    • Read-only means you cannot make any changes to that resource.
  • Once a lock is assigned to a resource, resource group, or subscription, the lock must be removed completely before the actions are possible again for that resource.
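
The following added example (not from the original page, and not Azure's implementation) models both the role assignments and the locks described above: a request succeeds only if some role assignment grants the action at a scope covering the resource, and no lock at that resource or a parent scope blocks it. The subscription ID, principals, resource names and the "VM Operator" role are constructed; `CanNotDelete` and `ReadOnly` are the Azure names for the delete and read-only lock types, and deny assignments and data actions are left out.

```python
from collections import namedtuple
from fnmatch import fnmatchcase

# The three elements of a role assignment, and a lock with its level and scope.
RoleAssignment = namedtuple("RoleAssignment", "principal role scope")
Lock = namedtuple("Lock", "level scope")  # level: "CanNotDelete" or "ReadOnly"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# Role definitions as collections of permissions; "VM Operator" is hypothetical.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "VM Operator": {"actions": ["Microsoft.Compute/virtualMachines/*"],
                    "not_actions": ["Microsoft.Compute/virtualMachines/delete"]},
}
# Constructed assignments: alice scoped to one resource group, bob to the subscription.
ASSIGNMENTS = [RoleAssignment("alice", "VM Operator", RG),
               RoleAssignment("bob", "Reader", SUB)]

def in_scope(scope, resource_id):
    """A scope covers itself and everything beneath it, on a path boundary."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def rbac_allows(assignments, principal, action, resource_id):
    """Additive: one in-scope assignment whose role grants the action is enough."""
    return any(a.principal == principal and in_scope(a.scope, resource_id)
               and matches(ROLES[a.role]["actions"], action)
               and not matches(ROLES[a.role]["not_actions"], action)
               for a in assignments)

def lock_blocks(locks, action, resource_id):
    """Locks bind every principal: both levels stop delete, ReadOnly stops all but read."""
    op = action.rsplit("/", 1)[-1].lower()
    return any(in_scope(l.scope, resource_id)
               and (op == "delete" or (l.level == "ReadOnly" and op != "read"))
               for l in locks)

def decide(assignments, locks, principal, action, resource_id):
    if not rbac_allows(assignments, principal, action, resource_id):
        return "denied-by-rbac"
    return "blocked-by-lock" if lock_blocks(locks, action, resource_id) else "allowed"
```

The model makes two points concrete: an assignment at a narrow scope grants nothing outside it (including a sibling group whose name merely starts with the same text), and a lock stops even an Owner until the lock itself is removed.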

Azure Blueprints

  • Blueprints are templates for creating Azure resources.
  • It is a blueprint for everything you need to deploy for a standard cloud environment on Azure.
  • If you had to create a brand-new Azure environment for a new product, and you had to meet certain governance rules and regulations, how would you do that manually?
  • Instead, Azure Blueprints pack everything you need, including templates for which resources to create, user permissions using RBAC, and any necessary policies, all in one package.
  • There are even built-in samples available for the most common scenarios, including samples for scenarios with specific government regulations and guidelines.

Cloud Adoption Framework

  • The Cloud Adoption Framework is targeted at organizations that are considering moving to the cloud.
  • This is a collection of documents that takes you through every step of the journey towards the cloud.
  • You get guidance on
    • How to define strategies for the adoption of cloud
    • Planning the move to the cloud
    • What it means to be ready for the cloud
    • Reasons for adopting the cloud
    • Improving your governance
    • Establishing practices around it

Azure Advisor for Security Assistance

  • Definition: This is an Azure service that scans your Azure configurations and recommends changes in order to optimize deployments, increase security, and save you money.
  • Using the Azure Advisor service, you can:
    • Get personalized and actionable best practice recommendations
    • Improve the performance, security, and reliability of your Azure resources
  • The recommendations are divided into 5 categories.
    • Reliability: To ensure and improve the availability and continuity of business-critical applications.
    • Security: To detect threats and vulnerabilities that might lead to security issues.
    • Performance: To improve the speed of your applications.
    • Cost: To reduce your overall expenditure on Azure services.
    • Operational Excellence: To help you achieve process and workflow efficiency, resource management, and deployment best practices.

© 2024 Code SharePoint