Last time, we told you WHAT cloud governance is, and WHY you need it at your organization. Today, we will show you HOW to implement it. In the previous article, we talked about the basics of a cloud governance framework. To recap: it is a way to help you manage your cloud more quickly, more consistently, and in a controlled way. It has to cover the business aspect of your operations, include the right people, and use the relevant technology. Some of that final aspect, the technology, is what we'll cover today, as we finally arrive at the How part of our model. But before jumping to the tools, a few words of caution.
Preparation is everything
Do not aim to address all the aspects and concerns in one big shot (OBS, for the acronym game). This is not going to work. When you start this journey, you might not even know what you are going to deploy. Start with a Minimum Viable Product (or Policies, MVP) in place. First, set up a governance framework for a single type of subscription (e.g. development environments) with a minimal set of policies. For instance:
- All assets must be grouped and tagged
- All assets deployed must use the same deployment model
- Each resource needs to be allocated to a cost center.
Once that's in place, then you can build around it.
Iterations
After building and deploying your MVP, set up a process for incremental growth. Review and iterate your governance model in sprints. Base it on the following:
- New resource types being added/deployed
- The growth of your environment/cloud usage
- New policy elements defined based on your business objectives.
Set up triggers for your policy updates. For example: every time your cloud consumption grows by 20%, you need to review your policies on cost management. Or every time you deploy a new service, you need to review the security and auditing controls applied within your framework. Monitor those triggers! In the beginning, it might be a manual process. For instance, your Cloud Strategy Team needs to review every prepared deployment. They need to identify whether it includes new types of resources, and that all deployments are prepared in the right way. Friendly advice: automation is cool and needed. Still, don't aim to automate everything right from the start. Most certainly, don't delay your first iterations of cloud governance just because you need to automate them!
Setting up Azure governance
Now, let’s take a look at the practical solutions. They include plenty of tools to help you set up governance for your Azure services.
Subscriptions
First of all, accept the fact that you will have multiple subscriptions and environments. Arrange your subscriptions using Management Groups. This is how you can group them within a single management unit. As a design strategy, create Management Groups for your environments, such as development and/or production. Within Management Groups, arrange subscriptions based on your organisational approach. These may include the following:
- Departments
- Cost centres
- Application categorisation (e.g. critical, non-critical, vendor-managed).
Some organisations use this to simplify billing: one subscription per billing unit. Within subscriptions, create resource groups per app or workload. Important: early in the cycle, adopt and apply a consistent terminology and naming convention for resources. Make it part of your cloud governance MVP! You need a clear nomenclature for all elements (subscriptions, resource groups, resources, etc.).
Policies
Define your business goals, risk model, and constraints. Put them all in writing as policies. Your objective here is to set a foundation for clear and faster adoption of the cloud. Since this might be an early stage of your journey, some things might go wrong (become risks). These may include:
- Team awareness of the cloud and development skills
- You don't know the exact cost structure of resource usage
- The security model is new to you. You don't know if it will be applied consistently across all resources and deployments
- Many people and teams will share the environment. They might apply conflicting standards and ways of doing things
- Wrong use of identities might lead to security risks and leakage of data
- Data deployed to the cloud might be against your compliance policies.
Important: Before going further with your governance model, identify early business goals and risks. Don't try to nail it down on the first try. You can always iterate! Based on those goals and risks, you can identify policies for your environment, e.g.:
Deployment
- All resources need to be deployed with the appropriate tagging and within a resource structure
- All resources must follow a defined deployment model.
Identity
- Only organisational accounts from Azure AD and partners through B2B mechanisms are allowed within the environment
- An RBAC model applied across all resources, with specific roles (such as a company-wide auditor). All elevated privileges are assigned and mapped to groups only.
Security
- Connectivity between the cloud and the on-prem network goes through a dedicated subscription and its networking setup
- All data needs to be encrypted with the available encryption for services
- Use of credentials is minimised with Managed Service Identity. Additionally, any remaining credentials are stored within Key Vault.
Cost management
- All resources need to be placed within the management structure
- All resources need to be tagged for the cost centre assignment.
This is only the initial set. The next iteration needs to be more in-depth and detailed. Those policies will be mapped to specific Azure tools. Their implementation will then be based on particular categories. You may also onboard third-party tools and external services. They may help you apply the policies in the environment.
Deployment toolkit
Azure offers several tools to help you implement your policies during the deployment stage. You can use Azure Resource Manager (ARM) templates for all deployments. This way you will not allow manual deployments at all. Azure Resource Graph extends the ARM model. It lets you identify resources and check their compliance with your policies. To enforce your policies and resource compliance, you have another powerful service: Azure Policy. You can apply policies to identify compliant or non-compliant resources. Or, verify compliance at the time of creation and check specific VM and service settings. The best way to ensure that things are configured correctly is to utilise templates in the form of Azure Blueprints. They enable and orchestrate the deployment of:
- Role assignments and RBAC model
- ARM template deployments
- Resource groups
and, through this, many other services and elements. Important: if you want to make sure that new subscriptions are defined exactly as you want them, put them in the form of Blueprints. In general, avoid manual deployments. Instead, automate from day 1. You can find a quick introduction to Azure Blueprints in the Microsoft Channel 9 video "An overview of Azure Blueprints". More on the entire stack of tools in the Azure deployment toolkit, and where to apply them, is available here.
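To show how the policy list above maps onto Azure Policy, here is an added example (not code from the article) that writes two of the MVP policies in the real Azure Policy definition schema and runs them through a small local evaluator. The evaluator is an assumption: it stands in for the service and only implements the if/then operators these two definitions use, and the sample resources are constructed.

```python
# Added example: two MVP policies in the Azure Policy definition schema, plus a
# simplified local evaluator standing in for the service (assumption).
# "All resources need to be tagged for the cost centre assignment."
REQUIRE_COST_CENTER_TAG = {
    "displayName": "Require costCenter tag on all resources",
    "policyRule": {"if": {"field": "tags['costCenter']", "exists": "false"},
                   "then": {"effect": "deny"}},
}
# "All data needs to be encrypted": storage accounts must require secure transfer.
REQUIRE_HTTPS_STORAGE = {
    "displayName": "Storage accounts must enforce HTTPS-only traffic",
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"not": {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "equals": "true"}}]},
        "then": {"effect": "deny"}},
}

def _lookup(resource, field):
    # Resolve 'type', tags['name'], or an alias by its last segment in properties.
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def _match(cond, resource):
    # True when the condition matches, i.e. the policy's effect would fire.
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not _match(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    return str(value).lower() == str(cond["equals"]).lower()

def denied_by(resource, policies):
    """Names of the policies whose rule matches this resource (would deny it)."""
    return [p["displayName"] for p in policies if _match(p["policyRule"]["if"], resource)]

POLICIES = [REQUIRE_COST_CENTER_TAG, REQUIRE_HTTPS_STORAGE]
SAMPLE_RESOURCES = [  # constructed sample resources, not real Azure data
    {"name": "stgdev01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"costCenter": "CC-100"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stgdev02", "type": "Microsoft.Storage/storageAccounts", "tags": {},
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vmdev01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"costCenter": "CC-200"}, "properties": {}},
]
```

The definitions themselves are what you would assign at the Management Group level; the evaluator only illustrates which resources the deny effect would catch before you rely on the service's own compliance view.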
Identity toolkit
We covered this extensively on our blog and elsewhere. Establish the co-existence between your on-premises and cloud environments and choose your authentication methods. Here you will find a quick comparison for decision support and information. Still, there are a few important notes to add:
- Use MFA wherever possible and make sure that all your admin accounts use it. When it is available (it is currently in public preview), deploy FIDO-compliant devices to your administrators.
- If possible, use Privileged Identity Management to implement the strictest possible permission model for your administrators and other team members.
- Remember to set up Emergency Access Accounts for your environment, and remember to protect them. There might be a time when you need them.
Security toolkit
Security is essential. It is among the first concerns raised when a company adopts the cloud. Because of this, it is also well described and addressed through the platform. Remember: cloud is not magic! It doesn't work on its own. Even if the controls are there – you need to put them in place!
The basics
Set the basic requirements for your core elements on Azure:
- RBAC model and permissions management
- Encryption of disks and data, both in storage accounts and within services
- Networking protection with VNets, network security groups, firewall, and other networking elements.
There are around 20 security-related whitepapers with guidance for those elements. Use them to educate yourself one topic at a time.
Security controls
Familiarise yourself with the tools you have on the platform and apply them as security controls. Azure Security Center is a one-stop shop for monitoring your security strategy. It provides a real-time view into compliance with regulatory requirements for your resources. Make sure to check this, as it provides actionable items to improve in this area. Plan your resource coverage with Azure Security Center. It also has a free plan. Azure Sentinel is a service that provides SIEM capabilities in the cloud and for cloud resources. It gives insight and monitoring across many data sources. You can currently try it for free. Make sure to check whether this can be your tool of choice for security and threat monitoring. Educate yourself on and set up your policies. This is a requirement for the use of platform features and services like the following:
- Azure AD and its security model for resources and access across the platform
- Azure Key Vault for securing sensitive materials, credentials, and keys.
A list of fundamental security tools in your toolkit with a quick comparison can be found here.
Cost management
This is always an essential factor in cloud deployments. To implement it efficiently you need three elements:
- A consistent way of deploying resources within your management structure
- A set of Azure Policies as the first level of control of resources creation and spending
- Actual cost control tools.
The Azure platform provides a tool called Azure Cost Management. There is also the option of using a separate service owned by Microsoft, Cloudyn. One thing to check for sure is how your subscription payment model supports those solutions. There might be slight differences between EA, CSP, or other ways in which you purchase your Azure. You can also use community and third-party solutions like Azure enterprise usage reports (AER). Or, go straight to Azure with Power BI and create dashboards crafted for you.