Building an Enterprise-Grade Azure Governance Model
4 likes•1,678 views
This document summarizes Karl Ots's presentation on building an enterprise-grade Azure governance model. The presentation covers key decisions for an Azure governance model including subscription structure, organization-wide controls, user access management, and the Azure provisioning process. It also discusses the roles of governance and cloud strategy. Specific technical implementations of governance controls like Azure Policy, role-based access control, and shared networking services are described.
Building an Enterprise-Grade Azure Governance Model
- 1. @fincooper Building an Enterprise-Grade Azure Governance Model Karl Ots, Zure Ltd 13.12.2019
- 2. @fincooper
- 3. @fincooper Karl Ots Chief Consulting Officer [email protected] • Cloud & cybersecurity expert from Finland • Community leader, speaker, author & patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • zure.ly/karl
- 4. @fincooper What to expect in this session • The technical fundamentals of building a comprehensive Azure Governance model. • After this session, you should have a better understanding of Azure governance best practices and in-house team roles & responsibilities. • You should also have an overview of the technical implementation of governance controls.
- 5. @fincooper Why cloud Governance? • When proper cloud governance model is followed, you can ensure your teams are operating in a secure and compliant Azure environment during design, development and operations. • Cloud governance complements your cloud strategy. • Cloud strategy provides a decision framework to determine how you will use cloud technologies.
- 6. @fincooper The role of Governance • Cloud Strategy • New apps predominantly from SaaS, custom apps on top of PaaS? • What to do with existing apps in onprem? EOL, IaaS or as-is? • Governance model • Policies • Security policies • Development policies • Guidelines • Implementation guideline • Reference architecture
- 7. @fincooper
- 8. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 9. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 10. @fincooper Subscription setup Subscription Account Department Enterprise Enrolment Organization Department Account Sandbox (MSDN) Shared Services Production Test Dev
- 11. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 12. @fincooper Organization-wide governance • Baseline governance controls that are common across the whole organization. • These controls might include: • Geopolicy (allowed Azure regions) • Mandatory tagging • Central user accounts • Shared services, such as network, integrations, data lake and monitoring
- 13. @fincooper Azure Policy • Policies are used for maintaining consistency and enforcing the governance model. • Policies are a core governance capability and provide ability create defined organizational controls on Azure resources which restrict, enforce or audit certain actions. Policy types are: • Deny • Audit • DeployIfNotExists • AuditIfNotExists
- 14. @fincooper Geopolicy controls • Explicitly control geographic placement of your Azure Resources according to your sovereignty, security, compliance or latency policies
- 15. @fincooper RBAC and policies Role Based Access Control (RBAC) Controls what actions a user may take on Azure resources Azure Policies Controls what actions may be taken at a given scope
- 16. @fincooper Azure Policy CRUD Azure Resource Manager Query Role-based Access Policy Definitions Resource Manager Templates Management Groups Subscriptions Resource Groups
- 17. @fincooper
- 18. @fincooper Shared services - networking • Virtual networks enable connectivity across Azure, the internet and the on- premises network. Each VNET is isolated from other VNETs by default. • VNETs can be peered to each other, enabling resources in VNETs to communicate with each other.
- 19. @fincooper Hub virtual network Gateway subnet ER / S2S NSG Management subnet NSG NVA DMZ subnet vnet peering On-premises network Gateway Workload subnet Spoke 1 virtual network vnet peering NSG Workload subnet Spoke 2 virtual network NSG
- 20. @fincooper Shared services - networking • How will developers get access to shared VNET? Time to market Control and responsibilities RBAC in the subnet (child resource) scope Fast Developer Pre-provisioned NICs Medium Centralized cloud operations Process outside native Azure capabilities Slow Centralized operations
- 21. @fincooper Hub virtual network Gateway subnet ER / S2S NSG Management subnet NSG NVA DMZ subnet vnet peering On-premises network Gateway Workload subnet Spoke 1 virtual network vnet peering NSG Workload subnet Spoke 2 virtual network NSG Hub RG Spoke 1 Vnet RG Spoke 2 Vnet RG
- 22. @fincooper
- 23. @fincooper Shared services – API Management • How will you manage access to publish new APIs and versions? • How will you split costs? • How about networking & integrations?
- 24. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 25. @fincooper Azure access in projects RBAC Role Scope Access level and risks Recommendation Owner Resource Group Access to create new resources and to delete resources from the Resource Group. Can assign access to Resource Group. Users should have an account in customer’s Azure Active Directory. In case of external partners, the account should be provisioned per standard customer’s policies for external accounts. This is the highest appropriate role when developing new services. Contributor Resource Group Access to create new resources and to delete resources from the Resource Group. Users should have an account in customer’s Azure Active Directory. In case of external partners, the account should be provisioned per standard customer’s policies for external accounts. This is the appropriate partner RBAC role when developing new services. Contributor Individual Resource(s) directly Access to edit and modify resource. No access to create new resources. Appropriate partner RBAC role when partner is responsible for operating and managing the service.
- 26. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 27. @fincooper Azure environment provisioning process 1. Azure request 2. Request approval 3. Environment provisioning 4. Environment handover 5. Operational Azure usage, monitoring, billing 6. End-of-life process
- 28. @fincooper Provisioning – input needed • Information needed to complete the request to provision Azure environment • Application business owner / internal cost center • User accounts that need access • Expected annual Azure cost • Privacy / data classification
- 29. @fincooper Provisioning – key decisions • Lifecycle of RBAC assignments • Assigning access to a group or individual user • If group, is it cloud-only or synced from on-premises • Links to existing IDP process
- 32. @fincooper
- 33. @fincooper
- 34. @fincooper Provisioning – key decisions • Lifecycle of RBAC assignments • Assigning access to a group or individual user • If group, is it cloud-only or synced from on-premises • Links to existing IDP process • Enforced policies • Tagging • Service catalogue • Other application-specific policies
- 35. @fincooper Key Governance decisions • Subscription model • Organization-wide governance controls • User access management • Azure provisioning process
- 36. @fincooper48 Governance Key Takeways • Governance earlier than later • Don’t forget to implement, maintain and audit • Understand RBAC • Plan Subscription model • Plan org-wide governance, such as Locks and Policies • Understand Application lifecycle principles
- 37. @fincooper Materials Frame the conversation to mitigate tangible business risks through consistent governance Framework1 Assess current and future state to establish a vision for applying the framework Assess2 Establish a minimally viable product (MVP) to serve as a foundation for governance MVP3 Mature with each release to align cloud adoption with existing IT functions Evolve4 https://aka.ms/CAF/govern https://aka.ms/CAF/gov/Assess https://aka.ms/CAF/gov/MVP https://aka.ms/CAF/gov/journey My slides: zure.ly/karl/slides
- 38. @fincooper