At EPI-USE Labs we have a whole host of knowledge around Microsoft Azure, and we decided it was about time we shared some of our expertise, as well as some tips and tricks. This is the first in a series of blogs regarding ‘all things Azure’.
Cloud security is a big deal, and is often one of the reasons cited to prevent any move to the cloud, particularly when it comes to migrating your data to Microsoft Azure. Making sure your data is compliant and secure is quite complex. It involves connecting with the right teams internally, but also making sure you trust your third parties, and that they understand your security and governance requirements. Azure Policy is a free Azure service that allows you to create policies, assign them to resources, and receive alerts or take action in cases of non-compliance with these policies.
When we’re involved in migrations, we discuss the client’s governance requirements; do they need ISO 27001, for instance, or what about CIS Benchmarks?
It is not unusual for a client to have a stricter requirement for their public cloud deployments over on-premise, and they may require guidance on how to map these to Azure, and what the implications are.
Azure Policy is a good starting point for reporting on, and remediating, compliance requirements within an Azure deployment. You can apply single rules or groups of rules (initiatives). These can be something as simple (and helpful) as limiting resource deployment to one region, or applying resource tag inheritance to resource groups so you don’t have to apply tags on every resource deployment.
Using ‘initiatives’, you can implement standards and ensure that resources follow your corporate policies and GDPR regulations. For example, you can use Azure Policy for:
Deploying only specific resources. You can create your own policies if the built-in ones don’t meet your needs.
Allowing the deployment of resources only for authorised regions (GDPR). Are there any legislative requirements that establish where my data is stored, and where users are eligible to access it?
Ensuring that resources are properly tagged to facilitate your financial or management tasks.
Preventing excessive spending, like restricting VMs (restrict access for developers and so on, so that your team doesn’t spend too much).
Azure Policy is delivered with ‘out of the box’ policies already defined, but these always need configuration. It is very rare that new policies do not need to be configured in a particular instance.
If you want to know more about Azure Policy, or indeed you need any help or advice on Microsoft Azure, please get in touch.
Azure Policy built-ins for regulatory compliance: https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-initiatives#regulatory-compliance
Azure Policy Quickstart: https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal