This is a summary of the Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features learning path. Aside from the usual “Introduction to Azure Fundamentals” module, repeated in every learning path in this series, there are three modules covering identity, cloud governance, and compliance, respectively. If you’re a developer, this learning path is easily the most boring of the lot, but it’s also very important from a cloud administration point of view.
Identity Services
This is a summary of the Secure access to your applications by using Azure identity services module. They love using wordy headings, don’t they?
Authentication vs authorization: authentication proves who you are (e.g. password plus a second factor), authorization decides what the authenticated identity is allowed to do. Authentication always comes first; authorization is evaluated against the identity it established.
Azure Active Directory (Azure AD, since renamed Microsoft Entra ID):
- Similar to Active Directory, but for the cloud
- Provides sign-in monitoring and reporting (e.g. flagging sign-ins from unexpected locations or unknown devices), which on-premises Active Directory doesn't offer out of the box
- Controls access to other Microsoft services such as Office 365
- Has the concept of tenants, which represent organisations
- Is an identity and access management service. It stores information about users, including their credentials, and provides controls over them (e.g. self-service password reset, multifactor authentication, a list of banned passwords, etc)
- Also provides device management – devices can be registered to control which devices are allowed to access services.
- Supports Single sign-on (SSO) to access multiple applications with the same credentials.
- Azure AD Connect synchronises user identities from on-premises Active Directory to Azure AD, so users can use the same credentials for on-premises and cloud services. Sign-in for synchronised users is handled by one of password hash synchronisation, pass-through authentication or federation (AD FS).
Multifactor authentication provides an additional layer of security over the usual username and password by requiring two or more factors from different categories (two of the same kind, e.g. a password plus a security question, still count as a single factor):
- Something the user knows (e.g. a password or PIN)
- Something the user has (e.g. a code from an authenticator app or sent to a phone, or a hardware security key)
- Something the user is (biometric data, e.g. a fingerprint)
Conditional access is a feature of Azure AD that decides, per sign-in, whether to allow access outright, demand additional controls (such as multifactor authentication or a compliant device) or block, based on identity signals. This is basically a rule engine that can do things like request the second factor only if the user is in an unknown location, signing in from an unknown device, or accessing a particular application. Access can also be blocked entirely in some circumstances (e.g. a sign-in flagged as high risk, or one coming from a country you have blocked). If several policies apply to the same sign-in, a block in any of them wins; otherwise the controls of all of them have to be satisfied. Conditional access is a premium feature that requires an Azure AD Premium P1 or P2 licence (risk-based conditions need P2).
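As an added example (this is my own toy model, not code from the learning path or from Microsoft), the evaluator below shows how that rule engine combines policies for one sign-in: each policy has assignment conditions (application, named-location exclusions, risk level) and grant controls, and the decision follows the rule that a block anywhere wins and all remaining controls must be met. The policy and sign-in shapes, the named locations and the four policies are assumptions made for the example; real policies are managed in the admin centre or through Microsoft Graph and carry many more conditions.

```python
"""Toy evaluator for the Conditional Access decision logic summarised above.

Added example, not code from the learning path or from Microsoft. Policy and
sign-in objects are simplified stand-ins for the real ones; the policies,
named locations and sample sign-ins are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    app: str
    location: str            # named location, e.g. "corp-hq", or anything else
    device_compliant: bool   # device registered and marked compliant
    sign_in_risk: str        # risk level attached to this sign-in


@dataclass
class Policy:
    name: str
    apps: Optional[set] = None                  # None = any cloud application
    exclude_locations: set = field(default_factory=set)
    min_risk: Optional[str] = None              # apply only at or above this risk
    controls: set = field(default_factory=set)  # "mfa", "compliant-device", "block"


def applies(policy: Policy, s: SignIn) -> bool:
    """Assignment conditions decide whether a policy is in scope for a sign-in."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if s.location in policy.exclude_locations:
        return False
    if policy.min_risk is not None and RISK[s.sign_in_risk] < RISK[policy.min_risk]:
        return False
    return True


def decide(policies: list, s: SignIn) -> tuple:
    """Return (outcome, names of applicable policies); outcome is block/mfa/allow.

    Mirrors the documented behaviour: a block in any applicable policy wins,
    otherwise every grant control of every applicable policy must be satisfied.
    A compliant-device requirement cannot be met interactively, so an unmet one
    also ends in a block rather than an MFA prompt.
    """
    applicable = [p for p in policies if applies(p, s)]
    names = sorted(p.name for p in applicable)
    controls = set().union(*(p.controls for p in applicable))
    if "block" in controls:
        return "block", names
    if "compliant-device" in controls and not s.device_compliant:
        return "block", names
    if "mfa" in controls:
        return "mfa", names
    return "allow", names


# Constructed policy set, following the patterns described in the summary.
POLICIES = [
    Policy("mfa-outside-trusted-locations", exclude_locations={"corp-hq"}, controls={"mfa"}),
    Policy("mfa-for-azure-portal", apps={"Azure portal"}, controls={"mfa"}),
    Policy("compliant-device-for-finance", apps={"Finance"}, controls={"compliant-device"}),
    Policy("block-high-risk-sign-ins", min_risk="high", controls={"block"}),
]

if __name__ == "__main__":
    samples = [  # constructed sign-ins
        SignIn("alice", "Outlook", "corp-hq", True, "low"),
        SignIn("alice", "Outlook", "cafe-wifi", True, "low"),
        SignIn("bob", "Azure portal", "corp-hq", True, "low"),
        SignIn("carol", "Finance", "cafe-wifi", False, "low"),
        SignIn("dave", "Outlook", "corp-hq", True, "high"),
    ]
    for s in samples:
        print(s.user, s.app, s.location, "->", decide(POLICIES, s))
```

The interesting cases are carol and dave: carol's sign-in trips two policies and is blocked even though she could complete MFA, because the compliant-device control can't be satisfied from a non-compliant device; dave's is blocked by the risk policy alone, before any MFA prompt is considered.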
Cloud Governance
This is a summary of the Build a cloud governance strategy on Azure module.
The Cloud Adoption Framework for Azure guides you towards migrating to the cloud. There are five steps:
- Define your strategy: understand what benefits you’ll gain by moving to the cloud, get everyone on board, and choose the right proof of concept project to kick it off.
- Make a plan: take stock of what you have on-premises, train up, and make a plan to migrate.
- Ready your organisation: set up your Azure subscriptions and create a landing zone, basically an environment in the cloud to get you started.
- Adopt the cloud: start migrating, review best practices, find ways to migrate more efficiently, and study ways to handle more complex migrations.
- Govern and manage your cloud environments: define processes and policies that will apply to resources in the cloud, and maintain them as they evolve throughout the migration process.
Things to consider when deciding how to organise Azure subscriptions:
- Billing: you can create one billing report per subscription, so you can organise subscriptions by department or project.
- Access control: subscriptions provide inherent isolation (e.g. between development and production environments).
- Subscription limits: some resources are limited in the amount you can deploy per subscription, so you’ll need to allocate more subscriptions if necessary.
Role-based access control (RBAC) grants access to resources by assigning a role (a set of permitted operations) to a security principal (a user, group, service principal or managed identity) at a scope. The scope could be:
- A management group
- A single subscription
- A resource group
- A single resource
Access control is inherited by child scopes, e.g. assigning a role to a single subscription means it is also applied to all resource groups and resources in that subscription.
RBAC is managed via Access control (IAM) in the Azure portal. RBAC is enforced on any request to an Azure resource that passes through Azure Resource Manager, i.e. the management plane; it does not by itself govern data-plane access such as reading blobs with a storage account key, which needs data-plane roles (DataActions) or the service's own access controls.
RBAC uses an allow model, so as long as you have a role that allows you to perform an action, you can do it; and if different roles give you different access (e.g. read and write), then they sum up (e.g. you get both read and write). A role's NotActions only subtract from that same role's Actions (Contributor, for instance, is everything except managing role assignments and locks); they are not a deny, and the only true denies are deny assignments, which are created by Azure Blueprints or managed applications rather than by you directly.
Resource locks are a simple safeguard against accidental modification or deletion. A lock is either CanNotDelete (authorised users can read and modify the resource but not delete it) or ReadOnly (authorised users can read it but can't change or delete it). Locks apply regardless of RBAC role, so even an Owner has to remove the lock before performing the restricted operation (e.g. deleting the resource); managing locks requires the Microsoft.Authorization/locks/* permission, which Contributor deliberately lacks. Locks are inherited by child scopes, and ReadOnly can have surprising side effects because some read-like operations are POST requests (listing storage account keys, for example, fails under a ReadOnly lock).
You can use Azure Blueprints (more on this further below) to set a standard for resources across your organisation, which could include enforcement of resource locks among other things.
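To make scope inheritance, the allow model and the lock behaviour concrete, here is an added example: my own toy model, not Microsoft's authorisation code. The role definitions are trimmed copies of the built-in Reader, Contributor and Owner roles (Actions and NotActions only; DataActions, deny assignments and assignment conditions are left out), and the principals, scopes and lock are constructed.

```python
"""Toy model of Azure RBAC evaluation plus resource locks.

Added example, not Microsoft's authorisation code. ROLES holds trimmed copies
of the built-in Reader, Contributor and Owner definitions; the assignments,
scopes and locks below are constructed for illustration.
"""
from fnmatch import fnmatchcase

ROLES = {  # name -> (Actions, NotActions)
    "Reader": (["*/read"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Owner": (["*"], []),
}


def scope_covers(parent: str, child: str) -> bool:
    """Assignments and locks are inherited: a scope covers itself and everything
    beneath it. Compared segment-wise so rg1 does not cover rg10."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return c == p or c.startswith(p + "/")


def action_matches(pattern: str, action: str) -> bool:
    # Operation names use '*' as a wildcard that may span '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def rbac_allows(assignments, principal: str, action: str, scope: str) -> bool:
    """Allow model: one assignment at a covering scope whose role lists the action
    (and does not subtract it in its own NotActions) is enough, so effective
    permissions are the union of all assignments."""
    for who, role, assigned_scope in assignments:
        if who != principal or not scope_covers(assigned_scope, scope):
            continue
        actions, not_actions = ROLES[role]
        if any(action_matches(a, action) for a in actions) and \
           not any(action_matches(n, action) for n in not_actions):
            return True
    return False


def lock_blocks(locks, action: str, scope: str) -> bool:
    """CanNotDelete stops deletes; ReadOnly stops everything except reads.
    Managing the lock itself is a Microsoft.Authorization/locks/* operation,
    governed by RBAC rather than by the lock."""
    if action.lower().startswith("microsoft.authorization/locks/"):
        return False
    op = action.rsplit("/", 1)[-1].lower()
    for lock_scope, level in locks:
        if not scope_covers(lock_scope, scope):
            continue
        if op == "delete" or (level == "ReadOnly" and op != "read"):
            return True
    return False


def authorize(assignments, locks, principal: str, action: str, scope: str) -> str:
    """Outcome for a request arriving at Azure Resource Manager."""
    if not rbac_allows(assignments, principal, action, scope):
        return "denied: no role grants this action"
    if lock_blocks(locks, action, scope):
        return "denied: resource lock"
    return "allowed"


SUB = "/subscriptions/sub1"
RG = SUB + "/resourceGroups/rg1"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [("alice", "Contributor", SUB), ("bob", "Reader", RG), ("carol", "Owner", RG)]
LOCKS = [(VM, "CanNotDelete")]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),   # inherited from SUB
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM),  # stopped by the lock
        ("alice", "Microsoft.Authorization/locks/delete", VM),      # Contributor can't remove it
        ("bob", "Microsoft.Compute/virtualMachines/write", VM),     # Reader has no write
        ("carol", "Microsoft.Authorization/locks/delete", VM),      # Owner can remove the lock
    ]
    for who, action, scope in checks:
        print(who, action, "->", authorize(ASSIGNMENTS, LOCKS, who, action, scope))
```

The sequence alice hits is the one the summary describes: Contributor inherited from the subscription lets her modify the VM, the lock stops the delete, and her role's NotActions stop her removing the lock, so only carol (Owner on the resource group) can clear it and then delete. In real Azure the equivalent operations are az role assignment create --assignee <principal> --role Contributor --scope <scope> and az lock create --name <name> --lock-type CanNotDelete --resource-group <rg>.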
Resource tags are used to apply metadata to resources. They complement subscriptions and resource groups as another way to categorise and organise things. They help to:
- Manage resources and locate them easily
- Report on costs by particular tags
- Group resources based on criticality and SLAs
- Classify data sensitivity (e.g. confidential)
- Regulatory compliance (e.g. ISO27001)
- Run any kind of automation logic on resources with a particular tag
Azure Policy lets you create and enforce policies or initiatives (groups of policies) that apply to resources. A policy definition pairs a condition (an "if" block matched against resource properties such as location, type or tags) with an effect: deny rejects the request at Azure Resource Manager, whereas audit lets it through but records the resource as non-compliant, and there are further effects such as modify and deployIfNotExists. To implement a policy, you:
- Create a policy definition
- Assign it to a scope (management group, subscription or resource group), optionally with parameters such as the list of allowed locations; existing resources are evaluated as well as new deployments, with a periodic compliance scan
- Review the evaluation results
A policy definition can be used to do things like:
- Prevent VMs from being deployed in certain regions
- Restrict which virtual machine sizes can be deployed
- Audit accounts with write permissions that don't have MFA enabled (Azure Policy can't turn MFA on itself; this one reports rather than blocks)
- Prevent CORS from allowing unrestricted access to web applications
- Ensure updates are installed on VMs
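The following added example (my own toy evaluator, not the Azure Policy engine) ties the tag and policy sections together by running three policy assignments over a handful of resources. The rules follow the shape of the built-in "Allowed locations", "Require a tag on resources" and "Allowed virtual machine size SKUs" definitions, simplified, and with the tag rule's effect changed from deny to audit so that both effects appear. The alias table and the resource fragments are assumptions made for the example, and only the condition operators the three rules use are implemented.

```python
"""Toy evaluator for Azure Policy rules, run over constructed resources.

Added example, not Microsoft's policy engine. The rules are simplified copies
of built-in definitions; ALIASES and RESOURCES are assumptions for the example.
"""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^\[concat\('tags\[', parameters\('([^']+)'\), '\]'\)\]$")
ALIASES = {  # policy alias -> path in the resource JSON (toy mapping)
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}

ALLOWED_LOCATIONS = {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "deny"}}
REQUIRE_TAG = {"if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
               "then": {"effect": "audit"}}  # built-in uses deny; audit here for contrast
ALLOWED_SKUS = {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "deny"}}


def resolve(value, params):
    """Replace a [parameters('x')] reference with the assignment's value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def field_value(field, resource, params):
    """Read a policy field: location/type/name, tags[...] or a known alias."""
    m = TAG_RE.match(field)
    if m:
        field = f"tags[{params[m.group(1)]}]"
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    if field in ALIASES:
        node = resource
        for key in ALIASES[field]:
            node = node.get(key) if isinstance(node, dict) else None
        return node
    return resource.get(field)


def evaluate(cond, resource, params) -> bool:
    """True when the 'if' condition matches, i.e. the resource is non-compliant."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = field_value(cond["field"], resource, params)
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def assess(assignments, resource):
    """(assignment name, effect) for every assigned policy the resource violates."""
    return [(a["name"], a["rule"]["then"]["effect"].lower())
            for a in assignments if evaluate(a["rule"]["if"], resource, a["parameters"])]


def deployable(assignments, resource) -> bool:
    """deny stops the request at Resource Manager; audit only records non-compliance."""
    return all(effect != "deny" for _, effect in assess(assignments, resource))


ASSIGNMENTS = [
    {"name": "allowed-locations", "rule": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"name": "require-tag", "rule": REQUIRE_TAG, "parameters": {"tagName": "costCentre"}},
    {"name": "allowed-skus", "rule": ALLOWED_SKUS,
     "parameters": {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}},
]
RESOURCES = {  # constructed ARM-style resource fragments
    "good_storage": {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
                     "tags": {"costCentre": "1234"}},
    "untagged_storage": {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    "bad_vm": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
               "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v3"}}},
    "global_profile": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global",
                       "tags": {"costCentre": "1234"}},
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(name, assess(ASSIGNMENTS, res), "deployable:", deployable(ASSIGNMENTS, res))
```

Two details worth noticing: the untagged storage account is still deployable because the tag rule only audits, which is exactly the gap a deny effect closes; and the "global" resource slips past the location rule because the built-in definition deliberately exempts location "global", so a naive "deny anything not in my list" rule written without that clause would break global services.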
Azure Blueprints lets you orchestrate things like role assignments, policy assignments, ARM templates and resource groups across your organisation so that you don't need to set them up for each subscription. Blueprints are made up of artifacts, and each artifact deploys one element to the target subscription (e.g. an Allowed locations policy assignment, resources from an ARM template, etc). Note that Azure Blueprints has since been slated for deprecation in favour of Template Specs and Deployment Stacks.
Data Protection & Compliance
This is a summary of the Examine privacy, compliance, and data protection standards on Azure module.
Some projects require compliance with certain standards, such as ISO 27001 or government-specific regulations. Azure is compliant with a huge number of these, so it’s quite likely you can use Azure even when working in some of the more regulated sectors.
You can also check the following documents:
- Microsoft Privacy Statement: how Microsoft manages personal data
- Online Services Terms: agreement between customer and Microsoft when using services such as Azure or Office 365
- Data Protection Addendum: more specific about data protection
The Trust Center lets you find information about particular compliance offerings, such as ISO 27001, and how it applies to cloud services on Azure.
The Azure compliance documentation describes how Azure adheres to certain standards, e.g. PCI DSS.
Azure Government is a separate Azure offering for the US government and its partners. It is a physically isolated instance of Azure, operated by screened US personnel, that meets US-specific compliance requirements (e.g. FedRAMP High); its data centres can't be used by you and me outside the scope of US government work.
Azure China 21Vianet is the Azure offering in China. Microsoft can’t operate Azure directly in China because of local regulations, so they instead offer it via a partner, 21Vianet. Services offered are mostly the same, but they may vary a little.