During the weekend I saw the following tweet passing by …
Apparently, a hosting company (allegedly) got all their data wiped by an ex-admin. Now I can imagine people thinking that this is something that is part of the territory when it boils down to cloud. So I wanted to write a blog post entailing what you do to set up a governance structure in Azure. Here I’m aware that the above tweet is more related to the security aspect of governance, it’s a part of it nevertheless.
Let’s get started on our scope… IT Governance can cover a lot of ground. In essence, the goal is to assure that the investment in IT generates business value and the risks that are associated with IT projects are mitigated. Though I found that CIO.com has a nice definition on it ;
Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.
So let’s take a look at how we can put an enterprise-grade structure around the management of Azure!
TL;DR = Azure Enterprise Scaffold
For those who want to skip the post below… When talking about governance in Azure, the best place that summarizes it the following page in our documentation ; “The Azure Enterprise Scaffold“.
Governance : A High Level Overview
Let’s start with a high level overview in regards to IT Governance in general… For this, I’ll take COBIT as guidance for this part. It’s is regarded as the world’s leading IT governance and control framework. To make it a bit more visual, I really loved the way “Info-Tech” structured COBIT into pieces (which we can use for the analysis during this post) ;
Strategy & Governance
For this part, I would like to zoom into “IT Management & Policies“… And even then, zooming in onto that piece is already a big scope. Policies can range from password policies towards policies on data governance & geo-compliancy. Though Azure provides you with the capability to set up policies. Resource policies enable you to establish conventions for resources in your organization. For example, you can specify that only certain types of virtual machines are allowed, require that all resources have a particular tag, restrict the deployment to a given (set of) region(s) or enforce that storage accounts are setup with encryption. If you want a quick glance at the capabilities here, check a blog post I made a while ago.
In regards to finances, let’s take a look at three facets ;
- Business Value
- Cost & Budget Management
- Cost Optimization
This might seem an odd duck to have during a blog post on IT governance. Though it’s often overlooked… The cloud typically comes with an outcome based service model. This means that you can deploy services that will scale (technical, AND financially) along with the growth of your business. If your new business idea isn’t taking off, you can reduce or stop the services (and thus the costs). If the business skyrockets, the cloud will scale with you!
Cost & Budget Management : procurement
Many organization’s first impression is that working with the cloud is just about handing over your credit card without any control. Azure is typically consumed by enterprise organisation through an Azure Enterprise Enrollment. This is a contract which comes with the typical enterprise billing processes. So you do not need to work with a credit card… The enterprise enrollment defines the shape and use of Azure services within a company and is the core governance structure. Within the enterprise agreement, customers are able to further subdivide the environment into departments, accounts, and finally, subscriptions. An Azure subscription is the basic unit where all resources are contained. It also defines several limits within Azure, such as number of cores, resources, etc.
Within a subscription, you then have three levels on which you can grant permissions ;
- The subscription
- A resource group
- A resource
Via a comprehensive RBAC structure (which will discuss more in detail later in this post) you can grant permissions on those levels. So you can be very specific on who has the ability to deploy resources (RBAC) and what they can deploy (policies).
Cost & Budget Management : reporting & chargeback
Azure comes with the ability to tag resources. Here you can use any key/value pair you would like to identity a given dimension to your resource. A typical use-case for tags is to add the “opco” or “cost center” to the resource.
Once the tag has been added, it will become visible in the usage / billing information. You can then leverage that information in your reporting… Here I always advice everyone to start with power-bi for this, as it integrates very nicely Azure!
Once you have (for example) the integration between Azure & PowerBI, you can also quickly identify the “big spenders”. This provides you with an easy way to see where you should focus on when looking at costs.
Next up is that the cloud offers you various ways to optimize your costs too! Azure works on a “per minute” billing. This means that if you adjust your modus operandus to “snooze” (power-down) systems when they are not needed, that you can save up significantly! Non-production systems are typically only needed during business hours. If we would say that those systems run about 10h per business day, and there are 20 business days in a month. Then you only need those systems for 200 hours, instead of 744 (full month). That’s a reduction of 63% on your operating costs!
Another aspect is “right sizing”. When you buy hardware, these are typically deprecated over a period of 5 years. As those systems are not always easily upgradeable, a “spare capacity” is typically purchased right away. With could you can “right size”, or only use the resources you need at that moment. Once you need to scale-up, you’ll only start paying for that once you actually need it. So you can avoid the cost during the period you do not need it! This also a typical cost saving for a lot of organization I’ve talked too.
People & Resources
Let’s take a look at “knowledge management“… Did you ever hear someone say ; “Whiiiii, let’s get our documentation up-to-date on our IT landscape!”. Chances are pretty low on that one I guess? For this part, I would like to redirect you to a very cool service called “Azure Dockit“;
In less than 5 minutes*, generate a complete documentation of your Microsoft Azure Subscription.
Save months of effort and get an instant up-to-date documentation with best practices warnings.
If you are using Azure, I would high recommend to try this one out!
Infrastructure & Operations
In regards to Infrastructure & Operations, let’s take a look at three facets ;
- Capacity Management
- Change/Release Management
- Configuration Management
Given the subscription limits, quotas & constraints… you can scale in any direction you want. Where “capacity management” is a capability that should be taken care of by IT, I must say that it is something that I haven’t seen implemented in many organisations. Needless to say, this is a core process of the Azure services. So you should not worry about the capacity of the platform/services you are using. Depending on the type of service you chosen (IaaS, PaaS, SaaS, …), you might still have some residue responsibilities in regards to capacity management. For instance ; the capacity of the virtual disk (read : used disk space) which is used by your virtual machine is your own responsibility. Though ensuring that there is enough capacity to allow you to spin up virtual machines & provision storage is taken care off by Azure.
When doing release management, Azure Resource Manager templates will become a key component into your flow. This is mainly due to the idempotent nature of the templates, where in combination with the ability to do incremental or complete deployments, it will be a great too for automated deployments. A lot of organizations leverage their existing “release pipeline”, or “CI/CD pipeline”, to enhance it with the templates.
In regards to change management, did you know the concept of resource locks? As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
We just discussed Azure Resource Manager templates… These can also be used to create a certain solution configuration. These can then be use from within your organizational service catalogue in order to allow your (power)users to deploy a given workload according to your best practices.
Security & Risk
In regards to Security & Risk, let’s take a look at three facets ;
- Security Management
- Compliance & Audit
- Business Continuity
First of all, let’s start this section off with stating that you should enable MFA on all accounts. At minimum, do this for the privileged accounts, though in reality my advice is to do it on all accounts. Now that we got that out-of-the-way… Accessing the management pane of Azure is heavily integrated with Azure Active Directory. Once authenticated, you can segregate duties via RBAC (role-based access control). By doing these minimum steps, you have already done the bare minimum to protect your resources.
Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don’t trust. You can address these questions using conditional access. In addition, you can also leverage Azure Active Directory Identity Protection to detect & react to suspicious activity.
Compliance & Audit
Every management action is logged in Azure… You can view these logs & export them if wanted. By doing the last, you could even integrate them into your SIEM.
Let’s kick this one-off by stating that business continuity covers a lot of grounds… On a low level, there are various implementations that assist in setting up business continuity, ranging from paired regions to availability sets. On IaaS level there is the GRS capability on storage level, or you can leverage Azure Site Recovery Services! When taking a look at the PaaS services, we see that various services come with geo-redundant capabilities out-of-the-box ; SQL, CosmosDB, … towards Traffic Manager which can global traffic routing. Anyhow, you can leverage enough services to assist you in this quest!
The event stated in the intro of this blog post was unfortunate for that given company. Though as this wasn’t a company that leveraged Azure, I hope this post showed you numerous ways how you can set up a governance structure that is enterprise-grade.
Here I’ve guided multiple organizations during their governance quest in Azure, and the sheer amount of response on those is that the capabilities Azure provides in terms of governance (more than) meets both their expectations/requirements as also their current OnPremises capabilities.