Microsoft scales up Azure's Policy-as-code in 'new approach'
The code's on GitHub for admins to play with
Enterprises using Microsoft's service for enforcing business rules within their expansive Azure cloud environments now have a less complex option for implementing policies and ensuring compliance.
Redmond is giving IT administrators another way to extend its Azure Policy tool, a service introduced in 2017 that is designed to make sure that the various resources within their cloud environment adhere to business rules set by the users.
While the goals behind the service have made sense, deploying and maintaining hasn't been easy, leading to either highly manual or overly complicated automated methods that could be incomplete and leave systems and software non-compliant.
Microsoft is aiming to simplify the process, building off an Azure Policy-as-code tool in a GitHub repository by giving administrators greater control over creating and enforcing the business rules and ensuring compliance. It's a new approach to Azure Policy-as-code that aimed at democratizing the process and expanding compliance even at a cloud-level scale.
Ensuring compliance is a key security considering in the cloud. Non-compliance with an enterprise's business rules could result in non-compliance with industry and government regulations, leading to heavy penalties and fines. It also could make cloud resources more vulnerable to attacks.
Making it easier for administrators to create business rules and ensure compliance could plug holes that would otherwise leave organizations vulnerable to regulatory penalties or breaches.
"The driver was looking at the over-engineered methods and incomplete solutions being used and trying to produce something that could easily be implemented and managed by people with little knowledge of infrastructure as code, while still being scalable and maintainable," Anthony Watherston, principal customer engineer at Microsoft, wrote in a blog post Monday. "The solution allows you to deploy policies, initiatives (set definitions), assignments and policy exemptions at scale with an easy-to-understand deployment and management structure."
Watherston admitted there is always complexity when tools are used at an enterprise level, but things can be streamlined. He noted that many organizations on its public cloud use HashiCorp's open Terraform infrastructure-as-code software in Azure but added that it's not a good option for Azure Policy.
"It does not fully implement dependency rules for updates between Policies, Initiatives and Assignments," he wrote. "It does not fully implement a desired state across entire Azure tenants."
- Security pros get ability to manually add incidents to Microsoft Sentinel
- Microsoft offers SQL Server 2022 release candidate to Linux world
- Ubuntu Linux 18.04 systemd security patch breaks DNS in Microsoft Azure
- Official: Arm-based VMs available on Microsoft Azure
So, now there are steps that can be taken to implement Policy-as-code within Azure. It starts with creating an empty GitHub repository of one's own, cloning or forking that empty repository locally on a laptop and using the included Sync-Repo.ps1 script to populate the repository.
There is also a StarterKit folder with definitions and pipelines that the user can copy to their Definitions and Pipeline folders and modify the files as needed.
Another option is to generate the definition folders by importing the definitions from Azure Landing Zone artifacts. That also requires the pipeline from the StarterKit.
Watherston walks users through the initial option process step-by-step – another blog for the alternative is coming later – touching on everything from management groups and landing zones to GitHub flows, the pipeline, folders, configurations, policies, and deployment scenarios.
This should come in handy for users that for several years have wrestled with the complexity in Policy, a tool that compares the properties of resources in Azure to business rules set by the enterprise. Those rules are described in JSON format and are called policy definitions. Microsoft incorporated some features to make the tool simpler, such as grouping business rules together to create a policy initiative.
Those policy definitions or initiatives are applied to resources supported by Azure, such as management groups, resources groups, subscriptions, or individual resources. ®