Azure Governance and Compliance

Question 1

What Types of Rules appear in contact with Governance?

Answer 1

• servers must be running software withing Microsoft Extended Support guidelines
• all servers must be backed up every 24 hours at a minimum
• Firewalls must block all inbound ports from the Internet except 443
• Only Operations Support can reboot a production server

Question 2

How can you enforce governance rules in Azure?

Answer 2

• Azure Blueprint will be retired
• Template specs replaces it (ARM templates)
• as well as Deployment Stacks
• Azure Policy (predefined and own rules)
• Resource Locks (prevents accidental changes)
• Microsoft Purview (data governance)
• RBAC

Question 3

At what level can Azure Policy rules be defined?

Answer 3

• for resources and resource groups
• all or some

Question 4

What does Azure Policy allow you to do?

Answer 4

• definition of rules for resources and resource groups
• evaluation of compliance of those rules
• enforce rules so that resources cannot violate those rules

Question 5

Name examples for Azure Policies

Answer 5

• require SQL Server 12.0
• automatically apply tagging
• not allowed resource types
• reject certain storage accounts SKUs
• limit deployment locations
• limit vm SKUs (Specs)

Question 6

When talking about scope of Azure Policies what is meant?

Answer 6

• subscriptions / management groups
• and/or resource groups
• i.e. where Azure Policies should be enforced

Question 7

How can you apply a new Azure Policy to already existing resources?

Answer 7

• via a remediation task after creation of the Azure policy

Question 8

What types of Resource Locks exist?

Answer 8

• Read Only
• Can Not Delete

Question 9

What does the Read-Only Resource Lock entail?

Answer 9

• only allows to see the resource exists and view its properties
• does not allow to make any changes to resource or delete it

Question 10

What does the Can Not Delete Resource Lock entail?

Answer 10

• only blocks deletions
• changes can be applied to the resource

Question 11

How can RBAC and Resource locks work together?

Answer 11

• RBAC can be used to restrict who can unlock (update, delete, add) locks
• access to locks is denied by default

Question 12

What is the Tool Microsoft Perview used for?

Answer 12

• Data Governance Tool
• one-stop shop, centralised dashboard

lots of features:
- auditing
- communication compliance
- Data Map and Data Catalog
- Information Protection
- Data Loss Prevention
- Data Lifecycle Management
- Insider Risk Management

Question 13

What does Communication Compliance of the Microsoft Perview tool entail?

Answer 13

• SEC compliance (tracking of messages between employees)
• FINRA (financial tracking requirements)
• sensitive or confidential information
• harassing or threatening language
• sharing of adult content

Report that shows what policy issues come up

Question 14

What does Information Protection of the Microsoft Perview tool entail?

Answer 14

• proactively finds sensitive information in your organization
• Know your data - what sensitive information is stored where
• protect your data - sensitivity labels, encryption
• prevent data loss - browser extensions, pop-up tips, block sharing

Based on labels options for dealing with data can be restricted, etc