Describe resource governance capabilities in Azure Flashcards
Azure Policy
- Enforcing standards and assessing compliance: Azure Policy is designed to help enforce standards and assess compliance across your organization’s resources in Azure and Arc-enabled resources.
- Compliance dashboard: Azure Policy provides a compliance dashboard that offers an aggregated view of the overall state of your environment, allowing you to evaluate compliance at different levels of granularity.
- Drill-down capabilities: You can drill down into the compliance dashboard to assess compliance at a per-resource or per-policy level, providing detailed insights into the compliance status of individual resources.
- Remediation options: Azure Policy offers capabilities for rapid issue resolution, including bulk remediation for existing resources and automatic remediation for new resources. This ensures that non-compliant resources are brought into compliance efficiently.
- Use cases: Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost management, and overall resource management.
- Policy definitions: Azure Policy evaluates resource properties against business rules defined in JSON format, known as policy definitions. These rules describe the desired state and behaviour of resources to ensure compliance.
- Policy initiatives: Multiple policy definitions can be grouped together to form a policy initiative, allowing for simplified management and enforcement of multiple business rules.
- Assigning policies: Policy definitions or policy initiatives can be assigned to various scopes of resources, such as management groups, subscriptions, resource groups, or individual resources, providing flexibility in policy enforcement.
By leveraging Azure Policy, organizations can maintain governance, ensure compliance, and enforce desired standards and configurations across their Azure and Arc-enabled resources.
Evaluation Outcomes in Azure Policy
- Triggering evaluation: Azure Policy evaluates resources on specific events or times: the creation, deletion, or update of a resource within the scope of a policy assignment; the assignment of a new policy or initiative to a scope; an update to an existing policy or initiative assigned to a scope; and the regular compliance evaluation cycle.
- Compliance evaluation cycle: Azure Policy conducts a standard compliance evaluation cycle once every 24 hours to assess the compliance status of resources.
- Response to non-compliant resources: Organizations have flexibility in how they respond to non-compliant resources based on their specific needs and policies. Examples of responses include:
  - Denying a change to a non-compliant resource to prevent it from being modified further.
  - Logging changes made to a non-compliant resource for auditing and tracking purposes.
  - Modifying a non-compliant resource either before or after the change to bring it into compliance.
  - Deploying related compliant resources alongside or in response to non-compliant resources to maintain a consistent and compliant environment.
By leveraging the evaluation outcomes in Azure Policy, organizations can ensure that resources are evaluated for compliance at the appropriate times and respond effectively to non-compliance to maintain a secure and compliant Azure environment.
Difference between Azure Policy and Azure role-based access control (RBAC)
- Azure Policy: Ensures resource compliance with organizational business rules, regardless of who made the change or has permission to make changes. It evaluates the state of resources and takes action to maintain compliance.
- Azure RBAC: Manages user actions at different scopes by controlling access to Azure resources, defining permissions for what users can do with those resources, and specifying the areas they can access.
- Focus: Azure Policy focuses on resource compliance, while Azure RBAC focuses on managing user access and permissions.
- Control vs. Compliance: Azure Policy controls the state of resources to ensure compliance, even if an individual has access to complete an action that would result in a non-compliant resource. Azure RBAC controls user actions and access to resources.
- Complementary use: Azure Policy and Azure RBAC should be used together to achieve comprehensive control and compliance in Azure. They serve different purposes and work in tandem to enforce both access management and resource compliance.
Understanding the distinction between Azure Policy and Azure RBAC helps organizations effectively manage both user access and resource compliance within their Azure environment.
Azure Blueprints
- Definition of Repeatable Azure Resources: Azure Blueprints allow the definition of a repeatable set of Azure resources, ensuring consistent deployments that comply with organizational compliance requirements.
- Rapid Provisioning and Deployment: Development teams can quickly provision and run new environments aligned with compliance standards, resulting in shorter development times and faster delivery.
- Orchestration of Resource Deployment: Azure Blueprints enable the orchestration of various resource templates and artifacts such as role assignments, policy assignments, ARM templates, and resource groups.
- Multi-Subscription Deployment: Azure Blueprints support the simultaneous provisioning of Azure resources across multiple subscriptions, enhancing efficiency and scalability.
- Replication and Accessibility: Blueprint objects are replicated across multiple Azure regions, ensuring low latency, high availability, and consistent access to blueprint objects.
- Tracking and Auditing: Azure Blueprints maintain the connection between the blueprint definition and assignment, enabling improved tracking and auditing of deployments.
- Compliance Alignment: Azure Blueprints help ensure that Azure resources are deployed in a compliant manner with organizational requirements. However, continuous monitoring with tools like Azure Policy is necessary to ensure ongoing compliance.
By utilizing Azure Blueprints, organizations can streamline the deployment of Azure resources while maintaining compliance and governance standards.
Microsoft Purview
- Growing Data Challenges: Organizations face challenges in discovering, protecting, and governing sensitive data due to the constant growth and evolving data usage patterns.
- Data Consumers and Producers: Data consumers may be unaware of available data sources, while data producers struggle to document and maintain information assets, leading to complexities in data management.
- Microsoft Purview: Purview is designed to address these challenges and help organizations derive maximum value from their information assets.
- Unified Data Governance: The Microsoft Purview governance portal offers a comprehensive data governance service that covers on-premises, multicloud, and SaaS data.
- Data Landscape Mapping: Purview enables the creation of an up-to-date map of the organization’s data landscape through automated data discovery, sensitive data classification, and end-to-end data lineage.
- Data Curator Empowerment: Data curators can effectively manage and secure the data estate using Purview’s capabilities.
- Data Consumer Empowerment: Purview empowers data consumers to easily find valuable and trustworthy data within the organization.
Microsoft Purview helps organizations overcome the challenges associated with growing data volumes and ensures effective data governance, discovery, and utilization across diverse data sources.
Data Map
Microsoft Purview Data Map provides the foundation for data discovery and data governance.
By scanning registered data sources, Azure Purview Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.
Microsoft Purview supports Azure data sources and various data source categories including databases, file storage, and applications and services from third parties.
Data Catalog
With the Microsoft Purview Data Catalog, business and technical users can quickly and easily find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels and more.
Data Estate Insights
With Microsoft Purview Data Estate Insights, data officers and security officers get a bird’s-eye view and can understand at a glance what data is actively scanned, where sensitive data is, and how it moves.
Data Sharing and Data Policy (preview)
Microsoft Purview Data Sharing enables organizations to securely share data both within the organization and across organizations with business partners and customers.
Access policies in Microsoft Purview enable you to manage access to different data systems across your entire data estate.
For example, if a user needs read access to an Azure Storage account that has been registered in Microsoft Purview, you can grant this access directly in Microsoft Purview by creating a data access policy through the Policy management app in the Microsoft Purview governance portal.
Which tool can enable an organization’s development team to rapidly provision and run new resources, in a repeatable way that is in line with the organization’s compliance requirements?
A) Azure Policy
B) Azure Rapid Build
C) Azure Blueprints
C) Azure Blueprints
Azure Blueprints enable your development teams to define a repeatable set of Azure resources, achieving shorter development times and faster delivery.
As the compliance admin for your organization, you need to ensure that Azure resources meet your organization’s business rules. Which Azure capability should you use?
A) Use Azure role-based access control (RBAC).
B) Use Azure Policy.
C) Use Azure resource locks.
B) Use Azure Policy.
Azure Policy is used to ensure that your Azure resources comply with your organization’s business rules.
Which application in the Microsoft Purview governance portal is used to capture metadata about enterprise data, to identify and classify sensitive data?
A) Data Catalog.
B) Data Map.
C) Data Estate Insights.
B) Data Map.
Microsoft Purview Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.