Landing zone lifecycle management tools (preview)

Important

This is a preview feature. This information relates to a prerelease feature that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

This article gives you an overview of the new landing zone lifecycle management tools and enhancements provided through Microsoft Cloud for Sovereignty on GitHub. The plan is to continually improve their efficiency, reliability, and compliance capabilities to better meet the evolving needs of customers. The landing zone lifecycle management tools are:

  • Assessment: This tool performs a predeployment evaluation of Azure resources, such as their locations and Azure policy assignments, against established best practices.
  • Policy Compiler: This tool streamlines the policy management process. It systematically analyzes your organization's policy initiatives by examining key components.
  • Drift Analyzer: This tool monitors and compares the current state of the cloud environment with its original intended landing zone configuration. It identifies critical deviations or changes.

Assessment

The Assessment tool provides a predeployment evaluation of Azure resources, such as their locations and Azure policy assignments, against established best practices. The tool assesses various aspects of a cloud environment, such as:

  • The Sovereign Landing Zone (SLZ) Baseline policy assignment.
  • The usage of custom policy initiatives.
  • The individual policy assignments.

The tool gives you recommendations based on the severity of the findings. The recommendations are categorized as:

  • Best: Assign the SLZ Baseline policy initiative.
  • Better: Assign policies from the SLZ baseline in a custom initiative or another built-in initiative.
  • Good: Individually assign policies that are a part of the SLZ Baseline policy initiative.

Categories

The tool evaluates each of the following categories and gives severity levels based on findings.

  • Allowed locations
  • Confidential Computing (if selected at time of assessment)
  • Customer-managed keys
  • Architecture

Severity levels

The tool groups the category evaluation findings by the following severity levels:

  • High: Policy isn't found.
  • Medium: Policy is assigned individually.
  • Low: Policy is assigned as part of an initiative (not the baseline).
  • Informational: Management groups aren't being used.
  • None: No finding if the Baseline policy isn't assigned.
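The classification above, as an added example that is not code from the Assessment tool or from Microsoft Cloud for Sovereignty: for every policy in the SLZ Baseline initiative it decides whether the policy is covered through the baseline itself (treated here as the no-finding case, matching the "Best" recommendation), through another initiative (Low), individually (Medium), or not at all (High). Policy and initiative ids are constructed placeholders, and the assignment records only mimic the shape of Azure Policy assignments.

```python
"""Assessment-style severity classification of SLZ Baseline policy coverage.
All ids below are constructed placeholders, not real Azure policy definitions."""

SLZ_BASELINE_ID = "/providers/Microsoft.Authorization/policySetDefinitions/slz-baseline"
SLZ_BASELINE_POLICIES = {"allowed-locations", "cmk-required", "confidential-vm-only"}

# Initiative id -> member policy ids. A real tool would resolve these from the
# Azure Policy API; here they are constructed sample data.
INITIATIVES = {
    SLZ_BASELINE_ID: SLZ_BASELINE_POLICIES,
    "/providers/Microsoft.Authorization/policySetDefinitions/custom-security": {"cmk-required", "tls12-only"},
}


def assess(assignments, management_groups_used=True):
    """Return {policy_id: severity} for each SLZ Baseline policy, plus an
    Informational entry when management groups are not in use.

    Order of precedence per policy: baseline assigned (None) beats coverage
    through another initiative (Low), which beats an individual assignment
    (Medium); anything else is not found (High)."""
    assigned_ids = {a["policyDefinitionId"] for a in assignments}
    if SLZ_BASELINE_ID in assigned_ids:
        findings = {p: "None" for p in SLZ_BASELINE_POLICIES}
    else:
        findings = {}
        for policy in sorted(SLZ_BASELINE_POLICIES):
            in_initiative = any(policy in INITIATIVES.get(i, ()) for i in assigned_ids)
            if in_initiative:
                findings[policy] = "Low"
            elif policy in assigned_ids:
                findings[policy] = "Medium"
            else:
                findings[policy] = "High"
    if not management_groups_used:
        findings["management-groups"] = "Informational"
    return findings


# Constructed sample: baseline not assigned; one custom initiative and one
# directly assigned policy.
SAMPLE_ASSIGNMENTS = [
    {"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/custom-security"},
    {"policyDefinitionId": "allowed-locations"},
]

if __name__ == "__main__":
    for policy, severity in assess(SAMPLE_ASSIGNMENTS).items():
        print(f"{severity:<8} {policy}")
```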

Resource residency

This section shows you the essential details of all resources within the selected subscription, including the location, name, and ID, which gives you a comprehensive view of how resources are distributed across the environment.

Policy Compiler

In the complex landscape of regulatory compliance, organizations face the challenging task of managing overlapping and conflicting policy initiatives. The Policy Compiler tool streamlines the policy management process. It systematically analyzes your organization's policy initiatives by examining key components, such as display names, descriptions, parameters, and effects.

The tool compares these elements across different policies and detects redundancies, conflicts, and gaps. It then uses this analysis to provide a set of recommended, reconciled policy initiatives that align with customers’ specific compliance needs, making policy management more efficient and reliable.

Use case example

Imagine Policy Compiler as a dedicated assistant who meticulously reviews all your policy documents, identifies any overlaps or contradictions, and then advises you on the best course of action. Whether you need to harmonize data protection policies across different jurisdictions or align security measures with varying industry standards, Policy Compiler helps you create a cohesive and clear policy framework.

Current features of the Policy Compiler

The current prototype of the Policy Compiler tool provides you with access to all built-in and custom Azure policy initiatives at their root scope. The tool helps you consolidate all unique policies from the selected initiatives into a single custom initiative. In the process, it gives you a comprehensive overview of the policy landscape and simplifies it.

Drift Analyzer

The Landing Zone Drift Analyzer tool monitors and compares the current state of the cloud environment with its original intended configuration. It identifies any critical changes or deviations that might affect your environmental integrity and compliance. These changes might be intentional or unintentional.

Drift Analyzer access information

A public preview is available for users to check drift against a standard SLZ configuration. You can access the public preview from the Cloud for Sovereignty quickstarts. Additionally, you can request the private preview, which lets you check drift against a registered landing zone, from this page.

Important

The public preview of Drift Analyzer offers limited functionality compared to the private preview.

Deviation categories

You can categorize the intentional or unintentional deviations that the tool identifies as follows:

  • Severity: Classifying the effect of changes by severity levels helps prioritize actions.
  • Management groups: Changes to management groups might result in security and compliance risks.
  • Policy initiative assignments: Modifications to policy assignments can cause operational risks.
  • Policy parameters: Modifications to policy parameters can cause operational risks.
  • Allowed locations: Changes to allowed locations can compromise security or compliance.
  • Log retention: Changes to log retention policies can cause data loss or noncompliance.
  • Severity changes: Changes to severity levels might lead to missed critical change notifications.
  • Management Group hierarchy: Changes to management group hierarchies can increase security risks.
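The comparison the Drift Analyzer performs, as an added example that is not the tool's own code: a registered (intended) landing zone configuration is diffed against the current state, and each deviation is labelled with one of the categories above. Both configurations are constructed dicts, and the mapping from configuration key to category and severity is an assumption made for this example.

```python
"""Drift detection between an intended landing zone configuration and its
current state. Configuration keys, categories and severities are assumed."""

# Assumed mapping: configuration key -> (deviation category, severity).
CATEGORY = {
    "management_groups": ("Management groups", "High"),
    "mg_hierarchy": ("Management Group hierarchy", "High"),
    "initiative_assignments": ("Policy initiative assignments", "High"),
    "policy_parameters": ("Policy parameters", "Medium"),
    "allowed_locations": ("Allowed locations", "High"),
    "log_retention_days": ("Log retention", "Medium"),
}


def detect_drift(intended, current):
    """Return [(category, severity, detail)] for every key whose current value
    deviates from the intended one. Sets report added/removed members, dicts
    report changed entries, scalars report old -> new. Highest severity first."""
    deviations = []
    for key, (category, severity) in CATEGORY.items():
        want, have = intended.get(key), current.get(key)
        if want == have:
            continue
        if isinstance(want, (set, frozenset)):
            detail = f"added={sorted(set(have) - want)} removed={sorted(want - set(have))}"
        elif isinstance(want, dict):
            changed = {k: (want.get(k), have.get(k))
                       for k in want.keys() | have.keys() if want.get(k) != have.get(k)}
            detail = f"changed={changed}"
        else:
            detail = f"{want} -> {have}"
        deviations.append((category, severity, detail))
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(deviations, key=lambda d: order[d[1]])  # stable: keeps key order within a level


# Constructed intended (registered) state and a drifted current state.
INTENDED = {
    "management_groups": {"slz-platform", "slz-landingzones", "slz-sandbox"},
    "mg_hierarchy": {"slz-platform": "slz-root", "slz-landingzones": "slz-root"},
    "initiative_assignments": {"slz-baseline"},
    "policy_parameters": {"allowedLocations": ["westeurope"], "minTls": "1.2"},
    "allowed_locations": {"westeurope"},
    "log_retention_days": 365,
}
CURRENT = dict(INTENDED, management_groups={"slz-platform", "slz-landingzones"},
               policy_parameters={"allowedLocations": ["westeurope", "eastus"], "minTls": "1.2"},
               allowed_locations={"westeurope", "eastus"}, log_retention_days=90)
```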

See also