Enforce cloud governance policies

This article shows you how to enforce compliance with cloud governance policies. Cloud governance enforcement refers to the controls and procedures you use to align cloud use to the cloud governance policies. The cloud governance team assesses cloud risks and creates cloud governance policies to manage those risks. To ensure compliance with the cloud governance policies, the cloud governance team must delegate enforcement responsibilities. They must empower each team or individual to enforce cloud governance policies within their area of responsibility. The cloud governance team can't do it all. Prefer automated enforcement controls but enforce compliance manually where you can't automate.

Diagram showing the process to set up and maintain cloud governance. The diagram shows five sequential steps: build a cloud governance team, assess cloud risks, document cloud governance policies, enforce cloud governance policies, and monitor cloud governance. You perform the first step once. You perform the last four steps once to set up cloud governance and then continuously to maintain it.

Define an approach for enforcing cloud governance policies

Establish a systematic strategy to enforce compliance with cloud governance policies. The goal is to use automated tools and manual oversight to enforce compliance efficiently. To define an enforcement approach, follow these recommendations:

  • Delegate governance responsibilities. Empower individuals and teams to enforce governance within their scope of responsibility. For example, platform teams should apply policies that the workloads inherit and workload teams should enforce governance for their workload. The cloud governance team shouldn't be responsible for applying enforcement controls.

  • Adopt an inheritance model. Apply a hierarchical governance model where specific workloads inherit governance policies from the platform. This model helps ensure that organizational standards apply to the correct environments, such as purchasing requirements for cloud services. Follow the design principles of Azure landing zones and their resource organization design area to establish a proper inheritance model.

  • Discuss enforcement specifics. Discuss where and how you apply governance policies. The goal is to find cost-effective ways to enforce compliance that accelerate productivity. Without a discussion, you risk blocking the progress of specific teams. It's important to find a balance that supports the business objectives while managing risk effectively.

  • Have a monitor-first stance. Don't block actions unless you understand them first. For lower priority risk, start by monitoring compliance with cloud governance policies. After you understand the risk, you can move to more restrictive enforcement controls. A monitor-first approach gives you an opportunity to discuss the governance needs and realign the cloud governance policy and enforcement control to those needs.

  • Prefer blocklists. Prefer blocklists over allowlists. Blocklists prevent the deployment of specific services. It's better to have a small list of services that you shouldn't use than a long list of services you can use. To avoid lengthy blocklists, don't add new services to the blocklist by default.

  • Define a tagging and naming strategy. Establish systematic guidelines for naming and tagging cloud resources. It provides a structured framework for resource categorization, cost management, security, and compliance across the cloud environment. Allow teams, such as development teams, to add other tags for their unique needs.

Enforce cloud governance policies automatically

Use cloud management and governance tools to automate compliance with governance policies. These tools can help in setting up guardrails, monitoring configurations, and ensuring compliance. To set up automated enforcement, follow these recommendations:

  • Start with a small set of automated policies. Automate compliance on a small set of essential cloud governance policies. Implement and test automation to avoid operational disruptions. Expand your list of automated enforcement controls when ready.

  • Use cloud governance tools. Use the tools available in your cloud environment to enforce compliance. Azure's primary governance tool is Azure Policy. Supplement Azure Policy with Microsoft Defender for Cloud (security), Microsoft Purview (data), Microsoft Entra ID Governance (identity), Azure Monitor (operations), management groups (resource management), infrastructure as code (IaC) (resource management), and configurations within each Azure service.

  • Apply governance policies at the right scope. Use an inheritance system where policies are set at a higher level, such as management groups. Policies at higher levels automatically apply to lower levels, such as subscriptions and resource groups. Policies apply even when there are changes within the cloud environment, lowering management overhead.

  • Use policy enforcement points. Set up policy enforcement points within your cloud environments that automatically apply governance rules. Consider predeployment checks, runtime monitoring, and automated remediation actions.

  • Use policy as code. Use IaC tools to enforce governance policies through code. Policy as code enhances the automation of governance controls and ensures consistency across different environments. Consider using Enterprise Azure Policy as Code (EPAC) to manage policies aligned with recommended Azure landing zone policies.

  • Develop custom solutions as needed. For custom governance actions, consider developing custom scripts or applications. Use Azure service APIs to gather data or manage resources directly.
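A predeployment policy enforcement point of the kind these recommendations describe, written as an added example (not code from this article, from Azure Policy, or from EPAC): a small Python evaluator for a subset of Azure Policy's JSON rule language that a pipeline can run over the resources extracted from a template before anything is deployed. The supported operator subset, the handling of "[parameters('x')]" references, the three policy definitions (modelled on the built-in Allowed locations and Not allowed resource types policies plus a required-tag policy) and the sample resources are all assumptions constructed for this example. The required-tag policy is assigned with the audit effect to illustrate the monitor-first stance: its findings are reported but don't block the deployment, while deny findings do.

```python
# Added example: pre-deployment policy check modelled on Azure Policy's JSON rule
# language. Not code from the article or from Azure. Only a subset of the
# condition operators and "[parameters('x')]" references are supported; the
# policy definitions and sample resources below are constructed for this example.
import re
from typing import Any

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$|^tags\.(.+)$")


def resolve_field(resource: dict, field: str) -> Any:
    """Look up a field the way Azure Policy names it ("type", "tags['key']", "tags.key")."""
    m = TAG_RE.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1) or m.group(2))
    return resource.get(field)


def resolve_value(value: Any, params: dict) -> Any:
    """Replace a "[parameters('x')]" reference with the assignment's parameter value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def evaluate_condition(cond: dict, resource: dict, params: dict) -> bool:
    """Recursively evaluate one condition node against a resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = resolve_field(resource, cond["field"])
    if "exists" in cond:  # Azure Policy writes the operand as the string "true"/"false"
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == resolve_value(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve_value(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve_value(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve_value(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, assignments: list) -> list:
    """Return one finding per assignment whose 'if' block matches the resource."""
    findings = []
    for a in assignments:
        rule = a["definition"]["policyRule"]
        if evaluate_condition(rule["if"], resource, a.get("parameters", {})):
            findings.append({"policy": a["definition"]["name"], "resource": resource["name"],
                             "effect": rule["then"]["effect"].lower()})
    return findings


def is_blocked(findings: list) -> bool:
    """Only 'deny' findings fail the pipeline; 'audit' findings are monitor-only."""
    return any(f["effect"] == "deny" for f in findings)


def check_deployment(resources: list, assignments: list) -> dict:
    """Evaluate every resource in a deployment; returns {resource name: findings}."""
    return {r["name"]: evaluate(r, assignments) for r in resources}


def definition(name: str, condition: dict, effect: str) -> dict:
    """Build a minimal policy definition document: {name, policyRule: {if, then}}."""
    return {"name": name, "policyRule": {"if": condition, "then": {"effect": effect}}}


# Constructed assignments modelled on the built-in "Allowed locations" and
# "Not allowed resource types" policies, plus a required-tag policy in audit mode.
ASSIGNMENTS = [
    {"definition": definition("allowed-locations",
                              {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                              "deny"),
     "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"definition": definition("not-allowed-resource-types",
                              {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
                              "deny"),
     "parameters": {"listOfResourceTypesNotAllowed": ["Microsoft.Compute/virtualMachineScaleSets"]}},
    {"definition": definition("require-costcenter-tag",
                              {"field": "tags['costCenter']", "exists": "false"}, "audit")},
]
# Constructed resources, as a pipeline step might extract them from a Bicep or ARM template.
SAMPLE_RESOURCES = [
    {"name": "st-app-prod", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": {"costCenter": "CC-1234"}},
    {"name": "vmss-batch", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "location": "eastus", "tags": {}},
    {"name": "kv-shared", "type": "Microsoft.KeyVault/vaults", "location": "northeurope"},
]

if __name__ == "__main__":
    for name, findings in check_deployment(SAMPLE_RESOURCES, ASSIGNMENTS).items():
        status = "BLOCKED" if is_blocked(findings) else ("audit" if findings else "compliant")
        print(f"{name}: {status} {[f['policy'] for f in findings]}")
```

Running the script reports st-app-prod as compliant, vmss-batch as blocked (wrong region, disallowed type, and a missing tag), and kv-shared as audit-only because it lacks the costCenter tag. The same evaluator can be fed the policy definitions you already keep as code, so the check in the pipeline and the assignment in Azure stay aligned.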

Azure facilitation: Enforcing cloud governance policies automatically

The following guidance can help you find the right tools to automate compliance with cloud governance policies in Azure. It provides a sample starting point for major categories of cloud governance.

Automate regulatory compliance governance

Automate security governance

Automate cost governance

  • Automate deployment restrictions. Disallow certain cloud resources to prevent the use of cost-intensive resources.

  • Automate custom restrictions. Create custom policies to define your own rules for working with Azure.

  • Automate cost allocation. Enforce tagging requirements to group and allocate costs across environments (development, test, production), departments, or projects. Use tags to identify and track resources that are part of a cost optimization effort.

Automate operations governance

  • Automate redundancy. Use built-in Azure policies to require a specified level of infrastructure redundancy, such as zone-redundant and geo-redundant instances.

  • Apply backup policies. Use backup policies to govern the backup frequency, retention period, and storage location. Align backup policies with data governance, regulatory compliance requirements, recovery time objective (RTO), and recovery point objective (RPO). Use the backup settings in individual Azure services, such as Azure SQL Database, to configure the settings you need.

  • Meet the target service-level objective. Restrict the deployment of certain services and service tiers (SKUs) that don't meet your target service-level objective. For example, use the Not allowed resource types policy definition in Azure Policy.

Automate data governance

  • Automate data governance. Automate data governance tasks, such as cataloging, mapping, securely sharing, and applying policies.

  • Automate data lifecycle management. Implement storage policies and lifecycle management for storage to ensure data is stored efficiently and compliantly.

  • Automate data security. Review and enforce data protection strategies, such as data segregation, encryption, and redundancy.

Automate resource management governance

  • Create a resource management hierarchy. Use management groups to organize your subscriptions so that you can efficiently govern policies, access, and spending. Follow Azure landing zone resource organization best practices.

  • Enforce a tagging strategy. Ensure all Azure resources are consistently tagged to improve manageability, cost tracking, and compliance. Define your tagging strategy and manage tag governance.

  • Restrict which resources you can deploy. Disallow resource types to restrict deployments of services that add unnecessary risk.

  • Restrict deployments to specific regions. Control where resources are deployed to comply with regulatory requirements, manage costs, and reduce latency. For example, use the Allowed locations policy definition in Azure Policy. Also enforce regional restrictions in your deployment pipeline.

  • Use infrastructure as code (IaC). Automate infrastructure deployments using Bicep, Terraform, or Azure Resource Manager templates (ARM templates). Store your IaC configurations in a source control system (GitHub or Azure Repos) to track changes and collaborate. Use Azure landing zone accelerators to govern the deployment of your platform and application resources and avoid configuration drift over time.

  • Govern hybrid and multicloud environments. Govern hybrid and multicloud resources. Maintain consistency in management and policy enforcement.
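The inheritance model behind the resource management hierarchy above (and behind "Apply governance policies at the right scope" earlier in this article), written as an added example that is not code from the article or from Azure: a small Python model of a management group tree that resolves which policy assignments a subscription or resource group inherits, including an assignment that deliberately excludes one child scope. The hierarchy, scope names, assignment names and notScopes entries are constructed for this example; Azure Policy assignments do have a notScopes property, but the resolution shown here is a simplification of the service's behaviour.

```python
# Added example: resolving which policy assignments apply at a given scope in a
# management-group hierarchy. Not code from the article or from Azure; the
# hierarchy, assignment names and notScopes exclusions are constructed for this
# example, and the resolution logic is a simplification of Azure Policy's.

# Child scope -> parent scope. The shape follows the Azure landing zone layout:
# a root management group, "platform" and "landingzones" beneath it, archetype
# groups beneath "landingzones", then subscriptions and resource groups.
HIERARCHY = {
    "contoso": None,
    "platform": "contoso",
    "landingzones": "contoso",
    "corp": "landingzones",
    "online": "landingzones",
    "sub-payroll": "corp",
    "sub-payroll/rg-web": "sub-payroll",
    "sub-shop": "online",
}

# An assignment set at a scope is inherited by every scope beneath it.
# "notScopes" lists child scopes the assignment deliberately skips.
ASSIGNMENTS = [
    {"name": "deny-unallowed-locations", "scope": "contoso", "effect": "deny", "notScopes": []},
    {"name": "audit-missing-costcenter", "scope": "landingzones", "effect": "audit", "notScopes": []},
    {"name": "deny-public-ip", "scope": "corp", "effect": "deny", "notScopes": ["sub-payroll/rg-web"]},
    {"name": "audit-public-ip", "scope": "online", "effect": "audit", "notScopes": []},
]


def scope_chain(scope: str, hierarchy: dict = HIERARCHY) -> list:
    """Return [scope, parent, grandparent, ..., root]; raise KeyError on an unknown scope."""
    chain = []
    while scope is not None:
        if scope not in hierarchy:
            raise KeyError(f"unknown scope: {scope}")
        chain.append(scope)
        scope = hierarchy[scope]
    return chain


def effective_assignments(scope: str, assignments: list = ASSIGNMENTS,
                          hierarchy: dict = HIERARCHY) -> list:
    """Assignments in force at `scope`: set on it or on any ancestor, minus those
    whose notScopes cover the scope or one of its ancestors."""
    chain = scope_chain(scope, hierarchy)
    return [a for a in assignments
            if a["scope"] in chain and not any(ns in chain for ns in a["notScopes"])]


def assignment_sources(scope: str, assignments: list = ASSIGNMENTS,
                       hierarchy: dict = HIERARCHY) -> dict:
    """Map each effective assignment name to the scope it was inherited from,
    which is what a workload team needs when it asks why a deployment was denied."""
    return {a["name"]: a["scope"] for a in effective_assignments(scope, assignments, hierarchy)}


if __name__ == "__main__":
    for leaf in ("platform", "sub-payroll", "sub-payroll/rg-web", "sub-shop"):
        print(leaf)
        for name, source in assignment_sources(leaf).items():
            print(f"  {name:28} inherited from {source}")
```

The output shows the platform subscription receiving only the tenant-wide location restriction, both landing zone archetypes inheriting the cost-centre audit, and rg-web escaping the public IP deny that its parent subscription still carries; when a scope sits outside the modelled hierarchy the lookup fails loudly rather than silently returning no policies.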

Automate AI governance

Enforce cloud governance policies manually

Sometimes a tool limitation or cost makes automated enforcement impractical. In cases where you can't automate enforcement, enforce cloud governance policies manually. To manually enforce cloud governance, follow these recommendations:

  • Use checklists. Use governance checklists to make it easy for your teams to follow the cloud governance policies. For more information, see the example compliance checklists.

  • Provide regular training. Conduct frequent training sessions for all relevant team members to ensure they're aware of the governance policies.

  • Schedule regular reviews. Implement a schedule for regular reviews and audits of cloud resources and processes to ensure compliance with governance policies. These reviews are critical for identifying deviations from established policies and taking corrective actions.

  • Monitor manually. Assign dedicated personnel to monitor the cloud environment for compliance with governance policies. Consider tracking the use of resources, managing access controls, and ensuring data protection measures are in place to align with the policies. For example, define a comprehensive cost management approach to govern cloud costs.

Review policy enforcement

Regularly review and update compliance enforcement mechanisms. The goal is to keep cloud governance policy enforcement aligned with current needs, including developer, architect, workload, platform, and business requirements. To review policy enforcement, follow these recommendations:

  • Engage with stakeholders. Discuss the effectiveness of enforcement mechanisms with stakeholders. Ensure cloud governance enforcement aligns with business objectives and compliance requirements.

  • Monitor requirements. Update or remove enforcement mechanisms to align with new or updated requirements. Track changes in regulations and standards that require updates to your enforcement mechanisms. For example, Azure landing zone recommended policies can change over time. You should detect those policy changes, update to the latest Azure landing zone custom policies, or migrate to built-in policies as needed.

Example cloud governance compliance checklists

Compliance checklists help teams understand the governance policies that apply to them. The example compliance checklists use the policy statement from the example cloud governance policies and contain the cloud governance policy ID for cross-referencing.

Category: Regulatory compliance
  ☐ Microsoft Purview must be used to monitor sensitive data (RC01).
  ☐ Daily sensitive data compliance reports must be generated from Microsoft Purview (RC02).

Category: Security
  ☐ MFA must be enabled for all users (SC01).
  ☐ Access reviews must be conducted monthly in ID Governance (SC02).
  ☐ Use the specified GitHub organization to host all application and infrastructure code (SC03).
  ☐ Teams that use libraries from public sources must adopt the quarantine pattern (SC04).

Category: Operations
  ☐ Production workloads should have an active-passive architecture across regions (OP01).
  ☐ All mission-critical workloads must implement a cross-region active-active architecture (OP02).

Category: Cost
  ☐ Workload teams must set budget alerts at the resource group level (CM01).
  ☐ Azure Advisor cost recommendations must be reviewed (CM02).

Category: Data
  ☐ Encryption in transit and at rest must be applied to all sensitive data (DG01).
  ☐ Data lifecycle policies must be enabled for all sensitive data (DG02).

Category: Resource management
  ☐ Bicep must be used to deploy resources (RM01).
  ☐ Tags must be enforced on all cloud resources using Azure Policy (RM02).

Category: AI
  ☐ The AI content filtering configuration must be set to medium or higher (AI01).
  ☐ Customer-facing AI systems must be red-teamed monthly (AI02).
