Compliance & Governance

Azure Policy, regulatory requirements, security best practices, and governance models. Learn how to enforce organization-wide security standards.

🧠 ELI5 Explanation

Policy = company rules ("all VMs must have antivirus, all resources must have a 'cost-center' tag"). Compliance = following industry regulations ("PCI-DSS says encrypt payment data"). Governance = ensuring everyone follows the rules. Azure Policy = automated enforcement—violations are blocked or flagged.

Technical Explanation

Azure Policy Overview

Enforces organization standards at scale:

  • Policy Definition: Rule (e.g., "all storage must use encryption")
  • Policy Assignment: Apply rule to scope (subscription, RG, resource)
  • Enforcement Mode: Audit (log violations) or Deny (block violations)
  • Compliance Report: Show what's compliant vs non-compliant

Built-in policies: Microsoft provides 100+ (e.g., "Require MFA for subscriptions")

Policy Assignments & Scope

Policies are hierarchical:

  • Management Group: Apply to all subscriptions
  • Subscription: Apply to all resource groups
  • Resource Group: Apply to specific RG

Example: Policy at management group level: "All VMs must have tags". Every new VM must have tags, or creation fails.

Key Regulatory Frameworks

Framework   | Industry                 | Key Requirement
------------+--------------------------+--------------------------------------------------------------
PCI-DSS     | Finance (payment cards)  | Encrypt payment data, isolate networks, strong access control
HIPAA       | Healthcare               | Encrypt patient data, audit logs, data breach notification
GDPR        | Global (EU)              | Data privacy, user rights (deletion, portability), consent
SOC 2       | SaaS/Cloud               | Security, availability, processing integrity, confidentiality
ISO 27001   | Information Security     | Risk management, access control, incident response

Security Best Practices in Governance

  • Least Privilege: Users/apps get minimum permissions needed
  • Defense in Depth: Multiple security layers (identity, network, data)
  • Monitoring & Auditing: Log all access, detect anomalies
  • Encryption: Data at rest and in transit
  • Disaster Recovery: Backups, failover, recovery plans
  • Incident Response: Process for security breaches (detection, containment, recovery)

Visual Representation

Policy Governance Model

Organization Governance

│
├─ Management Group "Production"
│  │
│  ├─ Policy: "Require tags on all resources"
│  ├─ Policy: "Require MFA for subscriptions"
│  │
│  ├─ Subscription "Finance"
│  │  ├─ RG "Payments"
│  │  │  ├─ Resource (must comply with policies)
│  │  │  └─ Compliance check: Pass ✓
│  │  └─ RG "Reporting"
│  │     └─ Compliance check: Fail (missing tags)
│  │
│  └─ Subscription "Operations"
│     └─ (inherits policies from Management Group)

Compliance Report:
Production: 78/100 resources compliant

Hands-on: Create & Enforce Policy

# List built-in policies
az policy definition list --query "[].{displayName:displayName, description:description}" --output table

# Create policy assignment: require a tag.
# Look the built-in definition up by display name rather than hard-coding its GUID;
# this built-in takes the tag name as a parameter.
TAG_POLICY=$(az policy definition list --query "[?displayName=='Require a tag on resources'].name" --output tsv)
az policy assignment create \
  --name "require-tags" \
  --policy "$TAG_POLICY" \
  --params '{"tagName": {"value": "cost-center"}}' \
  --scope /subscriptions/{subscriptionId}

# Evaluate only (log violations, don't block): enforcement mode "DoNotEnforce".
# "Default" is the enforcing mode, so a Deny-effect policy blocks creation under it.
az policy assignment update \
  --name "require-tags" \
  --scope /subscriptions/{subscriptionId} \
  --enforcement-mode "DoNotEnforce"

# Check policy compliance summary
az policy state summarize --query "results" --output table

# List non-compliant resources and the assignment that flagged them
az policy state list \
  --query "[?complianceState=='NonCompliant'].{resource:resourceId, policy:policyAssignmentName}" \
  --output table

# Exempt one resource from the assignment. Category, expiry and description are recorded
# so the exception can be reviewed and removed; --policy-assignment takes the assignment ID.
ASSIGNMENT_ID=$(az policy assignment show --name "require-tags" --scope /subscriptions/{subId} --query id --output tsv)
az policy exemption create \
  --name "exemption-vm" \
  --policy-assignment "$ASSIGNMENT_ID" \
  --exemption-category "Waiver" \
  --expires-on "{expiryDate}" \
  --description "Test VM, ticket {ticketId}" \
  --scope /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm}

Real-world Use Case

Scenario: Fintech company must comply with PCI-DSS for payment processing.

Governance Setup:
  1. Management Group "PCI-Compliant"
  2. Policies assigned:
     • "Storage must encrypt data"
     • "SQL databases must have transparent encryption"
     • "NSGs must deny all inbound by default"
     • "VMs must have antivirus"
     • "All resources must have 'pci-tag: true'"
  3. Compliance mode: "Deny" (violations blocked)
  4. Quarterly audit: Generate compliance report for PCI auditors

Benefit: If developer tries to create unencrypted storage, policy blocks it automatically. No PCI violations possible.
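The evaluation described in the overview (definition rule, assignment scope, Audit vs Deny, exemptions) and the PCI scenario above, modelled in Python as an added example; this is not Azure's policy engine or any Microsoft code. It uses the real policy-rule JSON shape (if/then, field, allOf, not) but only a subset of operators, models an assignment scope as a resource-ID prefix, and every resource, assignment name, date and the storage "encrypt in transit" property it checks are constructed for the example.

```python
def _field(resource, path):
    # Resolve a policy 'field' path; subset of Azure's: type, location, tags['k'], properties.k
    if path.startswith("tags['"):
        return resource.get("tags", {}).get(path[6:-2])
    head, _, key = path.partition(".")
    return resource.get(head, {}).get(key) if key else resource.get(path)

def matches(cond, resource):
    # Evaluate a policy rule's 'if' block (subset: allOf, not, equals, notEquals)
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, assignments, exemptions, today):
    # {assignment name: effective effect} for assignments whose scope (modelled as a resource-ID prefix) covers
    # the resource; enforcementMode=DoNotEnforce turns Deny into Audit, an unexpired exemption skips the assignment
    rid, results = resource["id"].lower(), {}
    for a in assignments:
        covered = rid.startswith(a["scope"].lower())
        exempt = any(e["assignment"] == a["name"] and rid.startswith(e["scope"].lower())
                     and e["expiresOn"] >= today for e in exemptions)  # ISO-8601 date strings compare correctly
        if covered and not exempt and matches(a["rule"]["if"], resource):
            effect = a["rule"]["then"]["effect"]
            results[a["name"]] = "Audit" if a.get("enforcementMode") == "DoNotEnforce" else effect
    return results

def creation_allowed(resource, assignments, exemptions, today):
    # Deny blocks the ARM request; Audit only records a violation
    return "Deny" not in evaluate(resource, assignments, exemptions, today).values()

def compliance_summary(resources, assignments, exemptions, today):
    # (compliant, total): compliant means no applicable, unexempted policy flags the resource
    return sum(1 for r in resources if not evaluate(r, assignments, exemptions, today)), len(resources)

PCI_ASSIGNMENTS = [  # constructed: two of the scenario's PCI rules, assigned at the "Finance" subscription in Deny mode
    {"name": "require-pci-tag", "scope": "/subscriptions/sub-finance",
     "rule": {"if": {"field": "tags['pci-tag']", "notEquals": "true"}, "then": {"effect": "Deny"}}},
    {"name": "storage-https-only", "scope": "/subscriptions/sub-finance",
     "rule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                               {"field": "properties.supportsHttpsTrafficOnly", "notEquals": True}]},
              "then": {"effect": "Deny"}}},
]
```

Switching the same assignments to enforcementMode "DoNotEnforce" is the Audit posture: the violations are still reported, but creation_allowed returns True.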

Summary

Interview Questions

Q (Beginner): What is Azure Policy?
A: Service that enforces organizational standards. Policies define rules (e.g., "all VMs must have tags"), and violations are audited or blocked.
Q (Beginner): What's the difference between "Audit" and "Deny" enforcement mode?
A: Audit = log violations (resource still created). Deny = block violations (resource creation fails).
Q (Intermediate): Your company needs PCI-DSS compliance for payment processing. How would you use Azure Policy?
A: Create/assign PCI-DSS policies (encryption, access control, tagging) in Deny mode. Non-compliant resources can't be created. Quarterly compliance report provides evidence for auditors.
Q (Intermediate): Explain the policy scope hierarchy. Which has broader impact?
A: Management Group > Subscription > Resource Group > Resource. Management Group scope affects all subscriptions under it.
Q (Scenario): A developer needs to temporarily bypass a policy (e.g., create unencrypted storage for testing). How would you securely allow this?
A: Create policy exemption for that specific resource/scope, with expiration date. Document business justification. Audit exemption regularly. Remove when testing complete.