Gartner Blog Network

Get in control of your Azure environments with Policy Automation

by Richard Watson  |  December 18, 2019

Self-service access to cloud computing for IaaS and PaaS services is a new superpower. For example, developers can create or destroy virtual machines (VMs) or storage accounts on demand. You want to empower your teams to innovate faster by experimenting with these new powers. In the typical on-premises environment, a many-eyes approval process governs such changes; it achieves maximum control but slows things down, making innovation difficult to materialize. Maintaining a balance between the agility offered by cloud platforms and the business requirement to operate in a secure, controlled manner that meets all internal and external standards is tricky, but it is a vital task for cloud governance.

Gartner clients express to us their fear that lack of comprehensive, programmatic cloud governance makes them susceptible to security breaches, loss of control and overspending on cloud resources. To implement governance, you’ll need guardrails expressed by policies and enforced by tools. Building guardrails that scale for self-service cloud use requires programmatic enforcement of your policies so that they are enforced automatically and consistently. The side benefit is that implementing automated governance transforms central IT’s role from fulfilling users’ requests to empowering self-service for teams that need the agility to use cloud services with native tools.

My just-published cloud governance research, How to Implement Policy in Microsoft Azure for 3 Common Cloud Governance Use Cases (paywall), analyzes technical policy enforcement solutions made possible by Microsoft Azure’s native services. The assessment here identifies the strengths and warns about the limitations of Azure’s policy implementation by assessing the implementation of Gartner’s suggested governance policies for these three example use cases:

  1. Identity, Security and Compliance: Goals for policies in this area include protecting sensitive data and infrastructure, complying with regional or industry regulations and ensuring there are appropriate levels of RBAC, based on the principles of least privilege and separation of duty. The research details how to implement two policy examples. The first builds on the research note's introduction of Azure RBAC to give a specific and concrete example of managing access to a particular type of resource (VNets) using RBAC: “VNet Subnets for VM Instances Cannot Be Provisioned by Dev Users; They Must Be Provisioned by Network Administrators”. The second implements a region-locking policy that could be required for compliance with regional regulations or commitments to customers in a particular regional market: “Resources Must Be Provisioned in European Union Regions”.
  2. Inventory and Classification: Goals for these policies include controlling asset sprawl, which makes the cloud environment costlier to manage and less secure. The policy example in this area explored in the research is “Resources Must Have Specific Tags to Be Provisioned”.
  3. Cost Management and Resource Optimization: Goals for these policies include ensuring the organization’s money is being spent efficiently and is attributable to the source of the cost. “Prevent Users From Spending Over a Defined Budget” is the policy example assessed in the research.
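To make the region-locking and required-tag examples above concrete, here are two custom Azure Policy definitions added for illustration (they are not from the research note or from Microsoft's samples); the EU region list and the `costCenter` tag name are assumed parameter defaults, and the two definitions are shown in one array only for brevity, since each `properties` object is deployed on its own.

```json
[
  {
    "properties": {
      "displayName": "Resources Must Be Provisioned in European Union Regions",
      "description": "Example definition added for illustration, not from the article.",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "allowedLocations": {
          "type": "Array",
          "metadata": { "displayName": "Allowed EU regions", "strongType": "location" },
          "defaultValue": [ "westeurope", "northeurope", "francecentral", "germanywestcentral" ]
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "location", "notIn": "[parameters('allowedLocations')]" },
            { "field": "location", "notEquals": "global" }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  },
  {
    "properties": {
      "displayName": "Resources Must Have Specific Tags to Be Provisioned",
      "description": "Example definition added for illustration, not from the article.",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": { "displayName": "Required tag" },
          "defaultValue": "costCenter"
        }
      },
      "policyRule": {
        "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
        "then": { "effect": "deny" }
      }
    }
  }
]
```

The `Indexed` mode limits evaluation to resource types that support location and tags, and the `global` exclusion keeps the region rule from blocking location-less resources such as DNS zones. Assigning the same rules with `audit` instead of `deny` first is the usual way to measure existing non-compliance before enforcement is switched on.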

The figure below illustrates an Azure financial governance workflow using Azure Cost Management and Action Groups integration for remediating the over-spend.

Configure Programmatic Budget Notifications and Automate Remediation


This document is part of a series I’ve authored covering governance implementations in leading cloud providers. See “How to Implement Policy in Google Cloud Platform for 3 Common Cloud Governance Use Cases” (paywall) for Google Cloud Platform (GCP) implementations to the same use cases as detailed here and “Implementing Governance for Public Cloud IaaS” for the overall cloud governance guidance framework into which these provider-specific implementations fit. 

To know more about this research, you can also schedule an inquiry call with me or talk to your Gartner representative.

Lastly, feel free to follow me on Twitter (@richwatson) or connect with me on LinkedIn for further updates on my research. Looking forward to talking to you!



Category: azure  cloud  cloud-computing  risk-response-strategies  

Tags: azure  cloud  cloudgovernance  governance  

Richard Watson
Research VP
5 years at Gartner
21 years IT industry

Richard Watson is an analyst in Gartner's Technical Professionals Research Service. He advises clients on cloud computing, application architecture, and application platforms.
