AZ Lamps #5 — Policies and Initiatives
I have already made several posts about security, but today I want to look at this topic from a different angle. Many companies want to be secure but fail to become so. The primary root cause of this issue is typically an inconsistency in implementation.
In Azure, you should use security Policies. They are rules that apply to all resources. For example, the policy Storage account public access should be disallowed is self-describing — you need to disallow anonymous access explicitly. If the service does not meet the condition, Azure marks it as non-compliant.
You may combine policies into Initiatives, which is very convenient — you can view compliance statistics across the ecosystem. You can specify the Initiative yourself or choose from what Azure offers. For example, you can select the in-build GDPR or ISO9001 initiatives and see how compliant your system is. Then, Azure provides you with an action list (see picture) to become compliant.
I often use the Azure Security Benchmark initiative — it contains the most essential best practices, not overkill like the most mature certifications (e.g., FedRAMP).
