Compliance without bounds in Hybrid and Multi-cloud World - Part 2
In Part 1 of Compliance without bounds in Hybrid and Multi-cloud World, we looked at how organisations of all sizes should assess their compliance maturity and established the need for an 'Enterprise Compliance Index'.
"Without bounds" needs a solid hybrid, hyper-scale, intelligent network with key enabling technologies, so that the Enterprise Compliance Index can prescriptively establish architectural patterns, blueprints, security baselines, process correlations and policy boundaries that reflect the overall 'compliance posture'.
In this part, let's look quickly across Identity and Policy aspects from Microsoft's point of view.
Identity and Access
The compliance journey starts, at a minimum, with understanding 'who' is accessing systems and for 'what' reason. Ensuring that the 'right' user can access the 'right' information at the 'right' time for the 'right' reason is essential for compliance.
The figure below summarises the overarching set of use cases, at an executive level, for identity and access.
For identity infrastructure to work effectively, organisations need to consider how identity is federated across applications, all the way to the services integrated through hybrid cloud deployments: for example, a service hosted in a private cloud authenticating and authorising seamlessly against services hosted at the edge or across multiple clouds.
The touch points across multiple types of identities, devices, location constraints, controls across networks and the plethora of apps make the deployment of identity solutions quite complex. The figure below illustrates how we see these touch points and the related technologies coming together.
An operational guide [ Link ] on Azure identity and access management goes into more detail on the checks and actions security architects can consider across the lifecycle of identities and access controls.
Policy Definitions and Enforcement
One of my favourite topics is Policy and how we ubiquitously deal with it across complex sub-systems.
Policies articulate the compliance posture and drive the culture in an organisation, so that everyone knows what is acceptable and what is not.
We need to bring an effective programming model and a strict definition of policy into the 'Enterprise Compliance Index'. It is important that organisations work towards a standard definition of policy that is understood by the systems and sub-systems being integrated. As an example, a policy should be understood in the same way, homogeneously, from front-end to back-end systems.
Azure Policy is one such attempt: a declarative construct built on Azure Resource Manager (ARM).
This enables the creation of Blueprints that can be applied to management groups representing the organisational structure, so that a policy assigned once is inherited by every subscription beneath it and enforced across multi-subscription and cross-regional workloads.
The article [ Create and manage policies to enforce compliance ] goes into more detail on how to create custom policies to enforce compliance.
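As an added example of what that declarative construct looks like in practice (this is not code from the original article or from Microsoft's documentation), the block below defines a custom Azure Policy that denies the creation of resources outside an approved set of regions, assigns it once at management-group scope so every subscription beneath inherits it, and then queries the resulting compliance state. The management group name `corp-prod`, the policy name `deny-disallowed-locations` and the region list are illustrative assumptions; the cmdlets come from the Az.Resources and Az.PolicyInsights modules and require an authenticated session.

```powershell
# Added example (not from the original article). Assumes the Az.Resources and
# Az.PolicyInsights modules and an authenticated session (Connect-AzAccount).
# The names below (corp-prod, deny-disallowed-locations, the region list) are
# illustrative assumptions, not values from the article.
$mgName  = 'corp-prod'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# The policy rule in the ARM policy language: if a resource's location is not in
# the parameter list, the deployment request is denied before the resource exists.
# 'global' is excluded so region-less resources (DNS zones, Traffic Manager, ...)
# are not blocked by accident.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameters keep the definition reusable: the same rule, different region list
# per assignment.
$policyParams = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

# Define the policy at management-group scope so every subscription under the
# group can be bound to the same definition. Mode 'Indexed' evaluates only
# resource types that support location and tags.
$definition = New-AzPolicyDefinition `
  -Name 'deny-disallowed-locations' `
  -DisplayName 'Deny resources outside approved regions' `
  -Mode 'Indexed' `
  -Policy $policyRule `
  -Parameter $policyParams `
  -ManagementGroupName $mgName

# Assign once at the management group; child subscriptions and resource groups
# inherit the assignment, so the policy boundary follows the org structure
# rather than a single subscription.
New-AzPolicyAssignment `
  -Name 'deny-disallowed-locations' `
  -Scope $mgScope `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ allowedLocations = @('australiaeast', 'australiasoutheast') }

# Check: a 'deny' effect only stops new deployments. Resources that already
# exist in other regions are reported as non-compliant and must be remediated
# (moved or rebuilt) or explicitly exempted; they are not removed for you.
Get-AzPolicyState -ManagementGroupName $mgName `
  -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq 'deny-disallowed-locations'" |
  Select-Object SubscriptionId, ResourceGroup, ResourceLocation, ResourceId
```

Two practical notes: policy evaluation of existing resources is not instantaneous after assignment, so an empty result immediately after `New-AzPolicyAssignment` does not mean the estate is compliant; and because the assignment is inherited, an exemption for a legitimately out-of-region workload should be created at the narrowest scope that needs it rather than by weakening the management-group parameter.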
While on vacation last week, as I took this picture of the audience (users) in the stadium, the thought that crossed my mind was: 'Can we generalise our understanding of the users of our systems in order to give them the best of experiences?'
Thanks again to Diomedes, Sharmili, Ujjwal, Justin Baird, Abbas Kudrati and Manjim Sharma for some great work and insights on this topic.
Until next time ...