Azure Foundations: A Compliance and Regulations Guide
Choosing Azure to host your cloud infrastructure is only the beginning. Industry regulation, internal organizational policy, or simply the need to verify that your test infrastructure is configured correctly may all push you to enforce compliance rules on that infrastructure. This is easier said than done: implementing compliance can be daunting without expert knowledge or a specific set of skills, and even with them there is no guarantee of success.
In this article, we will explore how to implement compliance and regulatory standards in Azure and how Azure Policy makes this process approachable without deep expert knowledge. We will learn how to assign a built-in regulatory standard and how to create and assign a custom policy.
Prerequisites
To follow this article, you will need an understanding of, or experience working with, the following:
- Azure fundamentals
- Industry compliance and regulatory standards
- An active Azure subscription
- Azure role-based access control (roles and role assignments)
- Writing JavaScript Object Notation (JSON)
Examples of compliance standards
Azure simplifies implementing compliance and regulatory standards because the platform itself is certified or attested against many of them, and Azure Policy ships built-in initiatives that map their controls to checks on your resources. Note that these certifications cover the platform; under the shared responsibility model you remain responsible for how you configure your own subscriptions, resources, identities and data. The following are some of the standards Azure complies with:
- HIPAA/HITRUST: For healthcare organizations handling protected health information (PHI).
- FedRAMP: For U.S. federal government agencies.
- ISO 27001: For information security management systems.
- ISO 27018: For protection of personally identifiable information (PII) in the cloud.
- PCI DSS: For payment card industry data security.
- GDPR: The General Data Protection Regulation of the European Union.
- CCPA: The California Consumer Privacy Act.
- NIST SP 800-171: The National Institute of Standards and Technology requirements for protecting controlled unclassified information (CUI).
- MTCS: The Multi-Tier Cloud Security standard (SS 584) of Singapore.
- IRAP: The Information Security Registered Assessors Program of Australia.
- ENS: The Esquema Nacional de Seguridad, Spain's National Security Framework.
- And many more.
Understanding Azure Policy
Azure Policy helps organizations maintain standards by continuously evaluating the resources in your subscriptions against rules you assign. It offers a compliance dashboard that provides a clear view of the overall environment and lets you drill down to specific resources and the policies that apply to them.
Azure Policy can also remediate existing resources in bulk (through remediation tasks) and correct new ones automatically at deployment time to keep them compliant. Azure Policy provides two options for managing policies:
- Using built-in policies (often used for regulatory standards).
- Creating custom policies (often used for organizational/personal rules).
Regardless of whether your policy is built-in or custom, Azure Policy describes it in JavaScript Object Notation (JSON). The JSON contains the logic that decides whether a resource is compliant, together with the effect to apply when it is not (for example deny or audit); this is the "policy definition". Several policy definitions can be grouped so that they are assigned and evaluated together; such a group is called a "policy initiative" (also known as a policy set).
In this article, we'll walk through setting up both. However, to follow along you will need at least one of the following Azure roles at the scope (management group, subscription or resource group) where you work:
- Owner: Users assigned the Owner role have full access to all resources and can manage policies, including creating, editing, and assigning policy definitions and assignments.
- Contributor: Users assigned the Contributor role can create and manage all types of Azure resources, including Azure Policy definitions and assignments.
- Resource Policy Contributor: This built-in role is specifically designed for managing Azure Policy. Users assigned it can create, edit, and assign policies, but cannot modify other Azure resources. (It is listed as "Policy Contributor" in some older material.)
- Management Group Contributor: Users assigned this role can manage management groups themselves; assigning a policy at management group scope additionally requires a role that grants Microsoft.Authorization/policyAssignments/write at that scope, such as Owner or Resource Policy Contributor.
For more information on Azure Policies, you can visit the official Azure Policy Documentation.
Azure Built-in policies
Built-in policies ship with Azure and are ready to use at any time. We'll walk through assigning one of the built-in regulatory initiatives, the Payment Card Industry Data Security Standard (PCI DSS):
- Create a resource group, “compliance_and_regulation_demo”.
- Search “Policy” in the search bar. The policy page for Azure Policy is displayed.
- Expand the “Authoring” drop-down.
Expanding the drop-down shows three sub-menus. All of these are essential for implementing policies and are the following:
- Definitions: The definitions page displays all the policies (both Built-in and custom).
- Assignments: Assignments page displays policies and the specific resources or resource groups and policies applied to them.
- Exemptions: The Exemptions page displays resources excluded from a policy assignment.
- Click on the "Policy type: All policy types" filter and select "Built-in" to display only built-in definitions and initiatives.
- Search "PCI DSS v4" in the definitions search bar. PCI DSS v4 is a policy initiative, so the many policy definitions it contains are displayed as well.
- Click "Assign initiative". The page that opens determines the scope (which resources the initiative applies to).
- Click the button next to your subscription name and select the resource group you created, "compliance_and_regulation_demo".
- Toggle "Policy enforcement" to Disabled. This sets the assignment's enforcement mode to DoNotEnforce: the policies' effects (denying resources, deploying remediations, etc.) are not applied, but compliance is still evaluated and reported, which is the safe way to see what an initiative would flag before enforcing it.
- Click "Review + create", then "Create".
- To confirm the assignment, open the "Assignments" sub-menu under "Authoring". Clicking "PCI DSS v4" opens a page showing the initiative along with the resource group it is assigned to.
Azure Custom policies
Unlike built-in policies, custom policies must be written by hand (in JSON). As an example, we will write a custom policy for resource locations. This policy denies the creation of resources outside a list of approved regions. Unlike the built-in example, you will assign this policy to the whole subscription.
- Search and open “Policy” in the search bar. The policy page for Azure Policy is displayed.
- Click the “Definitions” sub-menu under "Authoring”.
- Click “+ Policy Definition." The policy creation page is displayed.
- Select your subscription in “Definition Location”.
- Name the policy definition “Allowed Locations”.
- Scroll down to "Policy rule" and paste the following JSON into the editor. For details on the structure, refer to the Azure Policy definition structure documentation.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed locations",
        "description": "The list of allowed locations for resources.",
        "strongType": "location"
      },
      "allowedValues": [
        "eastus2",
        "westus2",
        "eastus",
        "westus"
      ]
    }
  }
}
- Click "Save". The definition now appears under "Definitions" with the policy type "Custom".
- Open the saved definition and click "Assign policy". Select your subscription as the scope.
- On the "Parameters" tab, choose the regions you want to allow for "Allowed locations" (only values from the definition's allowedValues list are offered). The parameter has no default value, so the assignment cannot be created without it.
- Leave "Policy enforcement" Enabled. This allows the policy to take action (denying non-compliant deployments).
- Click "Review + create", then "Create".
Note that a new assignment can take some time to take effect (Microsoft documents up to about 30 minutes), although the definition itself is visible under "Definitions" immediately. To test the policy, we will create a resource group in a region that is not in the allowed list (the definition uses mode "All", so resource groups are evaluated as well as resources):
- Create a resource group named "demoRG".
- Select "UK South" in "Region".
- Click "Review + create", then "Create".
Deployment of this resource group fails with the error message "Resource 'demoRG' was disallowed by policy. (Code: RequestDisallowedByPolicy)", so the policy is working.
- Finally, tidy up: remove the two policy assignments (so they do not block or flag later work in the subscription) and delete the resource group "compliance_and_regulation_demo". "demoRG" was never created, so there is nothing to delete there.
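To make the evaluation logic concrete, here is an added example (not code from the original article or from Azure) that implements, offline, the subset of the policy rule language this definition uses (`not`, `allOf`, `field` with `in`/`notIn`/`equals`/`notEquals`, and `[parameters('...')]` references) and runs the page's definition against a few constructed resources. It also shows a hardened variant: with mode "All" and the rule exactly as written, resources whose location is "global" (DNS zones, Traffic Manager profiles and the like) are denied too, which is why the built-in "Allowed locations" definition carves that value out. The names `PAGE_DEFINITION`, `HARDENED_DEFINITION`, `SAMPLE_RESOURCES` and `ASSIGNMENT` are assumptions made for the example.

```python
"""Offline evaluator for a subset of the Azure Policy rule language (added
example; not Azure's own evaluation engine).  Resource objects, definition
names and the assignment below are constructed for illustration."""
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# The article's definition, in compact form.
PAGE_DEFINITION = {
    "name": "Allowed Locations",
    "mode": "All",
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
    "parameters": {"allowedLocations": {"type": "Array",
                   "allowedValues": ["eastus2", "westus2", "eastus", "westus"]}},
}

# Hardened variant: do not deny resources whose location is "global".
HARDENED_DEFINITION = {
    "name": "Allowed Locations (global excluded)",
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
    "parameters": PAGE_DEFINITION["parameters"],
}


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assigned value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def _norm(value):
    """Azure Policy string comparisons are case-insensitive."""
    return str(value).lower()


def matches(cond, resource, params):
    """Evaluate one condition against a resource dict; True means the rule fires."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in {_norm(v) for v in _resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment, resource):
    """Return None when the resource is compliant, otherwise the effect reported.
    `assignment` carries the parameter values and enforcement mode chosen on the
    Assign policy page; with DoNotEnforce a deny is reported but not applied."""
    params = {}
    for name, spec in definition.get("parameters", {}).items():
        if name in assignment.get("parameters", {}):
            value = assignment["parameters"][name]
            allowed = spec.get("allowedValues")
            if allowed is not None and any(v not in allowed for v in value):
                raise ValueError(f"value for '{name}' is outside allowedValues")
            params[name] = value
        elif "defaultValue" in spec:
            params[name] = spec["defaultValue"]
        else:
            raise ValueError(f"assignment must supply parameter '{name}'")
    rule = definition["policyRule"]
    if not matches(rule["if"], resource, params):
        return None
    effect = _norm(_resolve(rule["then"]["effect"], params))
    if effect == "deny" and _norm(assignment.get("enforcementMode", "Default")) == "donotenforce":
        return "deny (not enforced, reported as non-compliant)"
    return effect


def compliance_report(initiative, assignment, resources):
    """Evaluate every definition of an initiative (policy set) against every
    resource, the way the compliance dashboard aggregates results per resource."""
    return {res["name"]: [d["name"] for d in initiative
                          if evaluate(d, assignment, res) is not None]
            for res in resources}


# Constructed sample resources (not real deployments).
SAMPLE_RESOURCES = [
    {"name": "demoRG", "type": "Microsoft.Resources/resourceGroups", "location": "uksouth"},
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts", "location": "EastUS"},
    {"name": "corp-dns", "type": "Microsoft.Network/dnszones", "location": "global"},
]
ASSIGNMENT = {"parameters": {"allowedLocations": ["eastus", "eastus2"]},
              "enforcementMode": "Default"}

if __name__ == "__main__":
    for res in SAMPLE_RESOURCES:
        print(res["name"], evaluate(PAGE_DEFINITION, ASSIGNMENT, res),
              evaluate(HARDENED_DEFINITION, ASSIGNMENT, res))
    print(compliance_report([PAGE_DEFINITION, HARDENED_DEFINITION], ASSIGNMENT, SAMPLE_RESOURCES))
```

Running it shows "demoRG" denied by both definitions (matching the RequestDisallowedByPolicy result in the walkthrough), the storage account in "EastUS" compliant because comparisons are case-insensitive, and the DNS zone denied only by the page's definition. Before enforcing a location policy across a subscription, assign it with enforcement disabled first and check the compliance view for such "global" resources.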
Conclusion
With that, we have come to the end of this guide. Hopefully it has given you a deeper understanding of how Azure Policy implements and tracks compliance and regulatory standards in your Azure environment, along with a way to write custom policies that fit your own needs.