Azure Governance Architecture Design

💼 Management Summary

Azure Governance architecture defines the management group hierarchy, subscription design, RBAC strategy, policy framework and cost management for scalable, secure and compliant Azure environments.

Recommendation
IMPLEMENT AZURE GOVERNANCE
Risk without
Critical
Risk Score
9/10
Implementation
160h (technical: 80h)
Applies to:
✓ Azure

Without governance: subscription sprawl (unmanaged subscriptions), inconsistent security (per-subscription configurations), no centralized policy (manual enforcement is impossible at scale), RBAC chaos (who has access to what?), cost overruns (no budget controls). Governance provides: hierarchical control (management groups), inherited policies (consistent enforcement), centralized RBAC (least privilege), cost management (budgets, alerts), compliance automation (Azure Policy).

Implementation

Governance architecture components:

  1. Management Groups: Root → Production/Non-Production → BU/Workloads, with policy inheritance top-down
  2. Subscriptions: per environment (Prod/Dev/Test), per workload, per cost center
  3. RBAC: Azure built-in roles (Owner, Contributor, Reader), custom roles (least privilege), PIM (Privileged Identity Management)
  4. Azure Policy: CIS/ISO compliance initiatives, custom organizational policies, Deny/Audit/Remediate effects
  5. Naming conventions: subscription names, resource groups, tags (Environment, Owner, Cost Center)
  6. Cost Management: budgets per subscription, cost alerts, spending limits
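The hierarchy and inheritance described above, as an added Python model that is not part of the baseline's own script: management groups form a tree, a policy assigned at a node applies to every subscription beneath it, and each resource is evaluated against the policies in effect at its subscription, with Deny blocking and Audit only recording. Group names, subscriptions, policies and resources are all constructed for the example; a subscription outside the tree is reported as unmanaged, which is the subscription-sprawl case the design warns about.

```python
"""Added example (not the baseline's own code): a model of the management
group hierarchy from the design above, with policy inheritance top-down and
Deny/Audit effects evaluated per resource. Group names, subscriptions,
policies and resources are all constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """One policy assignment. Two rule types are modelled: required tags
    and allowed locations; effect is 'Deny' or 'Audit'."""
    name: str
    effect: str
    required_tags: tuple = ()
    allowed_locations: tuple = ()

    def violation(self, resource: dict) -> Optional[str]:
        missing = [t for t in self.required_tags if t not in resource["tags"]]
        if missing:
            return f"{self.name}: missing tags {missing}"
        if self.allowed_locations and resource["location"] not in self.allowed_locations:
            return f"{self.name}: location {resource['location']} not allowed"
        return None


@dataclass
class ManagementGroup:
    name: str
    policies: list = field(default_factory=list)
    children: list = field(default_factory=list)
    subscriptions: list = field(default_factory=list)


def effective_policies(node: ManagementGroup, subscription: str, inherited=()):
    """Walk down from `node`; return the policies in effect for `subscription`
    (ancestors first), or None if the subscription is not in the tree."""
    chain = tuple(inherited) + tuple(node.policies)
    if subscription in node.subscriptions:
        return chain
    for child in node.children:
        found = effective_policies(child, subscription, chain)
        if found is not None:
            return found
    return None


def evaluate(root: ManagementGroup, resources: list) -> dict:
    """Verdict per resource: 'allowed', 'audit' (logged, not blocked),
    'denied' (a Deny policy matched) or 'unmanaged' (subscription outside
    the hierarchy, i.e. subscription sprawl)."""
    verdicts = {}
    for r in resources:
        policies = effective_policies(root, r["subscription"])
        if policies is None:
            verdicts[r["name"]] = "unmanaged"
            continue
        verdict = "allowed"
        for p in policies:
            if p.violation(r) is None:
                continue
            if p.effect == "Deny":
                verdict = "denied"
                break
            verdict = "audit"
        verdicts[r["name"]] = verdict
    return verdicts


def build_hierarchy() -> ManagementGroup:
    """Root -> Production / Non-Production, as in the design. Constructed."""
    allowed_regions = Policy("allowed-locations", "Deny",
                             allowed_locations=("westeurope", "northeurope"))
    tags = ("Environment", "Owner", "CostCenter")
    prod = ManagementGroup("mg-production",
                           policies=[Policy("require-tags", "Deny", required_tags=tags)],
                           subscriptions=["sub-prod-payments"])
    nonprod = ManagementGroup("mg-non-production",
                              policies=[Policy("require-tags", "Audit", required_tags=tags)],
                              subscriptions=["sub-dev-sandbox"])
    return ManagementGroup("mg-root", policies=[allowed_regions], children=[prod, nonprod])


# Constructed resources; the same tag gap is Deny in prod and Audit in dev.
RESOURCES = [
    {"name": "prod-vm-01", "subscription": "sub-prod-payments", "location": "westeurope",
     "tags": {"Environment": "prod", "Owner": "payments-team", "CostCenter": "CC100"}},
    {"name": "prod-vm-02", "subscription": "sub-prod-payments", "location": "westeurope",
     "tags": {"Environment": "prod", "Owner": "payments-team"}},
    {"name": "dev-vm-01", "subscription": "sub-dev-sandbox", "location": "westeurope",
     "tags": {"Environment": "dev"}},
    {"name": "dev-vm-02", "subscription": "sub-dev-sandbox", "location": "eastus",
     "tags": {"Environment": "dev", "Owner": "dev-team", "CostCenter": "CC200"}},
    {"name": "rogue-vm-01", "subscription": "sub-unknown", "location": "westeurope",
     "tags": {}},
]

if __name__ == "__main__":
    for name, verdict in evaluate(build_hierarchy(), RESOURCES).items():
        print(f"{name:12} {verdict}")
```

The root-level location policy is evaluated before the environment-level tag policy because the chain is built ancestors first, which is how a Deny assigned at the root overrides anything a child group would merely audit.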

Prerequisites

  1. Azure EA or CSP agreement
  2. Management group hierarchy designed
  3. Subscription strategy defined
  4. RBAC model documented
  5. Tagging strategy
  6. Cost budgets per BU

Implementation

Create management groups, organize subscriptions, assign policies, configure RBAC, implement tagging, set budgets. Ongoing: policy updates, RBAC reviews, cost optimization.
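The ongoing RBAC review from the step above, as an added Python example that is not part of the baseline's azure-governance.ps1: it walks a role-assignment export and flags deviations from the least-privilege and PIM model in the design (privileged roles granted directly to users at management-group or subscription scope, access-administration roles on workload identities, custom roles with an unrestricted wildcard). The input mirrors the fields of an `az role assignment list` or Get-AzRoleAssignment result; all principals, ids, scopes and custom roles are constructed.

```python
"""Added example (not the baseline's azure-governance.ps1): an RBAC
least-privilege review over a role-assignment export, the kind of check
the ongoing 'RBAC reviews' step runs. All principals, ids, scopes and
custom role definitions below are constructed."""
import re

# Roles that change configuration or access; direct grants to users at
# broad scope bypass the group-plus-PIM model of the design.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed id
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"

ASSIGNMENTS = [  # constructed sample export
    {"principalName": "alice@contoso.example", "principalType": "User",
     "role": "Owner", "scope": SUB},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "role": "Owner", "scope": MG_ROOT},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "role": "Reader", "scope": SUB},
    {"principalName": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "role": "Contributor", "scope": SUB + "/resourceGroups/rg-payments-prod"},
    {"principalName": "sp-legacy-automation", "principalType": "ServicePrincipal",
     "role": "Owner", "scope": SUB},
]

CUSTOM_ROLES = [  # constructed role definitions
    {"roleName": "Network Operator",
     "actions": ["Microsoft.Network/*/read", "Microsoft.Network/networkSecurityGroups/write"]},
    {"roleName": "Legacy Admin", "actions": ["*"]},
]


def scope_level(scope: str) -> str:
    """Classify an Azure scope string by hierarchy level."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", scope):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", scope, re.IGNORECASE):
        return "resourceGroup"
    return "resource"


def review_assignments(assignments: list) -> list:
    """Return findings as dicts; an empty list means no deviation found."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if (a["principalType"] == "User" and a["role"] in PRIVILEGED_ROLES
                and level in BROAD_SCOPES):
            findings.append({"principal": a["principalName"],
                             "reason": f"{a['role']} granted directly to a user at "
                                       f"{level} scope; use a group with PIM eligibility"})
        elif a["principalType"] == "ServicePrincipal" and a["role"] in ACCESS_ADMIN_ROLES:
            findings.append({"principal": a["principalName"],
                             "reason": f"{a['role']} on a workload identity at {level} "
                                       f"scope; it can grant itself or others access"})
    return findings


def review_custom_roles(roles: list) -> list:
    """Flag custom roles whose action list is an unrestricted wildcard."""
    return [{"principal": r["roleName"], "reason": "actions contain '*': not least privilege"}
            for r in roles if "*" in r["actions"]]


if __name__ == "__main__":
    for f in review_assignments(ASSIGNMENTS) + review_custom_roles(CUSTOM_ROLES):
        print(f"[FINDING] {f['principal']}: {f['reason']}")
```

The Contributor grant to the CI service principal at resource-group scope is deliberately not flagged: that is the workload-scoped, non-access-administering shape the design's subscription-per-workload model aims for.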

Compliance and Auditing

Governance is the foundation for: CIS Azure Benchmark (all controls require governance), BIO 11.01 (Policy for information security), ISO 27001 A.5.1 (Policies for information security), NIS2 Article 21 (Governance framework).

Monitoring

Use the PowerShell script azure-governance.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script azure-governance.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Azure Governance Design
.DESCRIPTION
    Implementation for Azure Governance Design
.NOTES
    Filename: azure-governance.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/platform/azure-governance.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Azure Governance Design"
$BIOControl = "9.01"

function Connect-RequiredServices {
    # Connection logic based on API (stub: no connection is made yet)
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "azure-governance"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    # Derive the overall verdict from the counts so the default branch below reports correctly
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        # Default: run the compliance check and report the overall verdict
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

Critical: Without Azure governance = uncontrolled environment (compliance impossible, security inconsistent, costs spiral - €10K+ monthly overruns common). Resource sprawl, no visibility, audit failures. The risk is CRITICAL - governance is the foundation.

Management Summary

Azure Governance Framework: Management Groups (hierarchy: enterprise/prod/dev/sandbox), subscription strategy (workload isolation), Azure RBAC (least privilege + PIM), Azure Policy (automated compliance enforcement: CIS/ISO initiatives), resource tagging (cost tracking, ownership), Cost Management (budgets, alerts). Activation: design governance hierarchy → deploy Management Groups → assign policies → RBAC model. Free (governance features included). Mandatory under BIO 5.01, ISO 27001. Implementation: 80-160 hours. ABSOLUTE PRIORITY - foundation of ALL Azure security. Deploy BEFORE workloads.