AZ-900 자격증 준비 9 - Describe features and tools in Azure for governance and compliance

9.1 Describe the purpose of Microsoft Purview

Microsoft Purview is a family of data governance, risk, and compliance solutions that helps you get a single, unified view into your data. 

Microsoft Purview brings insights about your on-premises, multicloud, and SaaS data together.

With Microsoft Purview, you can stay up-to-date on your data landscape.

 

Two main solution areas comprise Microsoft Purview: risk and compliance and unified data governance

 

 

Microsoft Purview risk and compliance solutions

Microsoft Purview, by managing and monitoring your data, is able to help your organization:

- Protect sensitive data across clouds, apps, and devices

- Identify data risks and manage regulatory compliance requirements

- Get started with regulatory compliance

 

Unified data governance

Microsoft Purview has robust, unified data governance solutions that help manage your on-premises, multiclud, and software as a service data.

Micrrosoft Purview's robust data governance capabilities enable you to manage your data stored in Azure, SQL and other databases or clouds.

Microsoft Purview helps:

- Create an up-to-date map of your entire data estate that includes data classification and end-to-end lineage

- Identify where sensitive data is stored in your estate

- Create a secure environment for data consumers to find valuable data

- Generate insights about how your data is stored and used

- Manage access to the data in your estate securely and at scale.

 

 

 

9.2 Describe the purpose of Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. 

These policies enforce different rules across your resource configurations so that those configurations stay compliant with corporate standards.

 

How does Azure Policy define policies?

Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives.

Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created and also prevent non-compliant resources from being created.

Azure policies can be set at each level, on a specific resource, resource group, subscription and so on and they are inherited (e.g. Azure policy on a resource group, all resources affected).

 

 

9.3 Describe the purpose of resource locks

A resource lock prevents resources from being accidentally deleted.

Even with Azure role-based access control (Azure RBAC) policies in place, there's still risk that people with the right level of access could delete critical cloud resources.

Resource locks prevent resources from being deleted or updated, and they can be applied to individual resources, resource groups, or even an entire subscription.

Resource locks are inheirted.

 

Types of Resource Locks

Two types of resource locks, one that prevents users from deleting and one that prevents users from changing or deleting a resource.

1. Delete means auhorized users can still read and modify a resource, but can't delete.

2. ReadOnly means authroized users can read a resource, but they can't delete or update.

 

To delete or change a locked resource

To modify a locked resource, first remove the lock and then apply any action you have permissions to perform.

 

 

9.4 Describe the purpose of the Service Trust portal

The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.

 

 

9.5 Module assessment

1. How can you prevent creation of non-compliant resources, without having to manually evaluate each resource?

Azure Policy

 

2. What's the best way to prevent inadvertent deletion of a resource?

Azure resource locks