Written by: Guy Ariëns

Secure cloud operations with Azure Cloud Adoption Framework and Policy as Code

One of our European energy customers was looking for future-proof cloud operations.

They adopted a ‘desired state management’ strategy early on in their cloud journey, acknowledging the need for security and control. But fast growth and acquisitions in preceding years led to a proliferation of policies and exemptions.

To uphold a high level of security, several work-arounds were put in place, which led to an unscalable situation.

Our solution was a redesign of the management group structure with a flat architecture, to prevent discrepancies, and the implementation of automated compliance to guarantee a structural and scalable solution.

We applied the Azure Cloud Adoption Framework together with EPAC (Enterprise Azure Policy as Code).

The main success factor: bringing people together

Our first step was to connect with business stakeholders and engineers to understand their future needs and current issues. This gave us the insight to design a solution based on proven standards that:

- facilitated efficient integration with on-premises infrastructure
- significantly reduced the lead time for new landing zones
- applied subscription vending
- allowed for sandboxing
- improved scalability and governance

We then completed the list with security, compliance and manageability requirements.

Considering all requirements and insights, we designed a solution based on the Azure Cloud Adoption Framework and included our best practices on code hygiene and migration.

As it was not possible to clean up all policies in advance, the existing policy structures also had to be migrated to the new solution. To minimize the potential impact on users, we chose a canary deployment strategy and used EPAC to translate policies into code.

Policy clean-up then continued during the project, using EPAC. An important benefit of EPAC is that it checks for obsolete policies and exemptions. Combined with a canary deployment, in which code is tested and deployed step by step, our migration strategy significantly reduced the risk of business impact.

EPAC also provides version control, makes the policy code searchable and tracks changes to it. These features improve the manageability of the solution: the resulting transparency prevents the creation of unnecessary policies and obsolete exemptions, which in turn speeds up the creation of new landing zones.

This transparency, combined with a six-eye principle on policy changes, makes the solution easily auditable, which helps the work of external auditors as well.
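The obsolete-exemption check mentioned above is described only in outline. The following Python script is an added illustration of that kind of review and is not EPAC's, Microsoft's or the customer's code. It uses the field names of the Azure Policy exemption resource (policyAssignmentId, exemptionCategory, expiresOn) on constructed sample data, and flags exemptions that have expired, that reference an assignment which no longer exists after a clean-up, or that duplicate another exemption on the same scope and assignment. The management group, subscription and assignment names are placeholders.

```python
"""Exemption hygiene review (added illustration, not EPAC code).

Flags three kinds of obsolete exemptions:
  - expired:   expiresOn lies in the past
  - orphaned:  the referenced policy assignment no longer exists
  - duplicate: same scope and assignment as an earlier exemption
"""
from datetime import datetime, timezone

# Placeholder assignment ids in the shape Azure uses for management-group scoped assignments.
_PREFIX = ("/providers/Microsoft.Management/managementGroups/mg-placeholder"
           "/providers/Microsoft.Authorization/policyAssignments/")
DENY_PUBLIC_IP = _PREFIX + "deny-public-ip"
REQUIRE_TAGS = _PREFIX + "require-tags"
LEGACY_SQL_AUDIT = _PREFIX + "legacy-sql-audit"   # constructed: removed during clean-up

# Constructed: the assignments that still exist after the migration.
LIVE_ASSIGNMENTS = {DENY_PUBLIC_IP, REQUIRE_TAGS}

# Constructed sample exemptions; expiresOn is ISO 8601 UTC, or None for "never expires".
EXEMPTIONS = [
    {"name": "edge-lb-public-ip", "scope": "/subscriptions/sub-a/resourceGroups/rg-edge",
     "policyAssignmentId": DENY_PUBLIC_IP, "exemptionCategory": "Waiver",
     "expiresOn": "2030-01-01T00:00:00Z"},
    {"name": "old-sandbox-tags", "scope": "/subscriptions/sub-b",
     "policyAssignmentId": REQUIRE_TAGS, "exemptionCategory": "Mitigated",
     "expiresOn": "2022-06-30T00:00:00Z"},              # expired
    {"name": "sql-audit-waiver", "scope": "/subscriptions/sub-c",
     "policyAssignmentId": LEGACY_SQL_AUDIT, "exemptionCategory": "Waiver",
     "expiresOn": None},                                # orphaned
    {"name": "edge-lb-public-ip-dup", "scope": "/subscriptions/sub-a/resourceGroups/rg-edge",
     "policyAssignmentId": DENY_PUBLIC_IP, "exemptionCategory": "Waiver",
     "expiresOn": None},                                # duplicate of the first entry
]

# Fixed review date so the result is reproducible; a real run would use datetime.now(timezone.utc).
REVIEW_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _parse_utc(timestamp):
    """Parse an ISO 8601 timestamp with a trailing Z; None means no expiry."""
    if timestamp is None:
        return None
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def review_exemptions(exemptions, live_assignments, now):
    """Return {exemption name: reason} for every exemption that should be removed or re-justified.

    Checks run in order of certainty: an expired exemption is reported as expired even if
    it is also orphaned, and duplicates are only detected among otherwise valid entries.
    """
    findings = {}
    seen = {}   # (scope, assignment id) -> name of the first valid exemption covering it
    for ex in exemptions:
        name = ex["name"]
        expires = _parse_utc(ex.get("expiresOn"))
        if expires is not None and expires <= now:
            findings[name] = "expired on " + expires.date().isoformat()
            continue
        if ex["policyAssignmentId"] not in live_assignments:
            findings[name] = "orphaned: assignment no longer exists"
            continue
        key = (ex["scope"].lower(), ex["policyAssignmentId"].lower())
        if key in seen:
            findings[name] = "duplicate of " + seen[key]
            continue
        seen[key] = name
    return findings


if __name__ == "__main__":
    for name, reason in review_exemptions(EXEMPTIONS, LIVE_ASSIGNMENTS, REVIEW_DATE).items():
        print(f"{name}: {reason}")
```

Scope and assignment ids are compared case-insensitively because Azure resource ids are not case-sensitive, so two exemptions that differ only in casing are still the same exemption. Running the script on the sample data reports the expired, orphaned and duplicate entries and leaves the single valid exemption untouched.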


Fully cleaned, scalable and secure

In the end, over 25 policy sets were reviewed and revised, 400 policies were updated, and 1200 exemptions were reviewed and either migrated or removed. The new structure ensures compliance and eliminates unnecessary restrictions.

The flat management group structure, combined with automated compliance, makes the solution transparent and trustworthy, gives the platform team more control over their environment, and lets the operations manager have a good night's sleep as well.