How to improve cloud management through a cloud resource tagging policy

Good cloud governance relies on good tag hygiene: a disciplined, well-designed approach to tagging.

In the multi-cloud environments that enterprises are embracing, implementing enterprise-grade cloud governance platforms is the key to successful management of highly complex pricing structures and evolving cloud services. Using automation to maintain good tag hygiene will support critical governance initiatives for cloud security, cloud cost reporting, and cloud cost optimisation.

Applying a consistent set of tags—specifically for governance—globally across all of your resources will add metadata specific to your organisation. This can help improve categorisation of each of your cloud resources for cost allocation, reporting, chargeback and showback, cost optimisation, compliance, and security. Once implemented, a robust tagging policy will enable your organisation to optimise costs across all cloud providers and guarantee that your company has access to all of the cloud services it requires.

Understand tagging policy

In the absence of a tagging policy, it’s all too common for individuals or teams to use variations of the same tag. When this happens, accurate reporting becomes extremely difficult. To avoid these complications, and to ensure that tags are used effectively for governance and reporting purposes, having a tagging policy is absolutely critical.

A well-defined tagging policy incorporates:

  • Global tags, including how they will be applied consistently by all applications and teams in the organisation. The first table below provides recommended global tags; use this as a starting point from which your organisation can customise with specific tags and naming conventions.
  • Each cloud provider’s tags. As each cloud provider has different limits and restrictions on tags, your tagging policy must accommodate these parameters. The second table below identifies tags for AWS, Azure, and Google Cloud (GCP).
  • Guidelines for how individual teams or applications may add additional tags for their specific needs.
  • Consistent naming conventions, including spacing and uppercase/lowercase conventions.

Automation is key to implementing tags. For example, if you are using a cloud management platform for provisioning, all templates should be set up to attach the appropriate tags.

Implement and monitor your tagging policy

Create a staged rollout process for your tagging policy. This will help ensure effective implementation and monitoring, aided by buy-in from all relevant parties.

  • Stage 1: Define the tagging policy: Have your cloud governance team lead a process to define a global tagging policy. The team should work with key stakeholders to get feedback and buy-in. Once this team specifies the required global tags, development teams and resource owners should be responsible for adding the global tags. Central IT may assist with scripts and tools.
  • Stage 2: Reporting: The cloud governance team creates reports that show the current state; track improvements in tag coverage; and identify the level of coverage for global tags, by team or group. Distribute these reports weekly.
  • Stage 3: Alerting: Your cloud governance team sets up daily automated alert emails about resources that are missing the required tags. (An organisation may choose to stop at Stage 3 if it has achieved the desired adoption of global tags.)
  • Stage 4 (optional): Alerting with automated termination or escalation: The cloud governance and central IT teams should also set up automated “tag checking” to alert on missing tags and enforce the use of tags. Alerts on untagged resources specify a defined window (e.g. 24 hours) to tag resources. Enforcement could include sending an escalation to managers or, in some cases, adding default tags or even terminating instances that aren’t tagged correctly (only for non-production workloads).
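
A sketch of the Stage 2 to Stage 4 checks, added here as an example and not taken from the original article: it reports global-tag coverage per team and chooses an action for each resource missing required tags. The tag keys, the dev/test environment values, and the inventory records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed global tags and tagging window; replace with your policy's values.
REQUIRED = {"environment", "owner", "costcenter"}
GRACE = timedelta(hours=24)

def normalise(tags):
    """Fold case/spacing variants ('Cost Center', 'cost_center') to one key."""
    return {k.lower().replace(" ", "").replace("_", "").replace("-", ""): v
            for k, v in tags.items() if str(v).strip()}  # empty value = missing

def audit(resources, now):
    """Return (tag coverage per team, enforcement actions for untagged resources)."""
    totals, compliant, actions = {}, {}, []
    for r in resources:
        tags = normalise(r["tags"])
        missing = sorted(REQUIRED - tags.keys())
        team = tags.get("owner", "unassigned")
        totals[team] = totals.get(team, 0) + 1
        if not missing:
            compliant[team] = compliant.get(team, 0) + 1
            continue
        if now - r["created"] < GRACE:
            action = "alert"      # Stage 3: still inside the tagging window
        elif tags.get("environment", "").lower() in ("dev", "test"):
            action = "terminate"  # Stage 4: explicitly non-production only
        else:
            action = "escalate"   # production, or environment unknown: never terminate
        actions.append((r["id"], action, missing))
    coverage = {t: compliant.get(t, 0) / n for t, n in totals.items()}
    return coverage, actions

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed inventory records, not real resources
    {"id": "aws-i-001", "created": NOW - timedelta(days=3),
     "tags": {"Environment": "prod", "Owner": "payments", "Cost Center": "cc-100"}},
    {"id": "azure-vm-002", "created": NOW - timedelta(hours=2),
     "tags": {"environment": "dev", "owner": "payments"}},
    {"id": "gcp-vm-003", "created": NOW - timedelta(days=2),
     "tags": {"environment": "dev", "owner": "search"}},
    {"id": "aws-i-004", "created": NOW - timedelta(days=5),
     "tags": {"owner": "search", "cost_center": "cc-200"}},
]

if __name__ == "__main__":
    coverage, actions = audit(SAMPLE, NOW)
    print(coverage)
    for rid, action, missing in actions:
        print(f"{rid}: {action} (missing {', '.join(missing)})")
```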
