A Guide to Managing Cloud Tagging Policies

Posted by Tim R on October 23, 2020


Cloud transformations depend on how well enterprises actually organize and monitor their cloud-based workloads. Companies across industries often entrust these tasks to a Cloud Center of Excellence (CCoE), a cross-functional team focused on creating visibility in the cloud and identifying the ways in which cloud resources support business. However, to better understand the business reasons behind cloud resources, CCoEs and developers alike also utilize the concept of tagging — a process that nonetheless requires clear policies to guarantee logic and consistency.

No matter which hyperscaler or combination of hyperscalers is in use (e.g., Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP)), tagging strategies and policies, coupled with a solution for tracking implementation and adherence efforts, are essential for answering questions like the following:

  • Who is the owner of a virtual machine (VM)? Who can be reached if something goes wrong?
  • What is the purpose of a VM? Is it hosting, for example, a business-critical customer relationship management (CRM) system or a website?
  • Who pays for the usage of this VM, and which cost center specifically?
  • In which environment does any given VM run (i.e., production, development, or testing)?
  • Are business-critical applications and servers backed up properly across all hyperscalers?
  • Is a given VM processing customer data?

To help, LeanIX and IT service provider CLOUDETEER have put together recommendations and best practices on cloud tagging. This blog will cover some of these items, including the benefits of cloud tagging, how to implement policies spanning both technical (e.g., Infrastructure as Code (IaC)) and organizational (e.g., guidelines for terminating untagged resources) considerations, and a five-step walkthrough on effectively managing and monitoring tag usage with LeanIX Cloud Intelligence.


How to organize tagging policies

Companies regularly employ a combination of explicit (i.e., assigning metadata and key-value pairs) and implicit (i.e., imposing naming conventions) tagging. There are advantages and disadvantages to both, but as cloud footprints expand, the number of tags necessary to document decentralized IT portfolios will complicate governance tasks. Inside this white paper is a detailed list of 28 tags provided by CLOUDETEER and grouped according to Operation Management, Security, Compliance & Governance, and Workload (Service) Specific functions to streamline cloud adoption. However, if a company wishes to ensure these tags remain uniform, accurate, and current at all times, LeanIX recommends using these five tags as a basis:

  1. Application tags: A unique ID to identify cloud-based applications that doesn’t vary across teams and remains consistent with the end product. Labels can match those already in use in other organizational tools, CMDBs, or architectural repositories like those offered by LeanIX.
  2. Cost center tags: Tags to help assess which applications and teams create the highest costs and whether expenditure is proportionate to business value. By assigning cloud resources to cost center tags, users can drive IT spend accountability through showback overviews and chargeback possibilities while minimizing manual overhead for report-building.
  3. Department tags: Labels showing which departments are associated with cloud-based resources to expedite stakeholder outreach. Tagging resources by department rather than by an individual — whether for purposes such as security, training, cost-tracking, management, or compliance — is more reliable given the likelihood of employee turnover.
  4. Environment tag: Values such as development, testing, and production are used to show how cloud resources affect specific environments. These tags save developers a considerable amount of time in determining where workloads can be tested — theoretically freeing up time for innovation in the process.
  5. Data classification: Practical, clear-cut guidelines on who can access which services. Thanks to data classification tags, users know exactly what’s needed to protect any asset through markings such as strictly internal, internal, classified, and public.

Each of the above tags is best managed by a specific user group under the supervision of the CCoE, a centrally organized, cross-functional unit. For example, it’s recommended that application tags be moderated by enterprise architecture teams, who are likely to already have a catalogue of applications in use. Environment tags are best taken over by the DevOps organization (which manages deployments in the first place), and data classification tags by members of the IT security department with strong familiarity with compliance and security regulations.
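As an added illustration (not code from LeanIX or CLOUDETEER), the five baseline tags can be expressed as a policy and checked against an inventory. The tag key names, record layouts, and resource IDs below are assumptions constructed for this example; the sketch also goes slightly beyond the text by normalizing the three tag shapes hyperscalers commonly return (AWS key/value lists, Azure tag maps, GCP lowercase labels).

```python
import re

# Five baseline tags; None = any non-empty value, list = allowed values from the article.
POLICY = {
    "application": None,
    "cost-center": None,
    "department": None,
    "environment": ["development", "testing", "production"],
    "data-classification": ["strictly internal", "internal", "classified", "public"],
}

def canon(text):
    """Fold case and separators so CostCenter, cost_center and cost-center compare equal."""
    return re.sub(r"[^a-z0-9]", "", str(text).lower())

def extract_tags(resource):
    """Return {canonical_key: value} from AWS-, Azure- or GCP-shaped records."""
    raw = resource.get("Tags") or resource.get("tags") or resource.get("labels") or {}
    if isinstance(raw, list):  # AWS shape: [{"Key": ..., "Value": ...}]
        raw = {t["Key"]: t["Value"] for t in raw}
    return {canon(k): str(v or "").strip() for k, v in raw.items()}

def audit(resource):
    """List policy violations for one resource; an empty list means compliant."""
    tags = extract_tags(resource)
    findings = []
    for key, allowed in POLICY.items():
        value = tags.get(canon(key), "")
        if not value:
            findings.append(f"missing:{key}")
        elif allowed and canon(value) not in {canon(a) for a in allowed}:
            findings.append(f"invalid:{key}={value}")
    return findings

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"id": "i-constructed-01", "Tags": [
        {"Key": "Application", "Value": "crm-001"}, {"Key": "CostCenter", "Value": "CC-4711"},
        {"Key": "Department", "Value": "Sales"}, {"Key": "Environment", "Value": "Production"},
        {"Key": "DataClassification", "Value": "Internal"}]},
    {"id": "vm-constructed-02", "tags": {
        "application": "web-shop", "cost-center": "CC-1200", "department": "Marketing",
        "environment": "prod", "data-classification": "public"}},
    {"id": "gce-constructed-03", "labels": {
        "application": "billing", "department": "finance",
        "environment": "testing", "data_classification": "strictly_internal"}},
    {"id": "disk-constructed-04", "Tags": []},
]

def report(inventory):
    """Map resource id -> findings for every non-compliant resource."""
    results = {r["id"]: audit(r) for r in inventory}
    return {rid: f for rid, f in results.items() if f}

if __name__ == "__main__":
    for rid, findings in report(INVENTORY).items():
        print(rid, findings)
```

Note that an abbreviated value such as `prod` fails the environment check even though the key is present, which is the kind of drift a fixed value list is meant to catch.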

How to set up and manage tagging policies

A company’s organizational culture will inevitably dictate the most feasible approach for implementing cloud tagging policies. This often results in a choice between a reactive approach (i.e., an autonomous, employee-centric governance structure) and a highly regulated one (i.e., a strict provisioning of resources contingent on tagging qualifications). But regardless of where on the tagging governance spectrum a company lands, the interests of tag owners themselves will influence enforcement protocols. Of note, the identity and access management mechanisms offered by hyperscalers can be used to enable specific preferences.

Automating as much of this process as possible is key to success in cloud operations — either by way of configurable templates for developers or tools such as Env0 for non-production environments. Similarly, a self-service portal housing all materials for provisioning is useful when provisioning resources and supporting central tag management.

5 steps to implement effective tagging with LeanIX Cloud Intelligence

SaaS-based solutions for generating high-level transparency into the status of cloud tagging and governance endeavors greatly complement CCoE activities. LeanIX Cloud Intelligence, one of the three modules in the LeanIX Cloud Native Suite, lets organizations define and monitor tagging policies via shared access to a configurable inventory. Information on cloud resources is automatically discovered from hyperscalers and sorted according to relevant business values — thereby simplifying resource classification and minimizing the number of tags to maintain within hyperscalers in the process.

Here’s a five-step guide to consolidating, improving and leveraging tagging with LeanIX Cloud Intelligence.

Step 1: Get an initial overview of tag implementation

To assess cloud resources and support tagging implementation, users can rely on customizable dashboards to document policies and align governance mandates to KPI-based metrics.

Step 2: Discover untagged resources

Filters can be applied to cloud landscapes to identify untagged resources. As more resources become tagged, IT management will begin leveraging more detailed insights into cloud components to rationalize the value of cost-intensive, cloud-based services.

Step 3: Simplify tagging setups

LeanIX Cloud Intelligence helps companies reduce manual maintenance efforts with mechanisms such as:

  • Subscriptions to resources separated by user responsibilities.
  • Synchronous links to application portfolio repositories like the LeanIX Enterprise Architecture Suite (EAS).
  • Business-centric analysis on tagging conventions and cloud accounts.

Step 4: Analyze financial or business impact of tagged resources

LeanIX Cloud Intelligence features dedicated cost reports to evaluate cloud expenses occurring across all organizational domains. These reports can be filtered according to untagged resources.

Step 5: Inform business stakeholders

Stakeholders outside of the IT bubble can receive comprehensive yet focused overviews of cloud resources in relation to specific tagging needs to better understand how cloud resources support their business function and at what cost. Updates on cloud governance can be accessed in user-defined granularity and viewed at an architectural layer via the LeanIX EAS.

If you’d like to know more about LeanIX Cloud Intelligence and how it supports effective tagging implementation, reach out at info@leanix.net or download the white paper below:

How to monitor and manage cloud tagging policies