Everything you need to know about Cloud Tagging, Benefits of having a Cloud Tagging Strategy, how to implement Cloud Tagging policies and Best Practices on which tags to start with.
In recent years, the importance of cloud tagging has increased. Considering that more and more enterprises rely on cloud services, this doesn’t come as a surprise. While the cloud offers many advantages such as cost-effectiveness, increased agility, and flexibility, it has also introduced new challenges: (Multi)-cloud environments get easily complex, and many companies struggle with getting visibility into their distributed cloud environment.
In order to overcome these obstacles, businesses are advised to implement effective cloud tagging policies. Learn why standardizing naming and cloud tagging conventions for your cloud resources are vital to your company’s successful cloud operations.
The accelerated adoption of public cloud services requires companies of all sizes to define their cloud governance requirements. Although it only takes minutes to get into the cloud, power up virtual machines (VMs), provision storage, and run applications or other workloads, companies face the problem of not being able to understand which resources are being used for which purpose and how each is connected to the business.
While promises such as economies of scale, faster time to market, and a greater focus on business value are tempting, organizations often realize how easily they can lose track of their workloads. A well-defined and properly managed cloud tagging policy is the backbone of any cloud governance setup.
In addition to improving the documentation of cloud environments, a tagging strategy that is translated into effective and properly implemented tagging policies offers many other benefits.
Consider, for example, the ability to better understand cost management plus application tiering, automatic backup generation, or reporting capabilities that can be used based on specific tags. This reduces the likelihood of errors and allows a CCoE to focus on creating business value rather than on tasks such as ensuring regular backups of virtual servers.
Companies regularly employ a combination of explicit (i.e., assigning metadata and key-value pairs) and implicit (i.e., imposing naming conventions) cloud tagging.
There are advantages and disadvantages to both, but as cloud footprints expand, the number of tags necessary to document decentralized IT portfolios will complicate governance tasks.
Major hyper scalers like AWS, Azure, and GCP support two major concepts to ensure comprehensive tagging policies are in place: explicit and implicit tagging.
Explicit tagging: Assign metadata and key-value pairs to cloud resources that allow adding specific business dimensions and context to cloud assets.
Implicit tagging: Impose naming conventions regarding the cloud account. For example, (1) all resources in account “abc-prod” support the application abc in production; (2) all resources in account “abc-dev” support the application abc in development.
At LeanIX, we often see companies combining both concepts. However, implementing proper cloud tagging policies initially comes with the challenge of manual overhead. This can be reduced by automation and including the cloud tagging policy in Infrastructure as Code (IaC) templates.
Still, even automation is prone to human error and tied to the conventions of the hyper scaler (e.g., how many characters are permitted to be in use). The setup of the account structure has other implications as well, as policies, access, and management overhead are connected to it.
When deciding what tags to implement across every hyper scaler, it’s best to start with a simple shortlist so as to ensure that your organization gets into the habit of continuously tagging resources. Of course, the more mature a cloud footprint becomes the more tags one will want to install to organize it to their needs.
If a company wishes to ensure these tags remain uniform, accurate, and current at all times, LeanIX recommends using these five tags as a basis:
The tags presented previously should be owned by a central unit such as the CCoE. This group will hence be given the responsibility of the tag values in use and will ensure alignment with the stakeholders involved with each tag group.
The initial implementation of tags can be straightforward when the company sets up the initiative, but ownership must occur at lower levels to maintain and secure accurate pictures of what a company is actually doing. We recommend that the nature of the tags be documented within a shared resource across the company alongside the agreed-upon responsibilities of owners. Having this documentation can clear any confusion as to what roles a team plays.
Application Tag: For the application tag, we regularly see its management handled by enterprise architecture (EA) teams. The EA team manages the applications used in the organization and most often already has a repository of applications in place.
Cost Center Tag: The cost center tag reflects the nomenclature of cost centers set up in the company. The CCoE should work closely with the IT Controlling department to define the specific rules.
Department Tag: The department tag will likely require the CCoE to work with different departments to collect the applicable team names.
Environment Tag: The environment tag is most likely to be driven by the DevOps organization. As DevOps teams continue to manage deployments, it is they who have an overall picture of the condition of the resource. If there’s not a DevOps culture within the organization, the CCoE should work with the operation manager to define which names to use for which situation.
Data Classification Tag: Data classification is a tag that we see being managed by a security/compliance team run by the IT security department. Given that this team already manages other company compliance policies, it is a good practice to continue aligning within the realm of the cloud.
Finally, cloud tagging policies must be thoroughly documented and should cover policies of the tagging strategy that the company employs. This documentation should mainly list which tags are being used, who is in charge of the tags, and what values each tag contains.
Also, it should be documented what the tagging policies are and what they do. The documentation should be centrally accessed and be approved by leaders.
Ideally, one has a central tool in place for providing an overview of tagging policies, their documentation, and the progress of the implementation. This central repository helps teams to ensure the completeness of a company’s tagging strategy and governance.
Once a company has decided upon a cloud tagging strategy, it must then choose how to best implement it. One option is to set up governance and monitoring controls that work fairly reactively. Or, on the other hand, it can be decided to strictly regulate and control the provisioning of resources based on tags. Figuring out which approach best suits a company’s needs is a cultural decision that comes with unique advantages and disadvantages.
For example, in case one chooses to govern tagging by monitoring the usage of tags, clear rules need to be communicated about tags to all employees and then monitor their application. However, though this approach is less intrusive to the daily work of cloud operations teams and can help foster a culture of trust and autonomy, it is also prone to human errors as there are no direct controls to prevent mistakes (e.g., typos). Further, clearly communicating tag policies is only one thing — ensuring that they are applied and understood properly is another.
In contrast to this reactive yet trust-building approach, there is the possibility of implementing tagging by setting up regulations that only allow the provisioning of resources if accurate tags are set. This guarantees that no untagged resource is spun up while simultaneously also increasing data quality. However, it also installs guardrails for developers and might cause them to feel less agile or, even worse, micro-managed.
So, how to best set up and manage effective tagging policies? Well, as is so often the answer, it depends on a company’s culture and needs.
To implement effective tag governance, it is important to assess how capable an organization is of providing clear policies to any developer using a cloud resource. Assuming that this can be achieved, it is necessary to find ways to effectively monitor untagged resources (e.g. by account or department) and identify the owner responsible for them. This means that a cloud inventory that automatically detects and lists all cloud resources, their dependencies and the assigned owners, can simplify the process.
Once a cloud tagging strategy has been selected and an overview of your currently tagged and untagged resources is created, it is important to make proper tagging of cloud resources an integral part of an organization's development culture. One tactic for this is to gamify policies to make tagging a habit in the daily lives of your employees.
For example, consider adopting rules that prevent developers from bringing their agenda items to a meeting to discuss them further unless they are correctly tagged and monitored in a central inventory.
Alternatively, the team can be incentivized by pointing out that only correctly tagged items will be selected for upcoming sprints. Another idea could be to hold team tagging contests and compare which team performs best in tagging and award them.
As a rule of thumb, when it comes to cloud operations, automating as much as possible is key. Hence, we recommend using automation to provision resources. Wherever possible and feasible, implement tagging requirements into the automation in use.
For example, if IaC is already in use, embed tagging to templates for development and make it part of a pull request review to ensure that all tags are set. This mechanism comes very handily as you set the tagging for your service once and it will appear automatically on all resources that you provision thereafter using this particular template.
Automated solutions for cloud governance help organizations define and monitor tagging policies in two ways. First, it provides a repository to match cloud information against business context, ownership, and various other sets of information.
Doing so reduces the number of tags that need to be maintained at the hyper scaler and thereby contribute to more stable and reliable information. Secondly, it helps to make the technical concept of cloud tags visible and tangible in ways that business users can easily understand.
Here’s a five-step approach to consolidating, improving, and leveraging tagging with automated cloud tagging.
Users of automated solutions immediately get an automatically discovered overview of their cloud inventory to assess the current status quo of tagging implementation efforts. Once Product IT leadership understands the importance of tagging, automated solutions can support the team responsible for cloud governance to document and make tagging policies centrally accessible throughout an organization. Users are also provided with customizable dashboards to monitor and track central KPIs — those either global or dedicated to specific business areas (e.g., the tagging completion rate over time).
Capturing initial insights on the current status of the tagging practice helps IT management to better understand which incurring cost supports which organizational programs or products. Ideally, one receives this overview automatically and applies filters to generate the detailed views needed.
Since discovering untagged resources is an exercise that should be executed many times, many automated solutions provide powerful notification capabilities (e.g., generating Slack messages or notifying accounts owner whenever VMs reach a certain cost or miss a critical tag).
As discussed, a best practice tagging framework like the one provided by IT service provider CLOUDETEER covers aspects around Operation Management, Security, or Compliance & Governance but nonetheless requires high rigor and alignment to keep data up to date. Though IaC and automation obviously help, topics like responsibilities become hard to maintain consistently over time.
If this information becomes stale, such information tends to become mistrusted or even misleading. As core cloud governance processes rely on information quality, it’s clear that every tag omitted increases stability and decreases tedious efforts.
All tags mentioned offer clear value for stakeholders throughout the IT value chain. However, to connect with individuals outside IT departments, it’s important to limit technical details. Business stakeholders, for example, might be very interested if a certain application leverages AWS, if it hosts data in the U.S., if it carries a technical risk, or how much it costs.
A business stakeholder may never fully understand a tagging policy but automated solutions can nevertheless help. Not only does it make the business context explicit, but modern tools integrate seamlessly with EAM platforms. Here, findings based such as the application tag is aggregated in an actionable way for business stakeholders with technical details just one click away.
Setting up and implementing proper tagging policies brings clarity to cloud environments and will unlock the many benefits offered by the cloud. Automated solutions help to effectively tag these resources and maintain an up-to-date cloud resource inventory.
In particular, by creating this single source of truth, any Cloud Center of Excellence can streamline IT objectives with business requirements and greatly assist in the management of cloud operations.