Continuous Transformation Blog

Recommendations on Cloud Tagging for Cloud Governance

Written by Daniel Neumann | March 10, 2021

Cloud governance is not a novel IT management concept. In many ways, it is just another method to tackle a decades-old problem referred to as shadow IT. The only difference is that cloud governance focuses on challenges with the cloud rather than with on-premises technology.

Shadow IT dates back to when company departments and employees installed software to accomplish specific tasks — often without the IT department even knowing. This led to an ever-increasing technology stack that couldn’t properly be tracked and managed.

Shadow IT in the world of cloud is even more convenient for those in need of quick solutions. A credit card is all that a company department or individual employee needs to purchase and begin consuming cloud services. But the flexibility and convenience of this process (e.g., faster time to market) are obstacles for platform operation teams and Cloud Centers of Excellence (CCoEs), who need to monitor these services and understand where they run, how they support the business, and whether they comply with regulatory standards. This includes visibility into PII data, encryption, data sovereignty, and other mandatory security measures.

To ensure security and regulatory compliance, a cloud governance strategy is needed to help CCoEs and platform operations teams regain control over the cloud.

How can tagging help

Cloud tagging is an effective way to implement a cloud governance strategy. Whether for compliance, automation, or cost management, a consistent tagging policy can help allocate cloud resources, streamline reporting, and make cloud environments more compliant and cost-efficient. Tagging is also a proven method to support automation processes such as Infrastructure-as-Code.

For organizations to seize the benefits of standardized tagging, we suggest implementing a combination of the following five tags, which are essential for structuring cloud resources. Together they cover compliance, automation, and cost management.

#  Key                        Value (example values)
1  region                     eu, us, ca
2  department                 product, marketing, customer success
3  environment                production, test, development
4  cost-center / cost_center  401, 402, 403
5  owner                      platform operations, team invent, team alpha

Region and environment tags are vital for governance efforts. For example, a cloud resource with the tag environment:production is treated differently than one with environment:test. This is because production resources hold customer data, and the region tag shows whether that data is stored in the correct customer region (which is important given data sovereignty and regulatory requirements).

At LeanIX, a best practice has proven to be implementing one or more policies that automatically assign the correct region tag based on the cloud region a resource is deployed in (e.g., eu for Europe, us for the United States). As we run our cloud environment on Microsoft Azure, we use the Azure Policy service, which allows us to use built-in or customized policies to assign the right region tags. An added value of this automated tagging process is that we can streamline reporting, for example, when discussing our compliance posture based on standardized tags.

Besides implementing a policy for the correct region assignment, you should also reflect the configuration in your Infrastructure-as-Code approach. Using standardized region tags, CCoEs can ensure that customer data is stored in the region it is supposed to be stored in, and that only production systems hold it, as they have stricter controls than test systems.

For automation purposes, the department and owner tags deserve attention next, alongside the region and environment tags.

Our recommendation is to start with region, environment, department, and owner tags as a baseline. Once the CCoE aligns with the development organization and IT controlling, your organization might want to implement additional tags. For example, for cost-saving purposes, LeanIX turns off most of the test systems overnight, which leads us to rely on the environment and department tags. But we also have some test systems that run 24/7, which is why we have introduced a unique tag called AUTO_STOP:enabled.

For automation, we use Azure Functions, one of Azure's serverless technologies, to stop and start our test systems in the European and Indian regions according to local time, without affecting our developers. However, to facilitate cost-efficient use of cloud resources, one also needs to implement cost center tags.

Besides the department and owner tags, the cost center tag helps you get a holistic overview of and deep insights into your cloud spend. Depending on what is needed, you can do an internal chargeback on the department's budget or, at the very least, provide every stakeholder in the company's management and engineering departments an overview of whether money is properly spent for different purposes.

Tags can’t be used and then ignored. In many ways, they are the most essential building block of a cloud governance strategy — even more than a consistent and existing naming schema.

How challenging is tagging in multi-cloud environments

Tagging is a cornerstone of any cloud governance strategy but becomes increasingly complicated in multi-cloud environments. In such environments, CCoEs must uphold a common tagging strategy to help coordinate change across cloud environments with varying stakeholders. Failing to deliver a consistent tagging strategy for these stakeholders will decrease the acceptance of tagging and lead to confusion across the entire company.

If, for example, environment:production is used as a tag for one cloud provider’s subscription and environment:prod is used in another, there will be two variants for tagging in a production environment. It may seem like a small difference, but without an aligned tagging policy, inconsistencies like this can lead to tremendous problems across cloud environments.

The key benefits of tagging — like resource allocation, cost-efficiency, and automation — can only be achieved when tagging policies are made visible, violations are detected, and deviating tagging practices are easily resolved. The LeanIX Microservice Intelligence module and its unique Cloud Tagging Management feature are here to help your CCoE efficiently evolve cloud environments by ensuring consistent tagging policies. Our LeanIX Policy Engine allows you to define rules, run them against your cloud environment, and instantly detect violations. This serves as a baseline for improving tagging, as you can now address stakeholders directly (e.g., via Jira) and ask them to use consistent tagging.
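As an added example (not the LeanIX Policy Engine and not an Azure Policy definition), the following Python checks a constructed resource inventory against the five recommended tags: it reports missing keys, the environment:prod versus environment:production variant, the cost-center / cost_center key variant, and a region tag that disagrees with the deployment location. The location-to-region mapping and the sample resources are assumptions for illustration.

```python
REQUIRED = ("region", "environment", "department", "owner", "cost_center")
ALLOWED = {                      # keys with a closed set of values
    "region": {"eu", "us", "ca"},
    "environment": {"production", "test", "development"},
}
# Assumed mapping from cloud location names to the article's region values.
LOCATION_TO_REGION = {
    "westeurope": "eu", "northeurope": "eu",
    "eastus": "us", "westus2": "us",
    "canadacentral": "ca",
}

def check_resource(resource):
    """Return the list of tagging-policy violations for one resource dict."""
    violations = []
    tags = dict(resource.get("tags", {}))
    if "cost-center" in tags:  # tolerate the hyphenated key, but flag the variant
        tags.setdefault("cost_center", tags.pop("cost-center"))
        violations.append("key variant cost-center; use cost_center")
    for key in REQUIRED:
        if key not in tags:
            violations.append(f"missing tag {key}")
    for key, allowed in ALLOWED.items():
        value = tags.get(key)
        if value is not None and value not in allowed:
            violations.append(f"{key}:{value} not in {sorted(allowed)}")
    # The region tag must agree with where the resource is actually deployed.
    expected = LOCATION_TO_REGION.get(resource.get("location"))
    region = tags.get("region")
    if expected and region is not None and region != expected:
        violations.append(f"region:{region} but deployed in {resource['location']} ({expected})")
    return violations

def check_inventory(resources):
    # Map resource name -> violations, only for resources that have any.
    return {r["name"]: v for r in resources if (v := check_resource(r))}

# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "web-prod-01", "location": "westeurope",
     "tags": {"region": "eu", "environment": "production", "department": "product",
              "owner": "platform operations", "cost_center": "401"}},
    {"name": "api-prod-02", "location": "westeurope",
     "tags": {"region": "eu", "environment": "prod", "department": "product",
              "owner": "team alpha", "cost-center": "402"}},
    {"name": "db-test-03", "location": "eastus",
     "tags": {"region": "eu", "environment": "test", "department": "marketing"}},
]
if __name__ == "__main__":
    for name, issues in check_inventory(SAMPLE).items():
        print(name, *("  - " + i for i in issues), sep="\n")
```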

If you’d like to know more about cloud tagging and how platforms like LeanIX can help, reach out to us here.