Cloud sprawl can be avoided with good tagging practices
The cloud has its share of benefits, such as greater flexibility, accessibility, and resilience, but it also has flaws. We talked to Brian Johnson, co-founder and CEO of DivvyCloud, to learn more about the impact of “cloud sprawl” and how to avoid it.
JAXenter: The cloud has given us things like greater flexibility, accessibility, and resilience. But it also has flaws; managing all the services and resources can pose problems for systems administrators since it’s not easy to audit and enforce security policies or to track and optimize operational costs. Is tagging the answer to this problem?
Brian Johnson: Absolutely! Organizations can simplify and orchestrate critical tasks across multiple accounts/subscriptions and multiple using a global tagging policy. These helpful bits of user-defined data identify and describe the resources running across environments. They can provide insight into the application running on that infrastructure, the team responsible for that particular resource, who has financial responsibility, and anything else the company finds useful in governing their cloud environment.
JAXenter: Why are tags vital in a multi-cloud environment? What are the immediate benefits of tagging?
Brian Johnson: A tagging strategy gives you visibility and therefore control. Too often, without tagging, IT professionals are simply unable to answer basic questions about the what, where, why, and how of their cloud infrastructure. This is often referred to as “cloud sprawl” and has some real impacts.
First, costs are often poorly understood and, as a result, there is no accountability for the cost overruns and inefficiency that result. Second, security and compliance are at risk because of the lack of visibility. After all, it isn’t easy to secure something if you don’t know what that thing is. For example, regulated applications have specific controls they must adhere to.
Cloud sprawl means you often don’t know what infrastructure supports what applications and what regulatory standards apply. Tagging helps to solve for these problems. Good tagging practices enable automation that can save your organization significant time and money. And perhaps more importantly, tagging makes policy enforcement manageable – increasing control and security.
JAXenter: Since every organization has different goals, every tagging strategy should be different. How can organizations know where to start with their tagging strategy?
Brian Johnson: Whether you’re starting your tagging strategy from scratch or “retrofitting” your current cloud infrastructure, I recommend using the lowest common denominator approach. In other words, design it to accommodate the various and distinct limitations of each major cloud provider.
JAXenter: Are all tags supposed to be different or are there also “universal” tags? What are the tags that all organizations should use?
Brian Johnson: The full scope of your tagging strategy depends on a variety of factors. Every organization has different goals, and every tagging strategy should be defined based on those unique business needs. However, I recommend that every tagging strategy should begin with the following four tags:
- Application ID,
- Environment, and
From there, you can build out a more-complex tagging infrastructure, but these core tags will cover some very important bases for any cloud environment.
JAXenter: What are the dos and don’ts of tagging?
Brian Johnson: The most important “do” of tagging is to automate enforcement of your global tagging strategy, especially if you are embracing self-service provisioning and configuration in cloud infrastructure. Without automated enforcement, your tagging strategy will not be adhered to and will ultimately fail. Any automated enforcement needs two key elements.
First, it needs the ability to apply a consequence to a user who doesn’t tag a resource. For example, deleting a resource if no tag is applied after a certain number of warnings and time period. Second, it needs to provide clear feedback to users about what they are doing wrong, the consequences of noncompliance, and the value of compliance. Without this feedback loop, your enforcement policy will not succeed.
The most important “don’t” is: don’t duplicate tags. In some cases, granular tags may not be necessary. If there’s only one group that owns a specific set of resources, that can be reflected in a separate internal data set. An internal project ID or application ID can relate those items together, reducing error, omission, and cause for replication.