Ever stared at a screenful of Cloud resources and wondered:

  • Who owns this resource? What application does it belong to?
  • Who should we call when the application is broken?
  • Who should pay for this resource? Which applications are driving our costs?
  • Do access controls secure this resource appropriately?
  • How much risk does our Cloud deployment have? Where is that risk concentrated?
  • Which security improvements reduce our risk the most?

Yep, me too.

Figure: Cloud Deployment and Supporting Functions

Previously, I wrote:

  1. People and tools need context to work with your cloud effectively
  2. Existing standards don’t cover security and risk well, and this reduces the effectiveness of many security tools

Resource tagging is the primary method for communicating context in the Cloud, but many organizations struggle to define the terms and a model to describe and analyze their Cloud deployments. We need that context to answer the questions above and collaborate with our colleagues.

Many teams find it hard to get excited about creating and implementing a tagging standard. Even when you want to do it, there are often more urgent things that take priority. Your time and energy slowly melt away answering ‘simple’ questions as your deployments grow.

I wrote a comprehensive guide to tagging cloud deployments to help you define your tagging standard and explain why it’s important. The guide is freely available at:

https://k9security.io/docs/guide-to-tagging-cloud-deployments/

The guide helps technology teams tag Cloud application and infrastructure resources with the context needed to manage, operate, and secure those resources effectively.

The tagging model organizes and describes three areas of context for your resources:

  1. Identity & Scope
  2. Security
  3. Risk

You can adopt and adapt this tagging model incrementally. If you do it all, you’ll end up with an information model that looks like:

Figure: Managing Resources with Context

With this context, Development, Operations, Finance, Security, Audit, and Risk Management personnel can collaborate efficiently and answer many of their own questions without constantly resorting to time- and attention-consuming meetings and chats.

I’d love to hear what you think about this tagging model and how you might use it within your organization. I can also help you apply this model and improve your operational, security, and risk management capabilities. Hit reply!

Stephen

#NoDrama