Cloud Deployment Tagging Guide
The Context Your Team Needs
Resource tagging is the primary context communication method in the Cloud but many organizations struggle to define the terms and a model to describe and analyze their Cloud deployments. The k9 Security Guide to Tagging Cloud Deployments helps technology teams tag Cloud application and infrastructure resources with the context needed to manage, operate, and secure those resources effectively.
With this information, Development, Operations, Finance, Security, Audit, and Risk Management personnel can collaborate efficiently and answer many of their own questions without resorting to time and attention consuming meetings and chats.
Get the Tagging Guide
Follow the tagging guide to identify your Cloud resources and analyze deployment security and risks more effectively.
This tagging model will help you answer questions like:
- Who owns this resource? What application does it belong to?
- Who should we call when the application is broken?
- Who should pay for this resource? Which applications are driving our costs?
- Do access controls secure this resource appropriately?
- How much risk does our Cloud deployment have? Where is that risk concentrated?
- Which security improvements reduce our risk the most?
The model is organized into three aspects of context:
- Identity & Scope
Let’s define the tags for each of those aspects now.
Identity & Scope
Let’s start with the context required to perform basic operational and cost management functions. The tags described in this section identify and scope resources to key organizational and process boundaries and form the core of the tagging model.
|Owner||Identifies who is responsible for the resource. The most important tag of all.||Ecommerce, email@example.com, #data-science-ops|
|Application||Identifies resources that support a specific application deployment||ecommerce-frontend, order-fulfillment|
|Name||Identifies a resource with a name meaningful to people||emr-api-dev-14, emr-mysql-db-prod-02|
|Environment||Identifies stage of Application delivery the resource belongs to||dev, stage, prod|
|Role||Describes the function of a resource within an Application’s logical architecture||load balancer, app server, database|
|Business Unit||Identifies the top-level organizational division that owns the resource||Consumer Retail, Enterprise Solutions, Manufacturing|
|Business Process||Identifies the high-level business process the resource supports||Marketing, Fulfillment, Provider Integration|
|Cost Center||(As Needed) Identifies the managerial accounting cost center for the resource||C1234|
|Compliance Scheme||(As Needed) Identifies the regulatory compliance scheme the resource’s configuration should conform to||HIPAA, PCI, SOC2, N/A|
These nine tags identify and scope resources for the purposes of operating Cloud applications and managing their costs effectively. Additionally, this core set of tags lays the foundation for analyzing security and risk.
Once Cloud resources have been identified and scoped to particular applications, business processes, and environments, you can proceed to ask questions about the security of those information assets.
Tag resources in a Cloud deployment with stakeholders’ expectations for the confidentiality, integrity and availability of information processed or stored by that resource.
|Confidentiality||Specifies stakeholders’ intended level of confidentiality and uses of the data processed or stored by this resource, both inside and outside the organization.||Public, Internal, Confidential, Restricted|
|Integrity||Specifies stakeholders’ intended level of integrity for this data as required by the Business Process.||0.999, 0.9999, …, 0.999999|
|Availability||Specifies stakeholders’ desired portion of time or service requests that the resource should provide reliable and timely access in order for the Business Process to function acceptably, measured monthly in NINES of availability or allowed downtime per month.||0.9995, 0.9999, 0.99999|
These tags align your Cloud deployments with mainstream information security and risk management models. Once this domain knowledge is available in tags, Cloud and Security teams can automate much of the recurring security and compliance analysis.
Risk assessments should help people understand a given Cloud deployment’s information security risks and help leaders make better decisions when managing those risks.
Once you describe the security context of your (most critical) information assets’ intended Confidentiality, Integrity, and Availability, you have the foundation to describe and then analyze risk in a fine-grained, scalable, repeatable way.
Record the most important Risk context of your information assets in terms of the impact of the loss of those information security attributes as tags on the resources that process or store them. Quantify a threat’s impact using a confidence interval that covers the range of potential monetary losses you expect to incur from an event such as a data breach 90% of the time.
|ImpactLossConfidentiality||An interval covering 90% of the probable range of potential monetary losses due to a loss of confidentiality for a single incident.||Quantitative: [1000, 1.0E+06]
Qualitative: Low, Moderate, High
|ImpactLossIntegrity||An interval covering 90% of the probable range of potential monetary losses due to a loss of integrity for a single incident.|
|ImpactLossAvailability||An interval covering 90% of the probable range of potential monetary losses due to a loss of availability for a single incident.|
When you share these impact intervals, you’ll likely have a conversation about the boundaries and shape of the distribution of loss. This is great because it means you’ve connected with your colleague on terms they understand. Use that discussion to update the estimate with that new information and move forward together.
Once you adopt the tags recommended by this guide, you will have the data required to:
- Identify resource owners
- Identify which resources support which applications and environments
- Understand and manage budgets for resource usage by Business Process, Application, Environment, and more
- Understand the intended major information security and availability attributes for data sources and application components
- Automate compliance, security, and risk analysis processes
- Understand where risk is concentrated in the Cloud deployment, enabling risk management at the Business Process level and individual Applications
Get k9 News
Get k9 Security technical articles & release updates, at most weekly.