Cloud Tagging Guide for Effective Context

The Context Your Team Needs

Resource tagging is the primary context communication method in the Cloud. But many organizations struggle to define the terms and a model to describe and analyze their Cloud deployments. The k9 Security Cloud Tagging Guide provides a model for technology teams to tag Cloud application and infrastructure resources with the context needed to manage, operate, and secure those resources effectively.

With this information, Development, Operations, Finance, Security, Audit, and Risk Management personnel can collaborate efficiently and answer many of their own questions without resorting to time and attention consuming meetings and chats.

Get the Cloud Tagging Guide

Follow the tagging guide to identify your Cloud resources and analyze deployment security and risks more effectively.

This tagging model will help you answer questions like:

  • Who owns this resource? What application does it belong to?
  • Who should we call when the application is broken?
  • Who should pay for this resource? Which applications are driving our costs?
  • Do access controls secure this resource appropriately?
  • How much risk does our Cloud deployment have? Where is that risk concentrated?
  • Which security improvements reduce our risk the most?

The Cloud tagging guide organizes the model into three aspects of context:

  1. Identity & Scope
  2. Security
  3. Risk

Let’s define the tags for each of those aspects now.

Identity & Scope

Let’s start with the context required to perform basic operational and cost management functions. The tags described in this section identify and scope resources to key organizational and process boundaries and form the core of the tagging model.

Name Definition Example Values
Owner Identifies who is responsible for the resource. The most important tag of all. Ecommerce, [email protected], #data-science-ops
Application Identifies resources that support a specific application deployment ecommerce-frontend, order-fulfillment
Name Identifies a resource with a name meaningful to people emr-api-dev-14, emr-mysql-db-prod-02
Environment Identifies stage of Application delivery the resource belongs to dev, stage, prod
Role Describes the function of a resource within an Application’s logical architecture load balancer, app server, database
Business Unit Identifies the top-level organizational division that owns the resource Consumer Retail, Enterprise Solutions, Manufacturing
Business Process Identifies the high-level business process the resource supports Marketing, Fulfillment, Provider Integration
Cost Center (As Needed) Identifies the managerial accounting cost center for the resource C1234
Compliance Scheme (As Needed) Identifies the regulatory compliance scheme the resource’s configuration should conform to HIPAA, PCI, SOC2, N/A

These nine tags identify and scope resources for the purposes of operating Cloud applications and managing their costs effectively. Additionally, this core set of tags lays the foundation for analyzing security and risk.


Once Cloud resources have been identified and scoped to particular applications, business processes, and environments, you can proceed to asking questions about the security of those information assets.

Tag resources in a Cloud deployment with stakeholders’ expectations for the confidentiality, integrity and availability of information processed or stored by that resource.

Name Definition Example Values
Confidentiality Specifies stakeholders’ intended level of confidentiality and uses of the data processed or stored by this resource, both inside and outside the organization. Public, Internal, Confidential, Restricted
Integrity Specifies stakeholders’ intended level of integrity for this data as required by the Business Process. 0.999, 0.9999, …, 0.999999
Availability Specifies stakeholders’ desired portion of time or service requests that the resource should provide reliable and timely access in order for the Business Process to function acceptably, measured monthly in NINES of availability or allowed downtime per month. 0.9995, 0.9999, 0.99999

These tags align your Cloud deployments with mainstream information security and risk management models. Once this domain knowledge is available in tags, Cloud and Security teams can automate much of the recurring security and compliance analysis.


Risk assessments should help people understand a given Cloud deployment’s information security risks and help leaders make better decisions when managing those risks.

Once you describe the security context of your (most critical) information assets’ intended Confidentiality, Integrity, and Availability, you have the foundation to describe and then analyze risk in a fine-grained, scalable, repeatable way.

Record the most important Risk context of your information assets in terms of the impact of the loss of those information security attributes as tags on the resources that process or store them.  Quantify a threat’s impact using a confidence interval that covers the range of potential monetary losses you expect to incur from an event such as a data breach 90% of the time.

Name Definition Example Values
ImpactLossConfidentiality An interval covering 90% of the probable range of potential monetary losses due to a loss of confidentiality for a single incident. Quantitative: [1000, 1.0E+06]
Qualitative: Low, Moderate, High
ImpactLossIntegrity An interval covering 90% of the probable range of potential monetary losses due to a loss of integrity for a single incident.
ImpactLossAvailability An interval covering 90% of the probable range of potential monetary losses due to a loss of availability for a single incident.

When you share these impact intervals, you’ll likely have a conversation about the boundaries and shape of the distribution of loss. This is great because it means you’ve connected with your colleague on terms they understand. Use that discussion to update the estimate with that new information and move forward together.

Use the Cloud Tagging Guide

Read the full Cloud tagging guide for deeper definitions and analysis. Consider integrating the tagging model into your own contextualized management strategy.

When you adopt the tags recommended by the guide, you will have the data required to:

  • Identify resource owners
  • Identify which resources support which applications and environments
  • Understand and manage budgets for resource usage by Business Process, Application, Environment, and more
  • Understand the intended major information security and availability attributes for data sources and application components
  • Automate compliance, security, and risk analysis processes
  • Understand where risk is concentrated in the Cloud deployment, enabling risk management at the Business Process level and individual Applications

Contact Us

Please contact us and we’ll be happy to discuss any questions you have.


Get k9 News

Get k9 Security technical articles & release updates, at most weekly.