How Using Labels and Tags Can Simplify Cloud Migration and Zero Trust Segmentation

Senior Technical Product Manager

April 21, 2022

23 min. read

Moving applications to the cloud brings with it an array of advantages, such as cost, agility and most importantly, the regaining of your broom closet for actual cleaning supplies.

The move to the cloud also brings an important conversation to be had within your organization about how to tag assets in a cohesive manner. These tags provide a way to group workloads into categories that make sense for your business needs, including running reports, auditing for compliance or billing internal business units. So, if you’re in the position of having a clean slate with no existing tagging strategies already half-implemented, congratulate yourself on being the lucky one percent! But where do you begin?

This blog post is not about providing best practices surrounding tagging strategies. There are numerous well-written posts on tagging strategies from AWS, CloudCheckr, CloudZero and Microsoft worth reading. But what is worth discussing here is a common theme among them: While they all recommend a liberal usage of tags, they also recognize that tags are organized into categories that fit the purpose for which they are written. This grouping of related tags makes segmentation policy implementation achievable and simple to understand.

Keep label categories practical

Here's an analogy to help:

If you have ever attempted the task of creating a personal budget to control your finances, most experts on the subject will tell you how to do it in three easy steps: Create categories for the things you spend money on, assign dollars to them, and then desperately attempt to stay below that amount before the month is half over. (That’s usually how far I make it before stealing money from my "Noble Causes" bucket to pay for movie tickets…)

Now, suppose I start with creating categories for monthly bills, groceries and savings. I could go crazy and make sub-categories under groceries for "Necessities" like milk and bread and "Sugary Goodness" like donuts and mocha lattes. These sub-categories might be useful for tracking how much I’ve wasted on empty calories. But at the end of the day, it’s the “Groceries” category that I’m trying not to exceed. I’m not assigning dollars to donuts but to groceries. So, within the context of enforcing a budget as my primary goal, the limited set of categories helps me never overspend the dollars assigned to that category. I could make dozens of tags that are handy for ways to analyze what I’ve eaten, but when it comes to my accountant (i.e., spouse), it’s that "Groceries" category that she’s keeping an eye on.

So now that you’re on your way to financial freedom, let’s take this concept and apply it to a microsegmentation conversation.

Map and categorize workloads up front

Shifting to the cloud can make traffic flows difficult to map. And if you cannot map out and categorize what’s talking to what, it is hard to apply consistent security policies. It is this up-front exercise of categorization that pays dividends down the road and will help implement security policies that don't leave workloads exposed. Or equally dangerous: Workloads that you think are protected, but leave you vulnerable due to conflicting rulesets and rule-order confusion — this is the danger of using discrete tags as a basis for one-to-one security mappings.

So what does any of this have to do with Illumio?

At Illumio, we are all about helping companies achieve Zero Trust through simple strategies to get your microsegmentation deployment off the ground. Illumio's multi-dimensional labeling design helps guide customers through the process of inventorying their tag usage. We help you develop categories of labels that are practical for implementing segmentation policies.

These labels make it easy to develop a "human-readable," declarative model to describe what you want to protect instead of worrying about the how. Leave the how to Illumio.

Use Illumio CloudSecure's label mapping tool

We recognize that tagging hygiene is difficult to maintain. Each business unit may have started with its own tagging conventions. And as your company grows, migrates and merges, these former islands of tags become an alphabet soup of overlapping names, inconsistent syntax and outdated conventions.

This is where Illumio CloudSecure can help. CloudSecure has a label mapping tool built in so you can begin the journey of organizing tags into useful labels for your cloud-native applications.

Illumio CloudSecure label mapping — Mapping cloud tags to Illumio's standardized labels makes it easier to understand traffic flows and write security rules for cloud-native applications.

This will help you write security rules so that tags like “Production,” “prod,” and “Hands off! This is a critical app!” can be merged into a common label of “Production” on our visibility map.

Perhaps your company is working with several cloud providers such as AWS and Azure. Illumio can unify disparate tagging strategies across your clouds by:

Collecting object metadata and flow telemetry.
Applying a common label schema.
Providing a visualization of all your workloads and their interactions on a single viewing window.

Now, if only personal budgeting was this easy.