Security and privacy are important in cloud services. Numerous security and privacy patterns as well as non-pattern-based knowledge such as practices and principles exist in cloud services. Selecting and combining the appropriate knowledge is difficult due to numerous options and the nature of the layered cloud stack. Herein we propose a metamodel called the Cloud Security and Privacy Metamodel (CSPM) to handle security and privacy in cloud service development and operations. CSPM can classify and support existing cloud security and privacy patterns and practices in a consistent and uniform manner. Moreover, we propose a security and privacy aware process to develop cloud system utilizing CSPM. Several case studies verify the effectiveness and usability of our approach. As a result, we confirmed effectiveness and usability of CSPM, as well as some possible future work.