CloudSecure Policy Model

Illumio lets you manage your security policies as either adaptive or static policy. This choice of how to implement security policy is made possible by the Illumio policy model.

About the Illumio CloudSecure Policy Model

The Illumio security policy for securing resources differs from traditional network security policies. Traditional security policies use network constructs, such as VLANs, zones, and IP addresses to tie security to the underlying network infrastructure.

In contrast, Illumio security policy uses a multidimensional label system to sort and describe the function of resources. Because resources are described functionally, policy statements are clear and unambiguous. Illumio users assign labels to their resources to identify their applications, environments, and regions. Additionally, users can derive labels by mapping cloud tags to labels. See Cloud Tag to Label Mapping for information.

Together, labeling resources and creating the corresponding rules define the security policies for resources. Illumio converts these label-based security policies into the appropriate protection for the resources.

Security Policy Guidelines

The following guidelines are recommendations on how to create your security policy in Illumio CloudSecure. Creating a security policy is an iterative process: following these recommendations yields a broad initial policy, which you then tighten incrementally until a sufficiently robust policy has been established.

When creating your security policy:

  • Refine your initial policy to strengthen it by narrowing overly broad access
  • Use provisioning to enact your policy

Understanding Rules

Rules are an integral component of Illumio security policy. Create the rules using labels, IP lists, and applications that identify aspects of your cloud environment. See Overview of Policy Attributes in this topic for more information.

Illumio's allowlist model for security policy uses rules to define the allowed communication for two or more resources. For example, if you have two resources that comprise a simple application — a web server and a database server — to allow these two resources to communicate, you must write a rule that describes this relationship.
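The following is an added example, not Illumio CloudSecure code and not its rule syntax: a small Python model of the label-based allowlist described in this topic, covering the tag-to-label mapping, the web-server-to-database rule above, and the refinement guideline (narrowing an overly broad rule). The tag keys, the extra "role" dimension used to tell the web tier from the database tier, the resource names and the rule names are all constructed for the illustration.

```python
"""
Illustrative model of a label-based allowlist policy, written for this page.
It is not Illumio CloudSecure code and does not reproduce its rule syntax;
the tag keys, the "role" dimension, resources and rule names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed mapping from cloud tag keys to label dimensions.
TAG_TO_LABEL: Dict[str, str] = {
    "Application": "app",
    "Environment": "env",
    "Region": "region",
    "Role": "role",  # assumed extra dimension: web tier vs. database tier
}


def labels_from_tags(tags: Dict[str, str]) -> Dict[str, str]:
    """Derive labels from a resource's cloud tags; tags with no mapping are ignored."""
    return {TAG_TO_LABEL[key]: value for key, value in tags.items() if key in TAG_TO_LABEL}


@dataclass
class Resource:
    name: str
    labels: Dict[str, str]


@dataclass
class Rule:
    """Allow traffic from resources matching `source` to resources matching `dest`.

    A selector maps dimension -> required value. An empty selector matches any
    resource, so the fewer dimensions a selector names, the broader the rule.
    """
    name: str
    source: Dict[str, str]
    dest: Dict[str, str]
    port: int
    proto: str = "tcp"


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(dim) == value for dim, value in selector.items())


def evaluate(rules: List[Rule], src: Resource, dst: Resource,
             port: int, proto: str = "tcp") -> Tuple[bool, Optional[str]]:
    """Allowlist semantics: the first matching rule allows; no match means deny."""
    for rule in rules:
        if (rule.port, rule.proto) != (port, proto):
            continue
        if selector_matches(rule.source, src.labels) and selector_matches(rule.dest, dst.labels):
            return True, rule.name
    return False, None


def cross_environment_pairs(rules: List[Rule], resources: Dict[str, Resource]):
    """List (rule, src, dst) triples a rule allows across environments: candidates for tightening."""
    findings = []
    for rule in rules:
        for a in resources.values():
            for b in resources.values():
                if a is b or a.labels.get("env") == b.labels.get("env"):
                    continue
                if evaluate([rule], a, b, rule.port, rule.proto)[0]:
                    findings.append((rule.name, a.name, b.name))
    return findings


# Constructed inventory, shaped like the tags a cloud provider returns.
INVENTORY = {
    "web-prod": {"Application": "shop", "Environment": "prod", "Region": "us-east", "Role": "web"},
    "db-prod":  {"Application": "shop", "Environment": "prod", "Region": "us-east", "Role": "db"},
    "web-dev":  {"Application": "shop", "Environment": "dev",  "Region": "us-east", "Role": "web"},
}
RESOURCES = {name: Resource(name, labels_from_tags(tags)) for name, tags in INVENTORY.items()}

# Broad first pass: any web tier may reach any database tier on 3306/tcp.
BROAD_RULES = [Rule("broad-web-to-db", {"role": "web"}, {"role": "db"}, 3306)]

# Refined policy: the same relationship scoped to one application and environment.
REFINED_RULES = [Rule("shop-prod-web-to-db",
                      {"app": "shop", "env": "prod", "role": "web"},
                      {"app": "shop", "env": "prod", "role": "db"}, 3306)]

if __name__ == "__main__":
    print("broad rule leaks across environments:", cross_environment_pairs(BROAD_RULES, RESOURCES))
    print("refined rule leaks:", cross_environment_pairs(REFINED_RULES, RESOURCES))
    print("web-prod -> db-prod:3306 under refined policy:",
          evaluate(REFINED_RULES, RESOURCES["web-prod"], RESOURCES["db-prod"], 3306))
```

Running the script shows the broad rule permitting the dev web server to reach the production database, which the refined rule no longer allows, while the intended web-to-database flow still works and the reverse direction and other ports stay denied by default.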

Types of CloudSecure Policy

CloudSecure provides two types of policies — Organization and Application. For instructions on creating rules for policies, see the pop-ups in the CloudSecure GUI. For guidelines specific to each type, see the following topics:

Overview of Policy Attributes

Illumio CloudSecure uses the following policy attributes that help you write your security policy: