Organization Policy versus Application Policy

This topic explains the difference between organization and application policies.

For information about creating these types of policies, see Writing Organization Policy and Writing Application Policy.

About CloudSecure Policies

The Policies page lists all the different policies you have created in CloudSecure. The page contains two types of policies:

  • Organization policies
  • Application policies

What Are Organization Policies?

Codify Organizational Network Security Policies as Guardrails

Think of organization policies as guardrails: they can prevent application policies from allowing undesired traffic, or they can add allow rules for traffic that every application needs. An organization policy can exist on its own, but every organization policy is also evaluated during policy computation for each application policy.

Organization policies are broader policies, written independently of any application. They can override application policies, including any written in the future, that contain overly permissive allow rules.

Although organization policies are not tied to an application, you can still write one that targets a specific application. More typically, you use them for broad rules: preventing applications in the development environment from talking to anything in the production environment, blocking an entire set of IP ranges, or blocking all Telnet traffic. You can also write an organization policy using more fine-grained labels.

Define Organization Policies

Once you onboard your cloud accounts, you can define your organization policies. To write organization policies, go to Policies > Organization Policies tab. See Writing Organization Policy.

What are Application Policies?

Security teams use application policies to segment network traffic, using Illumio labels, services, and IPs or IP lists to define what can talk to an application and what data can leave the organization's network. Creating application policies is critical to limiting an attacker's lateral movement.

Define Application Policies

Because you have already defined what an application is, any policy that addresses anything within that application is an application policy and appears on the Application Policies tab.

Before you write application policies, complete two prerequisites. First, map your cloud tags to labels using the Tag to Label Mapping menu in the left navigation under Application Discovery; the labels you create there are the ones you select when writing policy for your applications. See Cloud Tag to Label Mapping for information.

Then define the services and IP lists the policies will reference by going to the Policies menu and selecting the Services and IP List tabs. See Services and IP Lists for information.

To write application policies, go to Applications > your application > Policy tab. See Writing Application Policy for information.

What Happens When Org and App Policies Conflict?

Consider the following example. You write an application policy with an allow rule permitting all Telnet connections, but an organization policy contains an override deny rule that blocks all Telnet. The override deny rule negates the allow rule, so Telnet stays blocked regardless of what the application policy permits.
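The precedence described above, worked through as an added example (this is illustrative code written for this page, not CloudSecure's implementation). It models the only ordering the page states, an organization override deny defeating any allow, and assumes two things the page does not spell out: a flow that matches no allow rule is denied, and labels are written as "key:value" strings. The rule sets and flows are constructed for the example.

```python
"""Toy evaluator for organization vs application policy precedence.

Illustration only, not CloudSecure's implementation. Modelled order:
  1. an organization override deny rule that matches the flow wins;
  2. otherwise any matching allow rule (organization, then application) permits it;
  3. otherwise the flow is denied (default deny is an assumption here).
The "key:value" label format is also an assumption made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "override_deny"
    port: Optional[int] = None       # None matches any port
    src_label: Optional[str] = None  # None matches any source
    dst_label: Optional[str] = None  # None matches any destination


@dataclass(frozen=True)
class Flow:
    src_labels: FrozenSet[str]
    dst_labels: FrozenSet[str]
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every constraint it sets is satisfied by the flow."""
    if rule.port is not None and rule.port != flow.port:
        return False
    if rule.src_label is not None and rule.src_label not in flow.src_labels:
        return False
    if rule.dst_label is not None and rule.dst_label not in flow.dst_labels:
        return False
    return True


def evaluate(org_rules: List[Rule], app_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (decision, reason). Organization override deny is checked first,
    so it negates any allow rule, which is the conflict case from the text."""
    for r in org_rules:
        if r.action == "override_deny" and matches(r, flow):
            return "deny", "organization override deny"
    for r in org_rules:
        if r.action == "allow" and matches(r, flow):
            return "allow", "organization allow"
    for r in app_rules:
        if r.action == "allow" and matches(r, flow):
            return "allow", "application allow"
    return "deny", "no matching allow rule (default deny)"


# Constructed sample policy: the Telnet guardrail from the text, a dev-to-prod
# block, and one additive organization allow for DNS.
ORG_RULES = [
    Rule("override_deny", port=23),                                   # block all Telnet
    Rule("override_deny", src_label="env:dev", dst_label="env:prod"),  # dev never talks to prod
    Rule("allow", port=53, dst_label="role:dns"),                      # everyone may resolve names
]

# Constructed application policy for a hypothetical "app:billing" application.
# It allows Telnet, which the organization policy above negates.
APP_RULES = [
    Rule("allow", port=23, dst_label="app:billing"),
    Rule("allow", port=443, dst_label="app:billing"),
]


def decide(src: Iterable[str], dst: Iterable[str], port: int) -> Tuple[str, str]:
    """Evaluate one flow against the sample organization and application policies."""
    return evaluate(ORG_RULES, APP_RULES, Flow(frozenset(src), frozenset(dst), port))


if __name__ == "__main__":
    cases = [
        ({"env:prod", "role:web"}, {"env:prod", "app:billing"}, 23),   # Telnet: app allows, org overrides
        ({"env:prod", "role:web"}, {"env:prod", "app:billing"}, 443),  # HTTPS: app allow stands
        ({"env:dev"}, {"env:prod", "app:billing"}, 443),                # dev -> prod blocked by org
        ({"env:prod"}, {"env:prod", "role:dns"}, 53),                   # additive org allow
        ({"env:prod"}, {"env:prod", "app:billing"}, 22),                # nothing allows SSH
    ]
    for src, dst, port in cases:
        print(f"{sorted(src)} -> {sorted(dst)} :{port}  =>  {decide(src, dst, port)}")
```

The first case is the text's conflict: the application policy's Telnet allow is present, but the organization override deny is evaluated first and wins. The fourth case shows the additive direction, where an organization allow permits traffic no application policy mentions.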