Glossary

  • The previous name for the Illumio Core. See Illumio Core.
  • Illumio Adaptive User Segmentation secures the inside of your data center and cloud by controlling connectivity to applications based on user identity. You can leverage Microsoft Active Directory User Groups to control access to computing resources by creating user groups in the PCE that map directly to your Active Directory Groups. You can then write Rules using these Groups to control access to specific Workloads based on group membership.
  • The allowlist model means that you must specifically define what traffic is allowed to communicate with your managed workloads; otherwise, it is blocked by default. It follows a trust-centric model that denies everything and only permits what you explicitly allow, which is a better choice in today's data centers. The list of what you do want to connect in your data center is much smaller than what you do not want to connect.
  • The App Group map shows your Workloads grouped as an application instance (App Group) based on a set Application, Environment, and Location Labels.
  • Collections of Workloads with the same Location, Environment, and Application labels.
  • A Label that defines a collection of Workloads used to serve an application in a customer environment.
  • An application security policy is defined and visualized during Illumination when Workloads belonging to the application begin to cluster and group together based on the communication (network traffic) relationships. An application security policy contains the following elements: Workloads, Labels, Rules, Name of the policy, and Alerts.
  • Refers to using Pairing Profiles to automate Workload pairing. Typically used to refer to environments where Workloads are added using orchestration or automation and expected to install the VEN, obtain the policy, and enforce it during the instantiation sequence. These Workloads may be called "auto-scaled" Workloads.
  • Blocked inbound connections to help identify potential ransomware.
  • A group of Workloads, Unmanaged Workloads, Virtual Services, or IP addresses that can initiate a connection to a Provider or consume a service. Use the Consumers section of a Rule to define who or what is allowed to communicate with a Workload.
  • A policy object used when writing a Rule to reference the Docker host on which a Pod resides.
  • A tool (Kubernetes) used to deploy, scale, and manage container-based applications.
  • Software (for example, Docker) that manages container images on a node.
  • A Kubernetes pod in the PCE that is secured by Illumio Core.
  • Core nodes and data nodes.
  • Custom iptables Rules allow you to integrate existing Linux iptables into a Ruleset.
  • Delivery of Illumio Core on multiple nodes as a distributed application in the customer's data center. The deployment is very similar to the Illumio Secure Cloud; only it is inside the customer's data center. Illumio works closely with customers to plan, install, and manage the deployment.
  • This virtual appliance is delivered for installation in the customer's data center and contains all Policy Compute Engine components integrated into it. Each customer installs and manages the virtual appliance that is delivered as a VMware OVA file.
  • There are two deployment types: 2x2 or two core nodes with two data nodes, and 4x2 or four core nodes with two data nodes.
  • A service that was discovered running on a paired Workload. You can select a discovered service in a Rule, and once the Rule is added, the service is promoted to a policy service and becomes an OS: All Ports service for either Linux or Windows Workloads. If you want the service to be used as a Windows Process/Service-based service, you need to add the service to the Services page first.
  • The Draft View of the Illumination map visualizes the potential impact of your draft (not yet provisioned) policy, so you can examine what happens when you provision your changes. The Draft View helps you understand the expected traffic rather than the actual traffic handling (provided by the Reported View), and considers both recently provisioned policy and draft policy.
  • Ensures that endpoints are protected with whitelist policy without disrupting the business.
  • A Workload policy state in which all Ruleset definitions are enforced.
  • The label that defines a group of Workloads used for a specific stage in the application development life cycle. Examples: Production, Staging, Dev, or QA.
  • An intuitive tool to see traffic between endpoints to understand activity.
  • An Extra-Scope Rule allows communication between Groups of Workloads (for example, Group-to-Group communication).
  • A collection of Workloads and policy configurations displayed in the Illumination map.
  • Logical grouping of endpoints.
  • Illumio provides high availability (HA) so that in the event of a failure, a PCE cluster's availability and operability can be maintained with zero or minimal data loss and no or limited human intervention.
  • The Illumio Core feature that visualizes your Workloads and provides a deep understanding of the traffic flows to write security policies. It includes illuminated state for the workload, auto-labeling rules, application view of workloads, and rule suggestions based on traffic profiles.
  • The Illumio Core consists of the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN). Understanding the interaction between the PCE and VEN is essential to learning about Illumio technology.
  • Delivery of Illumio Core as a cloud service (SaaS). Illumio hosts and manages the infrastructure used to provide the Illumio Core as a service to our customers.
  • Inbound or peer-to-peer services that should be included in the policy.
  • An Intra-Scope Rule allows communication within a Group of Workloads. Compare with extra-scope rule.
  • List of IP addresses, IP address ranges, or CIDR blocks used in Rulesets to allow access to a Workload service.
  • A range of IP addresses that is permitted to communicate for any given inbound service.
  • Illumio proprietary software used for sending information from Kubernetes to the PCE.
  • Labels define the role of a Workload, the type of application it supports, its product life cycle stage (development, production), and its location. Use Labels to define policy boundaries and determine the Workloads that are affected by Ruleset policies.
  • Used for periodic health checks. For example, liveness probes could detect when an application is running but not progressing. Restarting the container can help make the application more available.
  • Load Balancers can manage Workloads based on the policy defined in the PCE configuration.
  • A Label that defines a Workload based on its location. Examples are Germany, US, Rack #3, and datacenter AWS-east1.
  • A managed Workload is one with a VEN installed; an unmanaged Workload has no VEN installed.
  • Micro-Segmentation is a security technique that enables you to assign coarse- to fine-grained security policies to data centers and cloud applications, down to the workload level. It enables Organizations to withstand threats by allowing them to deploy security models using a software-only approach. Unlike conventional network segmentation models, Micro-Segmentation supports granularity and dynamic adaptation.
  • A PCE node is a single host (server or VM) that runs the PCE Software. Illumio provides the PCE Software, and customers provide the environment (operating system and system services) on which the PCE can run.
  • A single instance in Illumio Core. Users have access to their Organization with the account that's identified by the email address used to invite the user to the Organization.
  • Installation of the Illumio VEN software on a workload using a unique secure pairing key. A Workload is paired by executing a pairing script generated from a Pairing Profile.
  • Configuration that controls the pairing process of a Workload. A Pairing Profile contains a pairing script with a unique pairing key, Label and policy state assignment, command line restrictions, as well as limits on how many times the pairing script can be used and for how long.
  • The PCE Cluster represents the total collection of nodes in your deployment. Configure each node by its node type, which defines the tiers of services that run in the node.
  • A central web interface to the Illumio Core. Illumio users access the PCE web console to create security policy and visualize the workloads and traffic flows in your organization. The PCE web console is installed as part of the PCE software, although it can be upgraded independently. Additionally, Illumio administrators can use the PCE web console to configure features and behavior of the PCE.
  • A Kubernetes concept that represents an encapsulation of an application instance. It allows the container(s) to share a common network namespace and storage resource.
  • Configurable set of rules that protect network assets from threats and disruption.
  • The PCE is the "brain" of the Illumio Core, which holds the Illumio Core program logic and information. It generates and distributes segmentation policies for each VEN connected to it and computes and manages security policies for workloads. The PCE examines the relationships between workloads, computes the rules required to protect each workload, and distributes those rules to the VENs installed on the workloads.
  • A tool in the PCE that simplifies the policy creation process by providing an easy way for application owners to write Intra- or Extra-Scope Rules for the individual applications they manage.
  • A set of configuration objects in the PCE that comprise your security policy. The policy objects include Segmentation Templates, Services, IP Lists, Labels, Label Groups, User Groups, Bound Services, and Virtual Servers. Some policy objects must be provisioned before any changes to them take effect on your Workloads.
  • A policy item that can be used in a Rule. (Policy items must be provisioned before they can take effect.)
  • The VEN supports multiple policy states to help with the policy creation process. Illumination shows these states and uses them to visualize traffic.
  • The Illumio model is provider-centric. You need to declare which consumers can access ports on providers. Providers cannot initiate connections to Consumers.
  • Provisioning is a process of pushing Policies out to workloads with the matching Labels.
  • Acronym for labels: Role, Application, Environment, and Location.
  • The Reported View in the Illumination map visualizes policy coverage as reported by Workloads. You can view the current state of your provisioned policy in it in a view-only format. While you can view all the Rulesets that apply to the Workloads in the Reported View, you must change to the Draft View to add Rules. The Reported View does not immediately reflect the latest changes to the policy. It is updated after you provision a change to the policy and when new traffic flows that use the updated policy get reported from the VEN.
  • A software-built “fence” that secures and typically isolates high-value assets to mitigate the risk of access from East-West connectivity to other systems.
  • A Label that defines the function or purpose that a Workload serves in an application. For example, DB, Web, API, Mail.
  • Rules are defined in Rulesets to allow for access control for a given service and to enable communication between a collection of Workloads. Example: “MySQL: Provider=DB-Servers, Consumer=Web-Servers” opens the MySQL port on the DB-Servers for the Web-Servers.
  • The percentage of the total number of traffic connections covered by Rules.
  • A collection of Rules that govern allowed traffic between Workloads, Unmanaged Workloads, Virtual Services, or IP addresses. These are the whitelist policies that use Labels to generate customized port connections for each Workload. Rules are collected into Rulesets for versioning.
  • A configuration file on the PCE.
  • Determines which Workloads receive the rules of the Ruleset. If Workloads share the same Labels as defined in a Ruleset, then those Workloads receive those Rules.
  • Enables users to encrypt communication between Workload services dynamically using IPsec.
  • A complete collection of Rulesets, IP Lists, Services, and Security Settings for your Organization. Changes are always saved in the pending Policy version. Once you provision the changes, the pending Policy version becomes active, and all policy changes are pushed to the Workloads affected by the Policy.
  • A process running on a managed Workload that listens on a network port, for example, MySQL or Apache.
  • In Scope: A Discovered or Policy Service running on a Workload whose Labels match the scope Labels of a Ruleset. Out of Scope: A Discovered or Policy Service that is not running on a Workload whose Labels match the scope Labels of a Ruleset.
  • SNC: Single Node Cluster; MNC: Multi Node Cluster
  • A group of clusters operating together. Required if the number of Workloads exceeds the capabilities of a single cluster.
  • Information related to an individual traffic flow on a Workload. This information includes whether the traffic to and from the Workload was allowed, potentially blocked, or blocked. Potentially blocked traffic is traffic that is currently allowed but will be blocked if the Workload's policy state is set to Test.
  • Network traffic in your environment flowing between VENs and other entities in your network. The PCE web console captures both the potentially blocked and blocked types of traffic.
  • A Workload that has no VEN installed on it.
  • The Virtual Enforcement Node (VEN) is a local control point of the Illumio Core installed on each workload. The VEN provides information about the workload and enforces policy rules by controlling the Linux iptables or Windows Filtering Platform (WFP) tables on a workload.
  • A VEN can exist in one of two connectivity states: Online, when the Workload is connected to the network and can communicate with the PCE, and Offline, when the Workload is not connected to the network and cannot communicate with the PCE.
  • VEN health status consists of two categories of information: VEN connectivity status and VEN policy sync status. It contains information related to the current state of VEN connectivity, the most recently provisioned policy changes that affect the Workload, any potential firewall tampering, and any issues related to SecureConnect functionality.
  • A VEN's policy status indicates its policy provisioning and SecureConnect status: Active, Warning, or Error.
  • A PCE configuration that allows you to write a Policy for Virtual Servers whose traffic is managed by Load Balancers in your environment.
  • A Service that originates from a Workload but is labeled separately and can be used in a Rule. Virtual services allow you to label processes or services on Workloads.
  • Vulnerability maps combine third-party vulnerability and threat insights from companies like Qualys with Illumio's application dependency map to help teams see, in real time, which applications are connecting to vulnerable ports. They enable application security teams, vulnerability management teams, and segmentation teams to understand not only the vulnerability of a workload but, more importantly, the paths that bad actors can leverage to exploit vulnerabilities.
  • Illumio's generic term for anything with an operating system, such as a bare-metal server, VM, or container (e.g., Docker container). An OS endpoint where applications and services are running and where a VEN resides. Workloads may be running in private data centers or cloud environments.
  • Once you pair a Workload, it can exist in one of these Policy states: Idle, Build, and Test.
  • A Workload can have one of three statuses related to its connectivity and policy provisioning by the PCE: In sync, Syncing, and Offline.
  • Workload visibility modes allow you to modulate the amount of data that the VEN collects from the Workload. This data affects the Group's display in the Illumination page of the PCE web console. The visibility modes are High Detail, Less Detail, and No Detail.