Organization Policy versus Application Policy

This topic explains the difference between organization and application policies.

For information about creating these types of policies, see Writing Organization Policy and Writing Application Policy.

About Illumio Segmentation for the Cloud Policies

What Are Organization Policies?

Codify Organizational Network Security Policies as Guardrails

You can think of organization policies as guardrail policies that prevent application policies from allowing undesired traffic, or that are additive to application policies allowing desired traffic. An organization policy can exist all by itself, but these policies are also evaluated during policy computation for any application policy.

Organization policies are broader policies that you write that are independent of applications. They can override application policies, including any future application policies, that may have overly permissive allow rules.

Although you're not constrained by an application, you could still create an organization policy for an application if you wanted to. Conversely, you might want to create a broader policy such that applications in the development environment cannot talk to anything in the production environment, or block an entire set of IP ranges, or block all Telnet traffic. You could also write an organization policy using more fine-grained labels.

Define Organization Policies

Once you onboard your cloud accounts, you can define your organization policies. To write organization policies, go to Policies > Organization Policies tab. See Writing Organization Policy.

What are Application Policies?

Security teams can drive segmentation policies to control network traffic using Illumio labels, services, and IP/IP lists to define what can talk to applications, what data can be transferred from an organization's network, etc. Creating application policies is critical to minimizing an attacker's lateral movement.

Define Application Policies

If a policy addresses anything within an application, because you've now defined what an application is, it’s an application policy and appears on the Application Policies tab.

Before you write application policies, you may want to first define services and IP lists by going to the Policies menu and selecting the Services and IP List tabs. See Services and IP Lists for information. This is optional.

You may also want to use the Tag to Label Mapping menu available in the left navigation under Application Discovery. Once you use the tag to label mapping feature, you can select the labels that you create when writing policy for your applications. See Cloud Tag to Label Mapping for information. This is optional, as the application definition workflow itself also creates labels.

To write application policies, go to Applications > your application > Policy tab. See Writing Application Policy for information.

Cloud