Security reviews
Enable Azure and AWS policies using security reviews. Illumio Segmentation for the Cloud security reviews ensure that users review policy enforcement on Azure subscriptions and AWS accounts, reducing the risk of implementing ineffective rules. First, onboard your Azure subscription, Azure Tenant, AWS account, or AWS organization with either read or read and write permissions. Then, perform a security review to check for existing organization policy issues and review subscription security controls to correct ineffective policies. Conduct a security review before you write application or additional organization policies for your subscription.
Note
Use Case: You onboarded an Azure subscription with read and write permissions. You have now decided that you want to write organization policies for Illumio Segmentation for the Cloud to enforce on your subscription. You must review and approve your subscription policies before you enforce any application policies on your subscription.
Perform the security review
Onboard your Azure subscription, Azure Tenant, AWS account, or AWS organization with read and write permissions. If your Azure subscription has only read permissions, see Change Azure permissions from read to read and write and Enable read-write permissions. If your AWS account or organization has only read permissions, see Enable read-write permissions.
The Cloud Accounts tab of the Onboarding page shows that the security review is pending approval for your subscription.
Navigate to Cloud > Security Review and select your subscription.
Click Review.
Using Azure as an example, the Security Review page displays your subscription's organization policies. You can filter by 'Has Policy Conflicts' or 'No Policy Conflicts,' which display warning icons or check marks respectively in the Policy Effectiveness column.
A warning icon means the policy has one or more rules requiring your attention before you can effectively implement it. Review each organization policy with a warning icon to ensure it has the appropriate security controls and applications, as described in the next step. Illumio strongly recommends reviewing at least the policies with a warning icon.
A rule is effective when it can meet its flow condition, can be successfully provisioned so that it acts by denying or allowing a given flow, and can actually be evaluated. If an existing rule is found to be effective, any equivalent rules of lower priority are never evaluated and are therefore found ineffective by default. For example, a customer-defined rule that allows certain traffic, followed by an Illumio-written rule that denies the same traffic, cannot be effective because of its position in the evaluation order. Note that Illumio Segmentation for the Cloud attempts to give Illumio-written rules higher priority than non-Illumio-written rules, although this may not always be possible.
Click Review for an organization policy.
The Policy Impact tab displays the policy security controls. Reasons for ineffectiveness can include:
Max Rule Limit: Because all new rules are ineffective, this warning doesn't return any particular rule. For example, SGs and NSGs can accommodate only a given number of rules. The rule limit varies depending on your setup.
Resource locked: For example, an NSG could be locked, preventing Illumio Segmentation for the Cloud from implementing rules.
Broader Rule Exists: For example, if you have an existing rule that allows traffic from a broad range of IPs on a given port, any new rule that is provisioned covering a subset of this IP range and is given a lower rule priority (in other words, is evaluated after the broader rule) is marked as ineffective, because there is no scenario in which it can be evaluated.
Conflicting Rule Present: Illumio Segmentation for the Cloud does not implement conflicting new rules if an existing one is more permissive. For example, if you have a customer-defined Security Group that allows all inbound and outbound traffic, and a new, lower priority Illumio Segmentation for the Cloud rule that allows such traffic on port 80 only, the new rule is not evaluated and is considered ineffective. For rules to conflict, there must be a difference in the action taken, for example Allow vs. Deny. If rules have the same action, there may instead be a broader rule that makes another rule ineffective.
Unsupported Protocol: For example, this warning could be raised because Azure NSG policies do not support the ICMPv6 or IGMP protocols.
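The following Python sketch is an added illustration, not part of the Illumio documentation or product: it models how priority-ordered rules shadow one another and reproduces the Broader Rule Exists and Conflicting Rule Present outcomes described above. It assumes an Azure NSG-style model where a lower priority number is evaluated first; the rule names and addresses are constructed.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One inbound rule; lower priority number is evaluated first (Azure NSG convention, assumed)."""
    name: str
    priority: int
    action: str        # "Allow" or "Deny"
    source: str        # CIDR; 0.0.0.0/0 means any source
    port_from: int     # inclusive destination port range; 0-65535 means any port
    port_to: int
    protocol: str      # "TCP", "UDP", "ICMP" or "*" for any protocol


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow matched by `narrow` is also matched by `broad`."""
    if broad.protocol != "*" and broad.protocol != narrow.protocol:
        return False
    if not (broad.port_from <= narrow.port_from and narrow.port_to <= broad.port_to):
        return False
    return ipaddress.ip_network(narrow.source).subnet_of(ipaddress.ip_network(broad.source))


def find_ineffective(rules: list[Rule]) -> dict[str, str]:
    """Map each rule that can never be evaluated to the reason it is shadowed."""
    ordered = sorted(rules, key=lambda r: r.priority)
    reasons: dict[str, str] = {}
    for i, rule in enumerate(ordered):
        # Only rules evaluated earlier can shadow this one.
        for earlier in ordered[:i]:
            if covers(earlier, rule):
                if earlier.action == rule.action:
                    reasons[rule.name] = f"Broader Rule Exists ({earlier.name})"
                else:
                    reasons[rule.name] = f"Conflicting Rule Present ({earlier.name})"
                break
    return reasons


# Constructed sample: a customer allow-all rule sits ahead of two Illumio-written rules.
SAMPLE_RULES = [
    Rule("customer-allow-all", 100, "Allow", "0.0.0.0/0", 0, 65535, "*"),
    Rule("illumio-allow-web", 200, "Allow", "10.0.0.0/8", 80, 80, "TCP"),
    Rule("illumio-deny-ssh", 300, "Deny", "10.1.0.0/16", 22, 22, "TCP"),
    Rule("illumio-deny-rdp", 50, "Deny", "203.0.113.0/24", 3389, 3389, "TCP"),
]

if __name__ == "__main__":
    for name, reason in find_ineffective(SAMPLE_RULES).items():
        print(f"{name}: {reason}")
```

Only the deny-rdp rule, which is evaluated before the allow-all rule, survives as effective; the two Illumio-written rules placed after it are flagged for the reasons the table gives.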
Click View Rules to see details about the rules in your security controls and investigate any ineffective rules.
A side panel displays the security control, its outbound rules, and its inbound rules. By default, it lists only rules that are Illumio-authored, modified, deleted, added, or ineffective. Ineffective rules display a warning icon. To view all rules, not just Illumio-authored, modified, and so forth, remove the filter.
Click <number> Ineffective to assess the ineffective rules.
The side panel lists the rule and information such as source, destination, port, protocol, and whether it is cloud-managed or Illumio-managed. Click > to list individual issues, such as conflicting or broader organization policy rules. For example, your ineffective rule may be a deny rule that conflicts with existing allow rules.
Note
Click Export to save a .csv of the ineffective rule and the reasons it is ineffective.
Resolve issues such as Conflicting Rule Present, Resource locked, and so forth.
Approve the security review
Note
If you have not enabled read and write permissions for your Azure subscription, you'll need the following:
Permissions to run the provided read access script. See Prerequisites for Onboarding Azure and Permissions for Onboarding Azure. If you don't have permissions, see Change Azure permissions from read to read and write and Enable read-write permissions.
A service account and its token
Note
If you have not enabled read and write permissions for your AWS account or organization, you'll need the following:
Permissions to run the provided read access script. See Prerequisites for Onboarding AWS and Permissions for Onboarding AWS. If you don't have permissions, see Enable read-write permissions.
Resolve any issues you encountered during your security review.
Navigate to Cloud > Security Review, select your subscription and click Approve Security Review.
If you did not enable read and write permissions when you onboarded your subscription, the approval dialog prompts you to do so. See Onboard an Azure Cloud subscription - default setup. Click the Azure Deployment Complete checkbox once you have completed the steps as prompted.
Click Approve.