Unified Policy
This topic explains the unified policy capability of the Illumio Zero Trust Platform.
Overview
Three policy tabs are available in the Policies menu:
All Policies: This tab includes all policy types, described below
Organization Policies: Considered guardrail policies, they prevent application policies from allowing undesired traffic. These policies apply to all scopes. See Writing Organization Policy.
Application Policies: Security teams can drive segmentation policies to control network traffic using Illumio labels, services, and IP/IP lists to define what can talk to applications, what data can be transferred from an organization's network, and so forth. Creating application policies is critical to minimizing an attacker's lateral movement. See Writing Application Policy.
For distinctions between organization and application policy, see Organization Policy versus Application Policy.
From each of the above tabs, you can write policies for policy objects that span both the cloud and the datacenter:
Services
IP Lists
Labels
User Groups
Label Groups
Virtual Services
Virtual Servers
Illumio allows or denies traffic between applications using policies that you write. In order to write application policies, you must create rules for the policy. Illumio has the following types of rules for application policies:
Custom IPtables Rules
You can write rules for Linux workloads.
Notices
Scopes and role-based access control (RBAC) remain the same as in previous releases
Allow rules function the same as in previous releases
Override Deny rules are now supported
Override Deny rules take precedence over Allow Rules. They block traffic with no exceptions.
Deny rules can be scoped and support RBAC
Deny rules are introduced in policies to support scope and RBAC
“Global” Deny rules (also known as enforcement boundaries) will be deprecated. Illumio recommends that you move legacy deny rules into policies. See the Guidelines section of Writing Organization Policy.