Types of Illumio Policy
This section explains the differences between adaptive and static policy in the Illumio Core.
Adaptive Policy
Without adaptive security, enterprises face an overwhelming number of firewall rules, manual changes required to policies, and the possibility of errors leading to outages or serious vulnerabilities and breaches. Adaptive security automatically accounts for moves, scale, and changes to the applications and infrastructure that are typical of modern datacenters.
Because Illumio bases workload security on a policy model, it enables adaptive security that continuously adjusts to changes in the environment and to changed workload relationships. When a change occurs, the PCE responds dynamically by re-computing the OS-level firewall rules for the impacted workloads. The PCE alerts the VENs of the new OS-level firewall rules. The VENs request the new rules and apply them immediately.
The Illumio Core dynamically adapts and updates security policy when events, such as the following ones, occur in the managed environment.
Workloads are added to or removed from your environment.
Workloads change their IP addresses.
Managed workloads come online and go offline.
The labels on workloads change.
The PCE does not require Illumio users or automated processes to provision these changes for the PCE to re-compute the OS-level firewall rules for the impacted workloads and transmit them to the VENs.
See the following related topics:
Pairing in VEN Installation and Upgrade Guide for information about adding workloads to your environment
IP Lists for information about using them in security policies
Provisioning for information about provisioning, which is a manual process
Staged Policy for information about how provisioning differs from adaptive policy
Static Policy
For the large majority of your workloads, adaptive security is the best method for protecting them from the lateral spread of threats. By default, the Illumio Core implements adaptive security for your workloads in all roles, all applications, all environments, and all locations. See Adaptive Policy to learn how Illumio provides adaptive security.
However, in certain scenarios, you might want to control when the VENs apply new or changed OS-level firewall rules to workloads. Using labels, you designate which workloads are impacted by static policy. See Apply Static Policy for the steps to configure static policy using labels.
When you configure the Policy Update Mode for workloads to use static policy, you control when the Illumio VENs running on the workloads apply new OS-level firewall rules that they received from the PCE. The Illumio Core blocks the immediate application of new firewall rules that result from users provisioning policy changes in the PCE and from dynamic updates to firewall rules (adaptive policy) when your environment changes. For example, you add a new rule to a ruleset in the PCE and provision the change, or a change occurs in your environment, such as a workload changes its IP address. In both cases, the VENs for your impacted workloads receive the new OS-level firewall rules from the PCE but they do not apply them until you explicitly select the workloads and click Apply Policy in the PCE web console.
See Staged Policy for information about how the Illumio Core uses static policy and stages OS-level firewall updates rather than applying them immediately.
You should view static policy as a Security Setting rather than a type of security policy because configuring workloads to use static policy is a mechanism to control when VENs apply new or updated OS-level firewall rules to affected workloads. You can use the static policy setting to establish an audit trail of which Illumio users apply new OS-level firewall rules to workloads and when they apply them.
Use Cases for Static Policy
By default, the PCE is set to apply security policy updates dynamically through adaptive policy. However, scenarios occur where you want to control when updates to the OS-level firewall rules are applied to workloads.
For example, you might want to control when these updates occur in the following scenarios:
Corporate policy for business-critical applications requires oversight on when updates to the OS-level firewall rules are applied to workloads.
For example, a financial institution requires that security updates to its transaction processing application must be explicitly controlled by its security team. The security team authorizes the date and time of the update and applies it in the Illumio PCE.
The corporate IT team has established policies for applying security updates during disparate maintenance windows.
The IT team utilizes distributed maintenance windows to lessen the up-time impact on applications; for example, half the application is upgraded during the first maintenance window and the second part during the second maintenance window to keep the application up and running and minimize risk.
The central security team sets the security policy to static for certain environments and adaptive for others.
For example, the security policy is adaptive for workloads running in the development environment (using the labels All Applications, Development Environment, and All Locations). However, workloads in the production environment (All Applications, Production Environment, and All Locations) require static policy.
See Caveats for guidance on choosing when to configure workloads with static policy.
Example: Static Policy Workflow
The security team for an internet retail application has strict requirements for updating their production environment. They require that all updates to the OS-level firewall rules for their Database tier running in production must be applied during maintenance windows. For their Illumio-managed workloads, they configure a static policy that has the following labels: Role: Database, Applications: All, Environment: Production, Locations: All.
A spike in customer demand occurs and their production environment automatically scales by adding servers to the Web tier. The Illumio PCE detects the web servers connecting to the Database tier workloads and re-computes their security policy to include rules for the web servers. The PCE re-computes the OS-level firewall rules for those workloads and sends them to the VENs running on the Database workloads. The VENs stage the updates locally but they do not apply them to the OS-level firewalls.
A maintenance window opens and a security team member filters the Database workloads in the PCE to determine which ones have staged security policy. She selects these workloads and applies the staged changes.
The VENs request the latest OS-level firewall rules from the PCE to ensure that all changes are included. The PCE sends the latest OS-level firewall rules to the VENs and they apply them.
Static Policy Prerequisites, Limitations, and Caveats
Before configuring your workloads to use static policy, review the following prerequisites and limitations, and consider the following caveats.
Prerequisites
You must be a member of the Global Organization Owner role or Global Administrator role to manage Security Settings and add static policy.
The VENs on affected workloads must be running version 17.2 or later. Earlier versions of VENs cannot stage static policy. They will apply security policy updates immediately to workloads even though you configured them to use static policy.
Limitations
You should provision label groups before adding them to static policy.
In the following situations, a VEN will apply a security update immediately and will not stage it even though the workload on which the VEN is running is configured to use static policy:
When you pair a new workload, the VEN applies the policy it receives from the PCE immediately.
When a VEN detects tampering, it requests security updates from the PCE and applies them immediately.
A VEN is offline when a user applies changes to their workloads. The VEN comes back online, connects to the PCE, and receives updated OS-level firewall rules. The VEN applies the updated rules to the workload even though it is configured to use static policy.
Note
When a VEN goes offline and comes back online, its OS-level firewall rules can become out of sync with the rules of other VENs that remained online.
See Staged Policy for an explanation of how the VENs stage policy.
Because of the possibility for a VEN to apply security updates immediately, Illumio recommends that you do not provision security policy updates until the updates are final. Keep the updates in Draft state until you complete them.
To maximize performance, the PCE transmits 5,000 OS-level firewall updates to the VENs at a time until all updates are sent.
Caveats
Illumio recommends implementing static policy only for special cases, and advanced users should oversee the process.
The Illumio Core is designed to ensure that your workloads are protected by the latest versions of your security policy across your environment. Users provision policy changes or the PCE responds dynamically to changes in the environment. In both cases, the PCE re-computes new OS-level firewall rules incorporating the changes, and sends them to the VENs to be applied immediately.
However, when you configure workloads to use static policy, you override this design by controlling when the VENs apply the security update to the workloads. As a result, you can have inconsistent security policy across your managed environment and cause communication disruptions between workloads.
Troubleshooting communication issues is difficult when the workloads within a scope are using different versions of a security policy.
Illumio recommends that you keep the number of workloads in your environment that utilize static policy as low as your business processes allow.
Apply Static Policy
By default, the Illumio Core implements adaptive security for your workloads in all roles, all applications, all environments, and all locations. See Adaptive Policy to learn how Illumio provides adaptive security.
However, you might want to control when updates to OS-level firewall rules are applied to your workloads by adding static policy.
You designate which workloads use static policy by configuring the Policy Update Mode in the Security Settings. To configure the Policy Update Mode, you specify labels for the role, application, environment, and location. Any workloads within the scope of the specified labels will use static policy. You can add multiple scopes. Overlap between the scopes does not affect how workloads use static policy.
Label groups are not supported with static policy currently. To create scopes using multiple labels from the same type, add them as separate scopes. For example, you have four Role labels added to the PCE: Web, Database, API, and Mail. You want to add static policy for the Web and Database roles only so you add two scopes.
See Static Policy Prerequisites, Limitations, and Caveats for information before you complete this task.
To add static policy:
From the PCE web console menu, choose Settings > Security.
Choose Edit > Manage Policy Update.
The page refreshes with the settings to configure Static as the Policy Update Mode.
Click Add.
A dialog box appears in which you set the scope of the static policy.
Select labels to select workloads for static policy.
Click OK.
The static policy appears in the list.
Click Provision from the PCE web console toolbar.
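The scope matching of the Policy Update Mode described above, and the stage-then-apply behaviour from the earlier static policy workflow, as an added Python model that is not Illumio's code or API. The Workload fields, function names and sample labels are assumptions used to illustrate how static scopes, the Staged and Active sync states, Apply Policy, and the newly-paired-VEN exception interact.

```python
from dataclasses import dataclass

# Label dimensions the PCE scopes policy by; "All" in a scope matches any value.
DIMS = ("role", "app", "env", "loc")

@dataclass
class Workload:
    name: str
    labels: dict              # e.g. {"role": "Database", "env": "Production"}
    applied_version: int = 0  # policy version the OS-level firewall is running
    staged_version: int = 0   # latest version the VEN received from the PCE

    def sync_state(self):
        # Mirrors the Policy Sync column: Staged = received but not applied.
        return "Staged" if self.staged_version > self.applied_version else "Active"

def in_scope(labels, scope):
    """True when every dimension of the scope is 'All' or equals the label."""
    return all(scope.get(d, "All") in ("All", labels.get(d)) for d in DIMS)

def uses_static_policy(wl, static_scopes):
    # Overlap between scopes does not matter: any match makes the workload static.
    return any(in_scope(wl.labels, s) for s in static_scopes)

def pce_send_policy(workloads, static_scopes, version):
    """PCE recompute after a provision or an environment change (e.g. scale-out)."""
    for wl in workloads:
        wl.staged_version = version
        if not uses_static_policy(wl, static_scopes):
            wl.applied_version = version      # adaptive: VEN applies immediately

def pair_workload(workloads, wl, version):
    """Limitation: a newly paired VEN applies its first policy at once, static or not."""
    wl.staged_version = wl.applied_version = version
    workloads.append(wl)

def apply_policy(workloads, selected=None, label_filter=None):
    """Apply Policy: Update Selected Workloads (names) or Update All (label filter)."""
    for wl in workloads:
        if selected is not None and wl.name not in selected:
            continue
        if label_filter is not None and not in_scope(wl.labels, label_filter):
            continue
        wl.applied_version = wl.staged_version

def stale_workloads(workloads):
    """Caveat check: workloads whose firewall runs an older policy than the PCE sent."""
    return sorted(w.name for w in workloads if w.sync_state() == "Staged")
```

Running stale_workloads after each PCE recompute gives the same view as filtering the Workloads page by Policy Sync > Staged Workloads, which is the audit a team using static policy should run before and after each maintenance window.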
Staged Policy
Understanding the distinction between using static policy to stage updates to OS-level firewall rules and provisioning security policy is important because the actions differ in crucial ways.
When you configure workloads to use static policy, the PCE sends the new OS-level firewall rules for Linux iptables or the Windows Filtering Platform (WFP) to the VENs and they stage them locally. The VENs do not apply the new firewall rules immediately. You must select the workloads and explicitly click Apply Policy in the Workloads page to activate the staged OS-level firewall rules.
Configuring a set of workloads to use static policy does not eliminate the requirement to provision policy updates for those workloads. Through provisioning, you update the PCE's version of your security policy.
When you provision security policy changes, you trigger the PCE to apply these changes to the workloads. When the workloads are set to use static policy, the VENs on the workloads will stage the changes until you explicitly click Apply Policy. However, under certain circumstances, the VENs could apply the latest changes before you explicitly click Apply Policy. See Static Policy Prerequisites, Limitations, and Caveats for information.
Tip
The orange badge on the Provision button (top toolbar) indicates the number of changes you need to provision.
In addition to rulesets and rules, you must provision changes to the Illumio policy objects, such as services, IP lists, and label groups. To make security policies easier to maintain and update, Illumio supports including re-usable policy objects in intra- and extra-scope rules. When you update a policy object, all the rules using the object are updated without you needing to change each rule where the object is included.
When you provision changes to rulesets and policy objects, the PCE saves your security policy as a new version. It recomputes the OS-level firewall rules for all the workloads affected by the change and instructs the VENs on those workloads to download the updated OS-level firewall rules.
See the following topics related to provisioning:
Overview of Policy Objects for a description of each type of policy item
Provisioning for the policy items that require provisioning
Active vs Draft Versions to learn how provisioning establishes the active version of policy
Determine When Workloads Have Staged Policy
Workloads Page
The Workloads page displays each VEN's current state in the Policy Sync column. You can filter your workloads by this column to quickly determine which ones have staged OS-level firewall rules.
Active (Syncing): The PCE is in the process of sending new policy to the VEN. Typically, this process takes only a few seconds.
Note
Workloads configured for adaptive policy and static policy can appear in the active (syncing) state while the PCE is sending new policy.
Staged: The VEN has received the latest OS-level firewall rules but has not applied them.
Active: The VEN has received, applied, and confirmed all policies sent from the PCE. (Active workloads have a green dot icon.)
For more information about the VEN Policy Sync states, see “VEN Policy Sync” in VEN Installation and Upgrade Guide.
Workload Details
The Workload details page provides important information about when and how your workloads received staged policy.
The General section indicates whether the workload is configured to use static policy (Policy Update Mode field) and displays the date and time that the VEN staged the policy (Last Policy Staged field).
The VEN section includes the Policy Sync state, which can be active (syncing), staged, active, error, warning, or suspended.
Note
These fields will not appear in the General or VEN sections when all your workloads are configured to use adaptive policy.
Apply Staged Policy
See Static Policy Prerequisites, Limitations, and Caveats for information before you complete this task.
From the PCE web console menu, choose Workloads.
The Workloads page appears.
(Optional) Use the Workload property filter in the following ways:
To find all your workloads that are configured to use static policy, choose Policy Update Mode > Static Workloads.
To find workloads that have staged policy that needs to be applied, choose Policy Sync > Staged Workloads.
To apply staged policy to specific workloads, select the workloads and choose Apply Policy > Update Selected Workloads.
Note
Choosing Update Selected Workloads only applies staged policy. It does not provision pending policy changes for workloads that are configured to use adaptive policy, even if you selected them.
If you applied policy to a subset of workloads with staged policy, the remaining workloads will continue to use the older policy.
The Apply Policy button is enabled only when you have workloads with staged policy waiting to be applied.
To apply policy to all workloads with staged policy, choose Apply Policy > Update All Workloads.
Note
If you filter workloads by label and choose Update All Workloads, the PCE applies the staged updates to all the workloads matching that label scope, not just the workloads appearing on the PCE web console page.
The Apply Policy dialog box appears displaying the number of workloads the staged policy will be applied to.
Click OK.
The VEN applies the staged policy and displays the status of the update.