Getting Started with Core 24.2

Illumio Glossary

This glossary provides a list of Illumio defined terms and definitions.

Table 3. Glossary

Term

Definition

Adaptive User Segmentation

Illumio Adaptive User Segmentation secures the inside of your data center and cloud by controlling connectivity to applications based on user identity. You can leverage Microsoft Active Directory User Groups to control access to computing resources by creating user groups in the PCE that map directly to your Active Directory Groups. You can then write Rules using these Groups to control access to specific Workloads based on group membership.

Allowlist model

The allowlist model means that you must specifically define what traffic is allowed to communicate with your managed workloads; otherwise, it is blocked by default. It follows a trust-centric model that denies everything and only permits what you explicitly allow—a better choice in today’s data centers. The list of what you do want to connect in your data center is much smaller than what you do not want to connect.

App Group Map

The App Group map shows your Workloads grouped as an application instance (App Group) based on a set of Application, Environment, and Location Labels.

Application groups (App groups)

Collections of Workloads with the same Location, Environment, and Application labels.

Application label

A label that defines a collection of Workloads used to serve an application in a customer environment.

Application security policy

An application security policy is defined and visualized during Illumination when Workloads belonging to the application begin to cluster and group together based on the communication (network traffic) relationships. An application security policy contains the following elements: Workloads, Labels, Rules, Name of the policy, and Alerts.

Auto-scale

Refers to using pairing profiles to automate workload pairing. Typically used to refer to environments where workloads are added using orchestration or automation and expected to install the VEN, obtain the policy, and enforce it during the instantiation sequence. These workloads may be called "auto-scaled" workloads.

Consumer

A group of Workloads, Unmanaged Workloads, Virtual Services, or IP addresses that can initiate a connection to a Provider or consume a service. Use the Consumers section of a Rule to define who or what is allowed to communicate with a Workload.

Container host

A policy object used when writing a Rule to reference the Docker host on which a Pod resides.

Container Orchestrator

A tool (Kubernetes) used to deploy, scale, and manage container-based applications.

Container Runtime

Software, such as Docker, that manages container images on a node.

Container workload

A Kubernetes pod in the PCE that is secured by Illumio Core.

Core, Data

Shorthand for Core nodes and Data nodes, the two node types in a PCE cluster.

Custom iptables rules

Custom iptables Rules allow you to integrate existing Linux iptables into a Ruleset.

Customer datacenter - cluster software

Delivery of Illumio Core on multiple nodes as a distributed application in the customer's data center. The deployment is very similar to the Illumio Secure Cloud, except that it runs inside the customer's data center. Illumio works closely with customers to plan, install, and manage the deployment.

Customer datacenter - Virtual Appliance

This virtual appliance is delivered for installation in the customer's data center and contains all Policy Compute Engine components integrated into it. Each customer installs and manages the virtual appliance that is delivered as a VMware OVA file.

Deployment types

There are two deployment types: 2x2 or two core nodes with two data nodes, and 4x2 or four core nodes with two data nodes.

Discovered service

A service that was discovered running on a paired Workload. You can select a discovered service in a Rule, and once the Rule is added, the service is promoted to a policy service and becomes an OS: All Ports service for either Linux or Windows Workloads. If you want the service to be used as a Windows Process/Service-based service, you must first add the service on the Services page.

Enforcement

A Workload policy state in which all Ruleset definitions are enforced.

Environment label

The label that defines a group of Workloads used for a specific stage in the application development life cycle. Examples: Production, Staging, Dev, or QA.

Explorer

A tool to see traffic between endpoints to understand activity.

Extra-scope rule

An Extra-Scope Rule allows communication between Groups of Workloads (for example, Group-to-Group communication).

Group

A collection of Workloads and policy configurations displayed in the Illumination map.

High Availability

Illumio provides High availability (HA) so that in the event of a failure, a PCE cluster's availability and operability can be maintained with zero or minimal data loss and no or limited human intervention.

Core

Core consists of the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN). Understanding the interaction between the PCE and VEN is essential to learning about Illumio technology.

CloudSecure

Delivery of Illumio Core as a cloud service (SaaS). Illumio hosts and manages the infrastructure used to provide the Illumio Core as a service to our customers.

Intra-scope rule

An Intra-Scope Rule allows communication within a Group of Workloads. Compare with extra-scope rule.

IP list

List of IP addresses, IP address ranges, or CIDR blocks used in Rulesets to allow access to a Workload service.

Kubelink

An Illumio proprietary software used for sending information from Kubernetes to the PCE.

Labels

Labels define the role of a Workload, the type of application it supports, its product life cycle stage (development, production), and its location. Use Labels to define policy boundaries and determine the Workloads that are affected by Ruleset policies.

Liveness Probes

Used for periodic health checks. For example, liveness probes could detect when an application is running but not progressing. Restarting the container can help make the application more available.

Load balancer

Load Balancers can manage Workloads based on the policy defined in the PCE configuration.

Location label

A Label that defines a Workload based on its location.

Examples are Germany, US, Rack #3, and datacenter AWS-east1.

Managed or unmanaged workloads

A managed Workload has a VEN installed; an unmanaged Workload has no VEN installed.

Micro Segmentation

Micro-Segmentation is a security technique that enables you to assign coarse- to fine-grained security policies to data centers and cloud applications, down to the workload level. It enables organizations to withstand threats by allowing them to deploy security models using a software-only approach. Unlike conventional network segmentation models, Micro-Segmentation supports granularity and dynamic adaptation.

Node

A PCE node is a single host (server or VM) that runs the PCE Software. Illumio provides the PCE Software, and customers provide the environment (operating system and system services) on which the PCE can run.

Organization

A single instance in Illumio Core. Users have access to their Organization with the account that's identified by the email address used to invite the user to the Organization.

Pairing

Installation of the Illumio VEN software on a workload using a unique secure pairing key. A Workload is paired by executing a pairing script generated from a Pairing Profile.

Pairing profile

Configuration that controls the pairing process of a Workload. A Pairing Profile contains a pairing script with a unique pairing key, Label and policy state assignment, command line restrictions, as well as limits on how many times the pairing script can be used and for how long.

PCE Cluster

The PCE Cluster represents the total collection of nodes in your deployment. Configure each node by its node type, which defines the tiers of services that run in the node.

PCE web console

A central web interface to the Illumio Core. Illumio users access the PCE web console to create security policy and visualize the workloads and traffic flows in your organization. The PCE web console is installed as part of the PCE software, although it can be upgraded independently. Additionally, Illumio administrators can use the PCE web console to configure features and behavior of the PCE.

Pod

A Kubernetes concept that represents an encapsulation of an application instance. It allows the container(s) to share a common network namespace and storage resource.

Policies

Configurable set of rules that protect network assets from threats and disruption.

Policy Compute Engine (PCE)

The PCE is the "brain" of the Illumio Core, which keeps the Illumio Core program logic and information. It generates and distributes segmentation policies for each VEN connected to it and computes and manages security policies for workloads. The PCE does the following: Examines the relationships between workloads; computes rules required to protect each workload; distributes rules to the VENs installed on the workloads.

Policy Generator

A tool in the PCE that simplifies the policy creation process by providing an easy way for application owners to write Intra- or Extra-Scope Rules for the individual applications they manage.

Policy objects

A set of configuration objects in the PCE that comprise your security policy. The policy objects include Segmentation Templates, Services, IP Lists, Labels, Label Groups, User Groups, Bound Services, and Virtual Servers. Some policy objects must be provisioned before any changes to them take effect on your Workloads.

Policy service

A policy item that can be used in a Rule. (Policy items must be provisioned before they can take effect.)

Policy states

The VEN supports multiple policy states to help with the policy creation process. Illumination shows these states and uses them to visualize traffic.

Provider

The Illumio model is provider-centric. You need to declare which consumers can access ports on providers. Providers cannot initiate connections to Consumers.

Provisioning

Provisioning is a process of pushing Policies out to workloads with the matching Labels.

RAEL

Acronym used for labels: Role, Application, Environment, and Location.

Reported view (Illumination)

The Reported View in the Illumination map visualizes policy coverage as reported by Workloads. You can view the current state of your provisioned policy in it in a view-only format. While you can view all the Rulesets that apply to the Workloads in the Reported View, you must change to the Draft View to add Rules. The Reported View does not immediately reflect the latest changes to the policy. It is updated after you provision a change to the policy and when new traffic flows that use the updated policy get reported from the VEN.

Ringfence

A software-built “fence” that secures and typically isolates high-value assets to mitigate the risk of access from East-West connectivity to other systems.

Role label

A Label that defines the function or purpose that a Workload serves in an application. For example, DB, Web, API, Mail.

Rules

Rules are defined in Rulesets to allow for access control for a given service and to enable communication between a collection of Workloads. Example: “MySQL: Provider=DB-Servers, Consumer=Web-Servers” opens the MySQL port on the DB-Servers for the Web-Servers.

Rule coverage

The percentage of the total number of traffic connections covered by Rules.

Ruleset

A collection of Rules that govern allowed traffic between Workloads, Unmanaged Workloads, Virtual Services, or IP addresses. Rulesets are the allowlist policies that use Labels to generate customized port connections for each Workload. Rules are collected into Rulesets for versioning.

runtime_env.yml (PCE)

A configuration file on the PCE.

Scope

Determines which Workloads receive the rules of the Ruleset. If Workloads share the same Labels as defined in a Ruleset, then those Workloads receive those Rules.

SecureConnect

Enables users to encrypt communication between Workload services dynamically using IPsec.

Security policy

A complete collection of Rulesets, IP Lists, services, and Security Settings for your Organization. Changes are always saved in the pending Policy version. Once you provision the changes, the pending Policy version becomes active, and all policy changes are pushed to the Workloads affected by the Policy.

Service

A process running on a managed Workload listening on a network port. For example, MySQL or Apache.

Service in scope/Service out of scope

In Scope: A Discovered or Policy Service running on a Workload whose Labels match the scope Labels of a Ruleset. Out of Scope: A Discovered or Policy Service that is not running on a Workload whose Labels match the scope Labels of a Ruleset.

SNC, MNC

SNC: Single Node Cluster; MNC: Multi Node Cluster

Supercluster

A group of clusters operating together. Required if the number of Workloads exceeds the capabilities of a single cluster.

Traffic flow record

Information related to an individual traffic flow on a Workload. This information includes if the traffic to and from the Workload was allowed, potentially blocked, or blocked. Potentially blocked traffic is traffic flow information that is allowed, but will be blocked if the Workload policy's state gets set to Test.

Traffic/traffic flows

Network traffic in your environment flowing between VENs and other entities in your network. The PCE web console captures both potentially blocked and blocked traffic.

Unmanaged workload

A Workload that has no VEN installed on it.

VEN

The Virtual Enforcement Node (VEN) is a local control point of the Illumio Core installed on each workload. The VEN provides information about the workload and enforces policy rules by controlling the Linux iptables or Windows Filtering Platform (WFP) tables on a workload.

VEN connectivity status

A VEN can exist in one of two connectivity states: Online, when the Workload is connected to the network and can communicate with the PCE, and Offline when the Workload is not connected to the network and cannot communicate with the PCE.

VEN health status

VEN health status consists of two categories of information: VEN connectivity status and VEN policy sync status. It contains information related to the current state of VEN connectivity, the most recently provisioned policy changes that affect the Workload, any potential firewall tampering, and any issues related to SecureConnect functionality.

VEN policy sync status

A VEN's policy status indicates its policy provisioning and SecureConnect status: Active, Warning, Error.

Virtual servers

A PCE configuration that allows you to write a Policy for Virtual Servers whose traffic is managed by Load Balancers in your environment.

Virtual service

A Service that originates from a Workload but is labeled separately and can be used in a Rule. Virtual services allow you to label processes or services on Workloads.

Vulnerability Map

Vulnerability maps combine third-party vulnerability and threat insights from companies like Qualys with Illumio's application dependency map to help teams see which applications are connecting into vulnerable ports in real time. They enable application security teams, vulnerability management teams, and segmentation teams to understand not only the vulnerability of a workload but, more importantly, the paths that bad actors can leverage to exploit vulnerabilities.

Workload

Illumio's generic term for anything with an operating system, such as a bare-metal server, VM, or container (e.g., Docker container). An OS endpoint where applications and services are running and where a VEN resides. Workloads may be running in private data centers or cloud environments.

Workload policy state

Once you pair a Workload, it can exist in one of these Policy states: Idle, Build, and Test.

Workload status

A Workload can have one of three statuses related to its connectivity and policy provisioning by the PCE: In sync, Syncing, and Offline.

Workload visibility modes

Workload visibility modes allow you to modulate the amount of data that the VEN collects from the Workload. This data affects the Group's display in the Illumination page of the PCE web console. The visibility modes are High Detail, Less Detail, and No Detail.