
Security Policy Guide 25.2.10

Static Policy Overview

A static policy enables administrators to stage policy updates for workloads that match a defined label-based scope. These workloads will receive but not apply new firewall rules until manual approval is obtained (via the Apply Policy action in the UI or API).

For most of your workloads, adaptive security is the best method for protecting them from the lateral spread of threats. By default, the Illumio Core implements adaptive security for your workloads in all roles, applications, environments, and locations.

However, in certain scenarios, you might want to control when the VENs apply new or changed OS-level firewall rules to workloads. Using labels, you can designate which workloads are impacted by static policy.

When you configure the Policy Update Mode for workloads to use static policy, you control when the VENs running on those workloads apply the new OS-level firewall rules they receive from the PCE. The Illumio Core holds back the immediate application of new firewall rules, whether they result from a user provisioning policy changes in the PCE or from dynamic (adaptive) updates triggered by changes in your environment. For example, you add a new rule to a policy in the PCE and provision the change, or a workload changes its IP address. In both cases, the VENs on the impacted workloads receive the new OS-level firewall rules from the PCE but do not apply them until you explicitly select the workloads and click Apply Policy in the PCE web console.

Think of a static policy as a security setting rather than a type of security policy: configuring workloads to use a static policy is a mechanism for controlling when VENs apply new or updated OS-level firewall rules to the affected workloads. You can also use the static policy setting to establish an audit trail of which Illumio users applied new OS-level firewall rules to workloads and when they applied them.

Static Policy Prerequisites, Limitations, and Recommendations

Before configuring your workloads to use a static policy, review the prerequisites, limitations, and Illumio recommendations.

Prerequisites for Using a Static Policy
  • You must be a member of the Global Organization Owner or Global Administrator role to manage security settings and add a static policy.

  • The VENs on affected workloads must be running version 17.2 or later. Earlier versions of VENs cannot stage a static policy. They will apply security policy updates immediately to workloads even though you configured them to use a static policy.

Limitations of Static Policies
  • You must provision label groups before you add them to the static policy.

  • In the following situations, a VEN applies a security update immediately rather than staging it, even though the workload it runs on is configured to use the static policy:

    • When you pair a new workload, the VEN immediately applies the policy it receives from the PCE.

    • When a VEN detects tampering, it requests security updates from the PCE and applies them immediately.

    • If a VEN is offline when a user provisions changes that affect its workload, then when the VEN comes back online it connects to the PCE, receives the updated OS-level firewall rules, and applies them to the workload even though the workload is configured to use a static policy.

      Note

      When a VEN goes offline and then comes back online, its OS-level firewall rules can become out of sync with those of other VENs that remain online.

      See Staged Policy for an explanation of how the VENs stage a policy.

      Because a VEN may apply security updates immediately, Illumio recommends that you do not provision security policy updates until they are final. Keep the updates in the Draft state until you complete them.

  • To maximize performance, the PCE sends updated OS-level firewall rules to at most 5,000 workloads at a time, repeating until all updates have been sent.

Recommendations About Implementing Static Policies

Illumio recommends implementing a static policy for special cases. Advanced users should oversee the process.

The Illumio Core is designed to ensure that the latest versions of your security policy across your environment protect your workloads. Users provision policy changes, or the PCE responds dynamically to environmental changes. In both cases, the PCE re-computes new OS-level firewall rules incorporating the changes and sends them to the VENs to be applied immediately.

However, when you configure workloads to use a static policy, you override this design by controlling when the VENs apply the security update to those workloads. As a result, you may end up with inconsistent security policies across your managed environment, which can disrupt communication between workloads.

Troubleshooting communication issues is difficult when the workloads within a scope use different security policy versions.

Illumio recommends keeping the number of workloads in your environment that use static policies as low as possible, within the constraints of your business processes.

Typical Use Cases for a Static Policy

By default, the PCE is set to apply security policy updates dynamically through adaptive policy. However, scenarios occur where you want to control when updates to the OS-level firewall rules are applied to workloads.

For example, you might want to control when these updates occur in the following scenarios:

  • Corporate policy for business-critical applications requires oversight on when updates to the OS-level firewall rules are applied to workloads.

    For example, a financial institution requires that its security team explicitly control security updates to its transaction processing application. The security team authorizes the date and time of the update and applies it in the Illumio PCE.

  • The corporate IT team has established policies for applying security updates during disparate maintenance windows.

    The IT team utilizes distributed maintenance windows to minimize the impact on application uptime; for example, half of the application is upgraded during the first maintenance window and the second part during the second maintenance window, keeping the application running and minimizing risk.

  • The central security team uses static policy for certain environments and adaptive policy for others.

    For example, the security policy is adaptive for workloads running in the development environment, which utilizes labels such as All Applications, Development Environment, and All Locations. However, workloads in the production environment (All Applications, Production Environment, and All Locations) require the static policy.

    See Caveats for guidance on choosing when to configure workloads with a static policy.

A Static Policy Workflow Example

The security team for an internet retail application has strict requirements for updating its production environment. They require that all updates to the OS-level firewall rules for their database tier running in production be applied during maintenance windows. For their Illumio-managed workloads, they configure a static policy with the following labels: Role: Database, Applications: All, Environment: Production, Locations: All.

A spike in customer demand occurs, and the production environment automatically scales by adding servers to the web tier. The PCE detects the new web servers that need to connect to the database tier, re-computes the OS-level firewall rules for the database workloads to include rules for those web servers, and sends the rules to the VENs running on the database workloads. The VENs stage the updates locally but do not apply them to the OS-level firewalls.

A maintenance window opens, and a security team member filters the database workloads in the PCE to determine which ones have a staged security policy. The team member then selects these workloads and applies the staged changes.

The VENs request the latest OS-level firewall rules from the PCE to ensure that all changes are included. The PCE sends the latest rules, and the VENs apply them.

Apply a Static Policy

By default, the Illumio Core implements adaptive security for your workloads in all roles, all applications, all environments, and all locations.

However, you might want to add a static policy to control when updates to OS-level firewall rules are applied to your workloads.

You designate which workloads use a static policy by configuring the Policy Update Mode in the Security Settings. To configure the Policy Update Mode, you specify the role, application, environment, and location labels. Any workloads within the scope of the selected labels will use a static policy. You can add multiple scopes. The overlap between the scopes does not affect how workloads use a static policy.

Label groups are currently not supported in static policy scopes. To build a scope that covers multiple labels of the same type, add them as separate scopes. For example, suppose four role labels exist in the PCE: web, database, API, and mail. To apply a static policy to the web and database roles only, add two scopes, one for each role.
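The workflow example above (find the in-scope workloads whose VEN has staged a policy, then apply it) and the scope rules in this section can be written as a small script. The following is an added example and is not Illumio code: it matches constructed workload records against static policy scopes, selects the ones whose VEN has staged but not applied its policy, reports offline VENs separately (per the limitations above, a VEN that reconnects applies the current rules on its own), and builds the Apply Policy request. The label keys (role, app, env, loc), the security_policy_sync_state field, and the /api/v2/orgs/{org_id}/workloads/apply_policy endpoint are assumptions modelled on the PCE REST API; check them against the REST API Developer Guide for your PCE version before use.

```python
"""Select staged workloads inside a static policy scope and build the
Apply Policy request.

Added example, not Illumio code. The label keys, the
security_policy_sync_state field and the apply_policy endpoint are
assumptions modelled on the PCE REST API; the workload records below are
constructed sample data.
"""
import json

# Static policy scopes as described on this page: each scope maps label
# keys to values; a key that is absent means "All" for that dimension.
# Two scopes, because one scope cannot hold two labels of the same type.
STATIC_SCOPES = [
    {"role": "Database", "env": "Production"},
    {"role": "Web", "env": "Production"},
]

# Constructed workload records, shaped like a trimmed PCE workload object.
SAMPLE_WORKLOADS = [
    {"href": "/orgs/1/workloads/db-prod-1", "online": True,
     "labels": [{"key": "role", "value": "Database"}, {"key": "app", "value": "Shop"},
                {"key": "env", "value": "Production"}, {"key": "loc", "value": "AWS"}],
     "agent": {"status": {"security_policy_sync_state": "staged"}}},
    {"href": "/orgs/1/workloads/db-prod-2", "online": True,
     "labels": [{"key": "role", "value": "Database"}, {"key": "app", "value": "Shop"},
                {"key": "env", "value": "Production"}, {"key": "loc", "value": "AWS"}],
     "agent": {"status": {"security_policy_sync_state": "synced"}}},
    {"href": "/orgs/1/workloads/db-prod-3", "online": False,
     "labels": [{"key": "role", "value": "Database"}, {"key": "env", "value": "Production"}],
     "agent": {"status": {"security_policy_sync_state": "staged"}}},
    {"href": "/orgs/1/workloads/db-dev-1", "online": True,
     "labels": [{"key": "role", "value": "Database"}, {"key": "env", "value": "Development"}],
     "agent": {"status": {"security_policy_sync_state": "synced"}}},
    {"href": "/orgs/1/workloads/web-prod-1", "online": True,
     "labels": [{"key": "role", "value": "Web"}, {"key": "env", "value": "Production"}],
     "agent": {"status": {"security_policy_sync_state": "syncing"}}},
]


def workload_labels(workload):
    """Return {label key: label value} for one workload record."""
    return {lbl["key"]: lbl["value"] for lbl in workload.get("labels", [])}


def in_scope(workload, scope):
    """True when every label the scope specifies matches; unspecified keys mean All."""
    labels = workload_labels(workload)
    return all(labels.get(key) == value for key, value in scope.items())


def under_static_policy(workload, scopes):
    """A workload is static if it falls in ANY scope; overlap between scopes is irrelevant."""
    return any(in_scope(workload, scope) for scope in scopes)


def staged_workloads(workloads, scopes):
    """Split in-scope workloads with a staged policy into (ready to apply, offline).

    Offline VENs are reported rather than selected: as the limitations on this
    page note, a VEN that reconnects applies the current rules by itself.
    """
    ready, offline = [], []
    for wl in workloads:
        state = wl.get("agent", {}).get("status", {}).get("security_policy_sync_state")
        if not (under_static_policy(wl, scopes) and state == "staged"):
            continue
        (ready if wl.get("online") else offline).append(wl["href"])
    return ready, offline


def apply_policy_request(pce_url, org_id, hrefs):
    """Build the request that applies staged policy to the selected workloads."""
    url = f"{pce_url.rstrip('/')}/api/v2/orgs/{org_id}/workloads/apply_policy"
    body = {"workloads": [{"href": href} for href in hrefs]}
    return "PUT", url, body


if __name__ == "__main__":
    ready, offline = staged_workloads(SAMPLE_WORKLOADS, STATIC_SCOPES)
    method, url, body = apply_policy_request("https://pce.example.com:8443", 1, ready)
    print(method, url)
    print(json.dumps(body, indent=2))
    for href in offline:
        print("offline, will apply current rules on reconnect:", href)
```

The request is built but not sent, so the script runs offline; sending it requires an API key with rights to manage workloads in the organization, and the call should be issued from inside the maintenance window, exactly as the UI workflow above describes.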

See Static Policy Prerequisites, Limitations, and Recommendations before you complete this task.

Add a Static Policy
  1. From the PCE web console menu, choose Settings > Security > Static Policy.

  2. To define the scope, click Add.

    A dialog box appears, where you set the scope of the static policy.

  3. Select the labels (Role, Application, Environment, Location) that define which workloads use the static policy.

  4. Click OK.

    The static policy is listed.

  5. Click Provision from the PCE web console toolbar.