Trend Account Hierarchy and Policy Replication
Product Overview
Armor Anywhere includes enhancements to improve account level policy management and policy management across multiple DSMs. One new feature provides more finite control at the account level. Another enhancement allows for replicating parts of the account level policy across multiple DSMs to reduce effort and prevent the need for updating account policies on DSMs manually.
Features
Account Hierarchy Structure
Before: Trend policy structure was flat with the only inheritance coming from the base OS (Linux or Windows) policy. The virtual machine (device) policy is managed at each virtual machine and account level changes must take place on each virtual machine.
osName_Base_v3 (windows_Base_v3, linux_Base_v3)
accountId__CoreInstanceId (1024__0d5a7372-95e4-4b68-82e9-31da03895777)
After: Trend will have an additional account level policy as such.
osName_Base_v3 (windows_Base_v3, linux_Base_v3)
acountId__OsName (1024__windows, 1024__linux)
accountId__CoreInstanceId (1024__0d5a7372-95e4-4b68-82e9-31da03895777)
During the release account level policies for each OS (Windows and Linux) will be created on all DSMs. Policies will then be moved under their respective account and OS policies. Any changes that need to occur at the VM policy should still be done at the VM policy level. Also, enabling or disabling of services (AV/FIM/IPS) at the policy level and not through the CLI or Toolbox will result in inaccurate health messages in the Armor Management Portal.
The main use case for the Account Level Policies is to manage things such as account wide Malware Configuration changes including account wide exclusions. This is especially useful for account wide changes where there is a lot of adding or removing of new virtual machines to that account because they will inherit the account level policy after the first security service is activated.
Trend Policy and Object Replication
Trend Policy and Object Replication is a new feature that will replicate partial objects across the different DSMs. Below is a list of the objects that will be replicated:
Directory List
File Extension List
File List
IP List
Account Level Policies
Schedules
Malware Configuration
Workflow Process & FAQ
The following guidelines and processes must be followed in order to get a successful outcome. A primary DSM is designated. All changes must be initiated from the primary Trend DSM.
Which DSMs are set as primary?
What is the impact if changes are not made on a primary DSM?
Changes will not be replicated
Changes will be overwritten by changes made to primary DSM.
Why are some of the changes are not replicated?
Armor is replicating changes listed under the section "Trend Object Replication". Armor is performing partial replication only.
Why is there Account Level policy without any asset levels policies underneath it?
This is to support future asset policies and keep consistent structure across all DSMs
Is there any impact to changing the policy structure?
No, changes to the policy, it will inherit the parent structure and cascade to asset level
Will this process migrate existing objects such as "File List", "Directory List", and etc?
Armor will not migrate all objects. It will replicate changes when modified. For example, making changes to File List, will kick off the replication on this object.