Application-centric Policy Management

Accelerate application delivery and enhance security by managing network policies based on application intent—enabling seamless collaboration and automated change implementation.

Application-centric Policy Management guides you through using SecureApp to:

  • Build and manage an inventory of applications, owners, interfaces, and connectivity requirements.

  • Validate compliance, connectivity, and dependencies before implementing changes.

  • Create and track SecureChange tickets for required application connectivity changes.

  • Associate cloud resources, support application migration, and enable self-service application access.

Why this matters
  • Deliver applications faster without sacrificing security.

  • Align network policy with application requirements to improve agility.

  • Map application flows to security policy objects and automate policy alignment.

Who this is for
  • Application owners responsible for defining and maintaining application metadata and ownership.

  • Network engineers responsible for validating application connectivity and dependencies.

  • Security operation managers responsible for reviewing compliance results and policy alignment.

  • Operational specialists driving workflow adoption and standardization across teams.

Key capabilities

Application-centric Policy Management leverages key features in SecureApp to create and manage applications.

Prerequisites

Implementation approach

This use case is implemented in two parts.

  • Prepare the application data outside SecureApp (Step 1)
    Identify the applications to onboard, confirm ownership, and collect the required application details from existing sources.

  • Onboard and manage the applications in SecureApp (Steps 2 - 9)
    Define inventory, connectivity, compliance, and change workflows.

    SecureApp is an application-centric network security management solution for viewing network topology from a functional perspective, and for monitoring and controlling communication between the applications and services in your network.

    See SecureApp overview.

Step 1: Prepare applications for SecureApp

Before you monitor or manage applications in SecureApp, define the application scope and prepare the initial application repository. This step helps you identify the applications to model, confirm ownership, collect the required application details, and identify data gaps before onboarding begins.

Define application scope

Identify the applications to be modeled in SecureApp, confirm ownership for each application, and document the core application details, such as application name, application owners, environment, business unit, and tier.

This step ensures that each application is in scope, has clear ownership, and includes the business context needed for consistent onboarding.

Populate initial application repository

Accelerate and prioritize application onboarding by creating the application repository.

Use available source materials and documentation, such as spreadsheets and CMDB exports, to begin populating the application repository. Identify data gaps, such as missing IP addresses, services, or owners, and use that information to plan a phased onboarding approach, starting with critical applications first.
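
The gap check and phased ordering described above can be scripted before any data reaches SecureApp. The following is an added example, not Tufin code or the SecureApp import template: the column names, the sample export, and the convention that tier 1 means most critical are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample CMDB export; column names are assumptions for this example.
SAMPLE_EXPORT = """name,owner,environment,business_unit,tier,ip_addresses,services
Payments API,alice@example.com,prod,Finance,1,10.20.1.10;10.20.1.11,tcp/443
HR Portal,,prod,HR,2,10.30.5.4,tcp/443
Build Farm,bob@example.com,dev,Engineering,3,10.40.0.0/24,
Ledger DB,carol@example.com,prod,Finance,1,10.20.2.300,tcp/5432
Wiki,dave@example.com,prod,IT,3,10.50.1.7,tcp/443;tcp/22
"""

REQUIRED = ("name", "owner", "environment", "business_unit", "tier",
            "ip_addresses", "services")


def find_gaps(row):
    """Return a list of data gaps for one application record."""
    gaps = [f"missing {field}" for field in REQUIRED
            if not (row.get(field) or "").strip()]
    for addr in filter(None, (row.get("ip_addresses") or "").split(";")):
        try:
            # Accepts single hosts and CIDR ranges; strict=False allows host bits.
            ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError:
            gaps.append(f"invalid address {addr.strip()}")
    return gaps


def plan_onboarding(csv_text):
    """Split records into ready (ordered by tier, critical first) and blocked."""
    ready, blocked = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gaps = find_gaps(row)
        if gaps:
            blocked[row["name"]] = gaps
        else:
            ready.append((int(row["tier"]), row["name"]))
    return [name for _, name in sorted(ready)], blocked


if __name__ == "__main__":
    ready, blocked = plan_onboarding(SAMPLE_EXPORT)
    print("Onboard in this order:", ready)
    for name, gaps in blocked.items():
        print(f"Resolve before onboarding {name}: {', '.join(gaps)}")
```

Records with no owner are held back deliberately: an application onboarded without a confirmed owner has nobody accountable for approving its connectivity later.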

Step 2: Verify SecureApp user roles and permissions

Before you start working in SecureApp, verify that SecureApp users are assigned the correct roles and permissions.

SecureChange and SecureApp use predefined roles, while administrators can also create custom roles with specific permissions.

  • Use SecureChange's Users to verify roles and permissions.

See Configuring and assigning user roles.

Step 3: Onboard applications and resources in SecureApp

Use the prepared application data to create the application in SecureApp, add or import the required resources, and assign the appropriate application owners.

Onboarding moves the application from offline preparation into active management in SecureApp, so you can define connectivity, validate policy alignment, and manage changes.

Select an onboarding method

Choose how to add the application data to SecureApp based on the volume of data and the level of automation required:

  • Individual: Add applications manually one at a time directly in the SecureApp UI.

  • Bulk import: Import application data from a CSV file or template.

  • API integration: Use the SecureApp API to automate data import from existing systems.

See Importing and exporting SecureApp data.

Create application and add supporting resources

Create the application in SecureApp, then add or import the associated servers, services, and users.

This step establishes the application record and the supporting objects required for interface and connection modeling.

See:

Creating an application

Manually creating application resources

Define application ownership and permissions

After creating the application, assign the appropriate owners and define who can view or edit the application and its resources.

  • Assign view/edit permissions per application for individual users or LDAP groups.

  • Control access using application-level permissions or resource-level ownership (for example, for shared servers).

See:

Creating users or user groups

Importing LDAP groups

Step 4: Build application interfaces and connections

After creating the application and defining resources and ownership, build the application's interfaces and connections.

  • Use SecureApp's Applications to select an application, and then define interfaces and connections.

Build application interfaces

Build the interfaces exposed by the application, such as web services, and the interfaces it connects to, such as databases and other applications. Publish each interface to make it available to other applications.

See:

Building interfaces to an application

Building an application interface

Build application connections

Build the application's connectivity by:

  • Selecting the source, service, and destination resources

  • Specifying the required protocols and ports

  • Linking the relevant servers, services, and users

See:

Managing application connections

Defining new application connections

Step 5: Validate compliance, connectivity, and dependencies

Run the built-in SecureApp calculations to validate that the application’s required access is policy-compliant and functional. Use these calculations to review USP compliance, confirm connectivity paths, and identify dependencies on other applications.

Calculate USP compliance violations

Identify compliance violations against organizational security policies, based on the Unified Security Policy (USP) defined in SecureTrack.

  • Go to Applications, select the application, and then click Connectivity > Compliance.

See Checking security compliance.

Confirm topology connectivity

Review all connections to the application to confirm topology paths, including associated cloud instances and devices with explicitly defined connections.

  • Go to Applications, select the application, and click Connectivity Map.

See View connectivity Map.

Review application dependencies

Review dependencies to identify links between the application and other applications.

  • Go to Applications, select the application, and click Dependencies.

See Visualize application dependencies.

Step 6: Integrate with SecureChange

For each connection, open a SecureChange ticket directly from SecureApp.

After you build or update the application connections, create a SecureChange ticket directly from SecureApp to implement the required changes on your firewalls. SecureApp automatically enters the connection details into the Access Request fields, and you can track ticket progress in SecureApp.

You can create tickets for the following and track their status in SecureApp:

  • Change validation

  • Risk analysis

  • Auto-verification

Create tickets in SecureApp

  • Go to Applications, select the application, and click Connectivity > Create Ticket.

See Implementing connections with SecureChange.

Step 7: Associate cloud resources with applications

Use Cloud Console to associate cloud-based resources with applications. You can manually associate VM instances with an application or automatically associate them by specifying the VM tag that contains the SecureApp application name.

  • Use SecureApp's Cloud Console to associate cloud resources with the application.

See Managing cloud resources.

Step 8: Migrate applications

Applications move through different environments before they are released into production. Instead of rebuilding the application definition in each environment, use SecureApp's migration capabilities to migrate the application.

SecureApp supports application lifecycle automation for repeated migrations, and it also supports template-based migration as a reusable baseline. When migration results in connectivity changes, submit those changes through SecureChange.

There are two ways to migrate applications:

  • Use application lifecycle automation

  • Create a template to use as a baseline when configuring or creating the application

See:

Application lifecycle automation

Migrating an application

Remigrating an application

Creating and using templates

Step 9: Define self-service application access

In some cases, users who are not application owners or editors need predefined types of access to an application. The application owner can define this connectivity in SecureApp and allow users to submit application access requests through the Application Access Portal. Application owners then review and process those requests in SecureApp.

  • Use SecureApp's Applications.

See:

Defining access to an application

Requesting access to an application

Processing self-service requests