US12489790B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12489790-B2 |
| Application number | US-202117375378-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 14, 2021 |
| Priority date | Feb 10, 2017 |
| Publication date | Dec 2, 2025 |
| Grant date | Dec 2, 2025 |
Abstract
Systems and methods for microsegmentation include receiving network communication information that describes flows between hosts in a network and applications executed on the hosts; generating a network communication model based on the network communication information that labels flows; and providing policies to the hosts based on the network communication model, where the policies cause performance of a set of actions, locally at a host, on any of the flows based on corresponding labels. The labels are one of healthy and unhealthy. The set of actions includes blocking, allowing, and allowing for a period of time before confirmation.
Claims
What is claimed is:

1. A method comprising: receiving network communication information that describes flows between hosts in a network and applications executed on the hosts; generating a network communication model based on the network communication information, wherein the generating the network communication model comprises automatically selecting, from among a plurality of available constraints, one or more constraints comprising at least human readability or human modifiability, and applying the selected constraints to produce labeled network flows in the network communication model; and providing policies to the hosts based on the network communication model where the policies cause performance of a set of actions, locally at a host, on any of the flows based on corresponding labels, wherein the policies are provided to the host based on one or more automatically generated microsegments defined by an identity-based protection policy at a workload, the workload is application-centric and independent of a network structure and configured to enable granular security via the microsegments.
2. The method of claim 1, wherein the labeled network flows are one of healthy and unhealthy.
3. The method of claim 1, wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
4. The method of claim 1, wherein the labeled network flows are one of healthy and unhealthy, and wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
5. The method of claim 1, wherein the policies are configured to govern a connection between the one or more microsegments on the network by applying granular security controls at a workload level, the connection defined by an east-west connection.
6. The method of claim 1, wherein the labeled network flows are multiple sequential flows combined into a single flow and are internal workload communications defining east-west traffic.
7. The method of claim 1, further comprising providing output to a user representing the one or more microsegments; receiving policy decisions for hosts based on the set of actions; and performing a reconciliation that can include causing termination of a flow after being allowed.
8. A non-transitory computer-readable medium having computer program instructions stored thereon, the computer program instructions being executable by at least one computer processor communicatively coupled to a network to perform steps of: receiving network communication information that describes flows between hosts in the network and applications executed on the hosts; generating a network communication model based on the network communication information, wherein the generating the network communication model comprises automatically selecting, from among a plurality of available constraints, one or more constraints comprising at least human readability or human modifiability, and applying the selected constraints to produce labeled network flows in the network communication model; and providing policies to the hosts based on the network communication model where the policies cause performance of a set of actions, locally at a host, on any of the flows based on corresponding labels, wherein the policies are provided to the host based on one or more automatically generated microsegments defined by an identity-based protection policy at a workload, the workload is application-centric and independent of a network structure and configured to enable granular security via the microsegments.
9. The non-transitory computer-readable medium of claim 8, wherein the labeled network flows are one of healthy and unhealthy.
10. The non-transitory computer-readable medium of claim 8, wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
11. The non-transitory computer-readable medium of claim 8, wherein the labeled network flows are one of healthy and unhealthy, and wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
12. The non-transitory computer-readable medium of claim 8, wherein the policies define microsegments on the network.
13. The non-transitory computer-readable medium of claim 8, wherein the labeled network flows are internal workload communications.
14. The non-transitory computer-readable medium of claim 8, wherein the steps further include receiving policy decisions for hosts based on the set of actions; and performing a reconciliation that can include causing termination of a flow after being allowed.
15. A system comprising at least one processor and memory storing instructions that, when executed, cause the at least one processor to: receive network communication information that describes flows between hosts in a network and applications executed on the hosts; generate a network communication model based on the network communication information, wherein the generating the network communication model comprises automatically selecting, from among a plurality of available constraints, one or more constraints comprising at least human readability or human modifiability, and applying the selected constraints to produce labeled network flows in the network communication model; and provide policies to the hosts based on the network communication model where the policies cause performance of a set of actions, locally at a host, on any of the flows based on corresponding labels, wherein the policies are provided to the host based on one or more automatically generated microsegments defined by an identity-based protection policy at a workload, the workload is application-centric and independent of a network structure and configured to enable granular security via the microsegments.
16. The system of claim 15, wherein the labeled network flows are one of healthy and unhealthy.
17. The system of claim 15, wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
18. The system of claim 15, wherein the labeled network flows are one of healthy and unhealthy, and wherein the set of actions include blocking, allowing, and allowing for a period of time before confirmation.
19. The system of claim 15, wherein the policies define microsegments on the network.
20. The system of claim 15, wherein the labeled network flows are internal workload communications.
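The enforcement behaviour the abstract and claims 1, 3, 7 and 14 describe, as an added example that is not code from the patent: a host-local enforcer takes labels ("healthy"/"unhealthy") from a network communication model, maps them to block, allow, or allow-for-a-period-before-confirmation, and a reconciliation step terminates flows that were already allowed. The workload identities, model entries and grace period are constructed sample values.

```python
# Added example (not from the patent): a host-local enforcer with the behaviour
# the abstract and claims describe. Labels come from a network communication
# model; flow identities, model entries and timings are constructed samples.
from dataclasses import dataclass, field
HEALTHY, UNHEALTHY = "healthy", "unhealthy"
BLOCK, ALLOW, ALLOW_PENDING = "block", "allow", "allow_pending_confirmation"
GRACE_SECONDS = 300  # how long an unlabelled flow may run before confirmation

@dataclass(frozen=True)
class Flow:
    src_app: str   # workload identities, not addresses: the policy is
    dst_app: str   # application-centric and independent of network structure
    dst_port: int

# Constructed model: labels for east-west flows observed between workloads.
MODEL = {
    Flow("web", "api", 8443): HEALTHY,
    Flow("api", "db", 5432): HEALTHY,
    Flow("web", "db", 5432): UNHEALTHY,  # web tier must not reach db directly
}

@dataclass
class HostEnforcer:
    model: dict
    now: float = 0.0
    pending: dict = field(default_factory=dict)    # flow -> confirmation deadline
    terminated: list = field(default_factory=list)
    def decide(self, flow: Flow) -> str:
        label = self.model.get(flow)
        if label == UNHEALTHY:
            return BLOCK
        if label == HEALTHY:
            return ALLOW
        # Unlabelled flow: allow it for a period of time before confirmation.
        self.pending.setdefault(flow, self.now + GRACE_SECONDS)
        return ALLOW_PENDING

    def confirm(self, flow: Flow, label: str) -> None:
        """Policy decision for a pending flow arrives (e.g. from an operator)."""
        self.model[flow] = label
        if self.pending.pop(flow, None) is not None and label == UNHEALTHY:
            self.terminated.append(flow)  # terminate a flow already allowed

    def reconcile(self, now: float) -> list:
        """Terminate provisional flows whose confirmation deadline has passed."""
        self.now = now
        expired = [f for f, dl in self.pending.items() if now >= dl]
        for f in expired:
            del self.pending[f]
            self.terminated.append(f)
        return expired
```

A real deployment would feed `MODEL` from the learned network communication model and call `reconcile` on a timer; here both are driven by hand.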
CPC classification titles:

- to a system of files or objects, e.g. local or distributed file system or database
- by securing the transmission between two devices or processes
- Entity profiles
- for supporting lawful interception, monitoring or retaining of communications or communication related information (circuit switched telephony call monitoring H04M3/2281)
- Rule management