Elisity is the only cloud delivered and cloud native identity-based microsegmentation solution that offers a policy plane actionable at the edge of the network.
Introduction
Thank you for your interest in Elisity Microsegmentation. Our solution aims to reduce the complexity that is commonly associated with deploying true microsegmentation in brownfield environments. Forrester said in The Forrester Wave™: Microsegmentation Solutions, Q3 2024 that we are in the Golden Era of Microsegmentation. With minimal prerequisites and the ability to leverage existing access-layer switching hardware, we are transforming the way dynamic edge segmentation is achieved. Elisity provides an intelligent and robust policy language based on identity and context rather than location or IP address, and it is fully applicable to users, applications, and devices no matter who or what they are or where they might show up on the network.
Components of Elisity
The Elisity solution is a true software-defined network security platform, ensuring that the control and data plane are separate and independent of each other. Elisity has developed a robust control and policy plane that can scale at the enterprise level and provide unparalleled flexibility, performance, and security. The Elisity policy plane offers the industry the most comprehensive identity-based policy language while also achieving simplicity in its deployment and management methodology. The combined components of the Elisity architecture establish a holistic and continuously verified secure network that addresses every possible network-based vulnerability in the enterprise.
There are several primary components:
Cloud Control Center - centralized policy management, visibility, and integration console
IdentityGraph - The single source of truth for asset identities on your network
Virtual Edge - controllers for policy enforcement points that translate data and policy between switches and Cloud Control Center
Virtual Edge Nodes - access layer switches transformed into policy enforcement points
Elisity Cloud Control Center
Elisity Cloud Control Center is the management, control, and policy plane for Elisity. An administrator logs into the Cloud Control Center portal to provision, manage, and monitor the Elisity fabric and all identity or cloud service provider platform integrations (Active Directory, AWS, Claroty, Medigate, ServiceNow, etc.). Among many other things, Cloud Control Center also provides multi-domain asset discovery and identity mapping and presents identity behavior analytics to the end user. Within this portal, the network security administrator builds advanced contextual and identity-based policies that immediately harden the edge of the entire enterprise network. Lastly, Cloud Control Center orchestrates applying these policies across all components of the Elisity architecture through a secure TLS-based control channel. A dedicated Cloud Control Center is spun up on a per-customer basis and hosted as a service by Elisity. Cloud Control Center is based on a cloud-native distributed microservices architecture designed to scale horizontally and dynamically to meet the demands of large enterprises.
Within Cloud Control Center, users can leverage the identity data gleaned about all assets discovered on the network to easily deploy policy using our Graphical Policy Visualization Matrix. Users can also make policy decisions based on learned traffic flows from the Traffic Visualization Matrix.
Devices Page
The Device Dashboard serves as a comprehensive inventory of all discovered devices within your network.
Inventory Management: Easily manage and keep track of discovered devices by employing sorting and filtering criteria tailored to your needs.
Asset Insights: Clicking on a device opens the "Asset Details" view, offering a wealth of information about the device, including data we've collected, telemetry data, and policies associated with the device.
See Connectors for Each Device: The Connectors column shows which connectors have contributed enriched data for each device.
Filter Device Views: Filter devices by Site Label, Online Status, Type, active Connectors and more with a single click. Essentially any attribute field for a device can be filtered here.
Save Custom Filters: You can save custom filters on the Device page and load frequently used filters with a single click. This feature is also available on other pages within the UI, including the Policy Group and Virtual Edge pages.
Policies Page
The Policies Dashboard serves as the central hub for crafting, overseeing, and deploying Policy Groups and Policies. While there are numerous features packed into this dashboard, let's focus on two key processes:
- Policy Group Creation: Design and configure Policy Groups to suit your network's unique requirements. This step is vital for establishing a structured and effective network security policy framework.
- Policy Deployment: Utilize our Graphical Policy Visualization Matrix to deploy policies seamlessly. This visual representation of deployed Policy Groups and their associated policies simplifies the deployment process.
Our Policy Matrix offers two modes:
- Graphical Policy View: This mode enables you to deploy policies between groups with just a few clicks, streamlining the policy deployment process for increased efficiency.
- Traffic Flow View: Switching to this mode grants you a visual representation of observed traffic flows between Policy Groups. You can interact with colored cells to access detailed flow information and deploy policies based on this valuable data.
Active Directory Users
The User Dashboard is your gateway to a comprehensive view of all imported users, courtesy of our integrated Identity Provider (IdP), which, in this case, is Active Directory. Here's how you can make the most of this dashboard:
- Organized User Data: Within this dashboard, user data is neatly organized and presented in a tabular format. You have the option to sort, filter, and explore data with ease.
- Asset Details: By clicking on a user's name, you can dive deeper into the Asset Details window, which provides a holistic view of all available data related to that user. This includes login event history, current login status, policies, and other vital traffic flow information.
- Login Insights: Keep track of user login events and their current login status directly from this dashboard, allowing you to monitor user activity efficiently.
IdentityGraph™
At the heart of Elisity's pioneering approach to network security and management is IdentityGraph™.
What is IdentityGraph? Identity Graph is an intricate map that provides a holistic view of every entity in your network ecosystem. It doesn't just see devices or users; it perceives relationships, roles, and patterns. In essence, it translates the raw, complex data of your network into a comprehensible visual story.
How Does it Work? The power of Identity Graph lies in its ability to constantly evolve. As devices and users interact, the graph adjusts, learning and refining its understanding. This adaptability ensures that you're not just seeing a static snapshot of your network but a dynamic, real-time portrayal of its state.
Why is it Pivotal to the Elisity Experience? Here's where the real magic happens:
- User Dashboard: When you glance at the User Dashboard, what you're seeing is a distilled, user-centric view from the Identity Graph. It provides a clear, concise snapshot of who is on your network, their roles, their behaviors, and any potential risks they might represent.
- Device Dashboard: Similarly, the Device Dashboard offers a lens into the devices' perspective of the Identity Graph. Whether it's a trusted workstation or a newly connected IoT device, you'll get a complete picture of every device's activity, security posture, and identity data discovered through our robust Identity Engine.
- Policy Creation in the Matrix: Beyond just understanding your network, the Identity Graph empowers you to act. When creating policies in the matrix, the insights derived from the Identity Graph ensure that your policies are not based on mere guesswork. Instead, they're sculpted from a deep understanding of the user-device relationships, interactions, and historical patterns. This means your policies are precise, effective, and adaptive.
Identity Graph is not just a feature; it's at the core of the Elisity solution. It embodies the fusion of dynamic and intelligent device discovery with action, providing enterprises with clarity and precision in the complex world of network management.
Elisity Virtual Edge
Elisity Virtual Edge is a secure virtual appliance running Elisity software to provide both east-west and north-south identity-based zero trust control and microsegmentation at the network edge. Once deployed, Elisity Virtual Edge gleans identity metadata from traffic flows, collects flow analytics, and detects IT/OT/IoT/IoMT devices. This information is shared with Cloud Control Center, where additional identity and policy classification occurs. Through a secure Elisity control channel, a policy is distributed to the appropriate Virtual Edges in the network, which in turn enforce it using switch-native functionality on the access switch closest to the endpoint.
For more information on design options for deploying Elisity Virtual Edge, click here.
Virtual Edge is the primary deployment methodology for campus and large branch customers. There are multiple ways to insert Elisity Virtual Edge into your network: hosting the software directly on switches using their native, built-in application hosting functionality, or hosting the software as a VM on your hypervisor of choice and onboarding switches to the Virtual Edge VM. Elisity Virtual Edge (switch hosted) is a container-based solution that allows an organization to run Elisity software directly on edge switches or aggregation layer switches deployed across the enterprise network. Virtual Edge can be installed on supported network switches with application hosting capabilities (e.g., Cisco, Extreme Networks, Arista). Virtual Edge VM (hypervisor hosted) can be run as a VM anywhere in the network with control and data connections to compatible switches. The Virtual Edge code can glean identity metadata, learn device/user/application behavior, and configure switch-native access controls based on Elisity Policy.
Elisity Virtual Edge Node
Elisity can transform your supported switches into policy enforcement points with minimal friction. All you need to begin onboarding Virtual Edge Nodes (VENs) is a Virtual Edge deployed anywhere in your network with connectivity to the switches you want to onboard. It's then as simple as loading a few required configurations on the switch and entering the network address and credentials for your desired switches. Many Virtual Edge Nodes can be "controlled" by the same Virtual Edge, and you can onboard many VENs with one click using the bulk-onboarding functionality. The flexibility and ease of deployment of this model is unparalleled, and many of our customers are surprised at just how easy and fast it is to deploy Elisity.
Learn more about Virtual Edge Nodes by reading any of these articles.