Policy Groups are the building blocks of Elisity microsegmentation. They group assets, either dynamically or statically, so that every asset in a group receives the same level of cybersecurity treatment.
Policy Groups
A Policy Group is a core building block of the Elisity policy architecture and allows an administrator to group together multiple users, devices or applications based on match criteria. Policy Groups can also be used to define custom IP ranges to be treated as policy endpoints. The policy group can then be referenced during policy creation as a source or destination entry, effectively simplifying and avoiding policy sprawl.
Default Policy Groups
Cloud Control Center is delivered with several pre-built Policy Groups, including Unassigned and InternetPG.
Unassigned is a catch-all Policy Group for any user, device or application that does not match any explicit customer-defined Policy Group. This allows customers to secure any asset on the network that is unidentified, or that does not yet have a Policy Group defined.
Note: The Unassigned PG applies to any device not classified by Elisity. This includes upstream devices north of the policy enforcement point. Use caution when deploying DENY policies to the Unassigned Policy Group; used improperly, this can block critical functions such as DNS.
InternetPG is a modifiable Static Policy Group that defines external subnets as a policy endpoint, effectively controlling any traffic destined for network addresses in those defined subnets with policy.
Types of Policy Groups
There are two types of Policy Groups that are used to meet two specific use cases:
Dynamic Policy Groups
These Policy Groups dynamically group assets (users and devices) using identity to be used as policy endpoints. Dynamic means that as assets are discovered and evaluated by our policy engine, they are assigned to these policy groups using a holistic view of the policy group structure you have built including context of Policy Group order (precedence), match criteria using a variety of attributes, and if an asset is known by your AD or CMDB.
Static Policy Groups
Statically define IP addresses or subnets to be used as policy endpoints. Subnets can be defined from /1 all the way down to individual hosts at /32. These Policy Groups always take lower precedence than dynamic PGs during policy evaluation.
Note: Because assets are assigned to Static PGs based on IP address, a device that goes offline (loses its IP address) will show as unclassified until an IP address can again be associated with that device. This applies only to Static Policy Groups.
Baseline Policy Groups
There are a handful of Policy Groups that we ship with Cloud Control Center as standard or "baseline" Policy Groups for IT and IoT devices. These are completely modifiable and serve to group the most common IT and IoT devices that we find in customer environments into Policy Groups. This provides customers the ability to see assets auto-classify into Policy Groups upon discovery when deploying Elisity in their environments. Custom PGs need to be built for all IoMT, OT, or unique IT/IoT devices that are expected on the network.
Creating Policy Groups
Dynamic Policy Group
In the following example a policy group is being created that matches users that are a part of the Physicians AD group AND are connecting to the network using a laptop. This policy group will later be referenced as a source or destination on the Policy Matrix when creating a policy.
To create this policy group, navigate to the Policy section on the left pane in Cloud Control Center, select Policy Groups on the top menu bar and then select Add Policy Group.
We will give our Policy Group a name that aligns with the rest of our naming conventions, and insert a brief description. Select "Dynamic Assets" for Asset Type, and we can begin to select our match criteria.
First we will match on the User AD Group 'physicians'. Navigate to the user match criteria section and click "AD Group".
Note that only AD groups that already exist in Active Directory can be matched; type the first three letters of the group you want to match on to query Active Directory for available groups.
Next we will match on Device Type -> Laptop. To do this, click Add New Criteria on the right hand side and set your match criteria.
The result should show that the policy group matches users in the Physician AD group and devices that are Laptops. Note that AND operation logic is displayed because of the cross-asset category definition. Anything currently known by Elisity matching the policy group criteria can be viewed by clicking the number next to "Matched Assets" just above your Matched Criteria box. Remember to Deploy the policy group once completed. Deploy means that the Policy Group is built and stored in Cloud Control Center and is also available to be leveraged in policy match criteria.
To review or edit the policy group configuration, select the policy group name. You can also edit and delete the policy group by selecting the three dots (more options) on the right hand side.
Note: You cannot delete a Policy Group until you have first deleted all policies associated with that Policy Group. If you have not yet deployed a policy, this will make more sense in the next section.
Policy Group Reordering Mode - Establishing Order of Precedence
In some cases, assets can match to multiple Policy Groups. You may have created a broad Policy Group that matches on Device Genre = IoT. If you then create other IoT Policy Groups that are narrower and more granular matching on Device Type, or any other match criteria, you may be questioning which Policy Group takes precedence. We have made this simple with our Policy Group Reordering Mode.
Policy Group Reordering only applies to dynamic Policy Groups. Static Policy Groups always have lower precedence than dynamic Policy Groups, and among Static Policy Groups the most specific prefix match always wins.
Default Order of Precedence = Order of PG Creation
When you begin creating Policy Groups, the order in which they were created is the order of precedence by default. This means if a classified asset can match multiple Policy Groups, it will match to whichever Policy Group was created first. The left hand column gives a numbered Policy Group order.
You can re-order this list by clicking REORDERING MODE in the top right of the Policy Group dashboard. You can then drag and drop using the (6 dot) handles on the left, or you can manually specify the order by selecting which Policy Groups you want to re-order and clicking the "Specify Order" button.
After clicking specify order, you can select a PG and click the up or down arrow. You can also select the number field and type in a unique number to re-order the PG.
Note that if you attempt to move a PG to a different slot such as '3', you will have to re-order whatever PG is located in slot 3.
After creating a new Policy Group or re-ordering, the matched assets category will show 'processing' on all affected Policy Groups while assets are re-assigned based on match criteria and Policy Group order.
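The classification rules described in the two sections above (dynamic PGs evaluated in precedence order, static PGs consulted only afterwards with the most specific prefix winning, offline assets with no IP address left unclassified, and Unassigned as the catch-all) can be modelled in a few lines. The following is an added example and not Elisity's own code; the group names, asset attributes and prefixes are constructed for illustration.

```python
# Added example, not Elisity code: a model of the Policy Group classification rules on this page.
from ipaddress import ip_address, ip_network

class DynamicPG:  # criteria across asset categories (user AND device) combine with AND
    def __init__(self, name, criteria):
        self.name, self.criteria = name, criteria   # e.g. {"device_type": "Laptop"}
    def matches(self, asset):
        return all(asset.get(k) == v for k, v in self.criteria.items())
class StaticPG:  # a set of prefixes (/1 up to /32) matched on the asset's IP address
    def __init__(self, name, prefixes):
        self.name, self.prefixes = name, [ip_network(p) for p in prefixes]
    def longest_prefix(self, ip):
        return max((n.prefixlen for n in self.prefixes if ip in n), default=None)
def classify(asset, dynamic_order, static_pgs):
    """Dynamic PGs are tried in precedence order (first match wins). Static PGs are consulted
    only when no dynamic PG matches, most specific prefix first; anything else is Unassigned."""
    for pg in dynamic_order:
        if pg.matches(asset):
            return pg.name
    best = None
    if asset.get("ip"):                      # offline asset: no IP, so it cannot match a static PG
        ip = ip_address(asset["ip"])
        for pg in static_pgs:
            plen = pg.longest_prefix(ip)
            if plen is not None and (best is None or plen > best[0]):
                best = (plen, pg.name)
    return best[1] if best else "Unassigned"

# Constructed groups: a broad IoT PG was created before a narrower camera PG
IOT_ALL = DynamicPG("IoT-All", {"device_genre": "IoT"})
IOT_CAMERAS = DynamicPG("IoT-Cameras", {"device_genre": "IoT", "device_type": "IP Camera"})
PHYS_LAPTOPS = DynamicPG("Physician-Laptops", {"ad_group": "physicians", "device_type": "Laptop"})
STATIC = [StaticPG("InternetPG", ["0.0.0.0/1", "128.0.0.0/1"]),   # illustrative prefixes only
          StaticPG("Lab-Subnet", ["10.20.0.0/16"])]

def demo():
    creation_order = [IOT_ALL, IOT_CAMERAS, PHYS_LAPTOPS]     # default precedence = creation order
    reordered = [IOT_CAMERAS, IOT_ALL, PHYS_LAPTOPS]          # after Reordering Mode
    camera = {"device_genre": "IoT", "device_type": "IP Camera", "ip": "10.20.9.1"}
    physician = {"ad_group": "physicians", "device_type": "Laptop", "ip": "10.20.5.7"}
    return {
        "camera_default": classify(camera, creation_order, STATIC),        # "IoT-All"
        "camera_reordered": classify(camera, reordered, STATIC),           # "IoT-Cameras"
        "dynamic_beats_static": classify(physician, reordered, STATIC),    # "Physician-Laptops"
        "most_specific_prefix": classify({"ip": "10.20.5.7"}, reordered, STATIC),  # "Lab-Subnet"
        "internet": classify({"ip": "8.8.8.8"}, reordered, STATIC),        # "InternetPG"
        "offline": classify({"ip": None}, reordered, STATIC),              # "Unassigned"
    }
```

The camera lands in the broad group under creation order and in the narrower group only after reordering, which is exactly the situation Reordering Mode exists to resolve.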