Cloud Control Center can validate a device’s existence in a particular Identity integration before trusting it and assigning it to a policy group, adding an additional layer of security verification.
This article details all of the trust attributes currently supported and how they can be leveraged for Policy Group Definition.
Utilizing "Known In" Trust Attribute
Upon detecting a new device on the network through Elisity's native identity engine, IdentityGraph queries all active identity connectors for additional information. If any connector recognizes the device, IdentityGraph automatically marks it as "Known in" the respective connectors.
You can inspect the "known in" status by navigating to the device's IdentityGraph page and exploring the Trust Attributes section.
Besides enriching the device's attributes with extra data from the identity connectors, the "known in" status is used in policy group formulation to determine whether a device is eligible for inclusion in the Policy Group. If a "known in" Trust Attribute is used as a match criterion in the Policy Group definition, the device's "known in" flag for that integration must be "Yes" for the device to be included in the Policy Group and governed by the corresponding policies.
If multiple "known in" items are selected, the device must be recognized in all of the chosen identity integrations to be classified into the Policy Group; being known in only some of them is not sufficient.
Trust Attribute functionality is currently supported with the following integrations:
- Active Directory
- Claroty xDome
- Palo Alto IoT Security
Utilizing Manually Verified Trust Attribute
By manually verifying assets within the Cloud Control Center, admins can confirm the authenticity of devices and establish their association with the organization. This feature becomes especially valuable when building highly secure policy groups for critical assets, ensuring that only assets that have undergone rigorous admin review can access these sensitive resources. With the ability to establish trust and control over verified devices, organizations can reinforce their security posture and minimize the risk of unauthorized access to their most crucial assets.
To leverage the "Manually Verified" match criterion, first add it to your policy group. It can be found under "Trust Attributes" for Devices.
Next, review the assets you want to permit into this Policy Group. Find each device in Cloud Control Center, verify it, and edit the device by clicking the three dots and selecting Edit.
Select the "Manually Verified" box for the asset to be permitted into the Policy Group. If this box is unchecked, the asset cannot be included in the verified Policy Group.
Utilizing Unverified Trust Attribute
Note that if a device is not recognized by any active Identity Connector, IdentityGraph labels it as "Unverified." This status can be viewed by navigating to the device's IdentityGraph page and examining the Trust Attributes section.
The "Unverified" status can itself serve as a match criterion when defining Policy Group Trust Attributes, for example to group devices that no identity source can vouch for so they can be restricted until they are reviewed.
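The following is an added example, not Elisity's code, that models the eligibility rules described in the "Known In", "Manually Verified" and "Unverified" sections above: a device's trust attributes are derived from which connectors recognize it, and a policy group's Trust Attribute match criteria are evaluated against them (all selected "known in" integrations must match). The connector membership data and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which devices (by MAC) each active identity
# connector recognizes. This stands in for live connector queries.
CONNECTOR_DIRECTORIES = {
    "Active Directory": {"00:11:22:33:44:55"},
    "Claroty xDome": {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"},
    "Palo Alto IoT Security": set(),
}


@dataclass
class TrustAttributes:
    """Hypothetical model of the Trust Attributes shown on a device's IdentityGraph page."""
    known_in: dict            # connector name -> "Yes" / "No"
    unverified: bool          # True when no active connector recognizes the device
    manually_verified: bool   # set by an admin via the "Manually Verified" checkbox


def build_trust_attributes(mac, manually_verified=False, active=None):
    """Derive trust attributes for one device from the active connectors."""
    active = CONNECTOR_DIRECTORIES if active is None else active
    known_in = {name: ("Yes" if mac in members else "No")
                for name, members in active.items()}
    # "Unverified" means not known in any connector at all.
    unverified = all(flag == "No" for flag in known_in.values())
    return TrustAttributes(known_in, unverified, manually_verified)


def matches_policy_group(attrs, known_in_required=(),
                         require_manually_verified=False,
                         require_unverified=False):
    """Evaluate a policy group's Trust Attribute match criteria for one device."""
    # Every selected "known in" integration must report "Yes" (AND semantics).
    if any(attrs.known_in.get(name) != "Yes" for name in known_in_required):
        return False
    # Admin review is a hard requirement when the criterion is selected.
    if require_manually_verified and not attrs.manually_verified:
        return False
    # The "Unverified" criterion only admits devices no connector knows.
    if require_unverified and not attrs.unverified:
        return False
    return True
```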