Leveraging Trust Attributes for Policy Group Definition

Cloud Control Center can validate a device’s existence in a particular Identity integration before trusting it and assigning it to a policy group, adding an additional layer of security verification.

This article details all of the trust attributes currently supported and how they can be leveraged for Policy Group Definition. 


Understanding Trust Attributes in IdentityGraph

The Trust Attributes section in Elisity Cloud Control Center (CCC) provides visibility into how a device is identified and validated across different identity sources. It enhances security by ensuring a device is recognized in a trusted identity system before being assigned to a Policy Group.

How Trust Attributes Work

When IdentityGraph detects a new device, it queries all active identity connectors to determine if the device exists in any external system. Devices are categorized as follows:

  • Manually Verified: An administrator has explicitly marked the device as trusted.
  • Unverified: The device is not validated by any identity connector.
  • Identity Connector Tiles: Each configured connector (e.g., Claroty, CrowdStrike, Active Directory, Armis, ServiceNow) appears as an interactive tile, displaying the device’s status.

A device "Known In" a connector means it has been identified by that system, whereas "Not Known" connectors appear greyed out.

Managing Trust Attributes

Administrators can interact with trust attributes through each connector tile's menu:

  • Refresh Attributes – Queries the connector for updated trust data.
  • Purge Attributes – Clears previously retrieved attributes for the device.

Refreshing attributes across all connectors is also possible via the refresh button at the top of the Trust Attributes section.

Manually Verified vs. Unverified Devices

  • Manually Verified: Allows an administrator to override connector validation and trust a device, even if it isn’t registered in an external system. This is useful for critical devices that lack system records or experience identity sync delays.
  • Unverified: This is an automatically assigned attribute when no identity connector recognizes the device. This status remains unless the device is later identified by a connector or manually verified.

Impact on Policy Group Formulation

The "Known In" status directly affects Policy Group assignments:

  • A device must be recognized by at least one required connector to be included in a Policy Group.
  • If multiple "Known In" conditions are specified, a device must match all selected identity integrations.
  • Manually Verified devices can still qualify for Policy Groups if they meet other conditions.
  • Unverified devices may be excluded if external validation is required.

By leveraging Trust Attributes, security teams improve context-aware policy enforcement, ensuring precise and adaptive segmentation across the network.

Trust Attributes are supported for the majority of integrations offered by Elisity, as seen in the image below.

With these enhancements, administrators have greater control over device trust status and segmentation enforcement. By leveraging Trust Attributes effectively, organizations can ensure that only properly identified and validated devices gain network access according to their policies.


Utilizing Manually Verified Trust Attribute

By manually verifying assets within the Cloud Control Center, admins can confirm the authenticity of devices and establish their association with the organization. This feature becomes especially valuable when building highly secure policy groups for critical assets, ensuring that only assets that have undergone rigorous admin review can access these sensitive resources. With the ability to establish trust and control over verified devices, organizations can reinforce their security posture and minimize the risk of unauthorized access to their most crucial assets.


To leverage the "Manually Verified" match criteria, first add the match criteria to your policy group. This can be found under "Trust Attributes" for Devices.


Now review the assets you want to be permitted into this Policy Group. Find your devices in Cloud Control Center, verify each one, and edit the device by clicking the three dots and then Edit. Select the "Manually Verified" box for the asset to be permitted into the Policy Group. If this box is unchecked, the asset cannot be included in the verified Policy Group.


Utilizing Unverified Trust Attribute

It's crucial to note that if a device is unrecognized by any active Identity Connector, IdentityGraph labels it as "Unverified." This status can be viewed by navigating to the device's IdentityGraph page and examining the Trust Attributes section. 


The "Unverified" status can serve as a matching criterion when outlining Policy Group Trust Attributes.
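The following added example (not Elisity's code or API, and not part of this article) models the matching rules described above under "Impact on Policy Group Formulation" and in this section: multiple "Known In" conditions are ANDed, "Manually Verified" is an admin-set attribute, and "Unverified" is derived automatically and cleared once a connector identifies the device or an administrator verifies it. Device names and the sample inventory are constructed; the connector names are the ones this article lists.

```python
from dataclasses import dataclass, field
# Constructed model of the trust-attribute rules this article describes; an
# illustration for readers, not Elisity's own code or API.

@dataclass
class DeviceTrust:
    """Trust attributes IdentityGraph holds for one device."""
    known_in: set = field(default_factory=set)  # connectors the device is "Known In"
    manually_verified: bool = False              # admin checked "Manually Verified"

    @property
    def unverified(self) -> bool:
        # Assigned automatically when no connector recognizes the device; cleared
        # once a connector identifies it or an administrator verifies it.
        return not self.known_in and not self.manually_verified

@dataclass
class PolicyGroupCriteria:
    """Trust-attribute match criteria configured on a Policy Group."""
    known_in: set = field(default_factory=set)  # ANDed: device must match all
    require_manually_verified: bool = False
    match_unverified: bool = False

def matches(device: DeviceTrust, criteria: PolicyGroupCriteria) -> bool:
    """Return True if the device satisfies every trust criterion of the group."""
    if not criteria.known_in <= device.known_in:   # all selected integrations
        return False
    if criteria.require_manually_verified and not device.manually_verified:
        return False
    if criteria.match_unverified and not device.unverified:
        return False
    return True

def evaluate(devices: dict, criteria: PolicyGroupCriteria) -> dict:
    """Map each device name to whether it would be placed in the group."""
    return {name: matches(dev, criteria) for name, dev in devices.items()}

# Constructed sample inventory (device names are hypothetical).
SAMPLE_DEVICES = {
    "plc-01": DeviceTrust(known_in={"Claroty", "Active Directory"}),
    "cam-07": DeviceTrust(known_in={"Armis"}),
    "lab-pc": DeviceTrust(manually_verified=True),  # no connector record at all
    "iot-x": DeviceTrust(),                          # nothing knows it: Unverified
}

if __name__ == "__main__":
    ot_group = PolicyGroupCriteria(known_in={"Claroty", "Active Directory"})
    print(evaluate(SAMPLE_DEVICES, ot_group))
    print(evaluate(SAMPLE_DEVICES, PolicyGroupCriteria(match_unverified=True)))
```

Running it shows "cam-07" excluded from the OT group because it is known only in Armis, and "lab-pc" leaving the Unverified set the moment an administrator checks the box.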
