1. Help Center
  2. Getting Started

Introduction to Elisity Cognitive Trust

Elisity Cognitive Trust is the only Zero Trust and Software Defined Perimeter platform that offers a ubiquitous policy plane actionable at the edge of the network.

Introduction

Thank you so much for being so interested in Elisity Cognitive Trust. Our Cognitive Trust platform is the only Zero Trust and Software Defined Perimeter platform that offers a ubiquitous policy plane actionable at the network’s edge. Elisity Cognitive Trust provides an intelligent and robust policy language based on identity and context rather than location or IP and is fully applicable to users, apps, and devices no matter who or what they are or where they might show up on the network.

Components of Elisity Cognitive Trust

The Elisity Cognitive Trust solution is a true software-defined networking platform, ensuring that the control and data plane are separate and independent of each other. Elisity has developed robust control and data plane protocols to scale at the enterprise level and provide unparalleled flexibility, performance, and security. The Elisity Cognitive Trust policy plane offers the industry the most comprehensive identity-based policy language while also achieving simplicity in its deployment and management methodology. The combined components of the Elisity architecture establish a holistic and continuously verified secure network that addresses every possible network-based vulnerability in the enterprise.

architecture

Elisity Cloud Control Center

Elisity Cloud Control Center is the management, control, and policy plane for Elisity Cognitive Trust. An administrator logs into the Cloud Control Center portal to provision, manage and monitor the Elisity Cognitive Trust fabric and all identity or cloud service provider platform integrations (AD, Okta, AWS, etc). Among many other things, Cloud Control Center also provides multi-domain asset discovery and identity mapping and presents identify behavior analytics to the end-user. Within this portal, the network security administrator builds advanced contextual and identity-based policies that will immediately harden the edge of the entire network. Lastly, Cloud Control Center orchestrates applying these policies across all data plane components of the Elisity Cognitive Trust architecture through a secure TLS based control channel.  A dedicated Cloud Control Center is spun up on a per-customer basis and hosted as a service by Elisity. Cloud Control Center is based on a distributed microservices architecture designed to dynamically scale horizontally to meet the scale demands of large enterprises.

Elisity Connect Client

The Elisity Connect client is a lightweight agent that runs on an endpoint and facilitates the data plane connectivity to the Elisity Cognitive Trust fabric. Elisity Connect can be installed on many platforms, including Windows, macOS, Linux, and mobile devices, enabling a unified security experience. Elisity Connect dynamically connects to the closest Elisity Access Service (detailed further below) where policy can be applied and secure access to remote workloads on-premises and in the cloud is established. If IDP integration (i.e., Okta, PING ID, Azure AD) has been configured, a user can authenticate Elisity Cognitive Trust by single sign-on (SSO). Once a user or device is connected to Elisity Cognitive Trust through the Elisity Connect, Cloud Control Center provides detailed analytics about the user identity, application traffic flows, applied policies, and policy violations. The Elisity Connect client can be downloaded directly from the Cloud Control Center portal or the Elisity support web page.

Elisity Edge

Elisity Edge is a secure physical or virtual appliance running Elisity Cognitive Trust software to provide both east-west and north-south identity based zero trust control and segmentation at the network edge. The appliance offers a flexible deployment model and can be configured in either Layer 2 switched or Layer 3 routed mode. Elisity Edge is being provided in multiple form factors to meet port density and performance requirements. Elisity Edge supports a robust suite of layer two and layer three protocols such as STP, OSPF, and BGP for frictionless insertion to the enterprise network. Once deployed, Elisity Edge gleans identity metadata from traffic flows, collects flow analytics, and detects OT/IoT/IoMT devices. This information is shared with Cloud Control Center where additional identity and policy classification occurs. Through a secure Elisity control channel, a policy is distributed to Elisity Edges so that secure enforcement can happen at the edge closest to the endpoint. Elisity Edge supports Zero Touch Provisioning, a familiar CLI interface, and is monitored through the Cloud Control Center portal.

While the Elisity Edge maintains a persistent secure control connection to Cloud Control Center, it can also dynamically build secure data plane tunnels based on e-VXLAN to other Elisity Edges on-premises or in the cloud and EAS if deployed in Layer 3 routed mode. This dynamic data plane fabric provides seamless data forwarding over any underlay when desired.

Finally, Elisity Edge can be deployed as an instance in your cloud of choice to act as a secure application gateway to the rest of the Elisity Cognitive Trust fabric. An administrator simply onboards into CC the cloud where their applications reside and Cloud Control Center orchestrates the instantiation of a Elisity Cloud Edge in the application VPC as well as the control and data plane tunnels required to provide the same zero trust experience end to end. An administrator can then leverage native cloud service provider tags to group cloud-deployed applications together in policy logic.

Elisity Micro Edge

Micro Edge is the primary deployment methodology for campus and a large branch, customers. Elisity Micro Edge is a container-based solution that allows an organization to run Elisity Cognitive Trust software directly on edge switches deployed across the enterprise network. Micro Edge can be installed on supported network devices with application container capabilities  (i.e., Cisco, Extreme Networks, Cradlepoint, etc.). The Micro Edge code can glean identity metadata, configure switch native access controls based on Elisity Policy, and orchestrate data plane tunnels on the switch. The details of how Micro Edge integrates and operates are out of the scope of this design guide and will be explained in a future technical document.

Elisity Access Service

Elisity Access Service (EAS) is the component of the Elisity Cognitive Trust data plane that offers an optimal point-of-presence in the cloud for all remote users, branches, data centers, and devices. EAS can be an ingress point for remote users and devices running the EC client and provides a policy enforcement point closest to where the endpoint resides and secure access to workloads in the cloud and on-premise. EAS can be leveraged to onboard remote sites, data centers, and cloud workloads that are not currently running through an Elisity Edge by building and terminating standards-based IPsec tunnels with BGP for dynamic routing. Effectively, EAS can be used as a secure performance hub for access to applications no matter where they may be provisioned. EAS points-of-presence is dynamically spun up in multiple regions with the closest proximity to the endpoints so that the service is highly available and performant. EAS is based on a distributed microservices architecture designed to dynamically scale horizontally to meet the scale demands of large enterprises.

Design Guide

Elisity Micro Edge

Elisity Micro Edge code runs within a container on supported switches that offer application hosting. In this design, the Micro Edge code can glean identity information by receiving copies of particular protocol messages and metadata while enforcing policy at the edge using security functions native to the switch operating system. The Micro Edge maintains a persistent connection to Cloud Control Center and orchestrates a native data plane tunnel to EAS or other Elisity data plane forwarders.

Further details on how Micro Edge integrates and operates are out of the scope of this design guide and will be explained in a future technical document.

micro-edge

Elisity Edge Layer 2 Switched Mode

In this design, the Elisity Edge is placed as a “bump-in-the-wire” between the access switch and the distribution switch. As traffic passes from access to distribution, the Elisity Edge can glean identity through several mechanisms, including DHCP messages, MAC addresses, and HTTP/S metadata. Traffic going from one switch or VLAN to another switch or VLAN passes through the Elisity Edge, where policy can be enforced. Multiple Elisity Edges can be inserted in the same fashion for high availability, and link aggregation (LACP or static) is supported. Spanning-Tree Protocol is supported for environments with more complex L2 topologies and can aid in the avoidance of bridging loops. This design is depicted below:

l2-bump-in-wire

The Elisity Edge can be placed Layer 2 in-line between the wireless controller and the connected switch for WiFi-connected users. This design is depicted below:

l2-bump-in-wire-wireless-controller

Today, to achieve micro-segmentation, where users and devices on the same switch and in the same VLAN are bound by the policy when communicating with each other, you must connect the endpoints directly to the Elisity Edge. When endpoints are on the same switch and in the same VLAN, local switching occurs, essentially bypassing the Elisity Edge. Bridge groups are configured to forward frames from switch port to switch port. This design is depicted below:

l2-switching-mode-micro-seg

Alternatively, Elisity Micro Edge running on a container in a supported switch can provide micro-segmentation (see below).

Elisity Edge Layer 3 In-line Routed mode with FHRP (supported in an upcoming release)

In this design, the Elisity Edge is configured as a Layer 3 router in-line with OSPF running as the IGP. Traffic crossing VLAN boundaries or destined north of the switching infrastructure is passed through the Elisity Edge because that is also where the Layer 3 boundary exists. For example, traffic sourced from VLAN A and destined to VLAN B is IP routed to its destination once the VLAN A Bridge Virtual Interface (BVI) is reached. At this point, the Elisity Edge can glean identity information and enforce the policy. Micro-segmentation is not supported in this mode unless endpoints are connected directly to the Elisity Edge. A routing protocol such as OSPF or BGP can be configured to establish dynamic routing to the rest of the enterprise network.  To meet high availability requirements, Elisity Edges support first-hop redundancy through VRRP. This design is depicted below:

layer-3-in-line-with-FHRP

Elisity Edge Layer 3 Routed mode In-line with IGP

In this design, the Elisity Edge is configured as a Layer 3 router in-line with OSPF running as the IGP both southbound and northbound. Traffic destined north of the switching infrastructure is passed through the Elisity Edge because of the learned OSPF routes pointing to a next hop of the Elisity Edges. For example, traffic sourced from VLAN A and destined to a network outside of the switching infrastructure is routed to its destination by following the OSPF populated RIB. At this point, the Elisity Edge can glean identity information and enforce the policy. Micro-segmentation is not supported in this mode unless endpoints are connected directly to the Elisity Edge. 

layer-3-in-line-with-IGP

Elisity Cloud Edge

Organizations that host applications in the cloud can benefit from Elisity Cognitive Trust technology through an Elisity Cloud Edge. After onboarding the cloud of choice, an administrator can select which VPCs are to be protected and Cloud Control Center will then orchestrate the instantiation of an Elisity Cloud Edge virtual appliance in the same VPC as the cloud application. Cloud Control Center will also learn the cloud native tags assigned to the applications and configure the appropriate cloud native routes and security groups based on the Elisity policy deployed. Data plane connectivity will be established from the Elisity Cloud Edge to other Elisity Edges and Elisity Access Service if required. 

cloud-edge

Elisity Site Connect

Site Connect provides data plane connectivity from branch sites, data centers and cloud workloads into the Elisity fabric. From the Cloud Control Center UI, a standards-based IPsec VPN can be configured to connect the Elisity Access Service to any endpoint that supports IPsec. To learn and advertise remote site prefixes, either static routing can be configured, or a BGP relationship can be established over the tunnel. Once connectivity is set to branch sites, data centers, and cloud workloads, users running Elisity Connect Client can access any resource presented to EAS through Site Connect. This design is depicted below:

site-connect-1