
Introduction to Elisity Cognitive Trust

Elisity Cognitive Trust is the only Zero Trust and Software Defined Perimeter platform that offers an actionable policy plane at the edge of the network.


Introduction

Thank you for your interest in Elisity Cognitive Trust. Our Cognitive Trust platform is the only Zero Trust and Software Defined Perimeter platform that offers an actionable policy plane at the network’s edge. Elisity Cognitive Trust provides an intelligent and robust policy language based on identity and context rather than location or IP address, and it applies fully to users, apps, and devices regardless of who or what they are or where they appear on the network.

Components of Elisity Cognitive Trust

The Elisity Cognitive Trust solution is a true software-defined networking platform, ensuring that the control and data plane are separate and independent of each other. Elisity has developed robust control and data plane protocols to scale at the enterprise level and provide unparalleled flexibility, performance, and security. The Elisity Cognitive Trust policy plane offers the industry the most comprehensive identity-based policy language while also achieving simplicity in its deployment and management methodology. The combined components of the Elisity architecture establish a holistic and continuously verified secure network that addresses every possible network-based vulnerability in the enterprise.

[Figure: Intro to ECT slide]

Elisity Cloud Control Center

Elisity Cloud Control Center is the management, control, and policy plane for Elisity Cognitive Trust. An administrator logs into the Cloud Control Center portal to provision, manage, and monitor the Elisity Cognitive Trust fabric and all identity or cloud service provider integrations (AD, Okta, AWS, etc.). Among many other things, Cloud Control Center also provides multi-domain asset discovery and identity mapping and presents identity behavior analytics to the end user. Within this portal, the network security administrator builds advanced contextual and identity-based policies that immediately harden the edge of the entire network. Lastly, Cloud Control Center orchestrates the application of these policies across all data plane components of the Elisity Cognitive Trust architecture through a secure TLS-based control channel. A dedicated Cloud Control Center is spun up per customer and hosted as a service by Elisity. Cloud Control Center is built on a distributed microservices architecture designed to scale horizontally and dynamically to meet the demands of large enterprises.

Elisity Edge

Elisity Edge is a secure physical or virtual appliance running Elisity Cognitive Trust software to provide both east-west and north-south identity-based zero trust control and segmentation at the network edge. The appliance offers a flexible deployment model and can be configured in either Layer 2 switched or Layer 3 routed mode. Elisity Edge is offered in multiple form factors to meet port density and performance requirements. Elisity Edge supports a robust suite of Layer 2 and Layer 3 protocols such as STP, OSPF, and BGP for frictionless insertion into the enterprise network. Once deployed, Elisity Edge gleans identity metadata from traffic flows, collects flow analytics, and detects OT/IoT/IoMT devices. This information is shared with Cloud Control Center, where additional identity and policy classification occurs. Through a secure Elisity control channel, policy is distributed to the Elisity Edges so that enforcement happens at the edge closest to the endpoint. Elisity Edge supports Zero Touch Provisioning and a familiar CLI, and it is monitored through the Cloud Control Center portal.

While the Elisity Edge maintains a persistent secure control connection to Cloud Control Center, it can also dynamically build secure data plane tunnels based on e-VXLAN to other Elisity Edges on-premises or in the cloud, and to EAS, when deployed in Layer 3 routed mode. This dynamic data plane fabric provides seamless data forwarding over any underlay when desired.

Finally, Elisity Edge can be deployed as an instance in your cloud of choice to act as a secure application gateway to the rest of the Elisity Cognitive Trust fabric. An administrator simply onboards into Cloud Control Center the cloud where their applications reside, and Cloud Control Center orchestrates the instantiation of an Elisity Cloud Edge in the application VPC as well as the control and data plane tunnels required to provide the same zero trust experience end to end. An administrator can then leverage native cloud service provider tags to group cloud-deployed applications together in policy logic.

Elisity Micro Edge and Virtual Edge

Micro Edge and Virtual Edge are the primary deployment methodologies for campus and large-branch customers. Elisity Micro Edge/Virtual Edge is a container-based solution that allows an organization to run Elisity Cognitive Trust software directly on edge switches deployed across the enterprise network. Micro Edge can be installed on supported network devices with application container capabilities (e.g., Cisco, Extreme Networks, Cradlepoint), while Virtual Edge runs as a virtual machine on a hypervisor anywhere in the network with control and data connections to compatible switches. The Micro Edge code can glean identity metadata, configure the switch's native access controls based on Elisity policy, and orchestrate data plane tunnels on the switch.

Design Guides

Elisity Micro Edge

Elisity Micro Edge code runs within a container on supported switches that offer application hosting. In this design, the Micro Edge code can glean identity information by receiving copies of particular protocol messages and metadata while enforcing policy at the edge using security functions native to the switch operating system. The Micro Edge maintains a persistent connection to Cloud Control Center.

Please review the Micro Edge deployment guide for more details.

[Figure: micro-edge]

Elisity Virtual Edge

Elisity Virtual Edge code runs as a virtual machine on any hypervisor anywhere in your network. Similar to the Micro Edge, the Virtual Edge can glean identity information by receiving copies of particular protocol messages and metadata while enforcing policy at the edge using security functions native to the switch operating system. The Virtual Edge maintains a persistent connection to Cloud Control Center as well as connections to the edge switches it actively manages.

Further details on how Virtual Edge integrates and operates, as well as deployment strategy, can be found in the Virtual Edge Deployment Guide.


Elisity Edge Design Options

Elisity Edge Layer 2 Switched Mode

In this design, the Elisity Edge is placed as a “bump-in-the-wire” between the access switch and the distribution switch. As traffic passes from access to distribution, the Elisity Edge can glean identity through several mechanisms, including DHCP messages, MAC addresses, and HTTP/S metadata. Traffic going from one switch or VLAN to another switch or VLAN passes through the Elisity Edge, where policy can be enforced. Multiple Elisity Edges can be inserted in the same fashion for high availability, and link aggregation (LACP or static) is supported. Spanning-Tree Protocol is supported for environments with more complex L2 topologies and can aid in the avoidance of bridging loops. This design is depicted below:

[Figure: l2-bump-in-wire]

For WiFi-connected users, the Elisity Edge can be placed Layer 2 in-line between the wireless controller and the connected switch. This design is depicted below:

[Figure: l2-bump-in-wire-wireless-controller]

Today, to achieve micro-segmentation, where users and devices on the same switch and in the same VLAN are bound by policy when communicating with each other, you must connect the endpoints directly to the Elisity Edge. Otherwise, when endpoints are on the same switch and in the same VLAN, local switching occurs, essentially bypassing the Elisity Edge. With endpoints connected directly, bridge groups are configured to forward frames from switch port to switch port. This design is depicted below:

[Figure: l2-switching-mode-micro-seg]

Alternatively, Elisity Micro Edge running in a container on a supported switch can provide micro-segmentation (see the Elisity Micro Edge section above).

Elisity Edge Layer 3 In-line Routed Mode with VRRP

In this design, the Elisity Edge is configured as a Layer 3 router in-line with OSPF running as the IGP. Traffic crossing VLAN boundaries or destined north of the switching infrastructure passes through the Elisity Edge because that is also where the Layer 3 boundary exists. For example, traffic sourced from VLAN A and destined to VLAN B is IP routed to its destination once the VLAN A Bridge Virtual Interface (BVI) is reached. At this point, the Elisity Edge can glean identity information and enforce policy. Micro-segmentation is not supported in this mode unless endpoints are connected directly to the Elisity Edge. A routing protocol such as OSPF or BGP can be configured to establish dynamic routing to the rest of the enterprise network. To meet high availability requirements, Elisity Edges support first-hop redundancy through VRRP. This design is depicted below:

[Figure: layer-3-in-line-with-FHRP]

Elisity Edge Layer 3 Routed Mode In-line with IGP

In this design, the Elisity Edge is configured as a Layer 3 router in-line with OSPF running as the IGP both southbound and northbound. Traffic destined north of the switching infrastructure passes through the Elisity Edge because the learned OSPF routes point to a next hop of the Elisity Edges. For example, traffic sourced from VLAN A and destined to a network outside of the switching infrastructure is routed to its destination by following the OSPF-populated RIB. At this point, the Elisity Edge can glean identity information and enforce policy. Micro-segmentation is not supported in this mode unless endpoints are connected directly to the Elisity Edge.

A deployment guide for the Elisity Edge is also available.

[Figure: layer-3-in-line-with-IGP]
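To make the coverage difference between the Layer 2 switched and Layer 3 routed designs concrete, here is an added Python model (not Elisity's code) of which flows are forced through an in-line Edge in each mode, used to flag policy pairs that local switching or intra-VLAN bridging would bypass. The topology, endpoint names, and rule list are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed topology model of the two in-line designs (not Elisity's own code).
# switch: the access switch name, or "edge" when the endpoint is cabled directly
# to the Elisity Edge, or "north" for destinations beyond the switching infrastructure.
@dataclass(frozen=True)
class Endpoint:
    name: str
    switch: str
    vlan: int = 0

def traverses_edge(mode: str, src: Endpoint, dst: Endpoint) -> bool:
    """True when a src->dst flow is forced through the in-line Elisity Edge."""
    special = {"edge", "north"}
    if src.switch in special or dst.switch in special:
        return True  # directly cabled endpoints and northbound traffic always hit the Edge
    if mode == "l2":
        # Bump-in-the-wire between access and distribution: traffic leaving the
        # switch or the VLAN crosses the Edge; same switch + same VLAN is switched locally.
        return src.switch != dst.switch or src.vlan != dst.vlan
    if mode == "l3":
        # The Edge is the Layer 3 boundary (BVI per VLAN): only inter-VLAN traffic is
        # routed through it; same-VLAN traffic stays bridged below it even across switches.
        return src.vlan != dst.vlan
    raise ValueError(f"unknown mode {mode!r}")

def enforcement_gaps(mode: str, rules):
    """Return the (src, dst) rule pairs whose traffic never reaches the Edge."""
    return [(s.name, d.name) for s, d in rules if not traverses_edge(mode, s, d)]

# Constructed sample: an OT VLAN spread over two access switches.
CAM1 = Endpoint("cam1", "sw1", 10)
CAM2 = Endpoint("cam2", "sw1", 10)          # same switch, same VLAN as cam1
HMI1 = Endpoint("hmi1", "sw2", 10)          # same VLAN, other switch
SRV1 = Endpoint("srv1", "sw2", 20)          # other VLAN
PRINTER = Endpoint("printer", "edge", 10)   # cabled directly to the Edge
INTERNET = Endpoint("internet", "north")
RULES = [(CAM1, CAM2), (CAM1, HMI1), (CAM1, SRV1), (CAM1, PRINTER), (CAM1, INTERNET)]

if __name__ == "__main__":
    for mode in ("l2", "l3"):
        print(mode, "unenforceable:", enforcement_gaps(mode, RULES))
```

Running it shows that the cam1-to-cam2 rule is unenforceable in both modes, and the cam1-to-hmi1 rule additionally escapes enforcement in Layer 3 mode, matching the micro-segmentation caveats above.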

Elisity Cloud Edge

Organizations that host applications in the cloud can benefit from Elisity Cognitive Trust technology through an Elisity Cloud Edge. After onboarding the cloud of choice, an administrator selects which VPCs are to be protected, and Cloud Control Center then orchestrates the instantiation of an Elisity Cloud Edge virtual appliance in the same VPC as the cloud application. Cloud Control Center also learns the cloud-native tags assigned to the applications and configures the appropriate cloud-native routes and security groups based on the Elisity policy deployed.

[Figure: cloud-edge]