
Policy Constructs and Logic

Before creating an Elisity policy, it is important to understand the policy constructs that can be leveraged to create granular, flexible, and scalable policy sets.

The Elisity policy constructs consist of Asset Groups, Policy Groups and Security Profiles.

Quick Links:

Asset Groups

Policy Groups

Security Profiles

Asset Groups

An Asset Group is a logical construct that allows an administrator to group together users, applications, or devices. Once populated, the asset group can be referenced by name in your policy logic as match criteria. This allows users, apps, or devices with commonalities to be referenced together, across different policy entries, without having to be selected one by one multiple times over.

NOTE: You cannot mix users, applications, or devices in the same Asset Group. You must create separate Asset Groups for each type of policy object.

To create an Asset Group, navigate to the Policies section on the left pane of Cloud Control Center, select Asset Groups on the top menu bar and then select Add Asset Group.

Give the Asset Group a name and then select the type of Asset Group you want to create: User, App or Device. Select the match criteria and add the matching assets. For example, a device Asset Group might use Hostname as its match criteria, with several devices added to the group by hostname. The Asset Group is then either Saved or Deployed. Save means that the Asset Group is built and stored in Cloud Control Center but is not yet actionable. Deploy means that the Asset Group is built and stored in Cloud Control Center and is also available to be referenced as policy match criteria. You can always save an Asset Group and come back later to deploy it.

Once you have added all your assets to the Asset Group you can review them by selecting the Details pop out next to the matched assets count.

Note: The match logic within an Asset Group is “OR”: the group is a list of Users, Devices or Applications, and any object that matches any entry in the list is a member of the Asset Group.

To review or edit the Asset Group configuration, select the Asset Group name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.

Policy Groups

A Policy Group is a core building block of the Elisity policy architecture and allows an administrator to group together multiple users, devices or applications based on match criteria. Assets are grouped using “OR” logic within an asset category and “AND” logic across asset categories. The policy group can then be referenced during policy creation as a source or destination entry, which keeps policies compact and avoids policy sprawl. Policy Groups can either be pre-built and then referenced when building a policy, or built on demand while creating a policy.

In the following example, a policy group is created that matches users who are members of the Physicians AD group AND are connecting to the network from an Apple MacBook device. This policy group will later be referenced as a source entry in an Elisity policy.

To create this policy group, navigate to the Policy section on the left pane in Cloud Control Center, select Policy Groups on the top menu bar and then select Add Policy Group.

Give the policy group a name and start adding your User and Device criteria by selecting Add New Asset(s). The Add New Asset operation must be performed twice, once for the User criteria and once for the Device criteria, because this policy group spans two asset categories.

The result should show that the policy group matches users in the Physicians AD group and devices that are MacBooks. Note that “AND” operation logic is displayed because the definition spans asset categories. Anything currently known to Elisity that matches the policy group criteria can be viewed by selecting the Details link. Remember to Save or Deploy the policy group once completed. Save means that the Policy Group is built and stored in Cloud Control Center but is not yet actionable. Deploy means that the Policy Group is built and stored in Cloud Control Center and is also available to be referenced as policy match criteria. You can always save a Policy Group and come back later to deploy it.
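The OR-within-a-category and AND-across-categories logic above is easy to get wrong when reading a group definition, so here is a small model of it as an added example. This is illustrative code written for this article, not Elisity software or its API; the asset attributes, hostnames, user names and group names are constructed for the walk-through, and the Physicians AD group and MacBook criteria mirror the example in the text.

```python
"""Illustrative model of Asset Group and Policy Group match logic (added example,
not Elisity code). Assets are plain dicts with a "type" key; criteria are
(attribute, value) pairs, where value may also be an AssetGroup referenced by name."""
from dataclasses import dataclass, field

ASSET_TYPES = {"user", "app", "device"}   # the three Asset Group types on the page


@dataclass
class AssetGroup:
    """One asset type only; members are matched with OR logic over the criteria list."""
    name: str
    asset_type: str
    criteria: list          # e.g. [("hostname", "mbp-rad-01"), ("hostname", "mbp-rad-02")]

    def __post_init__(self):
        # The page forbids mixing users, apps and devices in one group.
        if self.asset_type not in ASSET_TYPES:
            raise ValueError(f"unknown asset type {self.asset_type!r}")

    def matches(self, asset: dict) -> bool:
        if asset.get("type") != self.asset_type:
            return False
        return any(criterion_matches(asset, attr, value) for attr, value in self.criteria)


def criterion_matches(asset: dict, attribute: str, value) -> bool:
    """One criterion: an Asset Group reference, membership in a multi-valued
    attribute (such as AD group membership), or plain equality."""
    if isinstance(value, AssetGroup):
        return value.matches(asset)
    actual = asset.get(attribute)
    if isinstance(actual, (set, frozenset, list, tuple)):
        return value in actual
    return actual == value


@dataclass
class PolicyGroup:
    """Criteria per asset category: OR within a category, AND across categories."""
    name: str
    criteria: dict = field(default_factory=dict)   # {"user": [...], "device": [...]}

    def add_assets(self, asset_type: str, criteria: list) -> None:
        """One 'Add New Asset(s)' operation: extends a single category's OR-list."""
        if asset_type not in ASSET_TYPES:
            raise ValueError(f"unknown asset type {asset_type!r}")
        self.criteria.setdefault(asset_type, []).extend(criteria)

    def matches(self, session: dict) -> bool:
        """session maps asset type -> asset dict for one connection,
        e.g. {"user": {...}, "device": {...}}. Every category defined in the
        group must be satisfied (AND); within a category one criterion suffices (OR)."""
        if not self.criteria:
            return False                      # an empty group matches nothing
        for asset_type, crit_list in self.criteria.items():
            asset = session.get(asset_type)
            if asset is None or not any(
                criterion_matches(asset, attr, value) for attr, value in crit_list
            ):
                return False
        return True


# Constructed sample data for the walk-through (hypothetical names and hostnames).
MACBOOKS = AssetGroup("Radiology MacBooks", "device",
                      [("hostname", "mbp-rad-01"), ("hostname", "mbp-rad-02")])

PHYSICIANS_ON_MACBOOKS = PolicyGroup("Physicians on MacBooks")
PHYSICIANS_ON_MACBOOKS.add_assets("user", [("ad_groups", "Physicians")])
PHYSICIANS_ON_MACBOOKS.add_assets("device", [("asset_group", MACBOOKS)])

DR_LEE = {"type": "user", "name": "dr.lee", "ad_groups": {"Physicians", "Staff"}}
NURSE = {"type": "user", "name": "n.ortiz", "ad_groups": {"Nursing", "Staff"}}
MAC = {"type": "device", "hostname": "mbp-rad-01"}
WIN = {"type": "device", "hostname": "ws-rad-07"}


def demo() -> dict:
    """Only the physician on a MacBook satisfies both categories."""
    return {
        "physician_on_mac": PHYSICIANS_ON_MACBOOKS.matches({"user": DR_LEE, "device": MAC}),
        "physician_on_win": PHYSICIANS_ON_MACBOOKS.matches({"user": DR_LEE, "device": WIN}),
        "nurse_on_mac": PHYSICIANS_ON_MACBOOKS.matches({"user": NURSE, "device": MAC}),
        "device_only": PHYSICIANS_ON_MACBOOKS.matches({"device": MAC}),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {'match' if matched else 'no match'}")
```

The `device_only` case is the one worth remembering: because the group defines both a User and a Device category, a session that presents only a device never matches, however many device criteria it satisfies.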

To review or edit the policy group configuration, select the policy group name. You can also delete the policy group by selecting the three dots (more options) next to the policy group name. Note: deleting a policy group also deletes the policy associated with it, so check which policies reference the group before deleting it.

Security Profiles

A security profile is a policy construct that enables an administrator to define a set of security rules based on application, L7 protocol, L3/L4 protocol or application category to be allowed or denied in the policy. Security profiles can either be pre-built and then referenced when building a policy, or they will be built on demand when creating a policy.

To configure a security rule the Rule Type, Rule, Attributes (optional) and Action must be defined. A rule type can either be an application, L7 protocol, L3/L4 protocol or application category. Rule types are defined below:

Application – The Elisity deep packet inspection engine enables an administrator to match on a specific application name such as Facebook or Zoom.

L7 Protocol – The Elisity deep packet inspection engine enables an administrator to match on a specific L7 protocol such as SCADA or FTP.

L3/L4 Protocol – Specific L3/L4 protocols can be matched such as ICMP or custom source or destination TCP/UDP ports. Note: to define the ports select the cog icon to the right of the security rule.

Application Category – Specific application categories that have pre-defined application matches can be defined such as database, education and mobile.

Attributes enable an administrator to define a more granular level of match criteria for a specific application or L7 protocol. For example, an application rule matching FaceTime could be defined, and the attribute could be set to Audio. This means the security rule will only match on FaceTime Audio and not FaceTime Video.

Finally, the Action drop-down enables an administrator to set either an Accept or a Deny action for the defined security rule.

In the following example, a security profile is created that allows the application FaceTime with the attribute Audio, denies the L7 protocol RDP and denies the L3/L4 protocol ICMP.

Note: Multiple security rules defined in the same security profile operate with “OR” logic: each rule is evaluated independently, and any traffic that matches one of the entries is matched, with the action for that entry enforced.
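To make the rule semantics concrete, here is an added example that models the rule types, the optional attribute and port settings, and the independent evaluation of each rule in a profile against a flow. It is illustrative code written for this article, not Elisity software or its API; the flow field names (`application`, `l7_protocol`, `ip_protocol`, ports) and the sample flows are constructed. One point is an assumption: the text does not say how a profile behaves when one flow matches both an Accept rule and a Deny rule, so the model refuses to guess and raises an error in that case rather than silently picking a winner.

```python
"""Illustrative evaluator for Security Profile rules (added example, not Elisity
code). A flow is a dict describing one observed connection."""
from dataclasses import dataclass
from typing import Optional

RULE_TYPES = {"application", "l7_protocol", "l3l4_protocol", "app_category"}
ACTIONS = {"accept", "deny"}


@dataclass(frozen=True)
class SecurityRule:
    rule_type: str
    rule: str                          # e.g. "FaceTime", "RDP", "ICMP", "database"
    action: str
    attribute: Optional[str] = None    # narrows an application/L7 match, e.g. "Audio"
    src_port: Optional[int] = None     # L3/L4 only (the cog settings on the page)
    dst_port: Optional[int] = None

    def __post_init__(self):
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"action must be accept or deny, got {self.action!r}")
        has_ports = self.src_port is not None or self.dst_port is not None
        if has_ports and self.rule_type != "l3l4_protocol":
            raise ValueError("ports are only meaningful on L3/L4 protocol rules")

    def matches(self, flow: dict) -> bool:
        if self.rule_type == "application":
            if flow.get("application") != self.rule:
                return False
            # FaceTime + Audio matches FaceTime Audio only, not FaceTime Video.
            return self.attribute is None or flow.get("app_attribute") == self.attribute
        if self.rule_type == "l7_protocol":
            if flow.get("l7_protocol") != self.rule:
                return False
            return self.attribute is None or flow.get("l7_attribute") == self.attribute
        if self.rule_type == "app_category":
            return flow.get("app_category") == self.rule
        # l3l4_protocol: protocol name plus optional custom source/destination ports.
        if flow.get("ip_protocol") != self.rule:
            return False
        if self.src_port is not None and flow.get("src_port") != self.src_port:
            return False
        if self.dst_port is not None and flow.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class SecurityProfile:
    name: str
    rules: list

    def evaluate(self, flow: dict) -> Optional[str]:
        """Return the enforced action, or None if no rule in the profile matches.

        Rules are independent ("OR" logic): every matching rule's action applies.
        Assumption: the page does not define what happens when matching rules
        disagree, so conflicting accept/deny matches raise instead of guessing."""
        actions = {rule.action for rule in self.rules if rule.matches(flow)}
        if not actions:
            return None
        if len(actions) > 1:
            raise ValueError(f"{self.name}: conflicting accept/deny rules match {flow}")
        return actions.pop()


# The profile from the text: allow FaceTime Audio, deny L7 RDP, deny L3/L4 ICMP.
CLINIC_PROFILE = SecurityProfile("clinic-collab", [
    SecurityRule("application", "FaceTime", "accept", attribute="Audio"),
    SecurityRule("l7_protocol", "RDP", "deny"),
    SecurityRule("l3l4_protocol", "ICMP", "deny"),
])

# Constructed sample flows (not captured traffic).
FLOWS = {
    "facetime_audio": {"application": "FaceTime", "app_attribute": "Audio",
                       "ip_protocol": "UDP", "dst_port": 3478},
    "facetime_video": {"application": "FaceTime", "app_attribute": "Video",
                       "ip_protocol": "UDP", "dst_port": 3478},
    "rdp": {"l7_protocol": "RDP", "ip_protocol": "TCP", "dst_port": 3389},
    "ping": {"ip_protocol": "ICMP"},
    "https": {"l7_protocol": "TLS", "ip_protocol": "TCP", "dst_port": 443},
}


def evaluate_all(profile: SecurityProfile = CLINIC_PROFILE, flows: dict = FLOWS) -> dict:
    return {name: profile.evaluate(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, action in evaluate_all().items():
        print(f"{name}: {action or 'no rule matched'}")
```

Two results deserve attention. FaceTime Video returns no action because the attribute narrows the Application rule to Audio, so the profile says nothing about video traffic. HTTPS likewise matches no rule; what the policy does with traffic no rule matches is decided when the profile is attached to a policy, which the next article covers.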

To create this security profile, navigate to the Policy section on the left pane in Cloud Control Center, select Security Profiles on the top menu bar and then select Add Security Profile.

Give the security profile a name and start adding your security rules. Select + Add Security Rule to add additional rules under the initial one.

Remember to Save or Deploy the security profile once completed. Save means that the security profile is built and stored in Cloud Control Center but is not yet actionable. Deploy means that the security profile is built and stored in Cloud Control Center and is also available to be referenced as the security rule set of a policy. You can always save a security profile and come back later to deploy it.

To review or edit the security profile configuration, select the security profile name. You can also clone or delete the security profile by selecting the three dots (more options) next to the security profile name.

Next Article: Putting it all together - Creating an Elisity Policy