
Putting it all together - Creating an Elisity Policy

How you build your policy logic will depend on what mode your Elisity Cognitive Trust is configured for.


Quick Links:

IoT and OT Security

Time-based Policies

As a reminder, Elisity policy logic has two modes: Explicit Trust enabled and Explicit Trust disabled. When this setting is enabled, all access by users, devices, and applications is denied by default until a policy explicitly allows it (default deny rule). When this setting is disabled, all access is allowed by default until a policy explicitly denies it (default allow rule). Enabling Explicit Trust is a common greenfield deployment strategy (i.e., over new infrastructure), while disabling it is a typical brownfield deployment strategy that avoids disrupting business operations while access policies are being built. It is recommended to disable Explicit Trust if the strategy is to observe, learn, and build access policies as part of a brownfield deployment. Be advised that switching Explicit Trust from "disabled" to "enabled" after access policies have been created could cause disruption at policy enforcement points and require adjustments to existing policies, because every flow not covered by an explicit allow changes from permitted to blocked.

Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criterion for source and destination is very flexible and includes options such as Active Directory group, Department, Title, cloud native tag, device type, device vendor, and much more.

There are two ways to select your source and destination objects: by manually deploying a policy and searching for match criteria, or by using the Policy Matrix.

First, let’s look at deploying a policy using the Graphical Policy Visualization Matrix.

Go To: Policies -> All Policies -> Graphical View

At the bottom right of the policy matrix, there is a toggle button that allows you to switch between Graphical View and Traffic Flow. Graphical View shows which policies are deployed and gives a visualization of the type of traffic that is or is not allowed to flow. Traffic Flow view shows where traffic has been observed in the network, whether that traffic was allowed or blocked, and whether a policy is in place. In both views, deploying a new policy or modifying an existing policy is as simple as finding the intersection between the source group on the left and the destination group on the top and clicking on the box at that intersection. From there, deploying a policy is as simple as selecting your security rules.

Here we want to deploy a policy that denies access from Physicians to Roku TVs on the network, to stop them from controlling the TVs with their mobile devices. To deploy the policy, we find the intersection between these two groups, click on the empty box, and select our rules.

Graphical Policy Visualization View

Traffic Flow View

We can see that source and destination were automatically populated. In this case we are going to deny all L3/L4 traffic. We then click deploy, and in just a few seconds we have built and deployed a policy.


Next, let’s look at manually deploying a policy.

Go To: Policies -> All Policies -> Add Policy


Step 1: Define Source Match Criteria


Step 2: Define Destination Match Criteria


Step 3: Define Security Rules


The following examples assume Explicit Trust is disabled, so traffic is allowed unless a policy explicitly denies it.

Example 1: IoT and OT security

An administrator is tasked with isolating a subset of dynamically discovered IoT and OT devices from critical servers on the network. To meet this requirement, the administrator can reference previously created policy constructs such as Asset Groups, Policy Groups, and Security Profiles, or define them on the fly during policy creation.

One way to accomplish this requirement is to match the source on Device Genre: IoT and OT, and match the destination on a previously defined Asset Group that includes the identity of all critical servers. No traffic should be allowed between this source and destination.

To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy.


Give the policy a name and define your source by selecting Add New Source. Unless you click "Make it a Policy Group", Cloud Control Center will automatically create a policy group with an auto-generated name based on the policy name. To reference this policy group in a different policy, you must give it a custom name by selecting "Make it a Policy Group".


Add the destination in the same way the source was added.


Specifying the security rules is not required in this instance, since the IP addresses and protocols the servers communicate on were defined during application onboarding.

The resulting policy should look like this:


Select deploy and the policy will be immediately enforced across all edges of the network.

To review or edit the policy, select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.

Example 2: Student user web access only during school hours

An administrator is tasked with ensuring that users who are members of the Student AD group only have access to the internet during school hours.

One way to accomplish this requirement is to match the source on the AD group "students", use a time-based policy, and set the destination to Any. In this example, a pre-defined security profile that matches and denies web-based L7 protocols such as HTTP and SSL is referenced, so that outside the configured time window the students' web traffic is denied while the default allow still applies to everything else.

To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy.


Give the policy a name and define your source and destination by selecting Add New Source and Add New Destination. Unless you click "Make it a Policy Group", Cloud Control Center will automatically create a policy group with an auto-generated name based on the policy name. To reference this policy group in a different policy, you must give it a custom name by selecting "Make it a Policy Group".


Create a time-based entry for the policy.

Select the pre-defined security profile, and then under Security Profile Action select Clone or Edit to populate the security rule entries.

The resulting policy should look like this:


Select deploy and the policy will be immediately enforced across all edges of the network.

To review or edit the policy, select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.
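To make the Explicit Trust modes and the two example policies concrete, here is an added Python model of the evaluation logic described in this article. It is example code written for this page, not Elisity code, and it does not use any Cloud Control Center API or data model. Everything in it is an assumption made for illustration: policies are checked in order and the first matching rule wins, an empty destination criterion stands for "Any", school hours are 08:00 to 15:00, and the attribute names (device_genre, asset_group, ad_group), endpoint names and flows are constructed sample data.

```python
"""Illustrative model of Elisity-style policy evaluation (added example, not Elisity code).

Shows how the default action set by Explicit Trust combines with explicit policies:
Example 1 (IoT/OT -> critical servers, deny all L3/L4) and Example 2 (students ->
Any, web L7 denied outside school hours). All names and values are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional, Tuple, Union

# A criterion value is either one exact value or a set of acceptable values
# (used below for "Device Genre: IoT and OT"). Assumed representation.
Criteria = Dict[str, Union[str, frozenset]]


@dataclass
class Endpoint:
    name: str
    attrs: Dict[str, str]  # identity attributes, e.g. ad_group, device_genre, asset_group


@dataclass
class Flow:
    src: Endpoint
    dst: Endpoint
    l4_proto: str           # "tcp", "udp", ...
    dst_port: int
    l7_proto: Optional[str]  # "HTTP", "SSL", or None when no L7 protocol was identified
    at: time                 # time of day the flow was observed


@dataclass
class Policy:
    name: str
    src_match: Criteria
    dst_match: Criteria                                  # {} models a destination of "Any"
    rules: List[Tuple[Callable[[Flow], bool], str]]      # (predicate, "allow" | "deny")
    active: Optional[Callable[[time], bool]] = None      # time-based entry; None = always


def matches(ep: Endpoint, criteria: Criteria) -> bool:
    """Every criterion must match the endpoint's attributes (assumed AND semantics)."""
    for key, wanted in criteria.items():
        have = ep.attrs.get(key)
        if isinstance(wanted, frozenset):
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True


def evaluate(flow: Flow, policies: List[Policy], explicit_trust: bool) -> Tuple[str, str]:
    """Return (action, reason): the first matching rule wins, else the mode's default."""
    default = "deny" if explicit_trust else "allow"   # Explicit Trust enabled => default deny
    for p in policies:
        if p.active is not None and not p.active(flow.at):
            continue                                   # time-based policy not in effect now
        if not (matches(flow.src, p.src_match) and matches(flow.dst, p.dst_match)):
            continue
        for rule_hits, action in p.rules:
            if rule_hits(flow):
                return action, p.name
    return default, "default"


def outside_school_hours(t: time) -> bool:
    return not (time(8, 0) <= t < time(15, 0))         # assumed school day 08:00-15:00


POLICIES = [
    # Example 1: no traffic from IoT/OT devices to the critical-servers asset group
    Policy("iot-ot-to-critical-servers",
           src_match={"device_genre": frozenset({"IoT", "OT"})},
           dst_match={"asset_group": "critical-servers"},
           rules=[(lambda f: True, "deny")]),          # deny all L3/L4 traffic
    # Example 2: students -> Any, web L7 denied, only active outside school hours
    Policy("students-web-after-hours",
           src_match={"ad_group": "students"},
           dst_match={},
           rules=[(lambda f: f.l7_proto in ("HTTP", "SSL"), "deny")],
           active=outside_school_hours),
]

# Constructed sample endpoints
CAMERA = Endpoint("lobby-camera", {"device_genre": "IoT"})
EHR_DB = Endpoint("ehr-db-01", {"asset_group": "critical-servers"})
NTP = Endpoint("campus-ntp", {})
STUDENT = Endpoint("student-laptop", {"ad_group": "students"})
WEB = Endpoint("internet-web", {})


def decide(src, dst, l4_proto, dst_port, l7_proto, hour, explicit_trust=False):
    return evaluate(Flow(src, dst, l4_proto, dst_port, l7_proto, time(hour, 0)),
                    POLICIES, explicit_trust)


if __name__ == "__main__":
    for args in [(CAMERA, EHR_DB, "tcp", 443, "SSL", 10), (CAMERA, NTP, "udp", 123, None, 10),
                 (STUDENT, WEB, "tcp", 80, "HTTP", 10), (STUDENT, WEB, "tcp", 443, "SSL", 20)]:
        print(args[0].name, "->", args[1].name, "@%02d:00" % args[5], decide(*args))
```

The last assertion-worthy case is the one to notice when cloning a security profile: the students policy only carries web L7 rules, so a non-web flow from a student after hours still falls through to the mode's default, which under Explicit Trust disabled is allow.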