
Putting it all together - Creating an Elisity Policy

How you build your policy logic will depend on what mode your Elisity Cognitive Trust is configured for.

Quick Links:

- IoT and OT Security (Example 1)
- Time-based Policies (Example 2)

As a reminder, Elisity policy logic has two modes: Explicit Trust enabled (the default) and Explicit Trust disabled. When Explicit Trust is enabled, all access by users, devices, and applications is denied by default until a policy explicitly allows it (a default deny rule). When it is disabled, all access is allowed by default until a policy explicitly denies it (a default allow rule). Enabling Explicit Trust is a common greenfield deployment strategy (i.e., over new infrastructure), while disabling it is a typical brownfield deployment strategy that avoids disrupting business operations while access policies are still being built. It is recommended to disable Explicit Trust if the strategy is to observe, learn, and build access policies as part of a brownfield deployment. Be advised that switching Explicit Trust from disabled to enabled after access policies have been created can cause disruption at policy enforcement points: any traffic that no policy explicitly allows changes from permitted to blocked, so existing policies may require adjustment.

Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criteria for source and destination are very flexible and include options such as Active Directory group, Department, Title, cloud native tag, device type, device vendor, and much more.

Step 1, Step 2, Step 3: (screenshots of the policy builder; images not reproduced here)

The following examples will be with Explicit Trust disabled.

Example 1: IoT and OT security

An administrator is tasked with isolating a subset of dynamically discovered IoT and OT devices from critical servers on the network. To meet this requirement the administrator can reference previously created policy constructs such as Asset Groups, Policy Groups, and Security Profiles, or these can be defined on the fly during policy creation.

One way to accomplish this requirement is to match the source of Device Genre: IoT and OT and match the destination of a previously defined Asset Group that includes the identity of all critical servers. No traffic should be allowed between the source and destination.

To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy.

Give the policy a name and define your source by selecting Add New Source. Unless you click “Make it a Policy Group”, Cloud Control Center will automatically create a policy group with an auto-generated name based on the policy name. To reference this policy group in a different policy, you must give it a custom name by selecting “Make it a Policy Group”.

Add the destination in the same way the source was added.

Specifying security rules is not required in this instance, since the IPs and protocols the servers communicate on were defined during application onboarding; with no rules, the policy denies all traffic between the matched source and destination.

The resulting policy should look like this:

Select deploy and the policy will be immediately enforced across all edges of the network.

To review or edit the policy select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.  

Example 2: Student User web access only during school hours

An administrator is tasked with ensuring that users who are part of the Student AD group only have access to the internet during school hours.

One way to accomplish this requirement is to match the source on the AD group “students”, use a time-based policy, and set the destination to Any. In this example, a pre-defined security profile that matches and denies web-based L7 protocols such as HTTP and SSL is referenced.

To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy.

Give the policy a name and define your source and destination by selecting Add New Source and Add New Destination. Unless you click “Make it a Policy Group”, Cloud Control Center will automatically create a policy group with an auto-generated name based on the policy name. To reference this policy group in a different policy, you must give it a custom name by selecting “Make it a Policy Group”.

Create a time-based entry for the policy so that the security rules are only in effect during the configured time window.

Select the pre-defined security profile and then under security profile action select Clone or Edit to populate the security rule entries.

The resulting policy should look like this:

Select deploy and the policy will be immediately enforced across all edges of the network.

To review or edit the policy select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.
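To make the behaviour described above concrete, the following is an added example (written for this article, not Elisity's engine, API, or configuration format) that models first-match policy evaluation with a mode default. It encodes both examples from this article as policies: the IoT/OT-to-critical-servers deny from Example 1, and the time-based student web deny from Example 2. Everything in it is constructed: the attribute names (genre, ad_group, asset_group), the endpoints, and the assumption that school hours are 08:00 to 15:00, so the web deny window runs from 15:00 to 08:00 the next day. Running it with Explicit Trust disabled and then enabled also illustrates the caveat from the start of the article: traffic that no policy explicitly allows flips from permitted to blocked when the mode changes.

```python
from dataclasses import dataclass
from datetime import time

# Constructed model of first-match policy evaluation with a mode default.
# Written as an illustration for this article; it is not Elisity's engine or API.


@dataclass
class Endpoint:
    name: str
    attrs: dict  # identity attributes, e.g. {"genre": "IoT"} or {"ad_group": "students"}


@dataclass
class Flow:
    src: Endpoint
    dst: Endpoint
    l7: str      # L7 protocol label, e.g. "HTTP", "SSL", "MODBUS"
    at: time     # time of day the flow is observed


def in_window(t, start, end):
    """True if t falls in [start, end); a window with end <= start wraps past midnight."""
    if start < end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class Policy:
    name: str
    src_match: dict               # attribute -> set of acceptable values; {} matches any source
    dst_match: dict               # same for the destination; {} means destination Any
    action: str                   # "allow" or "deny"
    l7: frozenset = frozenset()   # L7 protocols the rule applies to; empty -> any protocol
    window: tuple = None          # (start, end) time of day; None -> always in effect

    @staticmethod
    def _attrs_match(criteria, attrs):
        return all(attrs.get(k) in allowed for k, allowed in criteria.items())

    def matches(self, flow):
        if not self._attrs_match(self.src_match, flow.src.attrs):
            return False
        if not self._attrs_match(self.dst_match, flow.dst.attrs):
            return False
        if self.l7 and flow.l7 not in self.l7:
            return False
        if self.window and not in_window(flow.at, *self.window):
            return False
        return True


def evaluate(flow, policies, explicit_trust):
    """First matching policy decides. With no match the mode default applies:
    Explicit Trust enabled -> deny, Explicit Trust disabled -> allow."""
    for p in policies:
        if p.matches(flow):
            return p.action, p.name
    return ("deny" if explicit_trust else "allow"), "default"


# Constructed policies mirroring the two examples in the article.
IOT_TO_CRITICAL = Policy(
    name="iot-ot-to-critical-servers",
    src_match={"genre": {"IoT", "OT"}},
    dst_match={"asset_group": {"critical-servers"}},
    action="deny",
)
# Assumption: school hours are 08:00-15:00, so the web deny profile is in
# effect from 15:00 until 08:00 the next morning (a wrapping window).
STUDENT_WEB_AFTER_HOURS = Policy(
    name="students-web-after-hours",
    src_match={"ad_group": {"students"}},
    dst_match={},  # destination Any
    action="deny",
    l7=frozenset({"HTTP", "SSL"}),
    window=(time(15, 0), time(8, 0)),
)
POLICIES = [IOT_TO_CRITICAL, STUDENT_WEB_AFTER_HOURS]

# Constructed endpoints.
PLC = Endpoint("plc-1", {"genre": "OT"})
HISTORIAN = Endpoint("historian", {"asset_group": "critical-servers"})
STUDENT_PC = Endpoint("lab-pc-7", {"ad_group": "students", "genre": "Workstation"})
INTERNET = Endpoint("internet", {"zone": "external"})
PRINTER = Endpoint("printer-2", {"genre": "IoT"})


def decide(src, dst, l7, hh, mm, explicit_trust=False):
    """Evaluate one constructed flow against POLICIES; returns (action, policy name)."""
    return evaluate(Flow(src, dst, l7, time(hh, mm)), POLICIES, explicit_trust)


if __name__ == "__main__":
    samples = [(PLC, HISTORIAN, "MODBUS", 10, 0),
               (STUDENT_PC, INTERNET, "HTTP", 10, 0),
               (STUDENT_PC, INTERNET, "HTTP", 18, 0),
               (STUDENT_PC, PRINTER, "IPP", 18, 0)]
    for s in samples:
        print(f"{s[0].name} -> {s[1].name} {s[2]} at {s[3]:02d}:{s[4]:02d}:",
              "disabled =", decide(*s), "| enabled =", decide(*s, explicit_trust=True))
```

Note what the last two sample flows show: a student reaching the internet at 10:00 matches no policy, so it is allowed only because Explicit Trust is disabled; enable the mode without first adding an allow policy and the same flow is blocked by the default, which is the disruption the article warns about.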