Jan 10, 2025The Hacker NewsNetwork Security / Policy ManagementNetwork segmentation remains a critical security requirement, yet organizations struggle with traditional approaches that demand extensive hardware investments, complex policy management, and disruptive network changes. Healthcare and manufacturing sectors face particular challenges as they integrate diverse endpoints from legacy medical devices to IoT sensors onto their production networks. These devices often lack robust security hardening, creating significant vulnerabilities that traditional segmentation solutions struggle to address.Elisity aims to solve these challenges through an innovative approach that leverages existing network infrastructure while providing identity-based microsegmentation at the network edge. Rather than requiring new hardware, agents or complex network redesigns, Elisity customers run a few lightweight virtual connectors (called Elisity Virtual Edge) to enforce security policies through organizations' current switching infrastructure.In this hands-on review, we'll examine Elisity's technical capabilities and real-world applicability based on testing in a simulated healthcare environment that mirrors common enterprise deployment scenarios. To get a personalized demo, visit the Elisity website here.Identity-First ArchitectureAt the core of Elisity's platform is the Cloud Control Center, which provides centralized policy management and visibility. During testing, we saw how "Elisity's Virtual Edge" components can be deployed either directly on supported switches (Cisco Catalyst 9K series) or as VMs or containers in private clouds or on networks, they integrate with existing network switches including Cisco, Juniper and Arista. The test environment demonstrates that Elisity can manage segmentation at both a series of clinics that connect to the network with Cisco 9300 and 3850 switches, and hospital sites with a Cisco 9300 running the Elisity Virtual Edge on it.The Elisity IdentityGraph engine proves particularly impressive in practice. Beyond just discovering devices, it correlates identity data from multiple sources into what Elisity calls "core effective attributes" - a consolidated view of the most valid and trusted data about each asset. During testing, we saw it pull data simultaneously from Active Directory, ServiceNow, CrowdStrike and other sources, creating rich contextual profiles that inform policy decisions.Because Elistiy's Virtual Edge "connectors" are connected corporate networks they discover and sees more than just the device details, it also sends network flow data to Elisity's Cloud Control Center. This level of integration enables the platform to correlate "who is talking to who".Policy Creation and ManagementAll of this correlated meta data for users, workloads and devices becomes valuable with Elisity access policy capabilities. The policy interface uses an intuitive matrix visualization that clearly shows relationships between asset groups. A key feature demonstrated was the ability to classify assets dynamically based on multiple criteria. For example, we watched an unauthorized laptop get automatically reclassified into an authorized radiology group based on matching ServiceNow asset tags, device type, and CrowdStrike EDR status. The platform includes powerful features for policy refinement: Learning mode to understand actual traffic patterns Policy simulation before enforcement Traffic flow analytics overlaid on the policy matrix The ability to lock assets in specific groups (particularly valuable for OT environments)A particularly useful feature is the traffic flow analysis view, which overlays actual communication patterns on the policy matrix. This helps administrators identify unused paths that can be safely blocked and validate policy changes before enforcement.Healthcare Use Case Deep Dive To evaluate real-world applicability, we tested a common healthcare scenario: securing legacy medical devices running outdated operating systems. The platform automatically discovered our simulated medical equipment and provided granular visibility into their communication patterns. The demo showed how easily policies could be created for diverse medical equipment including X-ray machines, CT scanners, and EHR systems. A particularly valuable example demonstrated blocking specific ports (like SSH port 22) to legacy medical devices running outdated operating systems while maintaining necessary clinical access.Performance and ScaleTesting revealed minimal performance impact from Elisity's enforcement mechanisms. By leveraging switch ASICs for policy enforcement, the solution maintained sub-millisecond latency with no noticeable throughput reduction. The distributed architecture handled our test load efficiently, suggesting good scalability for enterprise deployments.The deployment process proved remarkably straightforward, taking under 30 minutes per site with no network downtime. This efficiency stems from Elisity's container-based approach and ability to work with existing infrastructure. Areas for Enhancement While Elisity delivers on its core promise, some areas could be improved. The wireless integration capabilities have recently been expanded to include Cisco Catalyst 9800 wireless controllers supporting inter and intra SSID segmentation or alternatively on the switch where the AP or Controller connects to the network which could be significant for healthcare environments with increasing wireless device adoption. Additionally, while the policy interface is intuitive, more predefined templates would help accelerate initial deployment.We also noted that some manual policy tuning was needed to optimize rules for specific use cases. While the platform provides good visibility for this tuning, additional automation could streamline this process. We do note that Elisity informed us that they are launching Elisity Intelligence in early 2025, which they say will provide a stronger automated policy recommendation engine.Public Case Study ExampleElisity shares that a leading U.S. health system with 800+ hospitals and healthcare clinics achieved remarkable efficiency gains and cost savings by implementing Elisity, reducing total costs from $38M to $9M - a 76% TCO reduction. The implementation required only 2 staff members per site instead of 14, with deployment taking just 4-10 hours per location while avoiding downtime and patient care disruption. Elisity's platform discovered and classified 99% of devices within 4 hours and eliminated the need for costly IoMT device re-IP processes, and provided automated, continuous device inventory updates to their CMDB with comprehensive network visibility across all locations. Read more on Elisity's successful deployments in healthcare, pharma and manufacturing on their website.ConclusionElisity successfully addresses the primary challenges of traditional microsegmentation approaches while providing a practical path to implementation. The solution's ability to leverage existing infrastructure while delivering identity-based controls makes it particularly valuable for organizations with diverse endpoint types and complex segmentation requirements. During testing, we were particularly impressed by Elisity's incident response capabilities. The platform allows organizations to maintain multiple policy sets - including pre-configured "locked down" policies that can be rapidly deployed via their SOAR playbooks or API integrations, if ransomware or other threats are detected. The platform's rapid deployment capabilities and minimal performance impact make it a compelling option for enterprises looking to improve their security posture without massive infrastructure investments. While some aspects like wireless integration could be enhanced, Elisity offers a pragmatic approach to implementing microsegmentation across the enterprise. For organizations struggling with traditional segmentation approaches, particularly those in healthcare and manufacturing sectors, Elisity provides a clear path forward that balances security requirements with operational realities. To learn more about Elisity IdentityGraph, visit the solution page here.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE