ElisityIdentity-Based Microsegmentation · Course
Beginner Intermediate Advanced
Practice Q&A ↗

Elisity — Beginner → Advanced

Identity-based microsegmentation, taught in 12 modules. Each module has objectives, content, a Highlights card, cited references, and a self-check. An offline mirror of every sourced page is in elisity-mirror/.

12 modules + capstone 14 cited references ~410-page offline mirror
Sourcing: mechanics are grounded in Elisity docs + Cisco TrustSec references. Percentage/performance figures (65% fewer firewall licenses, 85% less lateral-movement risk, etc.) are Elisity marketing claims — present them as vendor claims.
How to use: work top-to-bottom. Beginner = the mental model; Intermediate = architecture & mechanics; Advanced = scaling, integrations, deployment, competitive positioning, design. Do each module's self-check out loud before moving on.

M1Beginner The Problem: Why Microsegmentation Exists

Objectives: explain lateral movement, flat-network risk, and "east-west."
Network segmentation is the key to stopping lateral movement and east-west attacks.
Network segmentation is the key to stopping lateral movement and east-west attacks.Image: Elisity ↗

Traditional security is a castle: hard perimeter, soft trusting interior. Once something's inside — a phished user, a vulnerable IoT device — it can reach almost anything. That sideways spread is lateral movement (east-west traffic).

  • North-south = in/out through the perimeter firewall.
  • East-west = device-to-device inside the LAN; perimeter firewalls barely see it.

This is how ransomware spreads: infect one host, move laterally to servers, backups, domain controllers. A flat network turns one infection into an enterprise outage. Microsegmentation divides the interior into per-role zones with least-privilege rules between them, containing the blast radius.

Highlights
  • Perimeter = hard shell, soft center; once inside, attackers move east-west.
  • Lateral movement turns one infection into a full breach (ransomware).
  • Microsegmentation contains the blast radius with least-privilege rules between devices.
Self-check: explain lateral movement with the "locked doors between rooms" analogy.

M2Beginner What Elisity Is (The One-Breath Model)

Objectives: one-sentence definition; the brain-vs-muscle separation.
Elisity delivers identity-based microsegmentation for OT/IoT/IoMT with Zero Trust - on existing infrastructure.
Elisity delivers identity-based microsegmentation for OT/IoT/IoMT with Zero Trust - on existing infrastructure.Image: Elisity ↗

One sentence: Elisity is a cloud-managed, identity-based microsegmentation platform that stops lateral movement by pushing policy onto the switches you already own — with no new hardware, no agents, no VLAN/IP redesign.

  • Brain (cloud): the Cloud Control Center — see everything, author policy. Out-of-band (not in the traffic path).
  • Muscle (switches): access switches enforce at the port closest to each device.

The differentiator: policy = WHO/WHAT a device is (identity), not WHERE it sits (IP/subnet). So moving or re-IPing a device doesn't break its policy.

Highlights
  • Cloud-managed · identity-based · agentless · runs on existing switches.
  • Brain = cloud (control, out-of-band); muscle = switch (enforcement, inline).
  • Policy = identity, not IP → no re-IP, no agents.
Self-check: one-sentence pitch + brain/muscle model in under 30 seconds.

M3Beginner Core Concepts: Identity & Zero Trust East-West

Objectives: identity-as-perimeter; Zero Trust applied east-west.
Microsegmentation and Zero Trust - the identity-as-perimeter shift (David Holmes, ex-Forrester).
Microsegmentation and Zero Trust - the identity-as-perimeter shift (David Holmes, ex-Forrester).Image: Elisity ↗

Zero Trust = never trust/always verify, least privilege, assume breach. Elisity applies it inside the LAN — least privilege between devices, continuously. Identity is the new perimeter: "this camera → the camera server, nothing else," not "this IP → that subnet."

Versus VLANs (segment by location — coarse, IP-based, break when things move): Elisity segments by identity, and policy travels with the device.

Highlights
  • Elisity = Zero Trust applied east-west.
  • VLANs segment by location; Elisity segments by identity — same device, same rule, anywhere.
  • Identity is learned (traffic + integrations), not assigned by where you plug in.
Self-check: "How is this different from VLANs?" — use the phone-and-printer example.

M4Intermediate Architecture: The Four Components

Objectives: Cloud Control Center, Virtual Edge, VENs, IdentityGraph.
Elisity's platform discovers, classifies, and monitors devices and integrates with your existing stack.
Elisity's platform discovers, classifies, and monitors devices and integrates with your existing stack.Image: Elisity ↗
ComponentRolePlane
Cloud Control CenterBrain — provision/manage/monitor, policy authoring, discovery, analytics, integrationsControl (out-of-band)
Virtual EdgeTranslator — learns identity from flows; converts cloud policy to switch-native; controls many switchesDistribution
Virtual Edge Nodes (VENs)Muscle — the onboarded switches (Cisco C9000, Arista, Juniper, Aruba) that enforceEnforcement (inline)
IdentityGraph™Real-time correlated map of every user/workload/deviceVisibility

Data flow: Virtual Edge gleans identity from flows → up to Cloud Control Center, correlated in IdentityGraph → admin authors policy → distributed back down over a secure channel → Virtual Edge translates & enforces on VENs, switch-native, closest to the endpoint. Virtual Edge runs as a VM or on the switch itself.

Highlights
  • Four parts: Control Center (brain), Virtual Edge (translator), VENs = switches (muscle), IdentityGraph (map).
  • Cloud is out-of-band; enforcement is on the existing access switch.
  • One Virtual Edge → many VENs; runs as VM or on-switch.
Self-check: draw the four components + arrows from memory.

M5Intermediate How Enforcement Works (TrustSec / SGT / SGACL)

Objectives: exactly what's programmed on a Cisco switch; why no added latency.
device10.1.1.50bindIP-to-SGT bindingSGT 100 (Cameras)SGACLSGACL (tag-to-tag)permit tcp 443deny ipenforced inTCAM · line rate
Cisco enforcement path: an IP-to-SGT binding tags the device, an SGACL permits/denies tag-to-tag, programmed into TCAM at line rate.Image: Cisco TrustSec ↗

Elisity programs the switch's own Cisco TrustSec constructs. Three things land on a Cisco VEN:

  1. IP-to-SGT bindings — identity: 10.1.1.50 → SGT 100 (Cameras).
  2. SGACLs — permit/deny written tag-to-tag: SGT100→SGT200: permit tcp 443; deny ip.
  3. CTS / TrustSec enforcement — applies the SGACLs.

Programmed into TCAM, enforced in hardware at line rate. The Virtual Edge Nodes "don't process or intercept packets" — the existing switch does. No added latency, no new chokepoint.

Highlights
  • Cisco enforcement = IP-to-SGT bindings + SGACLs + CTS, in TCAM, at line rate.
  • Rules are tag-to-tag (identity), not IP-to-IP → portable policy.
  • Elisity ≈ automated, cloud-native TrustSec (the ISE classification/SGACL work, automated).
  • Vendor-agnostic: Cisco = TrustSec; Arista/Juniper/Aruba use native equivalents.
Self-check: "What gets pushed to the switch?" — name the three constructs + where enforced.

M6Intermediate Policy Lifecycle: Discover → Classify → Simulate → Enforce

Objectives: walk an identity from device-join to enforced rule.
Elisity implementation timeline - discover, classify, simulate, then enforce.
Elisity implementation timeline - discover, classify, simulate, then enforce.Image: Elisity ↗
  1. Discover — device connects; Virtual Edge scrapes identity from traffic (MAC OUI, behavior). ~99–100% of assets in ~a day.
  2. Classify — up to Control Center, correlated in IdentityGraph + integrations → identity group/tag.
  3. Author + Simulate — write identity policy; simulate against real traffic before enforcing.
  4. Distribute — cloud pushes policy to Virtual Edge over a secure channel.
  5. Translate + Enforce — Virtual Edge → SGT bindings + SGACLs → VEN enforces in TCAM.
Highlights
  • Arc: Discover → Classify → Simulate → Distribute → Translate → Enforce.
  • Monitor/simulate before enforce — never blind-enforce.
  • Cloud decides; switch enforces.
Self-check: narrate the full six-step flow, ending at SGACLs in hardware.

M7Advanced Scaling & Distribution Zones (TCAM Exhaustion)

Objectives: the TCAM/IP-SGT ceiling; how Distribution Zones prevent exhaustion.
Modern defensible architecture for OT - scaling segmentation across the estate.
Modern defensible architecture for OT - scaling segmentation across the estate.Image: Elisity ↗

A Catalyst 9K holds ~10,000 IP-SGT mappings in TCAM. Push every binding to every switch and the table overflows — policy silently stops programming. Distribution Zones scope where policy data goes:

  • Local: bulky dynamic IP-to-Tag mappings go only to the zone that needs them — enforcement close to the source; each switch carries only its zone's bindings.
  • Global: compact static / subnet-based rules (one line covers a subnet) go everywhere cheaply.

Sizing: Access DZ (C9300) ~9,000 devices; IE3400/C9200 ~1,000; Core DZ (C9500/9600) ~200,000 tag bindings. Mental model: OSPF areas for identity — localize high-volume state, flood only the small summary.

Highlights
  • Catalyst 9K cap ≈ 10,000 IP-SGT mappings → TCAM is the constraint.
  • Dynamic bindings stay local; compact subnet rules go global. No TCAM overrun.
  • Access DZ ~9k devices; Core DZ ~200k bindings.
Self-check: what stays local vs global, and why global doesn't blow the TCAM.

M8Advanced IdentityGraph & Integrations

Objectives: agentless classification; which systems feed identity.
Identity enrichment through integrations (e.g. Armis) feeds the IdentityGraph.
Identity enrichment through integrations (e.g. Armis) feeds the IdentityGraph.Image: Elisity ↗

Being agentless (critical for IoT/OT/IoMT), Elisity builds the IdentityGraph from:

  • Traffic-flow observation — behavior, protocols, MAC OUI (Virtual Edge).
  • IntegrationsActive Directory, ServiceNow, Medigate, Claroty, AWS, Palo Alto, and more (also SentinelOne, Microsoft Sentinel per current docs).

Result: a real-time, correlated map that makes confident identity-based policy possible.

Highlights
  • Agentless classification = traffic observation + integrations.
  • Feeds: AD, ServiceNow, Medigate, Claroty, AWS, Palo Alto, SentinelOne, MS Sentinel.
  • This is why it works for IoMT/OT devices that can't run agents.
Self-check: "How does it know what a device is with no agent?" — name the two sources.

M9Advanced Deployment: Onboarding Switches & Virtual Edge Models

Objectives: onboarding + Virtual Edge deployment options.
Microsegmentation deployment - agentless, on the switches you already own.
Microsegmentation deployment - agentless, on the switches you already own.Image: Elisity ↗
  • Virtual Edge: hypervisor-hosted VM or switch-hosted (on a supported switch).
  • VENs: most TrustSec-capable switches — Catalyst 3650/3850, many C9000, some IE3400, plus Arista/Juniper (Mist)/Aruba.
  • Speed: agentless + existing switches → first enforced policy in ~2 weeks (vendor claim).
  • Wireless: Catalyst 9800 — SGACL enforcement in the wireless policy profile.
Highlights
  • Virtual Edge = VM or on-switch; VENs = your existing TrustSec switches.
  • Supported: C3650/3850, many C9000, some IE3400, Arista/Juniper/Aruba.
  • Agentless + existing gear → fast rollout (vendor claim).
Self-check: two Virtual Edge deploy models + two switch families that can be VENs.

M10Advanced Elisity vs the Alternatives

Objectives: position vs Illumio, TrustSec/ISE, NAC, firewalls — with the driver.
Elisity vs NAC and other segmentation approaches.
Elisity vs NAC and other segmentation approaches.Image: Elisity ↗
ApproachEnforcesBest whenTrade-off
ElisityAgentless, cloud, switch-native (TrustSec)IoT/OT/IoMT, campus, no-touch, avoid full ISERelies on network enforcement; newer vendor
IllumioAgent-based host firewall + dependency mapAgent-tolerant DC/cloud, per-host granularityAgent on every host; weaker for unmanaged/IoT
Cisco TrustSec/ISENative SGT/SGACL, ISE-drivenAlready Cisco/ISE, want nativeHeavy to deploy (802.1X, ISE)
NACPort admission (802.1X/MAB)Deciding who gets onCoarse; not granular east-west
Firewall-basedInternal firewallsStrong north-southCostly/complex east-west at scale
Highlights
  • Pick by the requirement: agent tolerance, device type, existing footprint, ops maturity.
  • Elisity ≈ automated cloud-native TrustSec — complements ISE; rescues stalled TrustSec projects.
  • NAC decides who gets on; Elisity decides where they can go once on.
Self-check: "Elisity over Illumio — when and why?" — driver + trade-off.

M11Advanced Use Cases, Compliance & Frameworks

Objectives: map Elisity to use cases + governing frameworks.
Healthcare / IoMT - the flagship microsegmentation use case.
Healthcare / IoMT - the flagship microsegmentation use case.Image: Elisity ↗

Use cases: healthcare/IoMT (flagship), ransomware containment, OT/industrial (IEC 62443), Zero Trust, compliance (PCI-DSS, HIPAA, NIST).

NIST SP 800-207: Cloud Control Center = policy plane (Policy Engine/Administrator); switch (VEN) = Policy Enforcement Point. CISA ZTMM: advances the Networks and Devices pillars.

Marketing outcome claims (vendor figures): ~90% fewer over-privileged paths, ~85% less lateral-movement risk, ~65% fewer firewall licenses.
Highlights
  • Flagship: healthcare IoMT; also ransomware, OT (IEC 62443), Zero Trust.
  • NIST 800-207: cloud = policy plane, switch = PEP.
  • Outcome percentages are vendor claims.
Self-check: map Elisity's components to NIST 800-207 PDP/PEP.

M12Advanced Design & Consulting: Segmenting a Real Environment

Objectives: turn knowledge into an architecture recommendation + phased rollout.
Compliance-driven design - e.g. a PCI-DSS cardholder-data environment.
Compliance-driven design - e.g. a PCI-DSS cardholder-data environment.Image: Elisity ↗

Discovery first (before naming a product): what are we protecting + compliance; existing stack (switching, IdP, SIEM/EDR, NAC/ISE, cloud); device reality (managed vs IoT/OT/IoMT — the decisive agent-vs-agentless question); ops maturity/day-2; budget/timeline/downtime.

Method: visibility first → classify by identity/role → policy in business terms → monitor before enforce → enforce crown-jewels first → operationalize.

Worked example — hospital: guest = internet-only, off the LAN; PoS = isolated PCI-DSS zone; IT = corporate; clinical/IoMT = crown jewel, agentless-enforced. Rollout: monitor everywhere → guest → PoS → IT → clinical/IoMT last (life-safety; longest observation + tested rollback). Justify by risk vs disruption.

Highlights
  • Discovery before product; the device/agent-tolerance question drives the vendor.
  • Method: visibility → classify → business-language policy → monitor → crown-jewels-first → operationalize.
  • Communicate trade-offs & business outcomes; enforce highest-risk zone last.
Self-check: hospital — define four zones, enforcement per zone, rollout order + one-line justifications.

Capstone — Prove You've Got It

  1. One-sentence pitch + brain/muscle model (M2).
  2. What gets pushed to a Cisco switch, and why no added latency (M5).
  3. Full policy lifecycle, device-join to enforcement (M6).
  4. Distribution Zones: local vs global + the TCAM reason (M7).
  5. Elisity vs Illumio vs ISE — pick by the driver (M10).
  6. Design + sequence a hospital segmentation rollout (M12).

References

  1. Elisity — homepage. elisity.com
  2. Elisity — Platform overview. elisity.com/platform
  3. The Hacker News — Hands-On Walkthrough: Microsegmentation by Elisity (2025). link
  4. Elisity Support — Introduction to Elisity Microsegmentation. link
  5. Elisity Support — Managing Virtual Edges and Virtual Edge Nodes. link
  6. Elisity Support — Onboarding Catalyst 9000/3850/3650 as a Virtual Edge Node. link
  7. NIST SP 800-207 — Zero Trust Architecture. link
  8. Cisco — Cisco TrustSec (SGT/SGACL/CTS). link
  9. Elisity Support — Onboarding Arista Switches as Virtual Edge Nodes. link
  10. Elisity Support — Distribution Zones (within Managing Virtual Edges). link
  11. Cisco — Understand Hardware Resources on Catalyst 9000. link
  12. Elisity Support — Hardware Compatibility Matrix. link
  13. Elisity Support — Onboarding Catalyst 9800 Wireless Controller. link
  14. CISA — Zero Trust Maturity Model (v2). link
Offline mirror: ~410 pages (~100 blog posts + ~139 support/doc articles + product pages, 32 MB) saved in elisity-mirror/ — open index.html to browse, or manifest.csv for the full list. Includes the support/documentation articles that are bot-blocked from normal fetching.