Elisity is a cloud-native, identity-based microsegmentation platform that transforms the approach to network security in enterprise environments. Rather than relying on IP addresses, VLANs, or physical network topology, Elisity ties security policies directly to user and device identity — drawing from Active Directory or Microsoft Entra ID. The result is microsegmentation that follows identity, not network location.
What Is Elisity
Elisity is a microsegmentation platform built from the ground up as a cloud-native solution, designed to segment east-west traffic in enterprise networks. The fundamental difference from traditional NAC solutions is that Elisity does not act as a gatekeeper at the moment a device connects to the network; instead, it continuously monitors inter-segment traffic and enforces policies based on identity.
Elisity's key differentiator is its agentless approach: the platform requires no software installation on protected devices and no replacement of network infrastructure. Instead, the Elisity Cloud Agent — a lightweight virtual appliance — is deployed on existing network switches (Cisco, Aruba, Juniper, Extreme). This enables rapid deployment without touching endpoint devices, which is especially important in environments with OT, IoT, or medical devices that cannot be managed by traditional agents.
How Elisity Works
The Elisity Cloud Agent is a lightweight virtual appliance deployed on existing network switches. The agent does not require changes to network hardware configuration — it integrates with the switch through standard API interfaces or a SPAN port, collecting network traffic information and enforcing policies at the network level.
Identity integration happens in real time: Elisity connects to Active Directory or Microsoft Entra ID and retrieves device and user group memberships. When a device joins the network, Elisity resolves its identity and assigns it to the appropriate segmentation group, with no manual configuration required.
Elisity's policy engine works on simple rules of the form "Group A can communicate with Group B." Rules are defined at the identity group level, not at the IP address level, eliminating the need to update policies with every network topology or addressing change. When a device changes its identity (for example, a laptop moves from the employee group to the contractor group), policies update automatically.
Visibility is one of the platform's core elements: Elisity generates a continuous map of all device-to-device communication flows in the network. This map allows you to understand which systems communicate with each other and why — essential both for designing segmentation policies and for detecting traffic anomalies.
Key Features
Rapid deployment distinguishes Elisity from traditional NAC solutions: a proof of concept can be running in 1-2 days, and full production deployment typically takes 2-4 weeks. There is no requirement to replace network infrastructure, redesign VLANs, or install agents on endpoints. This dramatically lowers the barrier to entry and shortens time-to-value.
Multi-vendor network support is native: Elisity works with Cisco, Aruba, Juniper, and Extreme switches. Segmentation policies are consistent regardless of network hardware manufacturer, eliminating the silo problem in heterogeneous environments.
Built-in compliance mapping is included in the platform: Elisity provides predefined tags and policy templates for PCI DSS, HIPAA, and NIS2 standards. Organizations can document and demonstrate compliance with network segmentation requirements without manually creating documentation.
Zero Trust segmentation with default-deny is the foundation of Elisity's security model: traffic between microsegments is blocked by default, with access granted only on the basis of explicitly defined policies. This directly implements Zero Trust architecture principles at the network layer.
OT and IoT environment support is one of Elisity's primary use cases: the platform can segment OT, IoT, and medical devices without agent installation — which is impossible with solutions requiring client software on protected devices.
Elisity vs Traditional Approaches
Compared with Cisco ISE + SGT, Elisity offers several significant advantages: it operates in multi-vendor environments without requiring Cisco infrastructure, deployment time is dramatically shorter, and management is entirely cloud-based without maintaining local ISE infrastructure. ISE remains the better choice for organizations with extensive Cisco infrastructure that need full NAC capabilities (802.1X, posture assessment, BYOD portals) and have the resources to deploy and maintain the platform.
Compared with VLAN-based segmentation, Elisity eliminates the need to redesign the network every time security requirements change. Identity-based policies follow devices regardless of their network location, while VLANs require manual reconfiguration whenever a device moves to a different segment.
Compared with agent-based solutions such as Illumio, Elisity's agentless approach eliminates the need to manage agents on thousands of devices, enables segmentation of OT/IoT devices that do not support agents, and simplifies deployment in environments with large numbers of diverse device types.
Use Cases
Ransomware containment is one of Elisity's most compelling use cases: when a ransomware infection is detected, the platform can automatically isolate the infected device by changing its segmentation group membership, preventing malware propagation to other network segments. Automating this response reduces isolation time from hours (manual IT intervention) to seconds.
OT/IT separation is particularly important in industrial and manufacturing environments: Elisity enables strict enforcement of segmentation between IT and OT networks without touching OT devices, which often cannot be modified for operational or warranty reasons. The platform sees and controls traffic between segments without installing anything on OT devices.
NIS2 network segmentation requirements can be met and documented using Elisity: the platform generates reports showing which device groups are separated from each other, which policies are in effect, and when they were last modified. This significantly simplifies the preparation of documentation required by NIS2 auditors.
Data centre east-west traffic control is another use case: Elisity constrains "flat" server networks in which servers can communicate freely with each other. Microsegmentation in the data centre limits the lateral movement available to an attacker who has compromised a single server.
Deploying Elisity: What to Expect
Days 1-2 are the deployment phase: deploying the Elisity Cloud Agent on switches, integrating with Entra ID or Active Directory, and activating visibility mode. In this mode, the platform collects network traffic data without applying any restrictions — allowing you to see how devices communicate before policies are defined.
Weeks 1-2 are the mapping phase: analysis of collected traffic flows, identification of device groups, and definition of microsegment boundaries. This phase designs segmentation groups — typically based on existing AD/Entra ID groups — and preliminary communication policies between them.
Weeks 3-4 are the policy testing phase: writing segmentation policies, activating shadow mode (policies are logged but not enforced), and verifying that no necessary traffic is blocked by the planned policies. This is a critical phase that minimizes the risk of disrupting production systems when enforcement is activated.
Month 2 onwards: activating policy enforcement for the first device groups, gradually extending segmentation scope to additional network segments. A typical project timeline achieves full environment coverage within 2-3 months from project start.
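The policy model described above (group-level "Group A can talk to Group B" rules, default deny between groups, shadow mode that logs without enforcing, and isolation by changing a device's group membership) can be made concrete with a small simulation. The following Python is an added illustration written for this page, not Elisity's or ExColo's code; the device names, groups, ports and flows are constructed stand-ins for what the platform would learn from a switch and from AD/Entra ID, and the three modes mirror the visibility, shadow and enforcement phases.

```python
"""Toy identity-based, default-deny microsegmentation engine.

Added illustration, not Elisity code. Devices are mapped to identity
groups (a constructed stand-in for AD / Entra ID membership), policies
are written between groups, and any flow without a matching rule is
denied. The engine runs in one of three modes that mirror the rollout
phases: visibility (observe only), shadow (evaluate and log would-be
blocks, enforce nothing) and enforce.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed directory: device -> identity groups (assumption, not real data).
DIRECTORY = {
    "laptop-01": {"employees"},
    "laptop-02": {"contractors"},
    "plc-07":    {"ot-controllers"},
    "hmi-03":    {"ot-operators"},
    "db-01":     {"db-servers"},
    "app-01":    {"app-servers"},
}


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: frozenset = frozenset()  # empty set means any destination port


# Group-level allow rules; everything not listed here is denied by default.
POLICIES = [
    Rule("employees", "app-servers", frozenset({443})),
    Rule("app-servers", "db-servers", frozenset({5432})),
    Rule("ot-operators", "ot-controllers", frozenset({502})),  # Modbus/TCP
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


class Engine:
    def __init__(self, directory, policies, mode="visibility"):
        self.directory = {dev: set(groups) for dev, groups in directory.items()}
        self.policies = list(policies)
        self.mode = mode                      # "visibility" | "shadow" | "enforce"
        self.flow_map = defaultdict(set)      # (src_group, dst_group) -> {ports}
        self.shadow_log = []                  # flows that would have been blocked

    def groups(self, device):
        # Unknown devices fall into a group that no rule references, so they
        # are denied by default rather than silently allowed.
        return self.directory.get(device, {"unknown"})

    def allowed(self, flow):
        for sg in self.groups(flow.src):
            for dg in self.groups(flow.dst):
                for rule in self.policies:
                    if (rule.src_group == sg and rule.dst_group == dg
                            and (not rule.ports or flow.port in rule.ports)):
                        return True
        return False  # default deny: no rule matched

    def process(self, flow):
        # The group-to-group visibility map is built in every mode.
        for sg in self.groups(flow.src):
            for dg in self.groups(flow.dst):
                self.flow_map[(sg, dg)].add(flow.port)
        if self.mode == "visibility":
            return "observed"
        ok = self.allowed(flow)
        if self.mode == "shadow":
            if not ok:
                self.shadow_log.append(flow)
            return "allowed" if ok else "would-block"
        return "allowed" if ok else "blocked"

    def isolate(self, device):
        # Containment by identity: moving the device into a group with no
        # allow rules denies all of its traffic without touching any rule.
        self.directory[device] = {"quarantine"}


# Constructed sample flows, as a switch might report them.
FLOWS = [
    Flow("laptop-01", "app-01", 443),    # employee -> app server
    Flow("app-01", "db-01", 5432),       # app tier -> database tier
    Flow("laptop-02", "db-01", 5432),    # contractor straight to the database
    Flow("hmi-03", "plc-07", 502),       # OT operator -> controller
    Flow("laptop-01", "plc-07", 502),    # IT laptop -> OT controller
]


def run_demo():
    shadow = Engine(DIRECTORY, POLICIES, mode="shadow")
    shadow_verdicts = [shadow.process(f) for f in FLOWS]

    enforce = Engine(DIRECTORY, POLICIES, mode="enforce")
    enforce_verdicts = [enforce.process(f) for f in FLOWS]

    # Simulate ransomware response: quarantine the laptop, then re-check a
    # flow that was permitted a moment ago.
    enforce.isolate("laptop-01")
    after_isolation = enforce.process(Flow("laptop-01", "app-01", 443))

    return {
        "flow_map": dict(shadow.flow_map),
        "shadow_verdicts": shadow_verdicts,
        "shadow_would_block": [(f.src, f.dst, f.port) for f in shadow.shadow_log],
        "enforce_verdicts": enforce_verdicts,
        "after_isolation": after_isolation,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The shadow run is the interesting one for a rollout: its `would-block` list is exactly the set of flows that need a rule or a decision before enforcement is switched on, which is the check the policy testing phase exists to perform. Note that the unknown-device path resolves to a group no rule references, so a device the directory has never seen is denied rather than allowed.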
How ExColo Can Help
ExColo has experience implementing Elisity — from environment assessment and proof of concept through full production deployment to knowledge transfer for your internal IT team. We understand both the technical aspects of the platform and the operational challenges organizations face when implementing microsegmentation for the first time.
We guide clients through the complete deployment cycle: existing network assessment, identity-based segmentation design, Elisity Cloud Agent deployment, Active Directory or Entra ID integration, policy design and testing, and production go-live. We also offer training for IT teams that will manage the platform after deployment.
If you are considering implementing microsegmentation and want to evaluate whether Elisity is the right solution for your environment, contact us.