User and Thing Identity in the Zero Trust Networking Era
Here we are in 2020 and the MAC address is still the predominant identifier used for network identity and policy derivation for the millions (likely billions) of “things”, the IoT and consumer devices connected to enterprise networks. Yes, MAC address: the network interface “hardware” identifier that can be changed in software and is often randomized on user-centric devices in an effort to preserve user privacy. The “Zero Trust” model has brought increased attention to transport-agnostic continuous authorization for applications and resources, but network identity and policy-based segmentation still play a critical role at the network edge. We’ll look at new technologies and protocols like the Device Provisioning Protocol (DPP), which simplifies provisioning for end users and enterprise administrators and provides a persistent, cryptographically backed device identity to the network. We’ll also look at some older technologies, like Tunneled EAP (TEAP), that have resurfaced to solve new use cases like binding a user identity and a machine identity together on user-centric devices like laptops, tablets and smartphones.
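A quick check a network defender can run against the point above, that a MAC address is not a stable identity: randomized MACs set the locally-administered (U/L) bit in the first octet, so any policy keyed on such an address is keyed on something the endpoint chose. This is an added example, not material from the talk; the log lines are constructed to resemble DHCP and RADIUS accounting records.

```python
import re

# Constructed sample records (not from the page): DHCP leases and RADIUS
# accepts of the kind a NAC or DHCP server logs for endpoints.
SAMPLE_LOG = """\
2020-03-02T09:14:11Z dhcp lease 10.20.4.17 mac=3c:22:fb:a1:00:5e host=printer-3f
2020-03-02T09:14:13Z radius accept calling-station-id=DA-A1-19-3C-44-02 user=host/laptop-17
2020-03-02T09:14:20Z dhcp lease 10.20.4.31 mac=02:00:5e:10:00:01 host=sensor-hvac-2
2020-03-02T09:15:02Z radius accept calling-station-id=00:1A:2B:3C:4D:5E user=jdoe
"""

# Matches colon- or hyphen-separated MACs in either case.
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b")


def first_octet(mac: str) -> int:
    return int(re.split(r"[:-]", mac)[0], 16)


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized MACs on phones, tablets and laptops set this bit, and so do
    deliberately assigned addresses on some VMs and IoT gear. Either way the
    value is not a burned-in hardware identifier and should not be the sole
    key for a network policy."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit set: not a unicast station address, so not an endpoint identity."""
    return bool(first_octet(mac) & 0x01)


def triage(log_text: str) -> list[dict]:
    """One record per line containing a MAC, flagging addresses that are
    unsuitable as a persistent identity for policy derivation."""
    results = []
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower().replace("-", ":")
        results.append({
            "mac": mac,
            "line": line,
            "locally_administered": is_locally_administered(mac),
            "multicast": is_multicast(mac),
        })
    return results
```

Feeding real accounting logs through `triage` shows how much of the endpoint population a MAC-keyed policy is actually anchoring to a software-chosen value.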