Cloud

5/31/2018
01:30 PM
Rich Chetwynd
Rich Chetwynd
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Good News about Cross-Domain Identity Management

Adoption of the SCIM open source, standards-based approach for syncing user information between applications is ratcheting up among SaaS vendors as well as enterprises.

The System for Cross-domain Identity Management, or SCIM, has existed for a while, but adoption by solution providers had been sporadic and inconsistent ... that is, until recently. In recent months, this standards-based approach for syncing user information between applications is finally ratcheting up, and adoption rates are showing no signs of slowing down.

What exactly is SCIM? It's an open standard developed out of the need for a way to synchronize user information between multiple applications. SCIM is fantastic for streamlining processes while also reducing mistakes and data inconsistencies between identity ecosystems.

For example, while onboarding a new employee, it's common for companies to create a new user profile in a central identity directory. It's also likely that the user also needs access to other services or applications, such as Salesforce, G Suite, or Slack. But it's inefficient for administrators to enter user information in all those environments. Provided the identity directory and the applications support a standards-based SCIM connector, users can be automatically provisioned to those enterprise apps.

SCIM also has security benefits. In many cases, when an employee is terminated or leaves a company, administrators often forget to deprovision the user's account for applications that contain sensitive data. According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks.

This is where SCIM really shines. When a user departs from your company, admins can terminate the user in your central directory with the knowledge that the user's account will also be suspended or deleted in your SCIM-enabled apps.

SCIM Adoption Is Surging
Many large SaaS vendors started supporting SCIM a few years ago, and today, some enterprise solutions are starting to enable it. Recently, I've seen a large surge in both the number of vendors supporting SCIM, and the number of customers who have happily adopted it.

SCIM adoption by OneLogin customers
SCIM adoption by OneLogin customers

When we analyzed our customer base at OneLogin, we found that our most widely used SCIM connector is Slack, followed by a top 10 list that includes the likes of well-known brands such as Lucidchart, Facebook Workplace, Github, Trello, Envoy, and Asana. Over the past few months, we've added over a dozen new SCIM connectors to Evernote, LastPass, and Wrike, with many more like Zscaler, Netskope, and RingCentral coming soon. It's getting to the point where enterprise-level companies are demanding that vendors support SCIM. As their complex web of interconnected apps continues to grow out of control, SCIM provides some relief in ensuring that user provisioning is taken care of and ghost user accounts aren't floating around all over the place.

Wrike, a cloud-based collaboration and project management software company, for example, identified an opportunity to strengthen its enterprise scalability story by adding a SCIM connector after a number of requests for SCIM from large prospects and customers. It has an interesting story that starts out implementing SCIM for enterprise customers and ends up with it also finding value internally. Wrike used SCIM to integrate its internal identity management system for employees and partners with its own software for project management and collaboration. The SCIM integration enabled it to automate user provisioning and deprovisioning between the two systems, which immediately took some of the load off the IT department. This also opened the door for more customization when company officials realized they could also sync custom attributes for things such as granting different privileges in Wrike based on an employee's department. It's still early days for Wrike on its SCIM journey, but indications are very positive so far.

I am excited about the future of SCIM as another building block in successful unified access management strategies. Companies can save time and effort by streamlining the onboarding/offboarding of employees, with the added benefit of improving security and standardized processes. If your cloud-based software vendors don't yet support SCIM, it's time to nudge them in that direction.

Related Content:

 

Rich Chetwynd is the head of developer experience at OneLogin, the leader in Unified Access Management. Chetwynd is responsible for all things developer at the company. Before OneLogin he started three companies including Litmos.com (acquired by CallidusCloud Inc), ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
richchetwynd
50%
50%
richchetwynd,
User Rank: Author
6/4/2018 | 12:45:56 PM
Re: Minor correction
Thanks David. I agree the article doesnt mention this as a leading cause, I did have another source for that so will have to dig it up. However, it does mention that terminated employees still had access to systems which is what I think is most relevant when considering a benefit of implementing SCIM.
dmddd
50%
50%
dmddd,
User Rank: Apprentice
6/4/2018 | 1:20:30 AM
Minor correction
Hi Rich, Thanks for this interesting article. As a side note, I think your article contains an incorrect information. You state that According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks. and provide a link to a 2014 DHS public announcement. That announcement does not make in any way the above statement. It only states that disgruntled and former employees pose a significant cyber threat. From significant cyber threat to leading cause, theres a quite a semantic distance. From disgruntled and former employees to unprovisioned accounts as well. While I see your line of reasoning and desire to strengthen your argument, and admit that everyone (including me) makes mistakes, I think it is important for the credibility of our industry that we demand more rigor from ourselves. Best regards, David
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.