Cloud | Commentary
5/31/2018 01:30 PM
Rich Chetwynd

The Good News about Cross-Domain Identity Management

Adoption of the SCIM open source, standards-based approach for syncing user information between applications is ratcheting up among SaaS vendors as well as enterprises.

The System for Cross-domain Identity Management, or SCIM, has existed for a while, but adoption by solution providers had been sporadic and inconsistent ... that is, until recently. In recent months, adoption of this standards-based approach for syncing user information between applications has finally been ratcheting up, and adoption rates are showing no signs of slowing down.

What exactly is SCIM? It's an open standard developed out of the need for a way to synchronize user information between multiple applications. SCIM is fantastic for streamlining processes while also reducing mistakes and data inconsistencies between identity ecosystems.

For example, while onboarding a new employee, it's common for companies to create a new user profile in a central identity directory. It's also likely that the user needs access to other services or applications, such as Salesforce, G Suite, or Slack. But it's inefficient for administrators to enter user information in all those environments. Provided the identity directory and the applications support a standards-based SCIM connector, users can be automatically provisioned to those enterprise apps.

SCIM also has security benefits. When an employee is terminated or leaves a company, administrators often forget to deprovision the user's account in applications that contain sensitive data. According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks.

This is where SCIM really shines. When a user departs from your company, admins can terminate the user in your central directory with the knowledge that the user's account will also be suspended or deleted in your SCIM-enabled apps.

SCIM Adoption Is Surging
Many large SaaS vendors started supporting SCIM a few years ago, and today some enterprise solutions are starting to enable it. Recently, I've seen a large surge in both the number of vendors supporting SCIM and the number of customers who have happily adopted it.

Figure: SCIM adoption by OneLogin customers

When we analyzed our customer base at OneLogin, we found that our most widely used SCIM connector is Slack, followed by a top 10 list that includes well-known brands such as Lucidchart, Facebook Workplace, GitHub, Trello, Envoy, and Asana. Over the past few months, we've added over a dozen new SCIM connectors, including Evernote, LastPass, and Wrike, with many more such as Zscaler, Netskope, and RingCentral coming soon. It's getting to the point where enterprise-level companies are demanding that vendors support SCIM. As their complex web of interconnected apps continues to grow out of control, SCIM provides some relief by ensuring that user provisioning is taken care of and ghost user accounts aren't floating around all over the place.

Wrike, a cloud-based collaboration and project management software company, for example, identified an opportunity to strengthen its enterprise scalability story by adding a SCIM connector after a number of requests for SCIM from large prospects and customers. Its story is an interesting one: it starts with implementing SCIM for enterprise customers and ends with Wrike finding value in it internally as well. Wrike used SCIM to integrate its internal identity management system for employees and partners with its own project management and collaboration software. The SCIM integration enabled it to automate user provisioning and deprovisioning between the two systems, which immediately took some of the load off the IT department. This also opened the door for more customization when company officials realized they could also sync custom attributes, for instance to grant different privileges in Wrike based on an employee's department. It's still early days for Wrike on its SCIM journey, but indications are very positive so far.
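To make the provisioning and deprovisioning flow described earlier, and the department-attribute sync mentioned in the Wrike example, concrete, here is an added Python example written for this page; it is not OneLogin's, Wrike's, or any vendor's connector code. It reconciles a central directory against an application's SCIM 2.0 /Users endpoint, which is simulated in memory (the FakeScimApp class) so that it runs offline. The schema URNs, the PatchOp message shape and the enterprise extension's department attribute come from RFC 7643/7644; the directory records, the seeded app users and every e-mail address are constructed sample data.

```python
"""Directory-to-SaaS reconciliation over a simulated SCIM 2.0 /Users endpoint.

Added example for this page, not a vendor's connector. Schema URNs and message
shapes follow RFC 7643/7644; all users and directory records are constructed.
"""
from typing import Dict, List

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class FakeScimApp:
    """In-memory stand-in for a SaaS application's SCIM 2.0 /Users endpoint."""

    def __init__(self):
        self.users: Dict[str, dict] = {}  # id -> SCIM User resource
        self._next_id = 1

    def list_users(self) -> List[dict]:  # GET /Users
        return list(self.users.values())

    def create_user(self, body: dict) -> dict:  # POST /Users
        if USER_SCHEMA not in body["schemas"]:
            raise ValueError("400 invalidValue: missing core User schema")
        # userName is caseExact=false in RFC 7643, so uniqueness is case-insensitive
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            raise ValueError("409 uniqueness: userName already exists")
        uid = str(self._next_id)
        self._next_id += 1
        self.users[uid] = dict(body, id=uid)
        return self.users[uid]

    def patch_user(self, uid: str, patch: dict) -> dict:  # PATCH /Users/{id}
        if patch["schemas"] != [PATCH_SCHEMA]:
            raise ValueError("400 invalidSyntax: not a PatchOp message")
        resource = self.users[uid]
        for op in patch["Operations"]:
            if op["op"].lower() == "replace":
                resource[op["path"]] = op["value"]
        return resource


def directory_to_scim_user(entry: dict) -> dict:
    """Map a directory record to a SCIM User; department rides on the enterprise
    extension (the 'custom attribute' case from the Wrike story)."""
    return {
        "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
        "userName": entry["email"],
        "externalId": entry["employee_id"],  # stable link back to the directory
        "name": {"givenName": entry["first"], "familyName": entry["last"]},
        "emails": [{"value": entry["email"], "primary": True}],
        "active": entry["status"] == "active",
        ENTERPRISE_SCHEMA: {"department": entry["department"]},
    }


def deactivate_patch() -> dict:
    """Suspend rather than DELETE: the account and its audit trail are retained."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def reconcile(directory: List[dict], app: FakeScimApp) -> Dict[str, List[str]]:
    """Create app accounts for active directory users that lack one; deactivate app
    accounts whose owner is terminated in, or absent from, the directory (the
    'ghost account' case). Idempotent: a second run changes nothing."""
    app_users = {u["userName"].lower(): u for u in app.list_users()}
    wanted = {e["email"].lower(): e for e in directory}
    result: Dict[str, List[str]] = {"created": [], "deactivated": []}
    for key, entry in wanted.items():
        if entry["status"] == "active" and key not in app_users:
            app.create_user(directory_to_scim_user(entry))
            result["created"].append(entry["email"])
    for key, user in app_users.items():
        entry = wanted.get(key)
        still_active = entry is not None and entry["status"] == "active"
        if user.get("active", True) and not still_active:
            app.patch_user(user["id"], deactivate_patch())
            result["deactivated"].append(user["userName"])
    return result


# Constructed sample directory: Ada is new, Bob has been terminated, Cy is unchanged.
DIRECTORY = [
    {"employee_id": "E100", "first": "Ada", "last": "Lovelace", "email": "ada@example.com",
     "department": "Engineering", "status": "active"},
    {"employee_id": "E101", "first": "Bob", "last": "Martin", "email": "bob@example.com",
     "department": "Sales", "status": "terminated"},
    {"employee_id": "E102", "first": "Cy", "last": "Ng", "email": "cy@example.com",
     "department": "Finance", "status": "active"},
]


def seeded_app() -> FakeScimApp:
    """App state before the run: Bob and Cy were provisioned earlier; Dan exists only
    in the app (a ghost account nobody deprovisioned)."""
    app = FakeScimApp()
    for eid, first, last, email, dept in [("E101", "Bob", "Martin", "bob@example.com", "Sales"),
                                          ("E102", "Cy", "Ng", "cy@example.com", "Finance"),
                                          ("E999", "Dan", "Ghost", "dan@example.com", "Unknown")]:
        app.create_user(directory_to_scim_user({"employee_id": eid, "first": first, "last": last,
                                                "email": email, "department": dept, "status": "active"}))
    return app


if __name__ == "__main__":
    demo = seeded_app()
    print(reconcile(DIRECTORY, demo))
    for u in demo.list_users():
        print(u["id"], u["userName"], "active=%s" % u["active"])
```

Two design choices are worth noting. Departed users are deactivated with a PATCH on `active` rather than removed with DELETE, so the account's history survives for audit, and the second pass catches accounts that exist only in the app, which is exactly the "ghost account" problem the article describes. A real connector would also page through /Users and honour the app's ServiceProviderConfig, which this in-memory model omits.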

I am excited about the future of SCIM as another building block in successful unified access management strategies. Companies can save time and effort by streamlining the onboarding/offboarding of employees, with the added benefit of improving security and standardized processes. If your cloud-based software vendors don't yet support SCIM, it's time to nudge them in that direction.

Rich Chetwynd is the head of developer experience at OneLogin, the leader in Unified Access Management. Chetwynd is responsible for all things developer at the company. Before OneLogin he started three companies including Litmos.com (acquired by CallidusCloud Inc), ...

Comments
richchetwynd (User Rank: Author), 6/4/2018 | 12:45:56 PM
Re: Minor correction
Thanks David. I agree the article doesn't mention this as a leading cause; I did have another source for that so will have to dig it up. However, it does mention that terminated employees still had access to systems, which is what I think is most relevant when considering a benefit of implementing SCIM.
dmddd (User Rank: Apprentice), 6/4/2018 | 1:20:30 AM
Minor correction
Hi Rich, Thanks for this interesting article. As a side note, I think your article contains incorrect information. You state that "According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks." and provide a link to a 2014 DHS public announcement. That announcement does not make the above statement in any way. It only states that disgruntled and former employees pose a "significant cyber threat". From "significant cyber threat" to "leading cause", there's quite a semantic distance. From "disgruntled and former employees" to "unprovisioned accounts" as well. While I see your line of reasoning and desire to strengthen your argument, and admit that everyone (including me) makes mistakes, I think it is important for the credibility of our industry that we demand more rigor from ourselves.
Best regards,
David