Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/31/2018
01:30 PM
Rich Chetwynd
Rich Chetwynd
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Good News about Cross-Domain Identity Management

Adoption of the SCIM open source, standards-based approach for syncing user information between applications is ratcheting up among SaaS vendors as well as enterprises.

The System for Cross-domain Identity Management, or SCIM, has existed for a while, but adoption by solution providers had been sporadic and inconsistent ... that is, until recently. In recent months, this standards-based approach for syncing user information between applications is finally ratcheting up, and adoption rates are showing no signs of slowing down.

What exactly is SCIM? It's an open standard developed out of the need for a way to synchronize user information between multiple applications. SCIM is fantastic for streamlining processes while also reducing mistakes and data inconsistencies between identity ecosystems.

For example, while onboarding a new employee, it's common for companies to create a new user profile in a central identity directory. It's also likely that the user also needs access to other services or applications, such as Salesforce, G Suite, or Slack. But it's inefficient for administrators to enter user information in all those environments. Provided the identity directory and the applications support a standards-based SCIM connector, users can be automatically provisioned to those enterprise apps.

SCIM also has security benefits. In many cases, when an employee is terminated or leaves a company, administrators often forget to deprovision the user's account for applications that contain sensitive data. According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks.

This is where SCIM really shines. When a user departs from your company, admins can terminate the user in your central directory with the knowledge that the user's account will also be suspended or deleted in your SCIM-enabled apps.

SCIM Adoption Is Surging
Many large SaaS vendors started supporting SCIM a few years ago, and today, some enterprise solutions are starting to enable it. Recently, I've seen a large surge in both the number of vendors supporting SCIM, and the number of customers who have happily adopted it.

When we analyzed our customer base at OneLogin, we found that our most widely used SCIM connector is Slack, followed by a top 10 list that includes the likes of well-known brands such as Lucidchart, Facebook Workplace, Github, Trello, Envoy, and Asana. Over the past few months, we've added over a dozen new SCIM connectors to Evernote, LastPass, and Wrike, with many more like Zscaler, Netskope, and RingCentral coming soon. It's getting to the point where enterprise-level companies are demanding that vendors support SCIM. As their complex web of interconnected apps continues to grow out of control, SCIM provides some relief in ensuring that user provisioning is taken care of and ghost user accounts aren't floating around all over the place.

Wrike, a cloud-based collaboration and project management software company, for example, identified an opportunity to strengthen its enterprise scalability story by adding a SCIM connector after a number of requests for SCIM from large prospects and customers. It has an interesting story that starts out implementing SCIM for enterprise customers and ends up with it also finding value internally. Wrike used SCIM to integrate its internal identity management system for employees and partners with its own software for project management and collaboration. The SCIM integration enabled it to automate user provisioning and deprovisioning between the two systems, which immediately took some of the load off the IT department. This also opened the door for more customization when company officials realized they could also sync custom attributes for things such as granting different privileges in Wrike based on an employee's department. It's still early days for Wrike on its SCIM journey, but indications are very positive so far.

I am excited about the future of SCIM as another building block in successful unified access management strategies. Companies can save time and effort by streamlining the onboarding/offboarding of employees, with the added benefit of improving security and standardized processes. If your cloud-based software vendors don't yet support SCIM, it's time to nudge them in that direction.

Related Content:

 

Rich Chetwynd is the head of developer experience at OneLogin, the leader in Unified Access Management. Chetwynd is responsible for all things developer at the company. Before OneLogin he started three companies including Litmos.com (acquired by CallidusCloud Inc), ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
richchetwynd
50%
50%
richchetwynd,
User Rank: Author
6/4/2018 | 12:45:56 PM
Re: Minor correction
Thanks David. I agree the article doesnt mention this as a leading cause, I did have another source for that so will have to dig it up. However, it does mention that terminated employees still had access to systems which is what I think is most relevant when considering a benefit of implementing SCIM.
dmddd
50%
50%
dmddd,
User Rank: Apprentice
6/4/2018 | 1:20:30 AM
Minor correction
Hi Rich, Thanks for this interesting article. As a side note, I think your article contains an incorrect information. You state that According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks. and provide a link to a 2014 DHS public announcement. That announcement does not make in any way the above statement. It only states that disgruntled and former employees pose a significant cyber threat. From significant cyber threat to leading cause, theres a quite a semantic distance. From disgruntled and former employees to unprovisioned accounts as well. While I see your line of reasoning and desire to strengthen your argument, and admit that everyone (including me) makes mistakes, I think it is important for the credibility of our industry that we demand more rigor from ourselves. Best regards, David
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.