
Cloud

5/31/2018
01:30 PM
Rich Chetwynd
Commentary
The Good News about Cross-Domain Identity Management

Adoption of the SCIM open source, standards-based approach for syncing user information between applications is ratcheting up among SaaS vendors as well as enterprises.

The System for Cross-domain Identity Management, or SCIM, has existed for a while, but adoption by solution providers had been sporadic and inconsistent ... that is, until recently. In recent months, this standards-based approach for syncing user information between applications has finally been ratcheting up, and adoption rates show no signs of slowing down.

What exactly is SCIM? It's an open standard created to meet the need for a common way to synchronize user information between multiple applications. SCIM is fantastic for streamlining processes while also reducing mistakes and data inconsistencies between identity ecosystems.

For example, while onboarding a new employee, it's common for companies to create a new user profile in a central identity directory. It's also likely that the user needs access to other services or applications, such as Salesforce, G Suite, or Slack. But it's inefficient for administrators to enter user information in all those environments by hand. Provided the identity directory and the applications support a standards-based SCIM connector, users can be automatically provisioned to those enterprise apps.

SCIM also has security benefits. When an employee is terminated or leaves a company, administrators often forget to deprovision the user's account in applications that contain sensitive data. According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks.

This is where SCIM really shines. When a user departs from your company, admins can terminate the user in your central directory with the knowledge that the user's account will also be suspended or deleted in your SCIM-enabled apps.
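To make the onboarding and offboarding flows above concrete, here is an added example (not OneLogin's code or any vendor's connector) that builds the SCIM 2.0 User resource an identity provider would POST to a SaaS app's /Users endpoint, the PATCH message it would send at offboarding to set `active` to false, and a minimal service-provider-side function that applies that patch. The user values, the `apply_patch` helper and the `offboarding_check` function are constructed for illustration; the schema URNs and the `active` and `department` attributes come from RFC 7643/7644.

```python
import json
from copy import deepcopy

# Schema identifiers defined by RFC 7643 (core User, Enterprise User extension)
# and RFC 7644 (PatchOp message).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_user(user_name, given, family, email, department):
    """Body the identity directory POSTs to /Users when onboarding.
    'department' lives in the enterprise extension, which is how an app can
    map a user's department to its own privilege levels."""
    return {
        "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
        ENTERPRISE_SCHEMA: {"department": department},
    }


def deactivate_patch():
    """PATCH body sent to /Users/{id} at offboarding: flip 'active' to false
    so the app suspends the account without waiting for an admin."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def apply_patch(resource, patch):
    """Hypothetical service-provider side: apply 'replace' operations whose
    path is a simple top-level attribute. Rejects anything else rather than
    silently ignoring it, so a malformed deprovisioning call cannot succeed
    while leaving the account active."""
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    updated = deepcopy(resource)
    for op in patch["Operations"]:
        path = op.get("path", "")
        if op.get("op", "").lower() != "replace" or not path or "." in path:
            raise NotImplementedError(f"unsupported operation: {json.dumps(op)}")
        updated[path] = op["value"]
    return updated


def offboarding_check(resource):
    """Defender's verification after the directory removes the user: the app's
    copy of the account must no longer be active (a ghost account otherwise)."""
    return resource.get("active") is False
```

Running `apply_patch(build_user(...), deactivate_patch())` and then `offboarding_check` on the result is the check an IT team can script against each SCIM-enabled app after a termination.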

SCIM Adoption Is Surging
Many large SaaS vendors started supporting SCIM a few years ago, and today, some enterprise solutions are starting to enable it. Recently, I've seen a large surge in both the number of vendors supporting SCIM, and the number of customers who have happily adopted it.

When we analyzed our customer base at OneLogin, we found that our most widely used SCIM connector is Slack, followed by a top 10 list that includes the likes of well-known brands such as Lucidchart, Facebook Workplace, GitHub, Trello, Envoy, and Asana. Over the past few months, we've added over a dozen new SCIM connectors to Evernote, LastPass, and Wrike, with many more like Zscaler, Netskope, and RingCentral coming soon. It's getting to the point where enterprise-level companies are demanding that vendors support SCIM. As their complex web of interconnected apps continues to grow out of control, SCIM provides some relief in ensuring that user provisioning is taken care of and ghost user accounts aren't floating around all over the place.

Wrike, a cloud-based collaboration and project management software company, for example, identified an opportunity to strengthen its enterprise scalability story by adding a SCIM connector after a number of requests for SCIM from large prospects and customers. Its story is an interesting one: it started out implementing SCIM for enterprise customers and ended up finding value internally as well. Wrike used SCIM to integrate its internal identity management system for employees and partners with its own software for project management and collaboration. The SCIM integration enabled it to automate user provisioning and deprovisioning between the two systems, which immediately took some of the load off the IT department. This also opened the door for more customization when company officials realized they could also sync custom attributes, for example to grant different privileges in Wrike based on an employee's department. It's still early days for Wrike on its SCIM journey, but indications are very positive so far.

I am excited about the future of SCIM as another building block in successful unified access management strategies. Companies can save time and effort by streamlining the onboarding/offboarding of employees, with the added benefit of improving security and standardized processes. If your cloud-based software vendors don't yet support SCIM, it's time to nudge them in that direction.

Rich Chetwynd is the head of developer experience at OneLogin, the leader in Unified Access Management. Chetwynd is responsible for all things developer at the company. Before OneLogin he started three companies including Litmos.com (acquired by CallidusCloud Inc), ...
Comments
richchetwynd,
User Rank: Author
6/4/2018 | 12:45:56 PM
Re: Minor correction
Thanks David. I agree the article doesn't mention this as a leading cause; I did have another source for that so will have to dig it up. However, it does mention that terminated employees still had access to systems, which is what I think is most relevant when considering a benefit of implementing SCIM.
dmddd,
User Rank: Apprentice
6/4/2018 | 1:20:30 AM
Minor correction
Hi Rich, Thanks for this interesting article. As a side note, I think your article contains incorrect information. You state that "According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks." and provide a link to a 2014 DHS public announcement. That announcement does not make the above statement in any way. It only states that disgruntled and former employees pose a significant cyber threat. From "significant cyber threat" to "leading cause", there's quite a semantic distance. From "disgruntled and former employees" to "unprovisioned accounts" as well. While I see your line of reasoning and desire to strengthen your argument, and admit that everyone (including me) makes mistakes, I think it is important for the credibility of our industry that we demand more rigor from ourselves. Best regards, David