
One Standard to Rule Them All: A Common Language for the Cloud’s Identity Management Crisis

18 May 2017 11:00am, by Jackson Shaw

Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

The movements of containerization, APIs and open source are more than just the hottest IT buzzwords — they speak to a shift in the way today’s savviest tech minds are getting ahead in the digital economy. Today’s companies are realizing that rather than reinvent the wheel with every new technology, they can innovate faster and better by tapping into the power of collaboration, integration and openness rather than DIY. Yet, despite the increasing pervasiveness of collaboration across the tech industry, one industry is still struggling with divides: the identity and access management (IAM) industry.

As it stands, most companies releasing applications and systems that deal with identities (and that is most, if not all, of them) roll out custom proprietary schemas and interfaces — meaning enterprises have to painstakingly integrate and manage identity in applications on a one-off, custom basis. In today’s world where an enterprise may deal with thousands of applications and identities moving in and out of the cloud — or on-premise systems — on a daily basis, this equates to dramatic drains on time and financial resources.


Yet, a solution exists for IAM’s identity crisis: SCIM (System for Cross-Domain Identity Management), an open standard and REST API that defines schema and protocol so that enterprises can now manage identities in a consistent and uniform way. Despite this, widespread adoption of SCIM by SaaS and IAM vendors has yet to occur, with many preferring to stick with the familiar and build their custom APIs — forcing the average enterprise to manage identities in their cloud applications with time-consuming custom coding.

In this article, I’ll discuss why the industry needs to discard the DIY mindset, embrace open standards, and the importance of interoperability and collaboration in the digital economy.

IAM: A Brief History

Since the early days of IAM, IT departments have been working to integrate their IAM solutions with a myriad of on-premise identity systems. These systems have included mainframes, email systems, physical access control systems, Unix/Linux servers and many, many business applications based on Oracle, Microsoft or other databases. While there seems to be a nearly endless number of these on-premise systems, there has been a significant amount of success integrating them with most IAM solutions. Why? Most on-premise systems or solutions have been in the market for many years or, in fact, decades, so most of their interoperability problems have long since been solved.

Consider Microsoft’s Active Directory or SQL; Oracle’s database solution and IBM’s Resource Access Control Facility (RACF) for mainframe access control. How is interoperability between these database systems achieved? That’s solved with Open Database Connectivity — ODBC, released in 1992. How is interoperability between on-premise directory services achieved? That’s solved with the Lightweight Directory Access Protocol — LDAP, released in 1993.


Today, an identity management solution can use an LDAP connector to talk to any LDAP solution. Regardless of whether a solution was written by Microsoft, IBM, Oracle or any other vendor that supports LDAP you can easily interoperate with it and incorporate it into your identity solution with a single connector type.

What’s my point? The industry has had more than two decades to sort out interoperability problems between most on-premise systems. But that is, unfortunately, not the case for cloud-based systems.

Cloud Transformation – and Challenges

Cloud-based systems are a horse of a different color. Why? Over the last five or so years there has been a proliferation of new software and solutions that are offered in the cloud. That’s been transformative for many, many companies. All you have to do is think of solutions like Salesforce, Dropbox, Office 365, Workday, ServiceNow and you know what I mean.


However, the explosion of these cloud applications within the enterprise has also meant increased burdens for those in IT tasked with security — the sheer volume equates to hundreds more applications to manage and secure — all of which are likely using different mechanisms for exchanging identity data. Moreover, with the rise of SaaS solutions and the Bring Your Own App (BYOA) trend, it’s now very easy for individual employees and teams to purchase and bring solutions into their organization without IT’s involvement — meaning IT often believes it has a certain number of cloud solutions in use, when in reality the number might be 2-4X that.

One of our customers managed to do an inventory across their company and found they have just over 1,200 cloud solutions being used. Can you imagine that? In my experience it has been very rare to find any customer that wants to integrate more than 100 on-premise systems with their IAM solution — usually it is 15-50 systems that need to be integrated. But with sensitive data being constantly distributed and exchanged in today’s SaaS-driven world from both within and outside an organization, it’s extremely important to retain control and visibility of where your identity data resides — which can be difficult to do when your applications and systems all speak different languages. So is there an equivalent to ODBC or LDAP for cloud-based systems? Yes, that’s where SCIM comes in.

Why SCIM Matters

Since 2015, SCIM has been an Internet Engineering Task Force standard — specifically RFC 7644. An open REST API based on JSON and XML, the standard automates the exchange of user identity information between IT systems by providing a common user schema, an extension model and a service protocol. In essence, SCIM was created as a powerful way to standardize — and therefore simplify — how identity data is exchanged between partners and systems.

Why is SCIM so important? As it stands, without a standard connection method, companies must write custom software connectors to join their applications/systems and their IAM systems. And with today’s large organizations having up to thousands of hosted applications, related servers, databases and file shares requiring user provisioning, this can equate to hundreds of hours of repetitive work.

With SCIM-enabled systems, organizations can easily interoperate between various cloud solutions using a single connector type — ultimately allowing these diverse systems to speak the same language. That’s a significant cost and time savings from a services perspective for any customer plus it’s a reduction in the complexity of your IAM system having to deal with one connector type versus multiple connectors.

Some use cases illustrating the power of SCIM: If an employee leaves your company, SCIM can be used to automatically delete accounts for that user in external systems in one swift click — rather than having to individually deprovision all of that user’s accounts in each application: Google Apps for Work, Salesforce, Slack, Office 365, the list goes on.

Another example: If you decide to switch vendors for your CRM system and it’s using SCIM, data in the old system can be migrated over to new system once connected via SCIM, easily. Without SCIM, all that data could otherwise be locked into a system’s proprietary identity store, making migrating that data difficult, if not impossible.
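The two use cases above, deprovisioning one user across every connected system and migrating users from one provider to another, both come down to the same handful of SCIM operations against the same User schema. The following is an added example, not code from the article or from One Identity: a toy in-memory SCIM 2.0 service provider standing in for each SaaS application, with a client-side deprovision flow and a migration flow driven against it. The provider names, user records and the `ScimProvider`, `deprovision` and `migrate` functions are constructed for this illustration; the schema URIs (`urn:ietf:params:scim:schemas:core:2.0:User`, the enterprise extension, the `ListResponse` message) and the filter form `userName eq "..."` are the ones RFC 7643/7644 define. A real client would send the same payloads over HTTPS as `POST /Users`, `GET /Users?filter=...` and `DELETE /Users/{id}` with `Content-Type: application/scim+json`.

```python
"""Toy SCIM 2.0 provider plus deprovision and migration flows (constructed example)."""
import json
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimProvider:
    """In-memory stand-in for one SaaS application's SCIM endpoint.

    Each method mirrors one protocol operation: create -> POST /Users,
    search -> GET /Users?filter=..., delete -> DELETE /Users/{id}.
    """

    def __init__(self, name):
        self.name = name
        self._users = {}  # id -> User resource

    def create(self, user):
        # A conforming provider rejects a payload that lacks the core schema URI
        # or the required userName attribute.
        if USER_SCHEMA not in user.get("schemas", []) or "userName" not in user:
            raise ValueError("invalid SCIM User resource")
        resource = dict(user, id=str(uuid.uuid4()))  # id is provider-assigned
        self._users[resource["id"]] = resource
        return resource

    def search(self, filter_expr):
        # Supports only the 'userName eq "<json string>"' filter form; the value is a
        # JSON string literal, so it is parsed with json.loads rather than by stripping quotes.
        attr, op, value = filter_expr.split(" ", 2)
        if attr != "userName" or op != "eq":
            raise ValueError("unsupported filter")
        wanted = json.loads(value)
        # userName is defined as not caseExact in the core schema, so compare case-insensitively.
        hits = [u for u in self._users.values() if u["userName"].lower() == wanted.lower()]
        return {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def delete(self, user_id):
        # Returns the HTTP status a real provider would: 204 on success, 404 if unknown.
        if user_id not in self._users:
            return 404
        del self._users[user_id]
        return 204

    def list_all(self):
        return {"schemas": [LIST_SCHEMA], "totalResults": len(self._users),
                "Resources": list(self._users.values())}


def deprovision(user_name, providers):
    """The 'employee leaves' case: remove that person's account from every provider.

    Returns {provider name: [status codes]} so the caller can see where deletes failed.
    """
    # json.dumps produces a properly escaped JSON string literal, which is what the SCIM
    # filter grammar expects; formatting the raw name into the filter would let a crafted
    # userName alter the filter expression.
    filter_expr = f"userName eq {json.dumps(user_name)}"
    outcome = {}
    for p in providers:
        ids = [r["id"] for r in p.search(filter_expr)["Resources"]]
        outcome[p.name] = [p.delete(i) for i in ids]
    return outcome


def migrate(source, target):
    """The 'switch vendors' case: copy every User from source to target.

    'id' and 'meta' are assigned by the provider, so they are dropped before re-creation;
    everything else, including extension attributes, carries over unchanged.
    """
    moved = []
    for r in source.list_all()["Resources"]:
        payload = {k: v for k, v in r.items() if k not in ("id", "meta")}
        moved.append(target.create(payload)["userName"])
    return moved


def demo():
    """Constructed scenario: three apps hold alice, the CRM also holds bob."""
    crm, chat, files = ScimProvider("crm"), ScimProvider("chat"), ScimProvider("files")
    alice = {
        "schemas": [USER_SCHEMA, ENTERPRISE_EXT],
        "userName": "alice@example.com",
        "name": {"givenName": "Alice", "familyName": "Example"},
        "active": True,
        ENTERPRISE_EXT: {"department": "Sales"},  # extension model in use
    }
    for p in (crm, chat, files):
        p.create(alice)
    crm.create({"schemas": [USER_SCHEMA], "userName": "bob@example.com", "active": True})

    removed = deprovision("alice@example.com", [crm, chat, files])
    new_crm = ScimProvider("new-crm")
    migrated = migrate(crm, new_crm)
    bob_count = new_crm.search('userName eq "bob@example.com"')["totalResults"]
    return removed, migrated, bob_count


if __name__ == "__main__":
    print(demo())
```

The point of routing both flows through one `ScimProvider` abstraction is the one the article makes about connector types: the IAM side needs a single client, and adding a fourth or fortieth application is a matter of registering another endpoint, not writing another connector. The status codes returned by `deprovision` are worth keeping, since a 404 or an error on one provider is exactly the orphaned account a leaver-process audit should surface.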

Therefore, the potential of SCIM to impact the digital economy is vast. With the ability to connect infrastructure speaking the common language of SCIM to each other without painstaking custom coding, IT teams can secure and synchronize data and identities better and faster while focusing their efforts on what matters: digital transformation and innovation. As a result, companies can achieve greater time and cost savings, faster.

Putting Differences to REST

With the explosion of cloud-based systems happening all around us, it is becoming increasingly critical that we can easily support and integrate these systems within our identity solutions. SCIM is the answer to this — allowing us to turn identity management into a universal platform, rather than a cumbersome step in cloud adoption.

Unfortunately, there are some issues with SCIM. Chiefly, there hasn’t been widespread adoption of SCIM by SaaS vendors. Unlike LDAP or ODBC, which have been adopted by hundreds of vendors, only a few vendors have adopted SCIM. So while we have a standard in place, we don’t have broad adoption and without broad adoption, we will continue to have interoperability issues in our increasingly SaaS-driven world.

Given the typically close-lipped nature of our industry, it’s not a surprise — openness can seem counterintuitive to those in the business of protecting data. Some SaaS vendors may also fear that using an interoperable standard also used by their competitors will benefit their competition. As such it can be tempting to want to lock data — and therefore customers — in with a proprietary approach.


However, as the saying goes, a rising tide lifts all boats. Embracing the cultures of co-opetition and collaboration will only allow us to better secure the sensitive identity data in today’s scattered SaaS environments, and focus our efforts on digital transformation — not unnecessary mechanics.

As security and privacy increasingly become hot button issues amidst today’s heightened data breaches, this is more critical than ever. My advice is that as customers, companies demand SCIM support from the various cloud/SaaS solutions they are purchasing. While some vendors may be content with locking you into their proprietary approach, others may simply be unaware that a standard like SCIM exists.

From the other side of the picture, my advice to the developers architecting the new solutions, infrastructures and apps of today is to consider using SCIM as your identity layer. You’ll save time while contributing to the openness and interoperability of the digital economy — win-win. Only by advocating for one common language can we allow SCIM to reach the ubiquity it needs to transform — and unite — the digital ecosystem. It’s time to put differences to REST.

Feature image: Third Avenue Railroad Company depot, William Schenck, New York Metropolitan Museum of Art.
