What is SCIM / SCIM Provisioning?
System for Cross-domain Identity Management (SCIM) is a standard that defines how identity and access management (IAM) systems and the applications/systems they manage operate and communicate with each other. SCIM exists in the Identity Governance (IG) realm, which sits under the larger IAM umbrella.
The systems managed with SCIM include applications for CRM, productivity, social media, telecommunications, security analytics, education, and many more. SCIM provisions and de-provisions accounts for each user who requires access to these applications, each of which exposes its own application programming interface (API).
In this blog, we will explore why SCIM is needed, how it works, and the implications for privileged access.
Why SCIM Provisioning is Needed – Key Benefits
Traditional identity management tools lacked a standard communication channel between IAM solutions and the systems and applications they manage, which resulted in an ecosystem of proprietary connectors. Industry players worked together to define a normalized, standard, and reusable interface, which became the System for Cross-domain Identity Management.
Productivity skyrockets when companies have proper SCIM in place. SCIM delivers on the idea of automated provisioning of accounts for each system and significantly reduces the manual effort typically required for configuring visibility and account provisioning. IT administrators and support teams can focus on prioritized tasks instead of manually provisioning/deprovisioning users to multiple applications. With a SCIM connector, users are automatically provisioned/deprovisioned to their cloud-based apps.
Let’s consider a company that manually manages user access for its workforce. Imagine this company has just hired 40 new employees. Each employee requires access to 20 different applications, such as their CRM, productivity tools, telecoms, etc. That’s 800 accounts that must be created.
In this example, each application requires its own unique connection, implemented in custom-written code. That code requires regular maintenance and management. Maintenance activities that are not automated can entail considerable manual labor hours and scrupulous attention to detail (i.e., the absence of human error). Such a scenario reflects a world without the System for Cross-domain Identity Management.
In a world with SCIM, user access provisioning/de-provisioning and related activities become substantially more seamless, automatic, and error-free. SCIM automates the process of provisioning accounts for each system and its unique connection.
With SCIM provisioning, all accounts, groups, and permissions or entitlements are automatically synchronized from the company’s directory to each of the unique systems, ready for use by the employees. The automation significantly reduces the manual effort required for configuring access and maintaining ongoing visibility into changes.
Using SCIM also improves security, especially as cloud-based apps require proper management. Risks are mitigated when employees do not have to separately log in to each app. Depending on the employee’s workflow, attack vectors can quickly add up when many apps come into play. Security compliance is strengthened when employees have unique passwords for each of their applications.
Finally, taking this all together, SCIM provisioning can significantly improve ROI and reduce total cost of ownership (TCO) of an organization’s IAM estate.
How does SCIM work?
Through the SCIM REST API, endpoints can be managed at scale. The endpoints represent the company’s Users and Groups. For example, adding a new member to a specified group can be fulfilled with the POST request. Administrators supply the user’s identity data, such as username and title. SCIM then uses the endpoints and that data to create a schema through which cloud-based applications can transfer information between two or more security domains.
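To make the exchange above concrete, here is an added example (not code from the original post or from BeyondTrust) of the joiner/leaver flow an IAM system drives over SCIM 2.0. The `ScimServiceProvider` class is a constructed in-memory stand-in for one application's SCIM endpoint, so nothing goes over the network; the JSON bodies follow the RFC 7643 core schema and RFC 7644 protocol messages. Note that the example modifies an existing group's membership with `PATCH /Groups/{id}` (the RFC 7644 operation for changing a resource), while `POST /Users` creates the account; the user names, group name and title are constructed sample values.

```python
"""SCIM 2.0 joiner/leaver exchange against a constructed in-memory service provider.

Added example. ScimServiceProvider is a stand-in for an application's SCIM
endpoint (no network). POST /Users creates a user, PATCH /Groups/{id} adds the
user to a group, PATCH /Users/{id} flips "active" to deprovision.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimServiceProvider:
    """Constructed stand-in for the SCIM endpoint of one managed application."""

    def __init__(self):
        self.users = {}    # id -> User resource
        self.groups = {}   # id -> Group resource

    def handle(self, method, path, body=None):
        """Route one request; returns (HTTP status, JSON body or None)."""
        parts = path.strip("/").split("/")
        resource, rid = parts[0], (parts[1] if len(parts) > 1 else None)
        store = {"Users": self.users, "Groups": self.groups}.get(resource)
        if store is None:
            return self._error(404, "unknown endpoint")
        if method == "POST" and rid is None:
            return self._create(resource, body)
        if rid not in store:
            return self._error(404, "resource not found")
        if method == "GET":
            return 200, store[rid]
        if method == "PATCH":
            return self._patch(store[rid], body)
        if method == "DELETE":
            del store[rid]
            return 204, None
        return self._error(400, "unsupported method")

    def _create(self, resource, body):
        if resource == "Users":
            # userName is unique per RFC 7643; SCIM reports a clash as 409 / uniqueness
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"schemas": [ERROR_SCHEMA], "status": "409", "scimType": "uniqueness"}
            rec = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                   "userName": body["userName"], "name": body.get("name", {}),
                   "title": body.get("title"), "active": body.get("active", True)}
            self.users[rec["id"]] = rec
        else:
            rec = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                   "displayName": body["displayName"], "members": []}
            self.groups[rec["id"]] = rec
        return 201, rec

    def _patch(self, rec, body):
        # Only the PatchOp operations this example needs: add members, replace an attribute
        for op in body["Operations"]:
            if op["op"] == "add" and op["path"] == "members":
                rec["members"].extend(op["value"])
            elif op["op"] == "replace":
                rec[op["path"]] = op["value"]
            else:
                return self._error(400, "unsupported PatchOp")
        return 200, rec

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def provision_joiner(sp, user_name, given, family, title, group_id):
    """Joiner flow: create the User, then add it to the application's group.
    Returns (status of the last call, user id or None)."""
    status, user = sp.handle("POST", "/Users", {
        "schemas": [USER_SCHEMA], "userName": user_name,
        "name": {"givenName": given, "familyName": family}, "title": title, "active": True})
    if status != 201:
        return status, None  # e.g. 409 when the userName already exists
    status, _ = sp.handle("PATCH", f"/Groups/{group_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": user["id"]}]}]})
    return status, user["id"]


def deprovision_leaver(sp, user_id):
    """Leaver flow: deactivate rather than DELETE so the account cannot be used but
    its identifier survives for audit; returns the resulting "active" flag."""
    status, user = sp.handle("PATCH", f"/Users/{user_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}]})
    return None if status != 200 else user["active"]


if __name__ == "__main__":
    sp = ScimServiceProvider()
    _, grp = sp.handle("POST", "/Groups", {"schemas": [GROUP_SCHEMA], "displayName": "crm-users"})
    print(provision_joiner(sp, "jdoe", "Jane", "Doe", "Analyst", grp["id"]))
```

The leaver flow deliberately sets `active` to `false` instead of deleting the resource: the application rejects the account immediately, but the identifier remains for audit correlation, and a later `DELETE /Users/{id}` can follow a retention period.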
Implications of Unmanaged Privileged Accounts
A common scenario where privileged accounts can be at risk is when end users change job functions or leave the company. Many enterprises have orphaned accounts — those accounts of former employees that persist, sometimes even years after they have left the organization. These orphaned accounts can fly under the radar and are a prime target for threat actors, since the accounts may possess high levels of privilege and may go unmonitored. To close such glaring security gaps, enterprises should quickly identify the privileged accounts and limit or restrict the access of non-privileged identities across the environment. If SCIM automatically provisioned non-privileged accounts to top security clearance systems, sensitive information could easily fall into the hands of users who should not have it.
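One practical check for the orphaned-account problem described above is to reconcile what each application reports over SCIM against the authoritative roster. The following is an added example (not code from the original post or from BeyondTrust): the two JSON documents are constructed samples of what an IAM system would receive from `GET /Users?filter=active%20eq%20true` and `GET /Groups` (the RFC 7644 ListResponse shape), and the HR roster, the names of the privileged groups and the exempt service account are assumptions. Active accounts with no matching roster entry are reported, privileged ones first, so they can be deactivated before anyone else finds them.

```python
"""Orphaned-account reconciliation over SCIM ListResponse data.

Added example. The JSON below is constructed sample output of an application's
SCIM endpoint; the roster, privileged group names and exemptions are assumed.
"""
import json

# Constructed sample: GET /Users?filter=active%20eq%20true still lists a leaver
USERS_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-100", "userName": "jdoe", "active": True},
        {"id": "u-101", "userName": "rsmith", "active": True},      # left the company
        {"id": "u-102", "userName": "svc-backup", "active": True},  # service account
    ],
})

# Constructed sample: GET /Groups, including an administrative group
GROUPS_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "g-1", "displayName": "crm-users",
         "members": [{"value": "u-100"}, {"value": "u-101"}]},
        {"id": "g-2", "displayName": "crm-admins", "members": [{"value": "u-101"}]},
    ],
})

HR_ACTIVE_USERNAMES = {"jdoe"}          # assumed roster from the HR system
PRIVILEGED_GROUPS = {"crm-admins"}      # assumed: groups that grant elevated access
EXEMPT_USERNAMES = {"svc-backup"}       # assumed: non-human accounts owned outside HR


def privileged_user_ids(groups_json, privileged_groups):
    """Collect the ids of every member of a group considered privileged."""
    ids = set()
    for group in json.loads(groups_json)["Resources"]:
        if group.get("displayName") in privileged_groups:
            ids.update(m["value"] for m in group.get("members", []))
    return ids


def find_orphans(users_json, groups_json, hr_active, privileged_groups, exempt=frozenset()):
    """Return active application accounts that no current employee owns.

    Each finding carries the user id, userName, whether the account sits in a
    privileged group, and the recommended action. Privileged findings sort first.
    "active" is re-checked locally because some providers ignore the filter.
    """
    privileged = privileged_user_ids(groups_json, privileged_groups)
    findings = []
    for user in json.loads(users_json)["Resources"]:
        name = user["userName"]
        if not user.get("active", True) or name in hr_active or name in exempt:
            continue
        findings.append({
            "id": user["id"],
            "userName": name,
            "privileged": user["id"] in privileged,
            "action": "deactivate via PATCH /Users/{id} active=false, then review",
        })
    return sorted(findings, key=lambda f: (not f["privileged"], f["userName"]))


if __name__ == "__main__":
    for finding in find_orphans(USERS_LIST_RESPONSE, GROUPS_LIST_RESPONSE,
                                HR_ACTIVE_USERNAMES, PRIVILEGED_GROUPS, EXEMPT_USERNAMES):
        print(finding)
```

Running the reconciliation on every SCIM-connected application on a schedule, and alerting when a finding is both privileged and older than the previous run, turns the orphaned-account problem from an annual audit discovery into a same-day fix.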
How does Privileged Access Management (PAM) relate to SCIM?
The management of privileged access and identities, called privileged access management (PAM), is arguably the most important identity governance domain, since privileged access can fast-track a threat actor’s route to sensitive data and resources. PAM itself comprises four solution areas: Privileged Password Management, Secure Remote Access, Endpoint Privilege Management, and Cloud Privilege Protection. Some organizations, such as BeyondTrust, provide a complete, integrated suite of PAM solutions.
BeyondTrust’s Password Safe, which is a Privileged Password Management solution, discovers, manages, audits, and monitors privileged accounts of all types. In many cases, these privileged accounts must be accessed by authorized individuals or groups.
Password Safe provides the visibility for SCIM solutions to securely identify the privileged accounts held in its own directory, and it facilitates oversight and management of the identities who have access to those privileged accounts.
Benefits of the SCIM integration with Password Safe include:
- Automates changes to access entitlements as users switch job roles or leave the company
- Centralizes management of accounts and visibility over standard and privileged accounts
- Simplifies user administration
- Enables privileged accounts, vaults, and associated entitlements to be visible and managed
With the SCIM integration with BeyondTrust Password Safe, you can have confidence that your privileged accounts aren’t being inappropriately exposed to unwanted access.
To start understanding if your organization has this under control, see if these questions can be answered:
- Who has access to what?
- Should they have that access?
- What are they doing with their access?
To learn more on taking the next steps for your SCIM & PAM integration, contact BeyondTrust today.
Michel Bluteau, Sr. Technical Product Manager
Michel has been interfacing with many organizations in different verticals around the world over the last decade, capturing requirements and use cases in Identity Management, Compliance, and more recently Privileged Account Management. Michel’s expertise with various platforms, including SAP, ServiceNow, .NET and Java, allows him to contribute to integrations and share his experience and solutions. Recently, Michel has also been focusing on the user experience and on how to leverage the web services APIs that are increasingly available for both on-premises and cloud-based applications and platforms.