What is SCIM / SCIM Provisioning?
System for Cross-domain Identity Management (SCIM) is a standard that defines how the identity and access management (IAM), and the applications/ systems operate and communicate with each other. SCIM exists in the Identity Governance (IG) realm and sits under the larger IAM umbrella.
The different systems used with SCIM include applications such as for CRM, productivity, social, telecommunications, security analytics, education, and the list goes on. SCIM provisions/de-provisions accounts for each user that requires access to the applications, each containing a specific application programming interface (API).
In this blog, we will explore why you need SCIM, how it works, and the implications for privileged access.
3 Key Benefits of Using SCIM
In the traditional identity management tools, a lack of a standard communication channel between IAM solutions and managed systems, and applications, resulted in an ecosystem of proprietary connectors. Industry players worked together to define a normalized, standard, and reusable interface that became System for Cross-domain Identity Management.
Increase Your Productivity
Productivity skyrockets when companies have proper SCIM in place. SCIM delivers on the idea of automated provisioning of accounts for each system and significantly reduces the manual effort typically required for configuring visibility and account provisioning. IT administrators and support team can focus on prioritized tasks, while not having to manually provision/deprovision users to multiple applications. With a SCIM connector, users are automatically provisioned/deprovisioned to their cloud-based apps.
Let’s consider a company that manually manages user access for its workforce. Imagine this company has just hired 40 new employees. Each employee requires access to 20 different applications, such as their CRM, productivity tools, telecoms, etc. This is 800 accounts that must be created.
In this example, each application requires its own unique connection attached to a written code. The written code requires regulatory maintenance and management. Regulatory maintenance activities that are not automated can entail considerable manual labor hours and a scrupulous attention to detail (i.e., absence of human errors). Such a scenario reflects a world without the System for Cross-domain Identity Management.
Automate Your Provisioning/De-provisioning
In a world with SCIM, user access provisioning/de-provisioning and related activities become more seamless, automatic, and error-free. SCIM automates the process of provisioning accounts for each system and its unique connection.
SCIM provisioning automatically synchronizes, all accounts, groups, and permissions or entitlements to all the unique systems from the company’s database, ready for use by the employees. The automatization significantly reduces the manual effort required for configuring access and getting ongoing visibility into the changes.
Strengthen Your Security
Use of SCIM also improves security, especially as cloud-based apps require proper management. This mitigates risk when employees do not have to separately login to each app. Depending on the employee’s workflow, attack vectors can quickly add up when many apps come into play. You Strengthen Security compliance when employees have unique passwords for each of their applications.
Finally, taking this all together, SCIM provisioning can significantly improve ROI and reduce total cost of ownership (TCO) of an organization’s IAM estate.
How does SCIM work?
SCIM provides a Representational State Transfer (REST) API with a set of operations that translates into HTTP requests, such as GET, POST, PUT, PATCH, DELETE, which then translates into operations to complete. The responses retrieved from the requests is in the format of JavaScript Object Notation (JSON).
Through SCIM REST API, you can manage endpoints at scale. Endpoints represent the Users and Groups at the company. For example, you can use a POST request to add a new member to a specified group. Administrators add the data of the user’s identity, such as username and title. SCIM then uses the endpoints and data to create a schema where the cloud-based applications can transfer information between two or more security domains.
Implications of Unmanaged Privileged Accounts
A common scenario where privileged accounts can be at risk is when end users change job functions or leave the company. Many enterprises have orphaned accounts — those accounts of former employees persist, sometimes even years after they have left the organization. These orphaned accounts can fly under the radar and are a prime target for threat actors since the accounts may possess elevated levels of privilege and may go unmonitored. To close such glaring security gaps, enterprises should quickly identify the privileged accounts, and limit or restrict the access of non-privileged identities across the environment. If SCIM automatically provisioned non-privileged accounts to top security clearance systems, sensitive information could easily fall into the hands of the users who should not have it.
How does Privileged Access Management (PAM) relate to SCIM?
The management of privileged access and identities, called privileged access management (PAM), is the most important identity governance domain since privileged access can fast-track a threat actor’s route to sensitive data and resources. PAM itself is comprised of four solution areas: Privileged Password Management, Secure Remote Access, Endpoint Privilege Management, and Cloud Privilege Protection. Some organizations, such as BeyondTrust, provide a complete, integrated suite of PAM solutions.
BeyondTrust’s Password Safe, which is a Privileged Password Management solution, discovers, manages, audits, and monitors privileged accounts of all types. In many cases, these privileged accounts must be accessed by authorized individuals or groups.
Password Safe provides the visibility for the SCIM solutions to securely identify privileged accounts within its own directory, and it facilitates oversight and management of the identities who have access to those privileged accounts.
Benefits of the SCIM integration with Password Safe
- Automates changing of access of entitlements as users switch job roles or leave the company
- Centralizes management of accounts and visibility over standard and privileged accounts
- Simplifies user administration
- Enables privileged accounts, vaults, and associated entitlements to be visible and managed
- With the SCIM integration with BeyondTrust Password Safe, you can have confidence your privileged accounts aren’t being inappropriately exposed to unwanted access.
To start understanding if your organization has this under control, see if you can answer these questions:
- Who has access to what?
- Should they have access?
- What are they doing with their access?
To learn more on taking the next steps for your SCIM & PAM integration, contact BeyondTrust today.
Michel Bluteau, Sr. Technical Product Manager
Michel has been interfacing with many organizations in different verticals around the world, over the last decade, trying to capture Requirements and Use Cases in Identity Management, Compliance, and more recently Privileged Account Management. Michel’s expertise with various platforms including SAP, ServiceNow, .NET and Java, allows him to contribute to integration and share his experience and solutions. Recently, Michel has also been focusing on the User Experience and how to leverage Web Services API made available more and more for both on-premises and cloud based applications and platforms.
