Back in July, I wrote about a new RESTful API that cloud providers and provisioning vendors are working on for doing identity provisioning and synching: Simple Cloud Identity Management, or SCIM (like the milk). At last week's Internet Identity Workshop -- only five months after this draft spec made its formal debut! -- I had a chance to see the SCIM developers' live interop session in action. The interop saw successful participation by the likes of Cisco, Ping Identity, Sailpoint, salesforce.com, Technology Nexus, and UnboundID, with user accounts being securely created and torn down rapid-fire over the ether.
What's more, in talking with a more traditional on-premises identity vendor later in the week, I discovered that they loved how SCIM was shaping up, and planned to check it out ASAP as a way they could expose their own provisioning functionality.
In this Zero Trust world, with perimeters melting all over the place, I'm seeing signs that this lightweight API trend for IdM functionality is only going to accelerate. What do you think? If you're coming to Forrester Security Forum in a couple of weeks, I hope you'll grab me for a conversation about how this trend impacts your plans.
If anything exemplifies the extended enterprise, it's the notion of the "API economy": Unlocking value in your organization's unique data and services by publishing open APIs (application programming interfaces) for access by third parties. As Laura Koetzle notes, business leaders today are prioritizing growth above all -- and fostering a third-party developer ecosystem is becoming a great way to boost revenue. Best Buy, eBay, and USA Today are examples of companies with APIs and external developer communities.
But, but, but...just how secure is an open API? Especially if you, the security professional, can't fully control these external developers' actions? This is where it gets exciting, because security and identity-based access control are enablers of these new business opportunities. After all, an API of this sort is essentially a digital product whose use must be metered.
Many organizations in this position are turning to the OAuth technology to solve a host of security challenges that arise from opening up APIs. I'm excited to be bringing the latest in OAuth business cases, adoption news, and recommendations to my Forrester Security Forum track session on "Securing And Identity-Enabling Monster Mashups." Hope to see you at the Forum November 9-10 in Miami!
(Got a great API security story, or maybe some questions? Don't wait till November; feel free to share in a comment here, or ping me on Twitter using the #FSF11 hashtag.)