Posted by Eve Maler on December 20, 2011
I've blogged and published research before about the emerging Simple Cloud Identity Management (SCIM) standard. The SCIM group has just approved Version 1.0. No, it's not your imagination: important standards around loosely coupled identity management really are being developed, tested, and deployed at a faster rate than ever before.
What does this new pace mean for security pros? New identity protocols can be disruptive to large enterprises that have already deployed older solutions, but these new solutions will enable IT organizations to reduce costs and improve agility in managing access to/from smaller partners and customers that don't have the means to deploy the heavy stuff. That makes access control easier to achieve in a Zero Trust world. (Andras Cser and I touch on the theme of "leaner and cleaner" identity protocols in our just-published Identity And Access Management: 2012 Budget And Planning Guide, and I do a deeper dive, assessing the future of SAML and the business value of newer federation protocols, in OpenID Connect Heralds The "Identity Singularity".)
What does SCIM itself mean for security pros? It's allowing more IT organizations to synchronize identities automatically with their cloud service providers -- and others -- to manage joiners and leavers instead of manually synching, reducing the cost and risk of "authorization latency." Just this morning I talked with a small business SaaS provider about stepping up their authentication and authorization strategy, and they were excited to hear about SCIM because it could solve a big problem they have. In the larger picture, SCIM and its friends (OAuth, OpenID Connect, JWT) will help security pros in organizations of all sizes make federation versus synching choices based more on the business value of each approach than on the friction imposed by their respective technologies.