The History and Evolution
Development on the System for Cross Identity Management (SCIM) specifications has been an ongoing effort with contributions from industry experts across every aspect of security. Originally, SCIM technology was created to extend identity information associated with entities such as users and group membership across disparate systems, unifying a multi-domain environment. Now, this technology is showing potential to become much more standardized, extending support to access management solutions and other tools that require knowledge about “who” (users and applications) has access to “what” (credentials for target systems and devices, in the case of Privileged Access Security solutions).
Without a SCIM standard, every solution provider would have its own set of APIs, making it difficult for each of these different systems to share information with each other using a common “language.” Developing the SCIM specifications enables plug-and-play interoperability among vendors to become a natural capability of the systems involved, which also expands the kind of functionality that can be delivered when this data is harmonized across different systems.
Powered by an application-level HTTP-based protocol, leveraging SCIM enables organizations to create, modify, retrieve and discover core identity resources enabling multiple systems to “speak with each other.” Once enabled, these external systems can communicate without knowing exactly what’s going on with the other system – and they shouldn’t have that level of insight for obvious security reasons. This presents a considerable opportunity to seamlessly integrate security solutions, minimizing the need for professional services engagement or having to work with a vendor’s extensions team.
The Movement Towards SCIM Standardization
The SCIM protocol is expanding – providing support to privileged access security as well as cloud-based services and applications. As mentioned earlier, by leveraging this common standard, vendors can easily share and synchronize identity information to many third-party solutions and start interacting with the data on day one. This opportunity is not limited to vendors in the identity business.
Let’s say an organization is trying to scan a new environment to uncover potentially unknown vulnerabilities. Any industry standard scanner would require access to credentials for accounts with highly privileged permissions in order to perform authenticated scans on various target systems. These scanners would need to obtain said credentials at the exact moment in which they are needed to avoid both compliance and security risks. In theory (and in practice really), a vulnerability scanner can securely retrieve these necessary credentials and be treated as a “user” with rights and permissions to gain access to where the credentials are stored.
By leveraging SCIM, all the entitlements (who has access to what, and what kind of permissions) can flow directly back into any Identity and Access Management solution. With this information, Identity Access Certifications (attestations) and compliance controls can be managed, establishing the necessary permissions for privileged access based on the resulting provisioning/de-provisioning actions. Throughout this process the scanner then becomes just another identity under management – and powered by SCIM, we’ve seamlessly unified IAM, Privileged Access Security and vulnerability scanner solutions.
Through this evolutionary process, SCIM server technology and its associated specifications being developed will go beyond the identity space, enabling organizations to govern third-party applications access to credentials and beyond. The opportunity presented here has the potential to create an infinite number of tight integrations across the hundreds of security solutions available today. Additionally, it brings more value to existing security investments and more importantly, mitigates risk against today’s most advanced cyber threats.
The CyberArk and SailPoint integration, for example, leverages SCIM server technology. The CyberArk SCIM server is a Java application conforming to the SCIM standard. This allows SailPoint to query and modify Privileged Data (such as Users, Groups, Accounts, Safes, and Permissions) through a web services interface (REST API). The SCIM server uses PACLI (to query and update privileged data from the CyberArk Vault) and the AIM Credential Provider (to retrieve account and login information). Learn more about the CyberArk SailPoint integration on the CyberArk Marketplace and in this on-demand webinar.