What's your take on the new Simple Cloud Identity Management (SCIM) standard? Now that version 1.0 is available, is it something we should make a part of all future cloud-related implementations in order to streamline provisioning?
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
Like all frameworks, the Simple Cloud Identity Management (SCIM) standard provides a model for cloud vendors to review as they work with their corporate customers in moving identity management services outside the enterprise. For the past several years, virtually all organizations have been working to off-load their non-mission-critical activities to external providers in order to save on costs and improve efficiency. One important component of IT organizations that has eluded this deployment model is user identity management.
Due to several factors, implementing this model within an enterprise environment is nearly impossible. Some roadblocks include the sensitive nature of the information these systems contain, the need to interconnect enterprise applications in order to consume this information, some of which is extremely proprietary, and the lack of Internet interconnection models of operations and standards. With identity management processes and systems being extremely costly to deploy, it’s been the dream of many CIOs to get these services off their books.
The SCIM identity management paradigm is a great starting point that cloud computing vendors should begin to embrace. However, SCIM isn’t the only standard. The Kantara Initiative’s Identity Assurance Working Group (IAWG) has also done extensive work with externalizing identity management. Furthermore, there are a number of technical standards, such as OAuth, SAML, XACML, OpenID Connect and JWT, that have their own models and configurations for external identity management interconnection. We are only at the starting block of Internet-initiated identity management, and until these models and standards are consolidated, or abandoned, I’d be surprised to see any commercial services available in 2012. However, with the high cost of maintaining this information at the enterprise level, and Internet-based business models being the norm, there’s definitely enough market demand, and enough companies ready to pay for outsourcing identity management, that it won’t be long before a cloud-based identity management strategy is a reality.
This was first published in March 2012