A specification already exists for Simple Cloud Identity Management (SCIM) that is supported by security software vendors including Cisco, Courion, Ping Identity, UnboundID and SailPoint. SCIM also has support from key cloud vendors, including Salesforce, Google and VMware.
At issue is whether the IETF will approve a SCIM working group and whether the protocol will eventually become an industry standard.
The IETF is hosting a meeting to discuss the proposed SCIM working group on March 29. In January, the IETF created a mailing list to discuss SCIM.
Proponents of SCIM say the protocol will make it easier for companies to control access to data stored in popular cloud-based applications like Salesforce, Workday, Taleo, Box and others.
Gartner backs the idea of SCIM as a simpler method of provisioning and de-provisioning employees from cloud applications – a process that’s currently handled manually in most corporations. Mark Diodati, a research vice president with Gartner, wrote in late February “it appears that SCIM remains on track.”
One vendor that’s a strong proponent of SCIM is UnboundID, which sells identity management infrastructure software for service providers.
“There is no meaningful way to sling identities from cloud to cloud or from cloud to premises applications,” explained UnboundID’s CEO Steve Shoaff.
“UnboundID is one of the only vendors shipping a commercial version that allows you to broadcast SCIM events and receive SCIM events. It’s a modern protocol and a way to share identities between cloud providers. We’re building our entire portfolio around SCIM to really build the identity economy,” he added.
Proponents say that what’s good about SCIM compared with previous identity standards such as SPML is that SCIM is lightweight, it doesn’t try to do too many functions, and it uses a Web services approach.
The alternative to SCIM is the proliferation of proprietary APIs for each cloud application. This situation requires security software vendors like Courion and SailPoint to create custom connectors to provision each cloud-based application.
Instead, SCIM would provide a standard way to move identity data from premises-based to cloud applications and from one cloud application to another.
“We’re seeing a lot of interest” in SCIM. “We haven’t had strong standards in that space. All the vendors developed their own APIs. That’s where we’ve been working for the last year with all the major [software-as-a-service] vendors to standardise on an API mechanism to automate the account management,” said Patrick Harding, CTO of Ping Identity.
Version 1.0 of the SCIM specification was approved in December.
Proponents expect a flood of security products and cloud applications to support SCIM 1.0 this year.
“Momentum for SCIM is going to be key. We’ve got Google, Webex, VMware all saying that they’ve got it ready to go. You’ll see a lot more of the smaller vendors, the middleware guys, build products with SCIM. Towards the end of 2012, we should start seeing implementations of SCIM within the enterprise,” Land said.
Harding says SCIM solves a critical problem for corporate CIOs, who have spent millions of dollars on their existing identity management infrastructures, including Microsoft Active Directory, authentication and compliance. They want to be able to extend their identity management functionality to cover cloud applications with minimal additional cost or effort.
CIOs “are still responsible for ensuring that [SaaS apps] are adhering to the security policies that all of their applications must adhere to, whether that’s policies for password management or access appropriate to role or certain compliance procedures,” Harding said. “CIOs are trying to figure out how to make that happen,” he added.
Harding says CIOs will appreciate the cost savings that come from having an industry standard such as SCIM.
“I think we’ll see much more adoption of SCIM in 2012. That will now allow people to much more cost effectively manage users in SaaS and cloud applications than building connectors to individual APIs or doing it manually,” Harding said.
The IETF is already working on a related Web authorisation protocol called OAuth that could provide a single user authentication experience regardless of whether a user is trying to access a network or cloud-based application.