It’s about Provisioning, not provisioning

By   ISBuzz Team
Writer , Information Security Buzz | Sep 02, 2013 02:55 am PST

In 2010, I gave a (in retrospect somewhat optimistic) talk at the Catalyst conference in which I described a pull-based architecture for account provisioning. SAML was a central part of that architecture, especially in supporting Just-In-Time  (JIT) Provisioning, which I was sure was going to be important to the evolution of enterprise cloud applications.

In 2011, at the Cloud Identity Summit, I talked about the different account provisioning models emerging to handle cloud applications. Once again, SAML was a component of the cutting edge option (dubbed the “New Age Thinkers” choice). And I pointed out the main issues that needed to be resolved before this can become a practical choice, including introduction of capabilities like Change Notification into the standard.

This year, when many IDaaS vendors are claiming to do user provisioning based either on directory synchronization or SAML, I felt compelled to dispel some myths and clarify things during my portion of the Hitchhikers Guide to Identity workshop at CIS. I guess it would be accurate to frame the point I was trying to make as a ‘big P versus little p‘ issue, except that this time the topic is Provisioning, not PoliticsPlatforms or Privacy.

As I point out in my 2011 CIS talk, Provisioning is a business problem, which deals with the policies, rules, technology and user experience pertaining to the creation and management of user accounts, and often much more. Most IDaaS vendors claiming to solve enterprise ‘Provisioning’ needs are actually just offering ‘provisioning’, which mainly covers the technology part of the equation. That’s why directory synchronization ends up being offered as a solution, and SAML based provisioning is used without any of the issues with the model having been addressed. And because of the limitations inherent in the technology underpinnings, these end up being incomplete solutions.

This is a message we have heard loud and clear from many of the companies that have approached us about SCUID Lifecycle. A few of them tried to do Provisioning using IDaaS solutions that claimed to offer it, and quickly realized that they were not able to satisfy their business requirements, like supporting robust approval based access request, auditing access grants, and providing answers to the age-old (from an IAM perspective) questions of Who has What, and Why? And this point seemed to resonate with a lot of folks at CIS, and I got into some lively follow-up discussions with quite a few of them over the following days. As I point out in my talk, solving the Provisioning problem is still difficult, for many reasons. But it is getting easier and, most importantly, more accessible to companies outside the Fortune 100.