As part of the recent v3.11 release, Kion was pleased to introduce support for the System for Cross-domain Identity Management (SCIM), an industry standard for automating the exchange of user identity information between identity providers and downstream IT services.
Support for the SCIM standard
By leveraging Kion’s new SCIM support, CloudOps teams can deliver a secure onboarding experience to users and ensure that identity information in Kion stays up to date with the latest changes from identity providers such as Microsoft Entra or Okta.
SCIM provides an easy, secure, and automated way to provision, update, and deprovision users in Kion. When users leave an organization, SCIM can shorten the window of time a departing user retains access to Kion by terminating any active sessions, reducing that user’s window of exposure. This is due to the “push” nature of SCIM: provisioning and deprovisioning instructions are sent immediately when changes are made in the identity provider.
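To make the push model concrete, here is an added example (not Kion’s code) of the service-provider side of a SCIM 2.0 /Users endpoint: a hypothetical in-memory store that handles the PATCH and DELETE messages an identity provider sends on deprovisioning and revokes the user’s live sessions at that moment instead of waiting for the next login or token expiry. The two PatchOp shapes it accepts for the active attribute, and the string-encoded booleans, are assumptions about common IdP behaviour, not taken from the page.

```python
from dataclasses import dataclass, field

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class UserRecord:
    user_name: str
    active: bool = True
    sessions: set[str] = field(default_factory=set)  # ids of live sessions


class ScimUserStore:
    """Hypothetical service-provider side of a SCIM 2.0 /Users endpoint."""
    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}
        self.revoked_sessions: set[str] = set()  # audit trail of killed sessions

    def create_user(self, user_id: str, body: dict) -> UserRecord:
        # POST /Users with a core User resource (schema check omitted for brevity)
        self.users[user_id] = UserRecord(body["userName"], bool(body.get("active", True)))
        return self.users[user_id]

    def _deactivate(self, rec: UserRecord) -> None:
        # Push model pays off here: sessions end the moment the IdP says so.
        rec.active = False
        self.revoked_sessions |= rec.sessions
        rec.sessions.clear()

    def patch_user(self, user_id: str, body: dict) -> UserRecord:
        if PATCH_OP not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        rec = self.users[user_id]
        for op in body.get("Operations", []):
            path, value = op.get("path"), op.get("value")
            if op.get("op", "").lower() != "replace":
                continue  # add/remove of other attributes are out of scope here
            # Two shapes IdPs send (assumption): path="active" with a bare value,
            # or no path with {"active": ...} inside the value object.
            if path != "active" and not (isinstance(value, dict) and "active" in value):
                continue
            active = value if path == "active" else value["active"]
            # Booleans may arrive as the strings "True"/"False"; only "true" (re)activates.
            if str(active).lower() == "true":
                rec.active = True
            else:
                self._deactivate(rec)
        return rec

    def delete_user(self, user_id: str) -> None:
        # DELETE /Users/{id}: drop the record but still revoke its sessions.
        self._deactivate(self.users.pop(user_id))
```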
While SCIM applies to all types of organizations, the use case has become critical for cloud teams in Higher Education. For example, faculty, staff, students, and researchers are often in thousands of groups, can be categorized in multiple ways, and experience constant change. These user identities are also very fluid in Higher Education: graduating students move to alumni status, and new students join the institution to participate in research projects or courses that require access to cloud resources. SCIM is essential for managing these groups and users without the overhead of provisioning and mapping them in multiple systems. Kion’s ability to leverage SCIM reduces the time and effort required by short-staffed university cloud teams to streamline and govern cloud access.
How Kion automates least-privilege access
Kion creates a single place for users to assume roles and federate into different cloud accounts across cloud providers. Once a user is provisioned to Kion (using a standard like SCIM), and they are assigned to one or many cloud accounts or subscriptions, they will see a list of available Cloud Access Roles they have access to.
“Cloud Access Roles (CAR): Cloud Access Roles map users and group memberships within your identity provider to roles and permissions across your CSPs to ensure appropriate end-user access. This simplifies the granting and managing of permissions compared to doing it within each cloud provider separately and ensures least-privilege.”
– Kion Glossary
Cloud Access Roles (CARs) tend to be defined around specific personas in an organization (e.g., developers, security engineers) and enforce a least-privilege approach for that role. The CAR includes the properly configured role and permissions for AWS, Azure, and GCP. When a user interacts with a CAR, they are granted least-privileged access to that cloud service provider (CSP) with only the permissions they need to do their job.
Kion also differentiates itself by taking an ‘administratively driven’ approach that organizes cloud accounts and subscriptions into a hierarchical Organization Chart (Org Chart). With this Org Chart, you can push down ‘non-negotiable’ policies via Kion Cloud Rules: these policies must hold for all users who access those accounts and act as additional boundaries. CARs can also be inherited via the Org Chart, enabling a consistent, least-privileged approach to granting the right CSP access to various users and user groups.
If you are interested in learning more about how Kion approaches secure cloud access and permissions, please read our blog here.