8. Security Considerations
This section preserves the RFC text for SCIM device schema extensions, including Device and EndpointApp resource types, BLE, DPP, Ethernet MAB, FDO, Zigbee, endpointAppsExt, JSON Schema, OpenAPI, IANA registrations, and security considerations.
8. Security Considerations
Because provisioning operations permit device access to a network,
each SCIM client MUST be appropriately authenticated.
8.1. SCIM Operations
An attacker that has authenticated to a trusted SCIM client could
manipulate portions of the SCIM database. To be clear on the risks,
we specify each operation below.
8.1.1. Unauthorized Object Creation
An attacker that is authenticated could attempt to add elements that
the enterprise would not normally permit on a network. For instance,
an enterprise may not wish specific devices that have well-known
vulnerabilities to be introduced to their environment. To mitigate
the attack, network administrators should layer additional policies
regarding what devices are permitted on the network.
An attacker that gains access to SCIM could attempt to add an IP-
based device that itself attempts unauthorized access, effectively
acting as a bot. Network administrators SHOULD establish appropriate
access-control policies that follow the principle of least privilege
to mitigate this attack.
8.2. Object Deletion
Once granted, even if the object is removed, the server may or may
not act on that removal. The deletion of the object is a signal of
intent by the application that it no longer expects the device to be
on the network. It is strictly up to the SCIM server and its back
end policy to decide whether or not to revoke access to the
infrastructure. It is RECOMMENDED that SCIM delete operations
trigger a workflow in accordance with local network policy.
8.3. Read Operations
Read operations are necessary in order for an application to sync its
state to know what devices it is expected to manage. An attacker
with access to SCIM objects may gain access to the devices
themselves. To prevent one SCIM client from interfering with devices
that it has no business managing, only clients that have created
objects or those they authorize SHOULD have the ability to read those
objects.
8.4. Update Operations
Update operations may be necessary if a device has been modified in
some way. Attackers with update access may be able to disable
network access to devices or device access to networks. To avoid
this, the same access control policy for read operations is
RECOMMENDED here.
8.5. Higher Level Protection for Certain Systems
Devices provisioned with this model may be completely controlled by
the administrator of the SCIM server, depending on how those systems
are defined. For instance, if BLE passkeys are provided, the device
can be connected to, and perhaps paired with. If the administrator
of the SCIM client does not wish the network to have complete access
to the device, the device itself MUST support finer levels of access
control and additional authentication mechanisms. Any additional
security must be provided at higher application layers. For example,
if client applications wish to keep private information to and from
the device, they should encrypt that information over-the-top.
8.6. Logging
An attacker could learn what devices are on a network by examining
SCIM logs. Due to the sensitive nature of SCIM operations, logs
SHOULD be encrypted both on the disk and in transit.