Baton: The Open Source Fabric Powering Identity Security


Baton is an open-source project we introduced about six months ago. Our initial goal for the project was to help security and identity engineers audit identity and permission data in any SaaS or infrastructure. Baton automated extracting and normalizing that data, making it dead simple to power internal access reviews or audit workflows. This was never the end goal for Baton though, it was just the start. Just like in a real relay race, there’s another leg, and we’ve maintained a clear vision for how we want to run this race. So, let’s dive into how we’ve been evolving Baton and what’s next.

But first: The goal of securing workforce identity will have to be achieved through the convergence of several existing categories, namely, Identity Threat Detection and Response (ITDR), Identity Access Management (IAM), Cloud Privileged Access Management (CPAM), and Identity Governance and Administration (IGA). In this digital age, where identity IS the security perimeter, companies must adopt one in each category to sufficiently enable and protect their employees. Baton is the underlying open source fabric that powers this ecosystem of products. Baton connectors provide the connective tissue to talk to and orchestrate identity security workflows to ANY technology: SaaS, IaaS, PaaS, databases, directories, on-prem systems, backoffice – you name it, Baton can support it.

What have we been up to?

Let’s look at what Baton has been up to in the recent months.

Service mode allows users to run Baton connectors as background services in their own infrastructure. Service mode maintains a connection to ConductorOne or your custom tooling, constantly syncing identity and permissions data and orchestrating access changes. By hosting connectors in your infrastructure, service mode enables support for on-prem systems and enables ConductorOne’s control plane to function without ever seeing your API keys or credentials.

Provisioning support allows users to orchestrate access changes via Baton connectors back to connected services. Imagine provisioning support as the next generation of SCIM, but without the restrictions and limitations of the SCIM protocol. Provisioning support also means that applications can support provisioning via Baton, even if the app itself does not support SCIM. Provisioning mode can create groups in LDAP or Active Directory, add user teams in GitHub, provision permissions to a user for a project in GCP, and so on.

Service mode and provisioning allow Baton to power new use cases, particularly for on-premises systems and hybrid environments. Connectors can be deployed to interface with complex on-premises systems such as LDAP, Active Directory, or even databases like Postgres and MySQL. But Baton’s capabilities extend beyond well-known systems. Baton is fundamentally an SDK and toolkit. And in as much, it can be implemented to support proprietary or in-house applications, such as your company’s back office support dashboard. These enhancements extend Baton’s reach, allowing it to integrate with a wider array of systems than just SaaS applications.

Lastly, we’ve significantly grown the number of connectors available to customers. We now have connectors for most major SaaS apps, all major directories (including Active Directory and LDAP), all major cloud infrastructure providers, and the list goes on. Expect to see this list continue to grow.

Where we’re going

We’ve laid out our vision for how identity needs a security layer. Baton is the glue that connects an identity security control plane to your environment. Naturally, you can expect to see us expand the number of Baton connectors and add additional depth within those connectors to cover more security and visibility use cases.

Additionally, we want to invest even more in the open source movement for Baton. Baton is fundamentally about creating the identity security protocol. That’s not ours to own. It belongs to the world. This is why we open sourced Baton from the get go. It’s why each of these connectors can provide standalone value and use cases. In the following months, you’ll see new use cases for the Baton CLI, more documentation and support, and more how-tos. We want every security and identity engineer in the world to reach for Baton when they have a tough identity problem to solve: regardless of whether they have a commercial relationship with ConductorOne or not.

How to get started

Getting started with Baton is straightforward. You deploy the connector, add the application credentials, and off you go! You have the source code at your disposal to audit behavior and data access for security purposes. And if you’re a developer, you have an SDK to build new connectors, available in Go language or any language using protocol buffers.