Use single sign-on for compliance
We are witnessing a shift in the reasons for considering single sign-on. Make no mistake, many single sign-on (SSO) purchases are still motivated by productivity concerns. Reducing the number of passwords that users must remember, lowering administration load, freeing the help desk from password reset tasks - these are all significant incentives.
But more and more, we find that compliance with laws and regulations is a major reason for choosing a single sign-on solution. Although such regulations rarely, if ever, mandate single sign-on, many organizations find that these solutions make compliance considerably easier. For instance:
- The organization’s security policy is easier to enforce, as there can be a single administration console. Moreover, it is considerably quicker to implement a change in that policy - compared to editing user lists in a large number of systems.
- As a result, documenting access management controls - a staple of laws such as Sarbanes-Oxley - is a simpler matter.
- Access logs can be centralized for all resources and applications. Every time the single sign-on system handles an access request, a log entry is written centrally, so reporting is simplified. This holds only for accesses that actually pass through the single sign-on system; a direct login that bypasses it leaves no central trace, which is why the next point matters.
- More generally, reporting on controls is much easier, as all data (access and administration logs, access rights, profiles) is available under a unified format. Not only does it speed up audit, it also makes it possible to regularly monitor the efficiency of controls and improve them.
- Single sign-on can provide several security improvements. For instance, users need not know their “real” passwords to your critical applications, so those passwords cannot be phished from them, reused elsewhere or written down. All accesses must go through the single sign-on system, and the application passwords are generated automatically, so they comply with the password policy and not even administrators know them. The credential store that holds those passwords then becomes a high-value target in its own right and must be protected accordingly.
- Critical resources (medical systems, financial applications) can be protected through strong authentication and mandatory re-authentication - even if they don’t provide these features natively.
- A comprehensive single sign-on system will ensure that even your mobile workers, who may access your applications from the Internet, comply with the security policy.
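Two of the points above, automatically generated passwords that satisfy the password policy and mandatory re-authentication before a critical resource is reached, are shown below in code. This is an added illustration, not code from any single sign-on product; the default policy values, the symbol set, the forbidden-character list and the 15-minute freshness window are assumptions chosen for the example.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"   # assumed symbol set, narrow enough for most back-ends


class PasswordPolicy:
    """Password policy the SSO system enforces on behalf of a target application.
    The default values are assumptions for this example, not any product's defaults."""

    def __init__(self, min_length=16, require_upper=True, require_lower=True,
                 require_digit=True, require_symbol=True, forbidden=" \"'\\"):
        self.min_length = min_length
        self.forbidden = forbidden
        # Character classes the password must draw from, minus characters the
        # target application cannot accept (assumed: space, quotes, backslash).
        self.classes = [
            "".join(ch for ch in cls if ch not in forbidden)
            for required, cls in ((require_upper, UPPER), (require_lower, LOWER),
                                  (require_digit, DIGITS), (require_symbol, SYMBOLS))
            if required
        ]
        if not self.classes or any(not cls for cls in self.classes):
            raise ValueError("policy leaves no usable characters in a required class")
        if min_length < len(self.classes):
            raise ValueError("min_length too short to contain every required class")


def generate_password(policy):
    """Generate a password that satisfies `policy`, using the OS CSPRNG (secrets).
    One character is drawn from each required class first so the result cannot
    miss a class by chance; the remainder is drawn from the whole alphabet and
    the order is then shuffled so the guaranteed characters sit at unpredictable
    positions."""
    chars = [secrets.choice(cls) for cls in policy.classes]
    alphabet = "".join(policy.classes)
    while len(chars) < policy.min_length:
        chars.append(secrets.choice(alphabet))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def complies(password, policy):
    """Check a password against `policy`: length, no forbidden characters, and at
    least one character from every required class. This is the check an auditor
    can be shown to back the claim that stored passwords meet the policy."""
    if len(password) < policy.min_length:
        return False
    if any(ch in policy.forbidden for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in policy.classes)


def needs_reauth(last_auth_ts, now_ts, critical, max_age_s=15 * 60):
    """Decide whether the user must re-authenticate before the SSO system releases
    credentials for a resource. Timestamps are Unix seconds. Non-critical resources
    never require it; for critical ones a missing or future (clock-skewed)
    timestamp is treated as stale, so the decision fails closed."""
    if not critical:
        return False
    if last_auth_ts is None or last_auth_ts > now_ts:
        return True
    return now_ts - last_auth_ts > max_age_s


if __name__ == "__main__":
    policy = PasswordPolicy()
    pw = generate_password(policy)          # the user never sees this value
    print(len(pw), complies(pw, policy))    # 16 True
    print(needs_reauth(1_700_000_000, 1_700_000_000 + 20 * 60, critical=True))  # True
```

The policy object filters each character class through the application's forbidden list up front, so a policy that cannot be satisfied (every symbol rejected by the target system, or a minimum length shorter than the number of required classes) is refused when it is defined rather than producing a password the application would reject at login.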
Of course, a single sign-on tool will never make you compliant all by itself. You still need to implement a project, redesign your controls and procedures and perform training. Consultants and systems integrators can help you there.
There are also a number of points that need to be checked in the single sign-on tool itself. For instance, if you must provide a report as evidence to an auditor, not just any single sign-on data will do. The single sign-on tool must generate data that is:
- Unadulterated - as far as possible, provide the data as it resides in the tool’s databases, without embellishment.
- Focused - you should give data that answers the auditor’s current concern, nothing more and nothing less.
- Verifiable - the auditor may request to check a sample of the report. Therefore, there must be documented procedures to do that.
- Flexible - it should be possible to use the data inside an existing compliance workflow. That workflow usually exists, and may manage financial data, patient records etc.
For an overview on using identity and access management for law and regulation compliance, we suggest you download our white paper.