Password Tools Lower Compliance Costs

Analysis: Single sign-on tools help keep track of passwords and also make compliance cheaper and easier.

Password management systems including single-sign-on tools such as RSA Sign-On Manager 4.5 can drastically reduce a number of IT costs, not the least of which are those associated with regulatory compliance. When single-sign-on tools are combined with two-factor authentication systems such as RSAs SecurID for Windows, compliance becomes almost a piece of cake.

/zimages/4/28571.gifClick here to read a review of Sign-On Manager 4.5.

In their recent book titled "Sarbanes-Oxley: IT Compliance Using COBIT and Open Source Tools" ($49.95, Syngress Publishing), authors Christian Lahti and Roderick Peterson outline a model password control policy. Many of their password suggestions can be handled by using a single-sign-on tool.

Further, single-sign-on software tools that are combined with two-factor authentication hardware tokens ensure that users cant write down all the information needed to access company systems because part of that information is constantly changing. During our tests of Sign-On Manager 4.5, we used SecurID for Windows tokens on which the passcode required at log-on time changed every minute.

One thing weve heard repeatedly from IT managers who have implemented user identity management systems—from federated identity tools to two-factor authentication systems—is that doing so drastically reduces the amount of paperwork needed to prove that the organization is always in control and able to account for user access to enterprise systems.

Instead of walking auditors through reams of change-request forms and showing how each of those forms is handled when an employee is hired, moved or fired, IT managers can instead show a relatively simple password enforcement policy. For savvy IT managers, this is a good way to demonstrate to the business side of the enterprise that IT not only can support business processes but also can reduce friction with auditors.

One other big advantage of using a password management system is a lessening of the threat of employee discipline. For example, the model compliance policy in "The Cost of Compliance" includes the hair-raising threat that "Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment."

Password management systems likely wont be of much help, at least in reducing compliance costs, if a consistently high value has been placed on organized preparation for external audits. Most financial institutions, which have been audited since time immemorial, will likely not see the same dramatic audit cost reductions as organizations such as hospitals, manufacturers or educational institutions.

And in cases where organizations do see password management systems having a big impact in reducing audit costs, it is likely that the very act of implementing the identity management tool will immediately suggest other cost-saving moves. For example, as soon as a password management project is even contemplated, the directory structure for user information comes to mind. Scrutinizing directories to see where they can be streamlined will likely lead in the direction of looking at the process whereby employees and consultants are onboarded and offboarded.

/zimages/4/28571.gifAre biometrics the answer to your password problems? Click here to read more.

By driving costs out of these areas, IT managers can show a commitment to keeping the cost of doing business low while demonstrating leadership in making the organization more agile and streamlined.

Technical Director Cameron Sturdevant can be reached at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.