At the recent SSO Summit I moderated a panel of single sign-on implementers. One of them, Christopher Paidhrin HIPAA & IT security officer for ACS Healthcare Solutions, was kind enough to let me share with you his "best practices" list which he calls: "To Do & Not To Do: SSO implementation lessons learned."

URL: http://www.networkworld.com/newsletters/dir/2008/081108id2.html 

Every time we think we've finally gotten a handle on the user provisioning/deprovisioning issue something comes along to disabuse us of that notion. In this case it's the results of a survey of attendees at last spring's Directory Experts Conference (DEC) put on by NetPro.

The state of Iowa recently became the 43rd state to pass a data breach law that requires a company to give its consumers notice should the company discover its consumer's personal information is compromised. In states with laws like Iowa, the primary concern is ensuring that data stored to tape is encrypted so in the event the tape is lost or stolen, the data is considered unrecoverable.

In order to properly secure confidential information -- everything from trade secrets to financial data and personal identity information -- corporations need policy-based e-mail encryption.

...one of the biggest problems facing any implementation of an identity federation is that all of the participants need to be using the same standards and protocols to achieve federation. Unfortunately, as time has progressed a number of different standards have emerged. This is not a big issue if you’re starting out from scratch and all of the applications that are being developed are being built in-house. As long as all of the participants within the federation can agree on a standard, integration issues are unlikely to arise.