Recently, we conducted a survey of BeyondTrust customers and asked them a simple question: What’s next? More than half of our customers said that enterprise password security (privileged password and privileged session management) and endpoint least privilege (Windows privilege management) are on their task list. And it’s no surprise – at last month’s Gartner Security & Risk Management Summit, they shared the CISO’s top ten list of new projects for security teams to explore in 2018 – privileged account management was #1. To help you tackle your privileged access management (PAM) evaluation, here are five tips for choosing the best solution for your organization:

1) Make it All About You – Focus on Use Cases, Not Features

Whether you’re implementing privileged password management for the first time or replacing an existing solution, focus on what problems you need to solve, instead of the feature set. The privileged password management market is maturing, so there’s a lot of similarities between solutions. The big differences often lie in how they approach the problem. As you outline your use cases, be sure to consider integrations with threat analytics, SIEM, identity and access management, and any other IT security solutions already deployed in your enterprise. These integrations should save your IT admins time, not add more administrative burden.

2) Flip Through That Reports Catalog

Reporting and analytics are often overlooked in the evaluation, but it’s one of the main outputs that you will need to share with your organization. Key questions to ask:
  • How many reports come standard?
  • What are the most common?
  • Can you integrate data from your other security solutions into your analytics and reporting?
  • How easy is it to customize reports to suit your organizations’ changing requirements?

3) See the Solution in Action: Use Proof of Concept and Bake-offs

When you’ve narrowed your solution vendor list to a manageable few options, ensure you know what you’re buying by scheduling proof of concept (POC) or bake-off sessions with the vendors. POC’s and bake-offs give you an opportunity to see the solution implemented in real-time. It also provides insight into the level of effort that your solution will require. Ask questions like:
  • How many professional services engineers does it take to get the solution up and running?
  • Can you make changes to parameters on the fly, or will you be forever reliant on the vendors’ professional services team?
Answers to those questions will help you determine longer-term support and services costs and will impact the true total cost of ownership for whichever solution your organization chooses. Make sure you get the commitment up front on deployment, expectations, and timelines.

4) Get Second Opinions from Trusted Advisors (Account Manager, Professional Services Engineer, Pre-Sales Engineer, Independent Industry Analysts)

Your sales rep, pre-sales, and professional services engineers from the vendor should give you a glimpse into what it’s like to do business with the vendor. Key questions to ask:
  • Are they knowledgeable and helpful?
  • Is there documentation to explain the questions you have?
  • If you’re working with a partner, what’s been their experience with the vendor?
Every research analyst firm has its own methodology for evaluating solutions. And many of them, like Gartner and Forrester, publish research every 12-24 months. Does their research include industry best practices that you can take into account with your evaluation?

5) Think About the Future – Request a Roadmap Discussion

Since your organization’s needs will likely change over time, it’s important to understand where the vendor’s solutions are headed. Asking for a roadmap will not only provide insight into their level of commitment to addressing your use cases today, but also help you gauge whether privileged password management is a top priority for their organization going forward. With all of the industry consolidation happening in the PAM market currently, this is very important. Every organization’s needs are unique, but the five tips I mentioned should apply to any buying situation. For more information on privileged access management, be sure to join us for our upcoming educational webinar: Migrating from Shared Accounts to the Dual Account Model to Manage Risk, Enforce Accountability and Facilitate Behavior Analytics for Privileged Account Activity. And, as always, contact us with any questions.