If you’ve been tasked with helping your organization choose its next (or first) privileged password management solution, you’re probably facing the unenviable task of wading through dozens of vendor websites, brochures, white papers, reports, and opinions about which solution is best.
We’ve taken the collective wisdom of customers and partners who’ve shared their experience with evaluating vendors and implementing privileged password management solutions, and distilled it into five tips to help you choose the best solution for your organization:
1) It’s About Your Use Cases, Not the Vendors’ Features
Whether you’re implementing privileged password management for the first time or replacing an existing solution, focus on what problems you need to solve, instead of the feature set. The privileged password management market is maturing, so there are a lot of similarities between solutions. The big differences often lie in how they approach the problem. As you outline your use cases, be sure to consider integrations with threat analytics, SIEM, identity and access management, and any other IT security solutions already deployed in your enterprise. These integrations should save your IT admins time, not add more administrative burden.
2) Demos Are Good, but POCs and Bake-Offs Are Even Better
When you’ve narrowed your solution vendor list to a manageable few options, ensure you know what you’re buying by scheduling proof of concept (POC) or bake-off sessions with the vendors. POCs and bake-offs give you an opportunity to see the solution implemented in real time. They also provide insight into the level of effort that your solution will require. Ask questions like:
- How many professional services engineers does it take to get the solution up and running?
- Can you make changes to parameters on the fly, or will you be forever reliant on the vendors’ professional services team?
Answers to those questions will help you determine longer-term support and services costs and will impact the true total cost of ownership for whichever solution your organization chooses. Make sure you get commitment up front on deployment, expectations and timelines.
3) Rely on a Team of Trusted Advisors (Account Manager, Professional Services Engineer, Pre-Sales Engineer, Independent Industry Analysts)
Your sales rep, pre-sales and professional services engineers from the vendor should give you a glimpse into what it’s like to do business with the vendor. Key questions to ask:
- Are they knowledgeable and helpful?
- Is there documentation to answer the questions you have?
- If you’re working with a partner, what’s been their experience with the vendor?
Special caveat: Watch out for “vendor-sponsored” “competitive reviews.” If the vendor is paying for a review of their competitors’ products, in whose favor do you think that review is going to work out? (Trust us, we’ve seen some weird ones!)
Instead, look to independent research analyst firms, each of which has its own methodology for evaluating solutions. Many of them, like Gartner and Forrester, publish research every 12-24 months. Does their research include industry best practices that you can take into account with your evaluation?
4) You Can (And Will) Never Have Enough Reports
Reporting and analytics are often overlooked in the evaluation, but they are among the main outputs that you will need to share with your organization. Key questions to ask:
- How many reports come standard?
- What are the most common?
- Can you integrate data from your other security solutions into your analytics and reporting?
- How easy is it to customize reports to suit your organization’s changing requirements?
5) Plan for Now, but Also Look to the Future – Ask for a Roadmap
Since your organization’s needs will likely change over time, it’s important to understand where the vendor’s solutions are headed. Asking for a roadmap will not only provide insight into their level of commitment to addressing your use cases today, but also help you gauge whether privileged password management is a top priority for their organization going forward. With all the industry churn and consolidation happening in the PAM market currently, this is very important.
Every organization’s use cases are unique to them, but the five tips I mentioned here should transcend any buying situation. Do an in-depth POC, get commitment on pricing to avoid the “gotchas”, accurately scope the deployment, and seek independent third-party comparisons of vendors in the space.
In addition to some of the links to the third-party analyst reports from Gartner and Forrester, be sure to review some of the common technical use cases in the white paper, A Technical Solutions Guide for Privileged Password and Session Management Use Cases. And, as always, contact us with any questions.