So, you want to bring on a Privileged Access Management (PAM) solution, and you’re either selecting a vendor for the first time or “upgrading” from a typical password manager product. In either case, you’re probably weighing several PAM capabilities, as well as how best to deploy your proposed PAM solution: on-premise or PAM in the cloud.
This blog, written by Thycotic, will take a deep dive into how you can find the best match in a PAM solution for your particular organization. Even small businesses are recognizing that a robust PAM solution is quickly becoming a cyber security requirement. Gartner, for example, lists Privileged Access Management as number one in its top 10 security projects for 2019, saying, “Privileged accounts (or administrative or highly empowered accounts) are attractive targets for attackers. A PAM project will highlight necessary controls to apply to protect these accounts, which should be prioritized via a risk-based approach.”
Here are some of the key steps you’ll want to take in evaluating Privileged Access Management vendors for yourself.
How to put together your Privileged Access Management vendor short list
Many IT professionals put together a potential vendor short list for a simple reason: you don’t have the bandwidth to evaluate and compare every vendor option. Begin by asking trusted friends and colleagues in your industry what their experience has been and whom they would recommend. While this is an easy place to start, you’ll want to apply more rigor to your search by examining what industry experts such as analyst firms have to say.
The analyst firm Gartner provides “Gartner Peer Insights,” which collects reviews from actual users of specific PAM vendor products. Its web page includes a short definition of what PAM vendors should provide and a list of top-rated vendor reviews.
Several leading analyst firms, including Gartner, Forrester, IDC and KuppingerCole, regularly publish analyst reports focused on Privileged Access Management. While these reports can be quite costly to purchase, a complimentary copy can usually be obtained from many of the leading privileged access management vendors.
Between colleague recommendations, user peer reviews and industry analyst reports, you should have a good idea of the four or five PAM vendors that you’ll want to look at more closely.
What to look for in your Privileged Access Management vendor’s software
With your short list in hand, examine and compare the capabilities of each PAM vendor’s software. Keep in mind that vendors offering both PAM on-premise and PAM in the cloud give you the choice of how best to deploy your own solution. Just be sure the vendor’s cloud offering is as robust and full-featured as its on-premise product. The PAM software basics are must-haves, providing you with the ability to:
- Discover privileged accounts on systems, devices and applications for subsequent management.
- Automatically randomize, manage and vault passwords and other credentials for administrative, service and application accounts.
- Control access to privileged accounts, including shared and “break glass” (emergency access) accounts.
- Isolate, monitor, record and audit privileged access sessions, commands and actions.
It’s easy to get lost reviewing loads of features and benefits. So, here’s a checklist of questions you’ll want to ask when evaluating your pared-down list of PAM software vendors. They are essential in helping ensure that you and your staff will adopt and embrace the solution you choose.
Checklist: 10 PAM Vendor Software Evaluation Questions
- Can your team easily learn the software in days? Or will training be required before you’re up and running?
- Can your team manage the software without hiring staff? Or will you have to hire an extra employee or devote existing employee resources just to run the software?
- Does it offer a single integrated UI to manage all functionality in one place? Or will you need to switch between multiple UIs to perform common tasks, increasing your risk of misconfigurations?
- Are professional services available but not required, so you can be self-sufficient when applying patches, upgrades or changes?
- Can you map AD groups to PAM permissions without manual administration and oversight?
- Can you classify data and generate reports based on any criteria relevant to you, even sorting by info in the Notes field? Or are you limited to canned reports with only a pre-defined set of metadata for tagging available?
- Can you view reports and drill into data directly in your browser and share easily, to demonstrate compliance for auditors or generate reports for executives?
- Does the software have “failover” capability built into its architecture for powering discovery and password changing? Can multiple engines share the workload, so that if one goes down, work proceeds?
- Can you customize your deployment with commonly used tech (PowerShell, SQL, SSH) that gives you direct control to create hooks, make script changes and account for dependencies?
- Is the PAM in the cloud option a true SaaS solution? That means no on-premise components need to be installed, no professional services are required, no enterprise capabilities are lost, and all updates are applied automatically.
Obviously, you’ll want a free trial of whatever software product you’re considering. You’ll also want to see what free tools the vendor offers. Free tools can give you a feel for the user experience of their software, and can even help you gauge how serious your privileged account challenges are by discovering privileged accounts and weak passwords.
Other matters to consider when choosing a Privileged Access Management vendor
Once you’ve narrowed your list of potential vendors and examined their offerings against feature, usability and adoption criteria, you’re probably left with at least a couple of viable alternatives. Now is the time to ask questions that reach beyond software capabilities, and don’t forget to communicate your organization’s unique industry requirements.
- Does the company display leadership in the PAM space? Do they generate original PAM research, offer webinars, or speak at conferences? If they do, they’re more likely to be leading the way in product development too.
- Is the vendor easily accessible once the sales pitch is over? Do you have their direct line and email address?
- Have they addressed your concerns and thoroughly answered your questions?
- What is the vendor’s reputation for fast, friendly customer support?
Don’t hesitate to ask for customer references, and make use of them. Call the vendor’s references with a short list of prepared questions to make sure you’ve covered what’s important to you.
Choosing the right Privileged Access Management vendor for you and your organization today will aid the efficacy of your cyber security program in the future. Hopefully Thycotic’s checklist will help make your search a bit easier and a lot smarter. If you would like to learn more about Thycotic, speak with a Lifeboat Distribution Sales Representative today!
This blog originally appeared on The Lockdown, Thycotic’s Cyber Security Publication.