7 Questions to Ask Prospective IAM and PAM Vendors

Bruce Macdonald

March 3, 2022

The list of cybersecurity hurdles in higher education is long, from department resources to cost to leadership approval. However, as ransomware attacks continue to rise, especially among colleges and universities, overcoming those challenges has never been more critical. 

To meet these attacks head-on, schools need to ensure they have the right technology in place. Your institution should inventory its business and technical infrastructures. Once all of your requirements have been defined, and your stakeholders have bought into the program, the focus should turn to selecting the right vendor for your identity and access management (IAM) and privileged access management (PAM) solutions. It’s a crowded market with plenty of IAM vendors competing for your business, so this process can take time.

Today, many access management platforms are easy to install and implement while remaining affordable, but with so many options to choose from, cutting through the noise has become a stumbling block all its own. As you embark on your vendor selection process, asking the following questions is essential.

Was the Solution Developed Organically or Acquired?

Products that were all developed in one place, by one team, from a single code base, are consistent and fully integrated. This cohesion compares favorably with products from platform vendors who have made many acquisitions and must spend years integrating them. It is also preferable to products from specialist competitors who only offer a small subset of the same functionality and must build integrations with partners to provide comparable solutions.

How Is the Solution Deployed?

Understanding the implementation process is essential for multiple reasons. First, you need to discern where the IAM and PAM solutions are deployed. Do they work on-premises, in the cloud, or allow for a hybrid environment? Depending on your current architecture, some vendors may not be equipped to meet your needs. 

It’s also important to ask how long the deployment process will take. Although many solutions are more turnkey than they once were, creating a personalized solution can still take significant time. Knowing a rough timeline upfront will help you better evaluate vendors and plan ahead.

What Are the Direct (and Indirect) Costs?

Cost is always a crucial factor for any vendor selection, but when choosing an IAM and PAM program, be sure to look beyond the costs of the solution itself. Think through the cost of additional internal support that may be required and ask about additional support costs to stay ahead of any surprises later on. Finally, don’t lose sight of the return on the investment. Understanding the value of time saved and risk averted should be factored into the decision-making process. 

How Quickly Will the Implementation Decrease Your Attack Surface and Risk?

Just as important as the deployment timeline is the time-to-value. Once the solution is implemented, how quickly will you see a positive institutional impact (providing a seamless and efficient end-user experience, streamlining processes, enabling your organization to embrace new technologies and initiatives)? A vendor might not have an exact answer, but they should provide use cases and tie their solution to your end-game goals.

Will the Solution Scale to Meet Future Needs?

With the amount of time and resources going towards this essential technology, it’s crucial that it covers your cybersecurity needs not only today but well into the future. Does the solution scale both vertically and horizontally? As you uncover new threats or your roadmap evolves, you’ll need a platform that allows you to turn services on or off as needed, preferably without additional installations.

How Well Does It Integrate With the Rest of Your Security Ecosystem? 

An IAM or PAM solution that doesn’t securely connect with the rest of your technology ecosystem will cause more problems than it solves. Be sure to ask how it integrates with the rest of your IT (SIEM, service desk, analytics, e-mail). A complete understanding of available integrations can ensure your new solution seamlessly joins your existing environments, allowing you to extend your current investments.

Can the Vendor Grow Your Cybersecurity Program?

Beyond just scalability, partnering with a vendor with offerings that can allow you to expand your cybersecurity beyond IAM and PAM to meet future needs will make sure you don’t stall out after implementation. Are the vendor and platform resource-ready and feature-rich to meet tomorrow's access management use cases? Whether that’s password management or predictive capabilities, the pros of working with a vendor with multiple offerings are many.

Does the Vendor Have a Completed HECVAT Analysis?

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a questionnaire framework specifically designed for higher education to measure vendor risk. Before committing to an IAM vendor solution, ensure the vendor has completed a HECVAT to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents' PII.

Does the Vendor Have Experience With Higher Education Use Cases?

Finally, be sure to ask about their experience with higher education. While limited case studies may not be a dealbreaker, colleges and universities face unique challenges, and dealing with a learning curve while also navigating an implementation could significantly complicate deployment. Ask for higher education case studies and references and dig into what they offer specifically for schools. This experience can save significant amounts of time and budget in the long run.

Finding the Right Partner Matters

Higher education is no stranger to the importance of asking the right questions. Curiosity and persistence are vital ingredients in the world of academia. The same holds true for finding the right program to protect its data and identities.

By answering these questions, you will have the foundational requirements and understanding needed to inform your partner selection process. These questions are only the beginning, however: to successfully modernize their access management efforts, colleges and universities need a vendor that has deep knowledge of the challenges exclusive to higher education and experience addressing them.

Learn more about finding the vendor for your cybersecurity needs in this free white paper: Choosing the Right Program Can Be A Game Changer.
