Identity and privileged access security challenges aren’t anything new — the pages of history are filled with tales of deception and fraud. During the Trojan War, the Greeks disguised their soldiers by putting them in a wooden horse to successfully infiltrate the city of Troy. In 16th century France, a penniless imposter claimed the identity, sizable property and wife of a man named Martin Guerre — and got away with it until the real Martin Guerre showed back up in town several years later. In the early 1900s, American fraudster Frederick Emerson Peters bamboozled banks all over the country with bad checks, impersonating celebrities, authors and even presidents. And the list goes on and on.
Fast-forward to the present day, and identity and privileged access issues in the enterprise have only grown in complexity thanks to pervasive digital technology, cloud migration, new ways of working and continued attacker innovation. In both random and targeted strikes, identity compromise and manipulation of privileged access have become key elements of modern cyber attacks. According to the Identity Defined Security Alliance (IDSA), 94% of organizations have experienced an identity-related breach at some point. To eliminate security gaps, many cybersecurity teams are evolving their programs by taking a least privilege view of identity-related risk, with Privileged Access Management at the core of their Identity Security strategy.
Your security team recognizes the need for technology solutions that can be flexibly deployed to help secure identities and protect high-risk privileged access across on-premises, cloud and hybrid environments. But if your business is like most, it’s evolving so rapidly that it can be difficult to articulate your exact technology requirements during the evaluation and procurement process (let alone anticipate future needs).
This list of key questions and considerations can help guide IT security decision-makers by simplifying the process of evaluating and selecting the right technology vendor and tools to help you accomplish your identity and Privileged Access Management goals.
Six Questions to Ask Your Potential Identity and Privileged Access Management Provider
1. Can it Support a Hybrid Infrastructure?
The right Privileged Access Management solution enables an evolving set of hybrid technologies that drive operational efficiencies across all identities, infrastructure and applications for hybrid, multi-cloud and SaaS workloads. To help ensure full coverage and compliance, ask if the solution can:
- Seamlessly connect users (both human and machine) to resources across on-premises, hybrid, multi-cloud and SaaS workloads in an efficient and cost-effective manner
- Help you conform with customer compliance and privacy expectations through tools and services that are recognized and trusted by regulators, auditors and authorizing officials
- Integrate with your existing applications, along with new and evolving infrastructure to maximize your IT investments
2. Can it Support Diverse Transactions and Align to Digital Transformation Objectives?
Businesses are embracing DevOps to transform software development and robotic process automation (RPA) to extend the power of automation into new realms. By integrating with automation, scripts and workflow-oriented application program interfaces (APIs), your Privileged Access Management solution can help you take full advantage of digital transformation’s efficiency and productivity benefits — without jeopardizing cybersecurity. Ask if it can:
- Consistently manage the many embedded credentials among DevSecOps, cloud and traditional applications
- Enable secure vaulting and management of privileged account credentials used by software robots and RPA administrators
- Support automated application lifecycle management to boost productivity and minimize IT delays
- Enable just-in-time privileged access through shared accounts and a break-glass approach
3. Does it Prioritize the End-User Experience?
People are a critical part of securing the enterprise. Any process that adds complexity or burden to managing and protecting privileged access brings additional risk, reduces productivity and impedes effectiveness. To gauge the potential impact on users’ access experience, ask if the solution can:
- Make it easy for users to “do the right thing” when it comes to security by balancing intuitive, frictionless access and strong Identity Security controls
- Monitor and secure remote access to maximize effectiveness while enforcing least privilege requirements
- Support self-service capabilities and automated workflows to help users stay efficient and productive
- Be deployed through a cost-effective, flexible SaaS model to help minimize internal operational burden and cost
4. Can it Prepare You for Tomorrow’s Challenges Today?
Identity itself is evolving, as sensors and operational technology join microservices, software robots and virtual services. The most effective solution will help ensure continued alignment with both your security needs and digital business opportunities of tomorrow. Ask if the technology provider can:
- Demonstrate business acumen for strategic acquisitions and a strong R&D pipeline to address emerging threats and use cases
- Draw upon industry-leading threat researchers dedicated to examining emerging attack techniques to drive improvement for the security community
5. Can it Help Defend Against Advanced and Evolving Threats?
The U.S. National Security Agency recommends that organizations consciously operate and defend resources as if the adversary already has a presence within the environment. In this “assume breach” model, the right solution must assume every transaction is untrusted until verified. Ask if the provider and solution can:
- Apply least privilege practices through dynamic security policies to secure all identities – human and machine – end to end
- Enable a Zero Trust approach that leverages adaptive authentication and authorization, supported by a tamper-proof audit trail of all activity
- Provide measurable risk reduction and reduced costs through a successful and continually improving program framework
6. Can it Support a Broad Ecosystem?
Because identity is the thread that binds every facet of an enterprise’s information and technology infrastructure, the right solution should demonstrate the ability to interoperate with a broad array of applications, services and providers. To help minimize future technical debt and stranded technologies, ask if the provider can:
- Demonstrate an alliance of third-party integrations to help preserve the value of your existing IT assets and services
- Support integration through an extensible platform for everything from homegrown applications to external services
- Easily integrate via trusted industry standards and protocols like SAML, REST and OAuth
Your data is one of your business’s most critical assets — yet it’s likely dispersed across a complicated web of in‑house, online and external systems. The right Privileged Access Management solution must be able to consistently protect that data against identity-based threats to confidentiality, integrity and availability.
When you consider the importance of securing privileged access to that critical data, the experience of the technology vendor matters — and should be evaluated with the same rigor as the tool itself. The right partner must be able to demonstrate a solid product approach, proven execution track record, flexible deployment models, customer service excellence, consistent recognition by leading analysts and industry experts and a stable corporate presence.
Refer to these questions during your vendor evaluation process and again as you build out your strategy for managing privileged access, monitoring transactions and mitigating threats. And for a deeper dive into evaluation considerations, download “The Buyer’s Guide to Securing Privileged Access.”