Identity, Security Management, IAM Technologies

Key questions to ask when evaluating an identity and access security vendor

The increased reliance on identity-based attacks goes hand in hand with rising threats against cloud-based services and assets, according to a new report from CrowdStrike. (Image Credit: Dimitri Otis via Getty Images)

Gone are the days when usernames and passwords alone could protect an organizational network. Today's modern enterprises implement identity and access management (IAM) solutions, automated platforms that oversee and regulate individual user access to each segment of a company's assets, often as part of a zero-trust model.

Yet IAM solutions are not all the same. There are many discoveries and decisions to make before it's possible to settle on a specific vendor and product. Here's what you need to ask of your own organization, and of a potential vendor, as you consider adopting an IAM solution.

IAM questions to ask of your own organization

Before embarking on a search for the right IAM solution, or indeed any kind of information-security product or service, an organization must conduct a thorough self-assessment to firmly understand its own capabilities, deficiencies, requirements, and future plans. Only by truly knowing itself can an enterprise learn what it needs.

A team working under the CISO, CIO or similar top information-security manager must find the answers to these questions:

What is your existing identity and access tech stack?

If your organization is more than a few years old, it may have authorization and authentication software dating back a decade or more. But that doesn't mean the software must all be replaced. Many IAM solutions, especially cloud-based ones, can work with legacy software products. Likewise, if many of your assets are in the cloud, you'll want an IAM solution that can handle them well.

What are your immediate IAM needs? How about future needs?

If your existing authorization model grants a user access to the entire network with a single password login, you'll want to upgrade that model unless you're a very small organization. Many IAM vendors can assist you with that process during initial implementation, or further down the line as your company expands or restructures. You'll also need to assess your compliance requirements, including those that you may not encounter until you expand.

Do we need to upgrade or implement additional information-security solutions?

Some IAM software needs to reach out to other security solutions to properly do its job. But before you blow even more of your budget, see if what you already have might be compatible with the IAM solutions you're considering.

Should the IAM solution be point-based or full-fledged?

If you're a small organization, a point-based solution that solves only a few immediate issues might be the way to go, as it will be fairly quick and cheap to implement. But if you're a larger firm, or you have plans to become one, a full solution that can encompass all your needs and grow with you is the way to go.

Should the IAM solution be on-premises, cloud, or hybrid?

A cloud solution is more flexible, deploys faster, scales better and is often easier to update, upgrade and configure than an on-premises implementation. But you'll lose a lot of control over the environment. A possibly happy medium might be to run a hybrid deployment with the most sensitive data and functions on-prem and the rest in the cloud.

How much of a budget do you have, and has that been truly approved?

You can't do much without the wholehearted support of your organization's executive team, including a substantial budget that is flexible enough to allow for possible overruns.

What kind of IAM provider do you want to work with?

You don't want to be a minnow when your IAM provider's other clients are whales. On the other hand, choosing a young, hungry startup IAM provider may get you more dedication, but will that startup still be around in five years?

Which IAM vendors and products are other companies in your industry using? Can any of those companies make recommendations?

Reach out to acquaintances and former colleagues to see what their organizations use — and if they like what they're using. Also examine online reviews and ratings, as well as industry reports, to see which solutions might be a good fit for your organization.

What are your plans for expansion, overhaul, restructuring, etc.? Where do you see your company in five years' time?

You don't want to buy a solution just for today, but for the future as well. How will the IAM solution fit into your long-term plans? If your organization intends to get bigger quickly, make sure that the IAM solution you're considering can be easily scaled to match your potential growth.

What kind of known performance indicators (KPIs) can be used to demonstrate return on investment (ROI) after the implementation of an IAM solution?

The C-suite will want to know that your IAM budget was spent wisely. And it will want proof. Determine what your KPIs will be before you commit to a product or solution and stick to them.

Questions to ask potential IAM vendors

Before you query vendors about their IAM offerings, you must understand that you're not simply buying a product or service. Your organization is entering into a long-term relationship that could last three, five or even 20 years.

In an ideal situation, the vendor will become a trusted partner that helps your organization grow, as detailed in a recent CyberRisk Leadership Exchange meeting hosted by the Cybersecurity Collaboration Forum.

Regardless of what the future holds, you will need to get to know your eventual IAM vendor nearly as well as you know your own organization. The better you understand the vendor, the better you can implement its product and tailor it to the needs of your own organization.

How many kinds of authentication methods does the vendor's solution support?

Don't go with a solution that supports only usernames and passwords. A good IAM vendor should support many authentication media and standards, including hardware keys, app-based code generators, biometric identifiers such as fingerprint, retina and facial scans, and passwordless authentication such as the new passkey standard backed by Apple, Google, and Microsoft. The IAM solution should be able to combine two or more of these standards into multi-factor authentication scenarios.  

Does the vendor’s solution support single sign-on?

Single sign-on (SSO) solutions such as those offered by Okta, Microsoft, Duo or Ping are widely used by modern organizations because they simplify authorization and reduce password reuse and fatigue. Every good IAM vendor should support SSO.

Does the solution support decentralized identity?

Decentralized identity means that the user, not the services the user wants to access, "holds" the means of verifying credentials, often on a smartphone or other device. It's an idea that hasn't quite caught on, but if it does, any IAM solution that supports decentralized identity will have an advantage.

How easily will the vendor’s solution fit into your existing tech stack?

The less an IAM solution forces you to upgrade your hardware and software, the better. But don't let outmoded components of your tech stack hold you back from adopting today's best practices and methods.

How scalable and flexible is the vendor’s solution? Will it fit into your own company's expansion plans?

Pick a vendor that can quickly scale up if your own business suddenly takes off. If you have plans to move into new markets, make sure your vendor can be there with you.

Would the vendor be willing to provide a product demonstration or trial period?

You'll want to give the contenders on your shortlist a trial run to see how well each meshes with your organization. Any potential solution that doesn't offer a demo or trial period should be ruled out.

Will the solution improve the end-user experience?

Every authentication method creates some friction. The question is how much more friction your new solution creates. If it ends up making the user experience smoother and easier, that's obviously a bonus.

Does the vendor’s solution support BYOD devices?

Just letting your employees check workplace email from their personal smartphones constitutes BYOD. You may also let staffers use home PCs for remote access. If so, then make sure your IAM solution properly tracks, authenticates, and manages employee-owned devices that need network access.

Does the solution apply additional checks when being accessed from mobile or remote devices?

Ideally, the IAM solution should conduct dynamic risk assessments that take into consideration factors such as impossible travel, multiple logons, and new devices, and challenges users to provide additional authentication when necessary.

How much administrative training does the solution require? Will the vendor be able to provide that training?

Every new piece of software involves a learning curve, especially for administrators. See if the vendor is willing to educate your security team.

What is the total cost of ownership, including licensing/purchase, subscription fees, training, maintenance, upgrades, and support?

Don't consider the yearly license fee or one-time purchase price as the bottom line. You must also factor in the costs of implementation, staff training, maintenance, and possible additional hardware. Ask if the vendor provides free support and upgrades, and if not, how much those would cost.

Does the vendor offer a product bundle that might fulfill other needs beyond IAM?

Many security firms can provide multi-purpose solutions that can, for example, protect endpoints or cloud assets along with their core functions. See how such offerings might fit your needs, and if replacing multiple products with a bundled solution might save you money and reduce complexity.

What is the vendor's support policy? Is there someone who can mount an active response at any time of the day or night?

Not all vendors pick up the phone in the middle of the night or on weekends, although that might be exactly when you need an immediate response. See how ready and willing the support teams are.

Can the vendor guarantee constant availability?

You won't be able to afford a lot of downtime, especially with a software-as-a-service (SaaS) deployment. Ask the vendor what kind of backup systems and fallback servers they have.

Can the vendor help implement the solution? If so, how much will that assistance cost?

The IAM vendor will probably know how to set up its solutions better than your team will, unless you use a managed service provider (MSP) that has experience with that solution.

How long has the vendor been in the IAM business? Can the vendor provide a client list and client contacts? What does the vendor's typical client look like?

Ideally, you'll want a vendor that has been in business for at least five years and has a robust roster of satisfied clients. Contact some of those clients to see how they like working with the vendor and compare the vendor's average client with your own company. Does the vendor seem to pay attention to organizations of your size?

How much experience does the vendor have with servicing other companies in your industry? Is it familiar with your compliance obligations?

A vendor that understands your organization's needs is one that's likely to become a long-term partner.

Does the vendor allow third-party security audits of its own products?

Don't just take the vendor's word for how safe its products are. Ask for independent attestation. If there's none available, that should be a red flag.

What are the vendor's own plans? Does it plan to add any features or functions in the next six months? What about farther down the road?

The IAM industry is constantly growing and changing, and you'll want to make sure that the vendor you select can keep up with the latest developments.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.