1. Does the vendor have the track record and scalability your organization requires?
In a world where many companies, big and small, service- and product-based, are competing for a piece of the action in the Identity and Access Management space, companies that have been around for a decade or so clearly have an edge in terms of market share, employee strength, and intellectual property such as tools and value-adds. These companies are well positioned to be leaders.
2. Is Identity their core business or a throwaway addition to secure a sale?
Many IT service firms provide a broad range of advisory and implementation services across various functional areas, including Identity and Access Management. Many are successful in selling multi-year packaged deals which look good on paper and pack a mean punch. Deploying cheap labor in a short span of time, these companies more often than not fail to deploy successful IAM programs, because of the complexity involved and the lack of the specialized knowledge required. You want to partner with a vendor who specializes in IAM and provides IAM services as their core business.
3. Does the vendor provide services across multiple domains?
A specialized vendor can provide services across multiple domains, such as: Access Governance: reduces the risks associated with end users who have unnecessary access privileges; Identity Administration: automation of joiner, mover and leaver processes; Access Management & Federation: solutions like Single Sign-On (SSO), Multi-Factor Authentication (MFA), Federated Identity Management (FIM), etc.; Privileged Identity Management (PIM): how organizations manage privileged identities that have root or database access, etc.; Core Directory Services: management of Active Directory (AD) and virtual directories; Security and Risk Intelligence: security and behavioral analytics for continuous risk monitoring; Data Security and Loss Prevention: solutions for big data and all types of databases; Cloud Security: automated cloud security administration, keeping access simple and keeping the bad guys out.
4. Who are they working with now? Are you comfortable adding your name to that list?
An established vendor will have a diverse customer base across verticals and industries. Fortune 500 logos under their belt are testimony that these big companies have trusted the vendor. Allowing a vendor to manage your identities is like handing over the keys to the kingdom. Vendors must hold adequate certifications such as ISO, SOC, etc., which demonstrate stringent and robust processes.
5. What is their business model?
Is the vendor looking for staff augmentation or a short-term engagement, or are they keen to establish a long-term relationship as a trusted advisor and a true partner? Many IAM implementations are long-term programs, so the key differentiator is a vendor who can not only assess and implement IAM technologies, but also provide Managed Services to run the operations. It is important that the vendor supports updates, patches, upgrades and enhancements, so that customers have one true partner for the entire journey: planning, building, running and refreshing.
6. Is the vendor IAM product agnostic?
Many organizations have more than one security solution, and there is typically some overlap in the capabilities. Integrating, maintaining and enhancing these security solutions is a daunting and costly affair. Vendors who have implemented different solutions across domains understand the common pitfalls and can provide best practices drawn from their extensive implementation knowledge. Established vendors have strategic relationships with organizations like Oracle, RSA, ForgeRock, CyberArk, Saviynt, RadiantLogic, BeyondTrust, IBM Security, CA Technologies, Bomgar, etc. You should ask what value-adds and tools the IAM vendor provides, given their specialized understanding of the space.
7. Does the company provide flexible hosting options?
Companies want flexibility with their infrastructure. It is critical that vendors offer hosting options that meet your needs, whether on-premise, cloud or hybrid. This allows you to leverage your prior infrastructure investments and take the most cost-effective option for your business.
8. How mature is their Managed Service offering?
As more and more companies move to an “as a service” model, it is important to consider factors like industry-standard service level agreements, a good transition model framework, a program governance structure, a comprehensive list of KPIs across various domains, and a quality set of referential case studies to help make your final decision.