Questions to Ask

Ask vendors the questions that matter.

In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and focus on potential breakpoints of projects.

What are the top and emerging threats you are seeing?

This gives the vendor an opportunity to describe their research into cybersecurity. From the answer, one can glean an understanding of how active their research programs are.

Do you publish and share threat information with others?

Many vendors and government agencies share IOC and threat information. Some also actively publish discovered threat information as soon as they discover it, for the betterment of the community. Vendors that are active in this way demonstrate cybersecurity innovation leadership.

Do you specialize in serving specific industries and sectors?

Large vendors will have customers across most industries. Some smaller vendors may focus on specific industries, such as aerospace, pharmaceuticals, health care, finance, etc. In some circumstances, vendors with industry-specific experience and focus may provide more value.

Does your solution support machine learning techniques?

Does your solution use machine learning? If so, which types: supervised, unsupervised, deep learning, etc.? Does your solution use machine learning to automate parts of the PAM process, for example, analytics and password management?

Does your solution support specialized activity? For example, DevOps?

Some PAM vendors are now developing special modules that provide privileged access for specific departments, such as DevOps or CI/CD, that rely on rapid and changing access to privileged accounts.

How does your solution integrate and interoperate with other tools?

Does the PAM solution integrate and/or interoperate with tools such as vulnerability management or incident management tools? Consider how PAM may integrate with other business IT tools such as ITSM, GRC and IGSA tools.

Cloud vs. on-premises consoles

Some vendors now offer cloud-based management consoles. The main advantage to this approach is that the vendor handles the upkeep of the console. Some organizations still prefer to operate the console on-premises, due to security concerns.

What are the current and future authentication mechanisms supported?

Currently, most PAM solutions rely on passwords that are stored in an encrypted vault to automate access to privileged accounts. However, passwords have limitations, especially when associated with shared accounts, and some vendors are now offering passwordless and vaultless access using certificates and other ephemeral credentials.

What is your product roadmap?

What features are on the vendors’ roadmaps? If the PAM solution under consideration does not currently contain all the services and capabilities you need, find out how far down the line those may be offered, if at all. Are there plans for mergers or buyouts? Companies with incomplete products but with advanced features are sometimes looking to be acquired by larger vendors, whose own products need such innovation. Establish as far as you can that you will not be left with an unsupported product.

Can I speak to some reference customers?

Finally, it is usually enlightening to speak to one or more reference customers. It is most helpful when the reference customer is in a similar industry and region.