Considerations

How Do You Assess AM Solutions?

Security leaders must assess what their organization really needs.

Security leaders need an AM solution baked into their security program.

But what exactly does that solution entail? How do you select the best partner?

Consider the following questions as you begin assessing AM solutions:

What do I need before I roll out an AM program?

Implementing an AM solution requires a layered strategy. Before selecting a solution provider, business leaders need to identify what data, applications, and assets to protect; classify identities; ensure device security; and then explore necessary privileges and permissions. While many AM vendors can help with these tasks, doing some work up front can ease potential integration difficulties or bottlenecks.

Which departments should I include when assessing AM vendors?

A successful AM program should encompass a unified vision, meet the needs of various teams, and balance an organization’s risk tolerance with its business needs. Consider leveraging a security champion to collaborate with other departments, identify the correct stakeholders from the varying lines of business, and align everyone with the program’s goals and objectives.

What are my technology requirements for an AM solution?

Assess the applications, networking components, operating systems, and software within your environment to understand the interoperability and integration capabilities you require from an AM provider. Focus mainly on balancing the need for security while ensuring a robust IT environment that enhances efficiency and enables the business.

Security leaders must assess what their organization really needs.

What are the risks associated with using an AM provider? How can I manage them?

Recently, attackers have leveraged weaknesses within third-party suppliers’ systems to access customer data or infrastructure. You can manage many of these risks during the vendor assessment stage, but organizations must know what to look for to do so properly. The best questions revolve around the vendor's tools and procedures, the degree of qualification of their operations staff, and their uptime or availability metrics, service level agreements (SLAs), and disaster recovery capabilities. 

What kind of delivery solution is the best fit for our organization?

Software-as-a-Service (SaaS)-delivered models have become the gold standard for AM solutions. However, some organizations have legacy applications that do not support modern security standards such as SSO. To determine which delivery method best fits your organization, consider evaluating the key business drivers for your vision in tandem with SaaS-delivered AM benefits. Your evaluation should include the prospective time to value, flexibility for new or legacy applications, and staffing resources.

Below are some factors to consider when comparing on-premises and SaaS-delivered AM models:

Modern AM Capabilities

Consider the business and strategic impacts of an AM solution.

According to Gartner, organizations are “seeking SaaS-delivered models for new AM purchases. This demonstrates a preference for agility, quicker time to new features, elimination of continual software upgrades, reduction of supported infrastructure, and other SaaS versus software benefits demonstrated in the market.”ⁱⁱ

SaaS can eliminate lots of headaches, but it’s not the best option for every organization. In addition to the type of solution delivery model your organization needs, security leaders should also consider the business and strategic impacts of other forward-thinking solution offerings that fall in line with their zero trust strategy. Leading vendors who offer AM services maintain capabilities such as: