How to choose packaged security products?

There is no doubt that it is mainly the CISO who is responsible for defining the criteria and requirements for security products and solutions, whether they are delivered externally or developed internally within the organization.

Even if the products are "packaged" (OTC, Over-the-Counter), it does not mean we should accept them "as they are".

So how do we go about this correctly?


With OTC products we often have few options to influence their security features, but it is always necessary to compare them objectively and to verify the manufacturers' claims.

When selecting such products, besides cost per seat/year/etc., we assess topics such as access control, authorization, secure password storage, data encryption, journaling, etc., depending on which security attributes we are interested in.

The main thing is to compare apples to apples, not apples to oranges: we ask the same questions of every product under review and verify the answers in the same way.

See also ISO/IEC 27036, ISO/IEC TR 6114:2023.

The best way to show what we mean is probably an example.

Selecting an online service to reset users' passwords

| attribute | importance (1-5) | LogonBox Enterprise | ManageEngine ADSelfService Plus, AD360 | N-able Passportal / Blink |
|---|---|---|---|---|
| price (400 users/year/EUR) subscription | | 21760 | 1195 | 5448+3000 |
| price (400 users/EUR) perpetual | | 34400 | 3900 | - |
| enrollment process | | yes | no | yes? |
| pre-enrollment capabilities | 2 | | | yes |
| automated enrollment | 2 | | | yes |
| manual enrollment | 2 | | | yes |
| enrollment reminders | 1 | | | yes |
| easy and bulletproof enrollment process | 1 | ? | ? | ? |
| reset from the web browser | 1 | yes | yes | yes |
| reset from mobile app (via QR) | 1 | yes | | yes |
| offline reset (Windows desktop/local logon integration) | 2 | yes | yes? | yes |
| possibility to manage passwords for local accounts? | | | | |
| user directory integration | | | | |
| integration with Active Directory | 1 | yes | yes | yes |
| support for multiple directories besides AD (OpenLDAP, Linux, SQL db) | 4 | | yes | |
| enforcing password policy for accounts | 1 | yes | yes | yes |
| account activity including logons (not only changes) | 2 | yes | yes | yes |
| identity verification (authentication) | | | | |
| security questions | 4 | yes | | |
| second factor? | 1 | yes | yes | yes |
| DUO | 1 | yes | yes | ? |
| GA | 2 | | | |
| Yubi | 3 | yes | | |
| SMS tokens | 2 | | | yes |
| TOTP | 3 | | | |
| push | 2 | | | |
| QR-code-based | 2 | | | yes |
| MS Auth | 3 | | | |
| own 2FA (only) | 4 | | | |
| dynamic authentication - require stricter or less strict authentication based on context | | no | | yes |
| biometric verification prior to initiating a password reset request | | no? | | yes |
| device verification prior to initiating a password reset request | | no | | yes |
| image-based authentication | | no | no | yes |
| location of user data (enrollment data, user profile, passwords) | | | | |
| credentials are not stored in SSPR | 1 | ? | no | ? (password vault only?) |
| on-premise | 1 | yes | yes | yes |
| cloud | 3 | yes | yes | yes |
| user interface in cloud, all data inside | 1 | yes? | yes | yes |
| sec/admin overview | | | | |
| overall activities in SSPR (who did what when) | | | | |
| locked accounts, upcoming password expiry, sessions and users, password reset by admin vs. by users | 1 | yes | yes | yes |
| automatic alerting | 1 | yes | yes | yes |
| mail notification about any access, to the end user and to admins | 1 | yes | yes | yes |
| automation of admin tasks | 1 | yes | yes | yes |
| webhooks - send real-time data from one application to another whenever a given event occurs; in H&P? perhaps sending data to Jira, e.g. when a relatively weak password was created? | | | | |
| message templates | 1 | yes | yes | yes |
| added value | | | | |
| full site customization (even if in cloud) | 1 | | yes | |
| identity services - SAML support | 1 | | yes | |
| password management for end users? | 3 | ? | yes | yes |
| desktop integration for Windows 11 only - so that credentials are entered automatically? | 2 | | yes | yes |
| HelpDesk action (verification of the user and the action); or HelpDesk is able to intervene if needed | 1 | | | |
| reset possible via mobile phone app (both iOS and Android) | 2 | | | yes |
| when locked out - immediate push notification (phone app) | | | | yes |
| SIEM integration | 2 | | | |
| AD attribute maintenance | 2 | | | |
| password vault | 3 | yes | no | |
| added value - complementary products of the same vendor | | | | |
| AD management including GPOs | 2 | no | yes | |
| AD auditing | 2 | no | yes | |
| LogonBox VPN | 5 | yes | - | |
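To make the "apples to apples" comparison above concrete, here is an added Python example (not from the original page) that scores such a matrix: it takes a constructed subset of the table rows, treats importance 1 as the highest weight (an assumption; the page does not say which end of the 1-5 scale weighs more), counts only confirmed "yes" cells, and lists every "?" or blank cell as an item still to be verified with the vendor rather than silently scoring it.

```python
"""Weighted comparison of SSPR candidates from a criteria matrix.

Added example. The rows below are a constructed subset of the page's
table, and the scoring rule (weight = 6 - importance, so importance 1
counts most) is an assumption, not something the page defines.
"""
from collections import defaultdict

PRODUCTS = ["LogonBox", "ManageEngine", "N-able"]

# (attribute, importance 1-5, raw cells per product) - constructed subset
MATRIX = [
    ("integration with Active Directory", 1, ["yes", "yes", "yes"]),
    ("security questions", 4, ["yes", "", ""]),
    ("DUO", 1, ["yes", "yes", "?"]),
    ("offline reset (Windows desktop/local logon integration)", 2, ["yes", "yes?", "yes"]),
    ("credentials are not stored in SSPR", 1, ["?", "no", "? (password vault only?)"]),
    ("password vault", 3, ["yes", "no", ""]),
]


def classify(cell: str) -> str:
    """Map a raw matrix cell to 'yes', 'no', 'unverified' or 'unknown'."""
    c = cell.strip().lower()
    if not c or c == "-":
        return "unknown"        # question not asked, or not applicable
    if "?" in c:
        return "unverified"     # "?", "yes?", "no?": a claim still to be checked
    if c.startswith("yes"):
        return "yes"
    if c.startswith("no"):
        return "no"
    return "unknown"


def evaluate(matrix, products):
    """Return (coverage % per product, open items per product).

    Only confirmed 'yes' cells earn the row's weight; unverified and
    unknown cells are collected as questions for the vendor instead.
    """
    scores = {p: 0 for p in products}
    max_score = 0
    open_items = defaultdict(list)
    for attribute, importance, cells in matrix:
        weight = 6 - importance             # assumption: 1 = most important
        max_score += weight
        for product, cell in zip(products, cells):
            status = classify(cell)
            if status == "yes":
                scores[product] += weight
            elif status in ("unverified", "unknown"):
                open_items[product].append(attribute)
    coverage = {p: round(100 * s / max_score, 1) for p, s in scores.items()}
    return coverage, dict(open_items)
```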