
Questions to Ask

Ask vendors the questions that matter.

In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and focus on potential breakpoints of projects.

What is your focus in PBAM?

With the diversity of solutions in the PBAM space, it is essential to understand the nature of these solutions and the use cases they address. Thus, the initial focus must be on figuring out whether or not a solution supports the current focus area within a PBAM initiative, keeping in mind that an enterprise-wide approach will be executed as a multi-speed initiative across PBAM use cases.

Which integrations are provided?

With few standards yet available for PBAM, integration becomes a focus area. Most solutions provide a range of out-of-the-box integrations to other solutions. Analyzing these, as well as the effort required for building custom integrations, is essential in the selection process.

Which deployment models are supported?

Authorization requests must be handled with high performance and scalability, given that there tend to be many, and delays will slow down applications. Flexible deployment models for the central component, support for hybrid deployments, flexible deployment of PEPs, and support for running multiple distributed PDPs are required.

Which are your main roadmap items?

PBAM is evolving. Thus, it is essential to understand the roadmap of the vendor and its focus area, specifically when looking for solutions that take a central role in an enterprise-level PBAM concept for supporting a growing number of use cases.

Which governance capabilities are provided?

Governance is a key challenge in PBAM. Due to the need for implementing both policy governance and data governance, a well-thought-out governance approach including policy lifecycle management, certifications, and strong reporting capabilities is needed. Integration with Data Governance tools is appreciated, but currently rarely supported out-of-the-box.

Which approaches for managing policies are supported?

Depending on the use case, different parties will define policies. Specifically, business people contribute their business-level policies. On the other hand, a need might also arise for automation and thus for API-based definition and management of policies. A wide range of options, from natural language definition to Rego and API-based approaches, is favored.

Which internal security and privacy-enhancing measures are supported?

Security of API management solutions is just as critical as the security of APIs themselves. Strong authentication methods, segregation of duties and role-based access, an audit log for all administrative activities, as well as privacy-enhancing functions are important for overall security and compliance.

How does your solution achieve scalability and high availability?

API gateways should be considered parts of critical infrastructure, as a potential performance bottleneck or single point of failure might disrupt important business processes and lead to massive losses.

What are the upcoming features on your roadmap?

Discussing features that may become critical aspects of the solution in the future, their development and rollout timelines, and the overall vision of the vendor will help ensure that organizational goals are in alignment.

Can I speak to some reference customers?

It is usually helpful to speak to one or more reference customers, specifically when the reference customer is in a similar industry or region.

This is a sampling of the many possible questions to ask vendors. For further assistance, KuppingerCole Advisory Services helps clients in the vendor selection process. KuppingerCole Research Services provides additional information on vendors, such as in Market and Leadership Compass documents.