One Identity Safeguard Reviews

We started with administrative use cases and we were able to take control of all the local administrator accounts for endpoints and servers. We then started controlling privileged accounts for our domain administrators as well as for any kind of privileged account that had access to our switches, routers, and the like. 

This year we're looking at taking control of all of the servers and application accounts. But that's going to be a longer journey for us because there are a lot more of those accounts, and there is a lot more testing that needs to be done because of the nature of the accounts.

Another use case this year is integrating Safeguard into the SQL database, so we can start taking control of the SA accounts within SQL. 

Furthermore, we have a use case where we are using Safeguard to manage the account for our IIGA solution, which is our identity governance solution. When it creates new users or transfers or terminates users, it's using a privileged account that is being handled by Safeguard.

We have a lot more use cases but these are enough to give you an idea of how we use it.

We went from a state where privileged accounts were being used and not being monitored or even audited to our situation now where we are starting to monitor these privileged accounts more closely. That's where we show value in the product. Whenever a change is happening, we know because we find it in the logs. Our reporting and monitoring team is looking at it, and they are now starting to question changes that are associated with some kind of ticket or some kind CAB (change advisory board) request. It has improved our visibility for privileged access.

We have physical appliances for this solution. We went with that version of it because it was easier for us to deploy it and not have the IT engineers involved with our deployment. We wanted to control everything, from the deployment to the supportability to the usability of the product. I really enjoy the form factor of the appliance because it's definitely a change from the previous version, which was a bigger box. This one is a lot easier. It doesn't take up room on the rack, and it's very efficient as far as resources go.

The ease of use of the GUI is a really nice feature. It has a nice look and feel to it.

The actual checkout process is simple. You log into the portal and you're presented with accounts. That makes that so much easier because you don't have to go searching for stuff. It identifies what accounts you have, you click on it, and you go through the checkout process.

It's one of the best products we've seen. When you start looking at the functionality and use cases and usability of the product, it's straightforward. They designed this product with the end-user in mind, and they also had the sysadmin who is supporting the product in mind. They really did a nice job. Overall, it's a nice product to work with.

We use the Approval Anywhere feature and, through an app, it allows us to approve or deny requests. We don't have that turned on across the board, but we are turning it on slowly but surely. It adds an extra layer of security for critical passwords without adding time-consuming approval processes. That extra layer of security is our "belt and suspender" approach. It's making sure that you are approved to make a change, especially during production hours; it's approved by the person's manager.

From a usability perspective, what we are finding out is that our privileged domain admin users, in particular, want functionality for extending a checkout session. So we are working with One Identity support to see if there's an enhancement that can be made to the product. 

There is another area for improvement that I have sent over to One Identity. I said, "Whenever you check out a password, there should be a radio code associated with the password." That's something that we're trying to work on with them. It was submitted as a request for enhancement. Sometimes, you can't tell if an "O" is an "O" or a zero is a zero. If we had a radio code, the person could correctly read that password and make sure that they're not fat-fingering it.

We've been using One Identity Safeguard since the end of 2017, so it's a little over two years. I was also a user of the previous version, which was TPAM, for many more years in my previous role.

We have never had an issue with the software or even with the appliances.

It's very scalable. It doesn't matter what size of organization you have. If you have an organization of 1,000 or 100,000, the product is going to be scalable to your needs.

In our company, we have sporadic roles and we have about 55 users who are tuned into Safeguard. We're managing over 3,000 privileged accounts. Some of the users' roles are network administrators, IT administrators, help desk administrators, and InfoSec administrators. Our marketing team has users of the product, as they have applications whose passwords are being managed through Safeguard. We have a nice blend of users who are using the product daily. It has really done a good job of keeping up with the demand.

We definitely have plans to expand the usage of the product. Any area that's going to require some kind of privileged account, especially as we go through a digital transformation in deploying cloud services, Safeguard is going to be right there with us and will give us that flexibility to manage those kinds of accounts.

For deployment and maintenance of the solution we have a staff of one who reports directly to me. He's a senior cybersecurity engineer.

Safeguard's technical support is one of the better ones that I have worked with. There's always room for improvement, but every time that I do pick up the phone it's been fine. 

In my previous role I used Dell Quest TPAM, which was the previous version of Safeguard.

The initial setup was very straightforward because my team had the expertise in deploying a PAM solution, which was TPAM, in the past. This wasn't really that much different. We were able to deploy the full infrastructure, including DR redundancy, without Professional Services.

Because of scheduling conflicts, it took a few weeks to deploy. The main boxes were up within a week, but the full circle of deployment of the product was about a month or so because of those scheduling issues.

Standing up the appliance, plugging it in, and getting started was very straightforward. So kudos to One Identity for really listening to what the user population had to say about TPAM, because it is definitely reflected in the Safeguard product.

In terms of the effect on our privileged users, it's always going to be disruptive when you change something. People don't like change. We introduced this slowly but surely. We took a real "crawl, walk, run" type of methodology. We took the most basic use cases, and then we would update our support documentation to support the product. As we deployed it, we kept finding areas that we needed to document. It wasn't so easy to deploy something that was going to change somebody's workday process flow. But a year later, we're in a different state. It's been adopted and people are drinking from the same water hose.

We had in mind that we needed to handle the local administrator accounts and the privileged accounts, and we moved on from there. We knew that doing the local administrator account, which is really a non-human account, was going to give us the biggest bang for the buck. We knew that was something that we would achieve fairly quickly, and we did.

The training for end-users wasn't that bad. The product is straightforward. When you start working on a product with a lot of the features that you had suggested, in a previous version, be implemented, it's really nice to see that the company is listening to clients and the user population. That helped us in training our employees who use the product. The training was extremely straightforward, and people really caught onto it fairly quickly.

We absolutely see return on our investment. We're minimizing the risk of potential insider and external threats. We're managing all the privileged accounts, and we have minimized the risks of an account being hijacked and being used to compromise domains.

We are already seeing the return because we conduct annual penetration tests to see if we're able to compromise the network.

We evaluated CyberArk and BeyondTrust in addition to Safeguard. We went through a bake-off and Safeguard had one of the best sets of functionalities. It even had simple stuff for integration of a checkout proxy ID. You could check out the password and then it would just proxy to the endpoint. An example would an SSH session you needed for an account that was checked out.

CyberArk was going to require a lot of resources, both human and infrastructure resources, that we didn't have the bandwidth to take on. BeyondTrust fell short of some of the use cases that we had. One of the use cases was relationship. We had a core team that decided on the product and when the core team did its scoring, Safeguard came out just a little bit ahead of BeyondTrust and well ahead of CyberArk.

Start with your current state. That's what we did. Then, create a roadmap of where you are, where you need to be over the next five years. Once you're able to assess the current state and you have a plan in place, you can pick the product that's going to help you get to that future state.

The biggest lesson I have learned from using this product is to be open-minded in trying to figure out where we could use some enhancements. Just because you choose a product you don't have to be 100 percent, all-in on the product. There is always room for opportunities. Whenever there is feedback or challenges, take them and then see what you can do better. My focus is the end-user who is using the product. We have to make sure that using this product doesn't affect users' day-to-day operations.

We started using the solution's behavior analytics feature but it never really took off because we got overwhelmed with other areas that we needed to address. It's something that is on the roadmap for us to eventually take a look at, or at least refresh the project plan and commit some time and some resources to it.

We are looking to integrate Safeguard with RSA. RSA has a component and we're looking to streamline the metrics around that component. When a product is brought online, there's a way for us to go in and do a scan of that machine or that endpoint. Ideally what should happen is that we'll go to Safeguard, check out a password, push that password to the vulnerability management scanner, and scan it. When that scan is done, it actually checks in the password and rotates it. It's our vulnerability management solution that we're looking to integrate. We're doing a PoC on that right now.

Safeguard is a next-generation tool when it comes to privileged access management. They have done a nice job figuring out all the features that need to be available out-of-the-box. I do have high expectations for Safeguard. I continue to look forward to future releases because I know it's going to get even better.

On-premises

I am not a customer; I am a partner. Therefore, I assist clients in implementing One Identity Safeguard to manage privileged account access and their passwords. The primary aim is to reduce the attack surface of those accounts.

The best feature of One Identity Safeguard is its infrastructure simplicity compared to other solutions. Joining two clusters together makes it easy and robust at the same time. The interface is robust and secure, and with recent releases, it has become more stable. Implementation is straightforward, and user experience is simple.

There is room for improvement in integration between modules. The native integration between SPP and SPS, which is currently based on a plugin, could be enhanced. Customization for lookup passwords could also be made easier.

I have been working with One Identity Safeguard since 2019.

Most of my users have been using the on-premises solution. There was a customer who used the physical appliance, but most installations involved virtual appliances. Deployment for my clients takes from three to eight months.

In terms of stability, I rate One Identity Safeguard nine to ten out of ten. It is a fairly stable solution with improvements over time.

The scalability of One Identity Safeguard is perfect, scoring ten out of ten. It is suitable for medium to enterprise-level clients.

I rate customer support six out of ten. It needs improvement as it can significantly impact customer access. It would be beneficial to have a more direct route to second-level support from partners.

Neutral

I am aware of CyberArk. Compared to CyberArk, One Identity Safeguard could be more mature. However, it is a good solution in terms of cost-benefit.

The initial setup is relatively simple compared to other solutions. It is straightforward for most users.

While it does not directly reduce costs in terms of personnel, One Identity Safeguard offers increased security, especially in password management.

The pricing of One Identity Safeguard is fairly priced and cheaper than other solutions of the same enterprise level. It provides a good cost-benefit ratio.

I have knowledge of CyberArk as an alternative solution.

I recommend One Identity Safeguard because it is valuable in terms of cost-benefit. It is simple to implement, and its infrastructure costs are lower than other solutions. It provides a flexible approach, offering both on-premises and cloud solutions. Overall, I rate One Identity Safeguard eight out of ten.

We use this solution to control the access of privileged users, such as application administrators, to the internal network. This solution allows us to record and log user sessions.

We use virtual appliances on the VMware platform. The virtualization of such services allows us to flexibly scale our hardware configuration and gives significantly more opportunities for building a stable structure. 

This solution allowed us to provide remote access to the company's internal infrastructure in the context of the COVID-19 pandemic. It made this access more transparent and controlled for information security departments.

We easily integrated this product with our SIEM system for collecting events. Thanks to this integration, we were able to build convenient, regular reports on privileged user connections. Therefore, our information security units can better see who is connecting to the remote infrastructure.

The most valuable feature is the logging sessions with their visualization, which is video recording. This functionality allows us to restore the actions of a user in the event of any incidents.

The solution transparently integrates into the infrastructure and users do not notice it. I would give this feature the highest rating.

While the "transparent mode" feature did not affect the monitoring in any way, it led to an increase in the convenience of connecting users.

This solution visualizes RDP sessions and logs SSH sessions.

I would like to see support for RDP over HTTPS so this product can be used in conjunction with the Microsoft terminal.

I would like to visualize SSH sessions.

I would like built-in traffic balancing mechanisms with the built-in load balancing mechanism when using several instances.

About four years.

Over four years of use, we have not encountered a single system crash or failure. The product is stable.

When increasing the number of users, we can rather easily add to virtual appliances processors and memory, or disks for storing records, which is more difficult to do on a hardware (physical) appliance.

We have two administrators involved in the deployment, configuration, and maintenance of this solution. During the peak of the pandemic, we had up to 3,000 users connected through the solution and able to work from home.

We have used One Identity’s tech support. I would rate it as excellent. They answer all the questions asked of them quickly and efficiently.

We did not previously use a different solution.

The virtual appliance is deployed from the delivered image without any problems. The setup takes about 15 to 20 minutes, including initial setup and configuration. It also is available to any admin user with Unix competencies.

We use the “transparent mode” function to connect administrative users via SSH to the Unix servers. We did not encounter any problems when setting up this feature, as everything was easy. The solution is well-documented and quite understandable when setting up.

It took about one or two working days to administer the solution, read the documentation and settings, and test various configuration options. It was not very difficult. For our users, there were no special nuances since the connection is transparent. They do not understand nor see that they are connecting through the One Identity Safeguard space.

Our implementation strategy was to use this solution to control remote sessions of privileged users, first with our IT support staff. Now, we use the product for this purpose. In general, the strategy was a success.

There has been a lack of losses, since controlling the actions of privileged users is primarily to minimize risks and create an absence of losses.

Licensing and pricing are quite straightforward. The number of recording channel licenses depends on the needs of the customer. I would suggest estimating the number of concurrent sessions per unit of time and proceed from there when purchasing a license.

We evaluated Safeguard and another product. We ultimately chose Safeguard.

Safeguard is an external (in relation to controlled systems) solution which allows you to record sessions. Its competitor was an agent solution that was put on target servers. With the competitor's solution, there was a risk of disconnecting of a privileged user's recording.

Clearly assess your needs and formulate the necessary requirements, then proceed from there with the selection of an appropriate solution. In our case, One Identity Safeguard became this solution. However, this solution is not a panacea for all ills. It is possibly you’ll find that a different solution is more suitable.

I would rate the solution as a nine (out of 10). In order to rate it as a 10, it should have what I would like to see in its coming new releases.

Foreign Language: (Russian)

Как и для чего вы используете этот продукт?

Мы используем это решение для контроля доступа привилегированных пользователей, таких как администраторы приложений, к внутренней сети. Это решение позволяет нам записывать и регистрировать пользовательские сессии.

Мы используем виртуальные устройства на платформе VMware. Виртуализация таких сервисов позволяет нам гибко масштабировать конфигурацию нашего оборудования и предоставляет значительно больше возможностей для построения стабильной структуры.

Как это помогло моей организации?

Это решение позволило нам обеспечить удаленный доступ к внутренней инфраструктуре компании в контексте пандемии COVID-19. Это сделало этот доступ более прозрачным и контролируемым для отделов информационной безопасности.

Мы легко интегрировали этот продукт с нашей системой SIEM для сбора событий. Благодаря этой интеграции мы смогли создавать подходящие регулярные отчеты о привилегированных пользовательских соединениях. Поэтому наши подразделения информационной безопасности могут лучше видеть, кто подключается к удаленной инфраструктуре.

Какие функции вы нашли наиболее ценными?

Наиболее ценной функцией является регистрация сеансов с их визуализацией, то есть запись видео. Эта функциональность позволяет нам восстанавливать действия пользователя в случае каких-либо инцидентов.

Решение прозрачно интегрируется в инфраструктуру, и пользователи этого не замечают. Я бы дал этой функции самый высокий рейтинг.

Хотя функция «прозрачного режима» никак не повлияла на мониторинг, она привела к увеличению удобства подключения пользователей.

Это решение визуализирует сеансы RDP и регистрирует сеансы SSH.

Что нуждается в улучшении?

Я хотел бы видеть поддержку RDP через HTTPS, чтобы этот продукт можно было использовать вместе с терминалом Microsoft.

Я хотел бы визуализировать сессии SSH.

Я хотел бы использовать встроенные механизмы балансировки трафика со встроенным механизмом балансировки нагрузки при использовании нескольких экземпляров.

Как долго я использую этот продукт/решение?

Около четырех лет.

Что я думаю о стабильности этого продукта/решения?

За четыре года использования мы не встретили ни одного сбоя или сбоя системы. Продукт стабилен.

Что я думаю о масштабируемости решения?

Увеличивая количество пользователей, мы можем довольно легко добавить к виртуальным устройствам процессоры и память или диски для хранения записей, что труднее сделать на аппаратном (физическом) устройстве.

У нас есть два администратора, участвующих в развертывании, настройке и обслуживании этого решения. В разгар пандемии у нас было до 3000 пользователей, подключенных через решение и способных работать из дома.

Как бы вы оценили техническую поддержку этого продукта/решения?

Мы использовали техническую поддержку One Identity. Я бы оценил это как превосходное. Они отвечают на все заданные вопросы быстро и качественно.

Какое решение я использовал ранее и почему я переключился?

Ранее мы не использовали другое решение.

Как прошла начальная настройка?

Виртуальное устройство развертывается из доставленного образа без каких-либо проблем. Настройка занимает от 15 до 20 минут, включая первоначальную установку и настройку. Он также доступен для любого администратора с компетенцией Unix.

Мы используем функцию «прозрачного режима» для подключения административных пользователей через SSH к серверам Unix. При настройке этой функции проблем не возникало, так как все было просто. Решение хорошо документировано и вполне понятно при настройке.

Потребовалось около одного или двух рабочих дней для администрирования решения, ознакомления с документацией и настройками, а также для тестирования различных вариантов конфигурации. Это было не очень сложно. Для наших пользователей особых нюансов не было, так как подключение прозрачно. Они не понимают и не видят, что они соединяются через пространство One Identity Safeguard.

Наша стратегия внедрения заключалась в том, чтобы использовать это решение для управления удаленными сеансами привилегированных пользователей, в первую очередь с нашей службой поддержки Информационных Технологий. Теперь мы используем продукт для этой цели. В целом стратегия имела успех.

Какой была была ваша прибыль на инвестиции в One Identity Safeguard?

Мы не испытали никаких потерь, поскольку контроль действий привилегированных пользователей в первую очередь сводит к минимуму риска и создает отсутствие потерь.

Какой у меня опыт работы с ценами, стоимостью установки и лицензированием?

Лицензирование и ценообразование довольно просты. Количество каналов регистрации лицензий зависит от потребностей заказчика. Я бы посоветовал оценить количество одновременных сеансов за единицу времени и перейти оттуда к покупке лицензии.

Прежде чем выбрать этот продукт, вы оценивали другие варианты?

Мы оценили Safeguard и другой продукт. В конечном итоге мы выбрали Safeguard.

Safeguard - это внешнее (по отношению к управляемым системам) решение, которое позволяет вам записывать сессии. Его конкурентом было агентское решение, которое было размещено на целевых серверах. С решением конкурента был риск отключения записи привилегированного пользователя.

Какой еще у меня совет?

Четко оцените свои потребности и сформулируйте необходимые требования, а затем приступайте к выбору подходящего решения. В нашем случае One Identity Safeguard стал таким решением. Однако это решение не является панацеей от всех болезней. Возможно, вы обнаружите, что другое решение более подходит.

Я бы оценил решение как девять (из 10). Чтобы оценить его как 10, у него должно быть то, что я хотел бы видеть в его будущих новых выпусках.

Our company is regulated by the central bank in our country. There are about 4,000 employees in our organization. 

Our main need was to reduce the operational cost of our department by increasing the window of operations to 24-hour rather than have office unemployment. 

We are now digitizing the access control function through One Identity. Whoever forgets their password can reset it on their own rather than reaching out to the security desk. Whenever we have a new employee, we found that it was taking at least two days to get them a username or access to the system. Now, once they are logged into the organization and are registered on our ERP system, their complete access will be ready within five seconds. They will receive an SMS with their username and password so they can start working. This has increased efficiency and effectiveness of the access control function. It has reduced operational costs as well as providing services 24/7 with a platform that can be used anytime and anywhere for investigation in case we have a requirement. 

We use the physical appliances, as they are more reliable. Around the world, dedicated appliances are more reliable than having a virtual version/copy. We went with the physical appliances because they are dedicated and closed like a black box. However, we haven't reported any misses with the virtual version. 

We use the solution’s Approval Anywhere feature which enables us to add an extra layer of security for critical passwords without adding time-consuming approval processes. In the past, we were having problems when a user went on vacation. There were many recalled cases of password sharing. When we received this type of incidence and started to investigate, we found out the past setup had no solution. For example, if someone with a daily duty went on vacation, they still had to do it within the office. That is why sometimes people tried to justify the sharing of passwords by the importance of their duties. Now, by using this platform, if someone goes on a vacation, out of office, or needs urgent/planned leave, then our setup will select the functions tied to that person and automatically delegate them to the next person. That person can start performing that duty based on their access. No sharing of passwords is required.

The multilanguage functionality does not support the Arabic language, even though this solution is deployed in an Arabic region. However, it matches our criteria and requirements overall.

One Identity is using a third-party to create one-time passwords. Due to our security restrictions, we needed to build our own. When we discussed this with One Identity, "Why they don't provide a technology that can be hosted on our data center and be built by One Identity," they said they are using a third-party. This was their justification, so I think it's based on their strategy and there's no harm using a third party. However, we were having an issue using a third-party.

I have using this solution for about six months. The project started about one year back. We started product introduction through phases. We went full-fledged with One Identity using Cloud Access Manager, Password Manager, and Privileged Access Management along with identity and access management.

We have been trying to stabilize the system until now. We haven't had the chance to revisit the deployment to find out if there are any expansion plans, as we are working to sustain the set up. We want to increase end user awareness and start building the number of reports.

I didn't have a requirement to test the scalability of the solution. We did discuss the scalability with the system integrator at the beginning, and it's on the license level. I don't think we will have an issue once we come to the point of needing to scale.

We have 3,000 end users and 10 administrators.

I haven't had a chance to work the One Identity technical team. We work with the local partner instead.

None of my team has gone for training yet. However, they did have a handover for operation of the solution. It doesn't need that much training as long as you know the basics of access control functions. End users only need to have a tutorial to the portal. This is what we provide: a tutorial for how to use it and the know-how.

We previously were using a manual process. One Identity helped us to automate this process.

We integrated One Identity with our ERP system (Oracle) and also with our security operations center (Splunk). The integration went perfectly. It was an easy connection. We built the connectivity directly through the API. What we found time consuming: the setup and connecting One Identity. E.g., Oracle takes more time than Splunk to connect because Splunk's system is ready to send the security logs to the security operations centers. With Oracle, the integration depends on the business needs and there are a number of different requirements based on those business needs. The enhancement One Identity made is the historical part related to system access control goes through our SOC to this tool.

My team worked on the initial setup. I don't remember any critical escalations related to technicalities during their field deployments. The local system integrator helped us with any deployment challenges. There was zero disruption to privilege users during the deployment, which can be attributed to the work of the project management team. The deployment took about six months using two outsourced resources.

For the consultation services, we went with a well-known, famous system integration company (Exceed Gulf), who is local. They were cooperative, experienced, and professional. They have led many successful deployments in our region. Sometimes, they provide better advice when we are releasing an RFP to the market, e.g., when they got this RFP, they added value by doing a slight amendment to the deployment. This contributed a lot to the success of this project. Their advice comes based on their experience in the deployment for such a solution in our region. I strongly recommend working with Exceed Gulf and the same team that we worked with, as their technical skills were perfect.

We have not yet seen ROI. The benefit that we get from using One Identity is that it reduces operational costs.

We have a yearly license. The cost depends on how much a company wants to invest in technology. In our organization, we believe in modern digitization and automation processes so we found it affordable. One Identity was not that much less than other solutions and it is not a cheap solution. There were number of cheaper solutions. However, it's the most effective, according to our evaluation.

When we started thinking about approaching such a solution, there was an increased need to digitize or have a platform that helped to provided access control functions. There were a number of solutions in the market, like Oracle and Microsoft. One Identity (per our evaluation) was our selected solution. One Identity won when we match these criteria against other solutions in the market:

• Support
• The system integrator
• Strength of the solution
• Complexity of the solution (less complex than other solutions).

Make sure to always get the support. This solution could not be successfully implemented with no support of the HR and procurement system. You will need to mature all of your HR and procurement processes to do the deployment in a secure manner. This is a security solution, not an IT solution. If you want to deploy it as a security requirement, you need to ensure that the HR and procurement processes are correctly in place. You can use it as a technology solution, because not all the technology requires security, but all security requires technology.

We haven't activated the session recordings yet. We have tested it, and while it worked successfully, we didn't apply it fully because of internal technical issues.

All the logs in the system are recorded and sent to our security operations center (SOC) for analysis. In our SOC, we have end user behavior analysis, but do not depend directly on One Identity to provide this. However, I might ask to have a report for the user behavioral analysis going forward.

I can rate the solution as an eight (out of 10).

On-premises

We are using the virtual appliance. We are a cloud company working widely with virtualization. We provide virtual machine to our customers. When we deploy a new solution, we try to use our system to show our customers that it works for them. That is why we are using a virtual appliance which validates the usage.

For now, we are using it for traceability of access inside the platform because we are a certified company: ISO 27001, SecNumCloud, HDS... We use this solution to monitor the session of our administrator and also to capitalize on incidents. When you have an incident in the night and our Level 3 people are working on it, they don't have the time to document all they do on the platform. The main goal is to have the service up as fast as possible. We are now recording the session, and the morning after the incident, we can see the session and understand what has been done to resolve the incident.

We are using the latest version of Safeguard.

When we are asked to do an investigation for a server, we have all the information that we need. We never have any problems as all the information is available to us.

The transparent proxy is the most valuable feature. When you are connecting to a server inside the platform, the user doesn't need to change their habit. They just have to make small configurations to their workstation, then it is transparent for them. Our users like the solution because it's transparent. Users doesn't need to have interaction with 3DS OUTSCALE IT or security team to work as usual. It's interesting for the users because they don't have to think, "I have to note all that I've done during the incident to remember it".

We use the solution’s “transparent mode” feature for privileged sessions. It is very easy because it is only a simple configuration for our users. We don't have to modify our network. We install it, configure it, and it works. So, it is super easy. The rollout for our users is seamless.

The "transparent mode" allows for better visibility. With its monitoring, we can do investigations which are good for us and improve our system.

The interface is better now, but it still could be improved a lot. It needs more organization, menus, automatic refresh of information, and Web 2.0.

An official HashiCorp Vault connector would be very helpful inside the platform.

SSH implementation is not 100% compatible with standard SSH (openssh). For example : JumpHost.

As a result, some options require manual tunning, and complicated user-side configs, where it could be much simpler

We have been using it for a long time: six years.

It is very stable. We have never had incidents with it. When we lost a connection with our Active Directory, the system continued to work. When we lost the storage on the virtual appliance, we restarted it, then it was fine. Thus, the product is very stable. 

One or two people are needed for deployment and maintenance. For the deployment, it's done by the security team for now. However, in the near future, it will be managed by the operations team.

We upgrade about every two months the latest version.

We don't use the scalability. When we need a new appliance, we deploy it inside another network. We don't need scalability for now, but if we grow quickly, we will need to think about it.

We have about 50 users inside the company, including the security team, operations team, infrastructure team, and Level 1 support.

We are using 75 percent of the parallel session unless there is an incident, then we can use all the slots.

I used the technical support once. It was good. I had the answer to my question quickly. I have direct access to the pre-sales team and my account manager. So, I called in and my problem was solved.

Yes but we had to quit it because they didn't have what we needed and it was very expensive. 

In the beginning six years ago, we started with a small instance. We used it very simply and learned how to manage it. 

With the newest version that we massively deployed, we had one week to know how to install it and how it works. Now, we know how it works very well.

Install is fairly simple, with basic options.

Configuration requires a little explanation on the way it works but is straightforward too.

We deployed it ourselves.

We have seen ROI in terms of time. It's easier for us to investigate incidents, which is helpful. It has improved our performance with investigations. It used to take a month to write an incident. Now, it takes us a week, cutting the time down by a fourth.

Our licensing costs are on a yearly basis.

We evaluated CyberArk, which was pretty good, but it is very expensive. CyberArk's interface was better. Also, CyberArk's login was not so transparent. We chose One Identity because it has a transparent login in interruption in the network.

When you use Safeguard in production, it provides traceability and protection around your platform.

I would rate the solution as a seven (out of 10) because of the interface.

I have seen the future of analytics, and it's very interesting. I hope to have the time to try and learn something about that.

We are using One Identity Safeguard for our data protection.

We are utilizing the virtual appliance solution because it is slightly more cost-effective and allows us to manage it remotely.

Secure Remote Access feature is being utilized by non-technical users, primarily for multi-factor authentications. We are implementing MFA; however, some users in our branch are not yet connected. Consequently, we are resorting to using a VPN in our access control measures. At times, we have also employed remote branches for auditing and monitoring any potentially suspicious activities. Our endpoint security is consistently updated and ensures encryption for all the internet services we utilize.

It is important that the Secure Remote Access feature does not rely on a VPN. One Identity Safeguard provides us with the ability to manage access to the system network and data from our remote branches through the Secure Remote Access feature, ensuring a secure and confidential connection on the backend.

We have integrated One Identity Safeguard with our DevOps processes to assist in managing the parameters. Prior to the integration, we used to wait for certain automation related to security, either already completed or sometimes people would proceed without reporting. However, after the implementation, it has proven to be highly effective for security testing through automation at various stages, particularly in the pipeline, and for conducting critical analysis. This has significantly improved our understanding. 

There are numerous valuable data protection features, including the content and information that offer us more scalable protection as needed.

We also have access to immediate support for situations that we are unable to handle.

Some of our users find the functionality a bit complex, and it could be made more user-friendly.

The integration of automation, security monitoring, and secure configuration can be enhanced. We can integrate these elements using Ansible or any other necessary tools. This would be advantageous in terms of time and effort saved during implementation, especially when dealing with merged branches. This approach will guarantee that the code is approved, tested, and verified, potentially resulting in substantial time savings.

I have been using One Identity Safeguard for ten years.

Premier Support is valuable because it enables us to receive prompt assistance whenever we encounter any type of issue.

Positive

The time to deploy varies from a few minutes to several hours depending on the scenario.

We integrate security tests into our CI/CD pipeline for privileged users to ensure that these users are not affected.

We also assessed CyberArk, which is a more robust Privileged Access Management solution compared to One Identity Safeguard. However, it comes with a significantly higher cost.

I would rate One Identity Safeguard an eight out of ten.

We conducted training sessions for all employees and managers in our company. The training was tailored to each person's skills in order to streamline the training process and facilitate the deployment procedures.

With Safeguard, there are two virtual appliances. There is one that helps you manage passwords and then there is another one that helps you record the sessions. You can configure it to record whatever you do when you make the remote calls.  

We use this solution for a bank. My current project is to onboard all the bank's security assets onto Safeguard. It will be used for admins to have secure access to the server.  

The part of this product that I like the most is the transparent mode. That is the number one advantage of the product. I also like the ease-of-use. That is what Quest is known for. The interface is interactive, relatively easy-to-use.  

I like the fact that we are using a proxy server. Also, I like the fact that it is integrated in such a way that I can connect to my Linux and Unix resources using my AD credentials. They map the AD credentials to Linux accounts. So, when I am connected to my AD accounts, it acts as a sort of proxy to convert it to the Unix account that it is configured for. That is quite useful.  

The only part of the Safeguard solution that I think could be a problem over time is the amount of storage it takes in the sessions. For example, because it records in real-time video it takes a lot of resources. So, it has not been a problem yet, but we are looking at a solution where we allocate the cost of that additional capacity differently. Then there will be enough resources to compensate for whatever the storage needs are. It just takes a large amount of storage for each current session.  

Another thing that I would like to see them improve is that I would like them to make the transparent board a little bit more transparent. The transparent mode is something I use often and it is the best feature of the product but that is also why I see how it can be improved. It might just be a little bit easier to use.  

We are a long-time Quest partner and have only been using the product for the past five months. We just got onboarded to the One Identity product. This is my first project with One Identity.  

One of the things I really like about the One Identity solution is the fact that it can be configured in active-active cluster mode. It is just a little pricey because you have to purchase the additional licensing just to be able to do an active-active configuration.  

But I like it also because it is a virtual appliance. This means I can configure a high-availability cluster anyhow I want. If I have it on a VMware cluster, I can enable high-availability or any virtual cluster solution that makes sure it is highly available. I would do that using VMware storage. This makes it a more stable and flexible solution.  

The fact that I do not have to worry about other incidental things is good. I am not connected to an external database server. So all the dependencies, patching, and additional setup is something I do not have to do on the One Identity appliance. Everything is on a hardware appliance. In other words, I do not really even have to worry about securing my security device. It may not be the first thing to think about, but because you deployed a security device, now you have to worry about securing it. As it is all-in-one as a hardware appliance, I do not have to worry about all that.  

We have not had any issues with scalability to this point and it is handling our capacity and needs. The only potential issue would be budgeting for additional licensing, which would not be a problem in our case, and handling the resource usage. These are not really limiting.  

Between the banking client and our company, not everyone has been onboarded yet to the One Identity Safeguard. But in the end, we are looking at probably about 500 servers and I think a total of about 180 admins. This seems realistic using this product.  

My impression of support is that the guys there are very helpful. They are eager to jump in and to help you out. Yes, I think it is a great service.  

I think that the initial setup was very straight forward. Pretty much a piece of cake, actually. With our implementation strategy, the deployment actually took only about two hours. That is including the discovery of the assets. It is a relatively large enterprise network, so discovery can potentially take some time. This was very reasonable.  

The approximate cost on a yearly basis is in the ballpark of about 80 grand, $80,000. That is for about 100 servers. That is the standard license fee. There are not really any additional costs once you purchase that. Sometimes you can have professional services included with it. For example, if you take a week of professional services or if you need them to do the install. That is the only additional charge.  

As a long-time Quest partner, this was an easy choice to make. Because we were already partners it made sense to work with their other solutions.  

The advice I would give to organizations considering this solution would be that before they make a commitment they need to try to find a local support resource. They will want to be able to get local support because that can be critical. But otherwise, I think it is a good product and a good buy. I would buy it again. As a partner, I would also sell it again because I am confident in it as a product and a solution.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate the One Identity Safeguard solution as a nine-point-five out of ten. I'm very happy. If I have to choose an integer, it would have to be a nine. Ten would mean it is perfect and there are things I think can be improved.  

On-premises

The three main use cases that we have are:

1. Ensure our human and non-human privilege accounts are locked up in a password vault. 
2. Have workflows to handle the major types of usage, such as break glass and business as usual. 
3. Changes in usage of the credentials are tied into approved change requests. 

These drive our first goal to take all our privileged users on the help desk, our local accounts on our desktops, our servers (web servers, app servers, or database servers), and individuals in our network group who do our firewalls, then migrate all these human accounts into Safeguard Password Vault. Last Fall, we went group by group and revised their accounts. We took away any type of privilege account that they had, ensuring that all of these accounts were then migrated to the Vault. They could then check out passwords to facilitate any type of privilege activities they needed to do on behalf of the bank.

We use virtual appliances for this solution, which made sense for us, especially if we will plan to perhaps migrate to the cloud. Right now, it's all virtualized on-premise.

Anytime new tools and technologies are being brought into the bank, the biggest impact is to the process, procedures, and culture. There is a culture change when any new technology gets rolled out. This solution changes the way we have done the business for many years. We're taking a very controlled, conservative approach in how we roll the technology out.

It is working as it's supposed to work. We had a lot of good support from the One Identity team who helped us build it and do a test. 

We are able to log and get reporting on all privileged activity that is being performed. We like the fact that we can leverage the session recording feature, which is especially valuable when we're dealing with third-party vendors that have to remote into our our boxes and servers to do any work on behalf of the bank. Now, we can record everything they are doing to ensure that they're only doing the changes that were needed. In addition, we use it to leverage knowledge transfer with our internal staff.

We use the solution’s Approval Anywhere feature. We do have the Starling 2FA app on our mobile devices. We haven't rolled out the request and approval yet. We want to get people to use it in their daily functions, whether it's business as usual work, break glass, or any changes that they need to make tied into an approved formal change request. Starting in April, we will be rolling out the request and approval phase. Based on the type of change being requested, break glass will need to be approved, especially if they're doing it during the daytime or off-hours. Then, we will have change requests tied into our change-advisory board. Once there's a change that's approved via our CAB process, then that person will be allowed to check out the credentials they need and tie it back into the ServiceNow ticket that was created. This gives us the audibility between when that change was being made and ensuring that it's being performed for its intended purposes. We are taking a crawl-walk-run approach.

Some of the out-of-the-box reporting isn't that rich. We spoke to our Safeguard reps who have acknowledged that some of the reporting features can certainly be improved and that we're not the only customer who has cited this. There are very little out-of-the-box reporting capabilities. You have to build the queries and the report. I believe in the next release they're going to be addressing this.

We have been using Safeguard in a production capacity for about nine months now.

We haven't had any problems at all. 

There was one issue where we had to put a certain fix on and were able to work with the One Identity people. We downloaded the fix and put it onto our dev environment. After it was baked into our dev environment for a day or so, we then scheduled that change to go live into our production environment. That went very smoothly.

Two people are needed for deployment and maintenance. They're both in the cybersecurity area. There's a manager along with a senior cyber security analyst who runs the platform.

The tool does everything that it is designed to do. It is one of the leading privileged access management products out on the market. They rebuilt the whole product, giving it a nice brand a new clean user interface, which is very user-friendly and easy to use. One Identity has done a very good job taking the old product, TPAM, and doing a whole refresh of that tool. We're very happy with the Safeguard product.

We have approximately 50 to 60 human privilege accounts whose roles are everything, everywhere. From the information security department to the desktop people, there are about 12 users in that area. There are about 20 people who comprise our IT engineering group and another 15 or so who comprise our network team. Then, there are the third-party users who have to login on behalf of the bank to do changes for us, which is another 10 or so privileged accounts which have been setup for a one-time usage when a third-party vendor needs to remote into our system. Crawl-walk-run impacts about 30 percent of all the changes being made. Most changes are made to the production environment and need to be done with a privilege account.

I would rate the technical support as very good and strong. We're happy with the support we get from our One Identity team. We see it as something that will be accepted more as the culture changes at the bank. We did the human accounts first because with the non-human service accounts there have been challenges this year. You have to tread water very slowly since you have to do a good analysis and understand what these non-human service accounts are used for. It's not just a simple lock them up in a vault type of scenario. It will take us a bit more time to put a plan together beginning in the second quarter to address the onboarding of these non-human service accounts into the password vault.

There wasn't much training required for those who manage the product. It was pretty straightforward. We did do training though. We had a training manual as well as a hour training class with various user groups. Our hour training, manual, and how-to guide along with being able to support issues/concerns via our cybersecurity team was beneficial to the success of the implementation.

We did not use another solution previously.

Prior to this Safeguard implementation, we did not know when somebody was using their elevated privileges to do certain features or functions. We only hoped that it was according to whomever the change request was associated. Now that we're able to audit log and record what is being done, we can play back all the sessions to make sure no type of unattended usage of the privilege or elevated credentials were being used. From securing the bank standpoint, it has helped tremendously.

The team shared with us that the initial setup was pretty straightforward.

The deployment took no more time from when we got the servers brought in to when got the software installed. This took a few weeks to get it up, configured, and customized for our needs. Then, there was some sandbox testing which was done, then we started the pilots within the first three months of having the solution stood up.

Anytime you are putting in a deployment change that affects privilege users, it's going to create some problems. That's why we took a very slow approach of taking one user from all of our various groups. We had one person from each of our teams: desktop, network, and IT engineering. We worked with them for about a month. We tried to shake out any bugs and issues that they would have before we gradually rolled it out to others. 

People are very adverse to change. When you have this type of a solution, the technical capabilities of the product along with all the process change creates some issues. However, we expected that.

My role was as head of identity and access management to work in concert with our cybersecurity manager. It is his team who owned and rolled out the technology to the bank. My responsibility was making sure from an identity and access management process that the procedures had been in place and they satisfied our internal and external audit requirements. I'm more of the process guy, not the technician.

Being in information security, anytime you can sit down with the board of directors, and say "We now have a more secure bank," there is ROI. The reason: The biggest threat to any bank is an insider threat. Now, with our privileged access, we have them logged, recorded, and locked up in a password vault so we know who's making changes, when they're making change, and why they're making changes. This helps greatly improve the security posture of the bank. That's what we use to sell and justify that it was a good investment for the bank.

In addition to Safeguard, we looked at a product by the name of CyberArk and one by the name of BeyondTrust. These were the three products that we brought in for a proof of concept. In the summer of 2018, we made the decision to go with Safeguard. Then, between June and July 2019, we had it up and running, starting pilots and rolling it out accordingly.

When we did our scoring criteria on the three products, all the products were very close. What it came down to was price. We had individuals on the cyber team who had previous experience with the One Identity Privileged Access Management product at that time, which was called TPAM back then. Those individuals had a very good relationship and understanding of that tool. This weighed into our decision as well as cost to go with the One Identity Safeguard solution. It was definitely cheaper than the other two products that we evaluated.

The solution is part of our identity and access management product. We use Saviynt as our identity, governance and administrative tool. We certify all privilege accounts on a schedule basis. There is some integration with our identity and access management platform/program at the bank. It allows us to be in a position where we can identify and detect as well as prevent any type of privilege act that's being used as a threat at the bank. The integration was easy. It didn't pose any problems.

We have had a mixed bag regarding the solution’s usability and functionality. We have had some people who said that the tools worked nicely. They checked out their credentials every morning, use them for the better part of the day. We set the duration for eight hours. Once somebody checks out something in the morning, they pretty much use that password for the entire day. For some groups, this created a problem because of the type of work that they do, such as long running processes. We've had some issues where their password expired while a process was still running. We had to work with our IT engineering group to come up with a different type of the duration for their needs. One Identity has been very good at working with us to help us through these use cases. 

Understand each use case very carefully and thoroughly. This changes the way someone conducts their business. We had to be cognizant of the impact to our day-to-day operations. If I could do it all over again, I would spend more time understanding the impact of a security tool, such as a privileged access management solution. I think we could have done somethings better than we did.

We haven't started to use the solution’s behavior analytics feature, but as we start building up some data, then that puts us in a position to be able to identify any type of exception or anomalous behavior. We haven't built up enough trending data to leverage that functionality at this time.

We are very happy with the tool. I would rate the solution as an eight (out of 10).

On-premises