I have hands-on experience with One Identity Safeguard and attended the foundation course in the end of last year. My primary goal is to make use of the cross-product capabilities joining IGA (Identity Manager) and Safeguard (PAM) to achieve Privilege Access Governance (PAG) since lots of customers are asking for this. The trend show consolidation within the IAM market and cross-product solutions is becoming the new standard.
Most important, very easy to setup.
Safeguard for Privileged Passwords (SPP)
I have been using asset and account discovery. This means the product will assist in identifying privileged accounts across hosts, directories, and networks.
Other features include workflow and access requests. Typically time-based, which is best practice to restrict access. Workflows can have one or several approvers.
The "activity center" where I can place my custom queries and get automated reports. This will collect over time and you can see what has happened for a certain user.
I like that the upgrades are not complicated, if the appliance is clustered this is handled automatically.
Great variety of support for different platforms and protocols.
Safeguard for Privileged Sessions (SPS)
I have used something called centralized policy enforcement. You can set up a gateway proxy for privileged sessions where you are applying authentication, access controls, and security policies. This is for endpoints such as SSH, RDP, and telnet.
Then I have used session recording and audit trails. When the recording is being made, it actually records at the protocol level, meaning it can capture keystrokes, mouse input, and the GUI. The recordings can be digitally signed.
Real-time monitoring alerts. It can detect violations according to a policy. If there is a destructive command that is dangerous, it can look for those and can trigger an alert. If we want, it can also automatically terminate the session that is ongoing. Everything is indexed and searchable. It is like a forensics investigation and you can do searchable playback.
User behavior analytics. This is some kind of integration where in real time, it can detect anomalies, something that is not normal, and do some deeper insights on that matter.
I have successfully connected Identity Manager (IGA) to Safeguard to achieve Privilege Access Governance. This is being possible by using an OOTB connector in Identity Manager to talk to the Safeguard system. I can govern the data from Safeguard and provision PAM accounts from Identity Manager to achieve a complete lifecycle.
Documentation can be much better and they should provide typical use cases to get started more easily.
SPP and SPS has separate portals (even if they are joined). SPP seems to be a more mature product and the SPS seems to be less updated in its UI and has more technical depth when configuring.
I have been working with it for a couple of months.
Straighforward.
Using the virtual appliance is quite easy. You download the hypervisor file, everything is already included. There is one appliance for the SPP and one for the SPS. SPP requires a Windows license and to activate it you must have internet access. It was a little headache to get it working.
I'm rating the product 8 of 10 out of what I have seen so far, I'm satisfied by the features OOTB and the integration with the Identity Manager. Also the usage of Remote Access (SRA) and Cloud assistant should not be missed.