One Identity Safeguard Reviews

We use it to handle secure access to our Windows and Linux servers and also to manage some of our user accounts. This includes password rotation, JIT, and disabling accounts when they are not in use.

We use their physical appliance.

I look after the backend, but I am also a user of it. In general, users do not love it because there are extra steps to what they are used to, but it is an intuitive service. The approval workflows work particularly well with their integration into Teams. From a backend point of view, it is not too bad. There are a few places where the interface could be slightly different, but mostly, it is fairly intuitive.

The Approval Anywhere feature provides an approval process. We use it for our external contractors. It is nice and easy once things are set up from their point of view, and it provides the university with an additional layer or multiple layers of security, which we did not have before.

We have integrated it with Identity Manager, which is another One Identity product. We have not integrated it with anything else. We thought about integrating it with ServiceNow to have a one-stop shop from ServiceNow to make API calls and requests from there. However, we wanted to keep things a bit simpler at this point. The interface is pretty nice. Asking users to go via the Safeguard method works well.

It provides secure and centralized access to both on-prem and cloud servers, which we did not have before. Previously, there were myriad ways to access our servers, so this centralizing feature is beneficial. 

The auditing and approval mechanisms are features we did not have before and are greatly appreciated.

I do not have any integrations at the moment, and I also do not use the API to automate this. I have to set up user accounts, then privilege accounts, and then linked accounts, and do some association there. There are many steps. We are still in the onboarding phase, and it seems very manual. Ideally, a single interface to integrate all these processes would be useful.

A couple of missing features that I have seen are about to come out, and I am happy they are addressing customer feedback with exactly what I wanted.

I have used the solution for probably about 18 months to 2 years.

We have not had any issues with the core product itself, but there is an add-on called SCALUS, which is quite critical to the user experience, and that does not work. They have been having issues with that for quite a long time, like months. That is not great at all.

Scalability is fine. We have a cluster of SPPs and a cluster of SPSs, and we can add a node to that cluster without much fuss. We did it on one of the clusters, so it is all good.

They are quick to acknowledge a call or case, possibly due to SLA requirements. Overall, it is a hit-and-miss. Sometimes, I get a very helpful response and they address issues on a call. Other times, I am politely informed they cannot help.

Neutral

I did not use any similar solution previously.

It was a little bit of stop-and-start. Quite a few people were involved, but we had One Identity's professional service's help as well. We had something working within a week.

It does require maintenance. It is not a SaaS service. It is not a hosted service, so I have to resolve any issues that come along. I have to deal with any feature enhancements and patching.

We had One Identity's professional service. We had probably four people from our side.

We bought their other products, so it was not that expensive. It is one of those where the more you buy, the cheaper it is.

I would rate One Identity Safeguard an eight out of ten.

On-premises

Our main use case for One Identity Safeguard is to integrate it to clients that need the SPP functionality, which stands for Safeguard for Privileged Passwords. They do say that we could utilize One Identity Safeguard to its full extent for now, but we're getting there.

A quick specific example of how we use One Identity Safeguard with a client is that our latest client needed a password vault, so at first, we integrated One Identity Safeguard for Privileged Passwords, and then they asked for a personal vault so they could store their passwords and secrets, much like KeePass, so we integrated One Identity Safeguard Personal Vault as well. Lastly, they figured at some point down the line that they needed SPS as well, but only the primitive version of it, so we just decided to integrate SPS as well and form it into a cluster with SPP, but they don't use any third-party plugins as of now.

The best feature One Identity Safeguard offers is that it is a pretty new, modern tool that makes extensive use of its API. In general, it's easier than other tools to just perform maintenance work or perform work using the API of One Identity Safeguard. Also, the way that the access requests are structured—with entitlements and access request policies—makes it easier to govern data and identities. CyberArk, which is essentially the industry standard right now, is doing a very primitive job of helping the administrator with the task, and One Identity Safeguard is a lot better at this.

These features help my team day-to-day by making onboarding new users easier, and they also make it easier to create existing teams that are complete with their own password management, their own password profiles and rotations, password requirements, and who gets access to what, so it all makes it easier and faster.

One Identity Safeguard has positively impacted my organization by being another tool that we have in our arsenal to be able to get other clients as well, because we also sell One Identity IAM, and we can just bundle One Identity Safeguard with it. It also has a nice feature called remote access, which a lot of people want to use for externals in their organization, coupled with its just-in-time requisition, so it makes selling it much easier because One Identity is a company that's been in the field for ages.

One Identity Safeguard can be improved by fixing the documentation, which is very convoluted as of now, and addressing versioning, as some major bugs and issues are not documented well enough in the documentation, along with some patches and fixes. Custom plugins need to be introduced as soon as possible.

I give it an eight because it's a nice tool and it's a modern tool, but there are still some issues, not necessarily pertaining to the tool itself, but to the whole philosophy of One Identity and how they have structured their workflows and their knowledge base, which essentially has no knowledge base, just like CyberArk. There are some issues that need to be fixed, plus it does not have a custom option, and a lot of clients are using in-house made applications that also need to be onboarded to One Identity Safeguard to be able to launch a browser session to that application, which One Identity Safeguard has not had any capabilities that could assist with that.

I have been using One Identity Safeguard for two and a half years, ever since we pivoted from CyberArk, as we wanted to be more tool-agnostic, and we decided that One Identity Safeguard was our best option because we had a past with One Identity, with us being in an IAM team.

One Identity Safeguard is stable.

So far, we haven't had any issues with One Identity Safeguard's scalability; it's been fine, but we generally target smaller to mid-sized implementations.

The customer support for One Identity Safeguard is fine for what it is, even though everything needs to be run through them and there are no knowledge bases, so we have to wait for a response from the One Identity Safeguard company, and they also keep a lot of information, requiring us to make a request and then they would need to reply, but it's acceptable overall. It's not the worst I've seen.

Positive

I previously used CyberArk before switching to One Identity Safeguard.

The deployment of the solution takes about two to four weeks, give or take, but that's not counting waiting for the client to respond and all that.

About a month of training is required for end-users, and for us, it was four months to understand One Identity Safeguard, but that was because we already had experience in other PAM tools like CyberArk.

We are partners, executive partners, and resellers with this vendor.

My experience with pricing, setup cost, and licensing has been a good experience overall, as the back and forth with One Identity is something that is acceptable; other tools have options to do this automatically, and they have it, but pricing, presales, and sales is acceptable overall.

Before choosing One Identity Safeguard, I evaluated Zero Trust and Delinea, but they were for smaller organizations, so we decided to adopt One Identity Safeguard.

My advice to others looking into using One Identity Safeguard is to get familiar with the concepts of entitlements and access request policies, the keywords One Identity Safeguard uses, and also get familiar with the way that it handles session management and recording because it's a tool that needs a lot of time to get accustomed to. I give One Identity Safeguard an overall rating of eight out of ten.

My main use case for One Identity Safeguard is using only one module for privileged session, which we use for admins and contractors.

A quick specific example of how my team uses One Identity Safeguard day-to-day is that we use only the second part for our contractors, not for admins in our company, but for companies that help us perform admin work and support our system.

The best features One Identity Safeguard offers include video recordings to help us control our support risks.

Accessing and reviewing those recordings when needed is easy, and there are no problems with recording or reviewing.

One Identity Safeguard has positively impacted my organization by helping us manage risk. We have this product as Balabit, which is a good product that is very light and helps us check or assist with our needs.

One Identity Safeguard could be improved with a password manager and an identity manager as one big access management system.

I believe improvements could be made around integrating with other tools.

I have been using One Identity Safeguard for eight years.

I rated One Identity Safeguard nine out of 10 because the stability and control could be better, as there are some problems with stability and errors when we use it.

As my organization grows or my needs increase, it is easy to add more users or expand the use of One Identity Safeguard, and that experience has been good.

I would rate the customer support for One Identity Safeguard as eight on a scale of one to ten.

Positive

I did not previously use a different solution before One Identity Safeguard.

The deployment of One Identity Safeguard solution took one or two days.

The deployment affected my privileged users in a way that was pretty smooth.

Before choosing One Identity Safeguard, I evaluated other options based on simplicity, price, and functionality.

Feedback from users regarding One Identity Safeguard's usability and functionality is that it is a good product and very simple to use.

My advice for others looking into using One Identity Safeguard is that it is a great solution for simple tasks, with a good price and good functionality.

My company does not have a business relationship with One Identity Safeguard vendor other than being a customer.

I rated this review nine out of ten.

On-premises

Other

I am not a customer; I am a partner. Therefore, I assist clients in implementing One Identity Safeguard to manage privileged account access and their passwords. The primary aim is to reduce the attack surface of those accounts.

The best feature of One Identity Safeguard is its infrastructure simplicity compared to other solutions. Joining two clusters together makes it easy and robust at the same time. The interface is robust and secure, and with recent releases, it has become more stable. Implementation is straightforward, and user experience is simple.

There is room for improvement in integration between modules. The native integration between SPP and SPS, which is currently based on a plugin, could be enhanced. Customization for lookup passwords could also be made easier.

I have been working with One Identity Safeguard since 2019.

Most of my users have been using the on-premises solution. There was a customer who used the physical appliance, but most installations involved virtual appliances. Deployment for my clients takes from three to eight months.

In terms of stability, I rate One Identity Safeguard nine to ten out of ten. It is a fairly stable solution with improvements over time.

The scalability of One Identity Safeguard is perfect, scoring ten out of ten. It is suitable for medium to enterprise-level clients.

I rate customer support six out of ten. It needs improvement as it can significantly impact customer access. It would be beneficial to have a more direct route to second-level support from partners.

Neutral

I am aware of CyberArk. Compared to CyberArk, One Identity Safeguard could be more mature. However, it is a good solution in terms of cost-benefit.

The initial setup is relatively simple compared to other solutions. It is straightforward for most users.

While it does not directly reduce costs in terms of personnel, One Identity Safeguard offers increased security, especially in password management.

The pricing of One Identity Safeguard is fairly priced and cheaper than other solutions of the same enterprise level. It provides a good cost-benefit ratio.

I have knowledge of CyberArk as an alternative solution.

I recommend One Identity Safeguard because it is valuable in terms of cost-benefit. It is simple to implement, and its infrastructure costs are lower than other solutions. It provides a flexible approach, offering both on-premises and cloud solutions. Overall, I rate One Identity Safeguard eight out of ten.

My main use cases include LDAP, SSH, and some utilization of HTTPS. My primary uses are LDAP and SSH.

From my experience, the features are best for monitoring and the usage of LDAP and SSH. I think One Identity should improve its documentation because it is vast and not clear, and clear documentation on implementing the solution would be advantageous for consultants. I find clear documentation helpful for clients and customers to achieve what they want.

I find it complicated to implement HTTPS monitoring because the documentation is unclear. The disaster recovery process is complicated for me. For some configurations on the SPS side, if I need to make changes, such as for DNS servers, I must redeploy the machine. Transparent Mode can be improved in newer versions, and the failover process is the most complicated for me.

I have been working with this solution for the last two years.

The stability is consistent for me until a problem arises; then it becomes difficult. I encounter problems primarily with the failover procedure.

Scalability is acceptable for me. If customer usage increases, I can add new appliances, but this incurs costs.

I find the support good, but not excellent. When I open a ticket, resolutions can take a long time, and I sometimes need escalations to reach expertise.

Negative

I always compare this solution with CyberArk. I feel CyberArk is not like a black box; it allows a lot of customization.

The initial setup is not complex for me; it's straightforward. I would rate it a seven, as it takes me thirty to forty minutes per machine for deployment.

I install the solution and offer the services to the end-users.

Any PAM solution, when I deploy it well and customers use it, leads to a return on investment. This is applicable not just to One Identity or CyberArk, but to any PAM solution that provides what customers need to achieve.

It's about controlling what people are doing in their infrastructure. Overall, I would rate the product six out of ten.

We are a One Identity partner, and our clients use One Identity Safeguard for password vaults, session management for Linux and Windows servers, and network appliances.

One Identity Safeguard now prevents unauthorized access to servers by eliminating privileged passwords and requiring all connections to go through a PAM-authorized process. This means no one, including hackers, can access servers without explicit approval, significantly enhancing overall security.

One Identity Safeguard is easy to use with a good partner to support you, and it can be up and running within a few days.

We have successfully integrated One Identity Safeguard with cloud targets, and the process was straightforward.

One Identity Safeguard has improved our incident response time by 300 percent.

The most valuable feature of One Identity Safeguard is the user-friendly interface.

The password vault feature has proven to be most effective for managing privileged access. Recycling passwords has been critical. The environment is on lockdown with the One Identity privileged access management solution. No hacker can get in.

One Identity's support is not appropriately structured, and it has a lot of room to improve.

I have been using One Identity Safeguard for three years. 

One Identity Safeguard is exceptionally stable.

One Identity Safeguard is highly scalable.

We have plans to increase the use of One Identity Safeguard.

Technical support is all right, but they will not offer support until we have One Identity running. If we have issues during the deployment, they will not provide support unless we pay for professional services.

Negative

The initial setup was straightforward and took three months because the client had a problematic environment.

Our strategy was to deploy this on a single VM appliance and replicate it to an offline data site public setup.

One Identity Safeguard provides a significant return on investment.

One Identity Safeguard is expensive. The license is around $3,000 per month.

We evaluated CyberArk but found One Identity Safeguard easier to use, deploy, and administer.

I would rate One Identity Safeguard five out of ten.

Do not deploy One Identity Safeguard unless you have extensive training, classroom training, and infrastructure experience.

We have around 100 administrators; our clients are medium and enterprise businesses.

Minimal maintenance is required because it is a virtual appliance, and everything is preconfigured.

One Identity Safeguard is a good solution, and I recommend it.

Our customer is a public service organization with about 800 privileged accounts and 8,000 functional accounts. The client already has a relatively unadvanced identity management implementation. It's a request-based identity management solution. What we're doing now is getting better control of the privileged accounts and getting rid of the old technology.

The end users don't know of an alternative. They are still subject to identity management through what is quite a large, manual process instead of process automation. For instance, the users do not have a self-service port where they can automatically get privileges they don't have today. Everything goes via the ITSM manual control workflow.

It's the manual processing our client currently has that is what we are thinking of improving. The installation was not set up by my team, but our job is to focus on the most sensitive information assets and secure insights into how service and other infrastructure are managed through privileged accounts. After that, we will work on simplifying the everyday user experience.

We work with just the physical appliances. It wasn't my decision. It was what the client already had. Regarding the form factor, just put it in a rack and it works. It's not an issue.

We're introducing the solution's transparent mode for privileged sessions. This is part of what the client hasn't used before. It will simplify their administrative situation greatly. So far, the rollout of this feature has been a seamless process, but we're still in the midst of rolling it out. The benefits will be on the risk side.

Right now, the way accounts are managed, you don't necessarily know who is using an account. There's a shared admin account, and that's not a good thing. And those accounts are shared in wallets by several people. One of the real benefits of safeguarding here is that the client will have an absolute audit of who is using an administrative interface, whether it's server or network.

The identity discovery is good, and the performance is pretty good value.

Something for One Identity to look at is having integration guidelines for how to logically group accounts. This is always something you need people to do. It would be especially helpful when you have thousands of servers, and within each and every one there are between two and five admin accounts.

I have been working with One Identity Safeguard for about six years. I'm a consultant, and I work with various technologies. When One Identity came out with it about six years ago, I was one of the first to engage with it.

We haven't had any issues with the stability of Safeguard.

It's scalable, at least in this environment. I haven't worked in a very large-scale environment with this technology. At least you don't have bottlenecks in your operating system or external virtualization. For this organization with 10,000 people, it seems to be working.

We have a specialist who is super-deep in One Identity and has done a couple of the most complex installations of the solution in Norway. He is better than any support organization you could come up with. He's really special.

Setting it up is not complex. The complex bit is migrating from the various wallet types into Safeguard because users have to be trained in a new methodology of how to use Safeguard. We need to shut down the old access as Safeguard becomes the only way in. That is the tricky part. It's not Safeguard in and of itself which is tricky. On the contrary, Safeguard is simple to use.

We haven't finished the deployment yet, but the plan is to do it over two months. We have six people on our team who are involved with the client.

We have created the training material, and each user gets online training, documentation, and a facilitated meeting. Each user gets a full eight hours of training. The training is distributed over a couple of weeks.

We've been able to manage disruption so far. That is because we provide the users with a semi-automatic tool that makes them responsible for transferring their own accounts from the wallet to Safeguard instead of us doing it for them. And that gives the end user the control they need to not mess up their own secrets. They have access and all the means to make it as non-disruptive for them as possible. I wouldn't call it a custom build, but we've created a process that they have to follow. It partly gives them something that extracts all the secrets from the current wallet and populates them into a Safeguard. But they have to do it themselves and validate that they have done it.

Letting the users have control over their own migration is a key part of the strategy because big bangs usually end up with a big bang. What I mean is that you can end with a big disaster if the users don't feel that they are able to use Safeguard on time, or if they don't know whether their accounts are still in the old process or the new one. The key strategy is to not rearrange privileged groups before the migration. Even though most admin users have too much access, we're not fixing that right now. We will do that after the migration. We want the migration process to be as smooth as possible.

It's not difficult to maintain. Compared to the One Identity software, there is less maintenance. That's why one chooses appliances, to have less maintenance. Just give it power and it works.

Because we're talking about a digital world now, very few organizations question the need for some sort of identity management solution. One Identity makes sense for organizations that have some of their own infrastructure and cannot go fully to the cloud. For organizations that have everything in Azure cloud, it may not make sense to use this solution. For an organization like that, One Identity does not provide any ROI. But for any organization with more than 10,000 people and its own local infrastructure, One Identity makes sense and provides a good ROI.

They have comparable pricing. All identity products are essentially priced in a similar way. It's a per-user base. Usually, they start at one price, and when you start pricing the competition, you typically get a bit of a discount or more favorable payment terms. For example, you might not have to pay until you've enrolled all the users. You don't have to pay upfront for all people in the organization until they've been enrolled.

There are also integration costs and migration costs. That's the big one.

One Identity is the simplest to work with and has the best discovery function. There's very little kludge in the software. It's probably the quickest for going from zero to operational of all the alternatives in the marketplace.

What it lacks, compared to some, is specific SAP integration for clients that have that. Our current client doesn't have SAP, so it's not an issue for them. And potentially, SailPoint has more pre-made connectors. That means if you have a large number of systems you want to provision into, then SailPoint is the way to go. 

As for privileged access management, if you have an abnormal number of servers—more than 10,000—a whole lot of network elements, and several types of platforms, you might have to go for CyberArk.

But One Identity is a very good package for most organizations. It's one of the simplest to use. CyberArk is the leader in the marketplace, but typically, it is too complex and too big for Norwegian organizations. One Identity PAM has the simplicity to fit Norwegian businesses. It has enough features for any medium-sized business under 50,000 people and under 10,000 servers. For those organizations, One Identity is a safe pick.

I would absolutely recommend One Identity.

Very large organizations with complex technologies and a very large number of devices can consider other options. But One Identity has a very good suite of technologies.

I am an independent consultant who assists end users in deploying One Identity Safeguard correctly and creating all necessary workflows within the product. I then ensure its effective utilization in the production environment. I have been working with Safeguard since the beginning and continue to use it presently. Based on my experience, the majority of projects, around ninety-nine percent, involve virtual appliances. While I have performed some hardware appliance installations, I lack extensive experience with them. Therefore, I cannot definitively state whether they are good or bad. However, I can affirm that they function properly.

When we discuss the situation at the beginning of my journey, it serves as a safeguard. So, seven years ago, it primarily revolved around RDP and SSH session control. However, nowadays, I observe that customers are shifting their focus primarily toward password rotation and password management functionality. Moreover, they are increasingly utilizing the permanent analytics capabilities of Safeguard, such as user entity and behavioral analytics. Currently, we utilize all the functionality offered by One Identity Safeguard, including password rotation, password management, session management, and possibly session harmonics as well.

In most cases, we are referring to active directory environments and the safeguards implemented in such environments. This implies a close integration with the domain controllers, which serve as a source of identity information. However, the customers I work with as an independent consultant often utilize password management solutions. This indicates their desire to replace passwords, which may already be in use on certain devices. Sometimes, it involves scheduled password rotation. Additionally, session management has evolved. Nowadays, some customers are not only using RDP and SSH control but also MSS. Furthermore, I have worked on several projects involving HTTPS special control.

The situation as it was seven years ago, the usability and functionality of Safeguard were like three key questions in the case of Safeguard. Unfortunately, several years ago, they still had a sync client, which means a desktop application for one part of the product, while another part of the product was managed through the web UI. Of course, it was not so convenient. But nowadays, all the functionality is managed from the same console, meaning via the web UI, 100 percent. So, from this perspective, I can say that customers are quite happy with the current user interface of the solution.

The most important benefit is that when we talk about the deployment of any PAM solution, it serves as a centralized point for privileged access connections. This includes internal users, such as administrators or individuals with special privileges, like an accountant with additional access to the company's ERP system. This is in contrast to the standard situation where users have a direct connection to the target system, which lacks control. Firstly, a single point is created to enable full control over connections. Additionally, automation allows for quick response in case of any malicious activity. For instance, if the system detects abnormal behavior, such as in an SSH session, it can instantly terminate the session without requiring the involvement of cybersecurity personnel. The advantage of this approach is that it eliminates the need to involve humans in the process, which would take time. With a PAM solution like Safeguard, these actions can be executed within seconds, preventing any negative impact on the target system.

From my perspective, using the transparent mode is quite easy. However, from the customer's point of view, they should take the time to understand how it works properly. Once they grasp the concept of how this mode operates, which is made possible by the unique technology at the core of Safeguard's privileged session module, it becomes a significant benefit. Some customers may find it necessary to review this aspect carefully. Nevertheless, once they comprehend the intended functionality, everything else becomes straightforward.

I did not observe any issues concerning the rollout of the transparent mode for our users.

Monitoring privileged accounts using transparent mode is much easier from a user perspective, as it is almost invisible to them. What we are discussing is the deployment of Safeguard in transparent mode. From a monitoring standpoint, unfortunately, it does not prevent the injection of certain credentials. However, in terms of monitoring functionality, it is almost the same. Therefore, I cannot say that there is a significant negative impact from that perspective.

We utilize the secure remote access feature for privileged users. The majority of my projects involve contractors and third parties rather than direct employees.

Without One Identity Safeguard, managing remote access would be significantly more challenging. Safeguard is the tool that, from my perspective and based on my project experience, enables customers to have complete and effective control over remote access for both their contractors and internal infrastructure. It is remarkably user-friendly. Therefore, there is no distinction between deploying Safeguard for securing our internal network and implementing it for managing remote access from third-party networks and beyond.

It is nice that the Secure Remote Access feature does not rely on VPN; however, all of my customers continue to use VPN and utilize a VPN panel to manage remote access via Safeguard.

A dealbreaker for customers is the capabilities of the privileged analytics module, which can be extremely useful in certain cases. From a functionality standpoint, I would like to emphasize One Identity Safeguard architecture itself is quite mature. It offers high availability and enables end users to deploy the solution with 99.999 percent uptime, which is crucial in an enterprise environment with a large number of endpoints.

The main point regarding the user experience is that Safeguard has two separate management consoles. Both are web-based user interfaces, specifically HTML-based. However, they are completely distinct consoles. It would be preferable to have a single management console or tool instead. This would allow for a unified point of connection to all nodes, enabling the management and creation of policies, connection requests, and other related tasks.

What I saw and heard from the customers is the control functionality of the HTTP session. Nowadays, there are numerous blind spots in the current organization of HTTP session control functionality. It should be addressed in the latest version, as some competitors already offer unrestricted functionality.

I have been using One Identity Safeguard for almost seven years.

From a technical perspective, Safeguard has two distinct development lines, let's say. The first one is Long-Term Support, which can be considered quite stable. However, when we discuss the non-LTS branch with new functionalities, I must admit there have been a few instances where we encountered some rather strange and interesting bugs. While the non-LTS branch is less stable, it still qualifies as a production-grade solution. In most cases, any bugs that arise do not automatically affect the user experience, overall system functionality, or the ability to control the privileged environment. Nevertheless, there are occasions where these bugs can be quite amusing, requiring us to reach out to technical support and submit a new ticket to have them resolved.

Safeguard is highly scalable due to its architecture. From my perspective, it is one of the most scalable solutions on the market among other Privileged Access Management solutions.

During many projects, we contacted standard support. I mean, even without the premier support contract, we simply created some tickets. We had several video calls with the One Identity team, and I can confidently say that they are highly supportive. Sometimes, for non-critical issues, they may take a long time to respond. However, when it comes to physical issues, they are extremely prompt in their responses, prioritizing them based on the defined priority during ticket creation. They strive to be fully engaged and invested in resolving the problem.

Positive

I previously used WALLIX Bastion, CyberArk Privileged Access Manager, and senhasegura.

CyberArk is a great solution from a functionality standpoint. It offers interesting features in certain cases, which unfortunately are absent in Safeguard. However, from a customer perspective, there are some issues. At times, I wasn't involved in the evaluation procedure when our customers wanted to determine the ideal solution for their use cases. CyberArk can be overly complex in this regard, with numerous different modules, each requiring a separate license. Consequently, the overall cost of the project and solution would be much higher compared to Safeguard. Nevertheless, from a technical standpoint, CyberArk is quite impressive. Yet, it remains overly complex for end users, both in the business and technical teams, and the pricing is not the most competitive.

Regarding WALLIX, I must say that it sometimes has certain peculiarities that are difficult to describe. The way they create the management console and the principles for managing their solution is rather strange. Understanding their approach fully requires reading the documentation several times. Senhasegura is also a decent solution in my opinion, but it is not yet mature enough. They offer a wide range of functionality and modules, but the lack of separate licensing, as in CyberArk, is a plus. However, during deployment and setup, we may encounter some issues. In general, they claim to provide a lot of functionality, but it is not as detailed as Safeguard.

The initial setup is straightforward. Based on the experience of some of my customers, they didn't involve me during the initial deployment phase, but later on, during some kind of policy setup phase, and so on. I can say that even inexperienced users, customers who saw Safeguard for the first time, were able to fully deploy Safeguard by following the official documentation, which is detailed and helpful. They were able to deploy all the necessary components, at least four SAP and one SPS. So, it's a basic deployment process that my customers were able to complete within a couple of days without any issues.

To deploy virtual appliances, in my case, it will take a couple of hours, or perhaps several hours for complex deployments involving geographical distribution between different customer sites, among other factors. However, when considering the entire project, it includes not only the initial deployment phase but also connecting to the active directory, creating necessary policies within the products, and setting up integrations with third-party solutions such as SIM. I've heard that the longest projects with Safeguard lasted around four and a half months.

The number of people required for deployment varies based on the size of the deployment, but typically, between one and two people are needed.

We help our customers with their implementation.

The pricing depends on our perspective, our budget, and, of course, the competitors we are taking into account. For instance, when comparing it to CyberArk, Safeguard is considerably more expensive initially. However, from my viewpoint, the pricing of Safeguard, in comparison to CyberArk, is quite straightforward and logical. What I mean is that we have dedicated licenses for each appliance, as well as licenses for premium users or target systems, and that's all. There are no additional modules. Therefore, in some cases, it may be relatively expensive, but on the other hand, it is logical and straightforward.

I give One Identity Safeguard a nine out of ten.

Privileged users continue to utilize their connection to the target systems, thus remaining unaffected during the deployment process.

Normally, reading the documentation would be sufficient to start using Safeguard for both those who manage the solution and the end-users. However, in real life, I conducted some technical training sessions for Safeguard administrators and Safeguard end users. For end users, in most cases, a two to three-hour training session was enough to familiarize them with the management console. This console is used to request extensions to target systems and perform other related tasks. On the other hand, administrators usually required six to eight hours of training. However, the duration can vary depending on the specific project. For instance, a standard deployment with four nodes would differ from a non-standard deployment with twelve nodes distributed across an entire continent. In such cases, customers may need additional training to ensure business continuity in the event of issues occurring at a specific site. This training would focus on the technical aspects of implementing a business continuity plan.

When preparing to deploy Safeguard, our first step is to engage in a comprehensive discussion with the customer regarding their project goals. We inquire about the specific reasons behind their need to incorporate a PAM solution. Once we have a clear understanding of their use cases, we proceed to address the technical aspects. From a technical perspective, one of the most crucial questions is to define the scope of the target systems, including the types of operating systems and protocols that will be utilized to establish connections, such as RDP, SSH, HTTP, or MSS. After establishing the scope of the target systems, we then proceed to define the scope of the end users who will utilize Safeguard. These users will establish privileged sessions with the target systems. Additionally, we determine the source of identity information for privileged users, which is typically the active directory, although, in some instances, a DAP service deployed in the customer's infrastructure may be utilized. Once these preliminary steps are completed, we have all the necessary tools and information to proceed with the deployment process itself.