One Identity Safeguard Reviews

My main use case for One Identity Safeguard is using only one module for privileged session, which we use for admins and contractors.

A quick specific example of how my team uses One Identity Safeguard day-to-day is that we use only the second part for our contractors, not for admins in our company, but for companies that help us perform admin work and support our system.

The best features One Identity Safeguard offers include video recordings to help us control our support risks.

Accessing and reviewing those recordings when needed is easy, and there are no problems with recording or reviewing.

One Identity Safeguard has positively impacted my organization by helping us manage risk. We have this product as Balabit, which is a good product that is very light and helps us check or assist with our needs.

One Identity Safeguard could be improved with a password manager and an identity manager as one big access management system.

I believe improvements could be made around integrating with other tools.

I have been using One Identity Safeguard for eight years.

I rated One Identity Safeguard nine out of 10 because the stability and control could be better, as there are some problems with stability and errors when we use it.

As my organization grows or my needs increase, it is easy to add more users or expand the use of One Identity Safeguard, and that experience has been good.

I would rate the customer support for One Identity Safeguard as eight on a scale of one to ten.

Positive

I did not previously use a different solution before One Identity Safeguard.

The deployment of One Identity Safeguard solution took one or two days.

The deployment affected my privileged users in a way that was pretty smooth.

Before choosing One Identity Safeguard, I evaluated other options based on simplicity, price, and functionality.

Feedback from users regarding One Identity Safeguard's usability and functionality is that it is a good product and very simple to use.

My advice for others looking into using One Identity Safeguard is that it is a great solution for simple tasks, with a good price and good functionality.

My company does not have a business relationship with One Identity Safeguard vendor other than being a customer.

I rated this review nine out of ten.

On-premises

Other

I am not a customer; I am a partner. Therefore, I assist clients in implementing One Identity Safeguard to manage privileged account access and their passwords. The primary aim is to reduce the attack surface of those accounts.

The best feature of One Identity Safeguard is its infrastructure simplicity compared to other solutions. Joining two clusters together makes it easy and robust at the same time. The interface is robust and secure, and with recent releases, it has become more stable. Implementation is straightforward, and user experience is simple.

There is room for improvement in integration between modules. The native integration between SPP and SPS, which is currently based on a plugin, could be enhanced. Customization for lookup passwords could also be made easier.

I have been working with One Identity Safeguard since 2019.

Most of my users have been using the on-premises solution. There was a customer who used the physical appliance, but most installations involved virtual appliances. Deployment for my clients takes from three to eight months.

In terms of stability, I rate One Identity Safeguard nine to ten out of ten. It is a fairly stable solution with improvements over time.

The scalability of One Identity Safeguard is perfect, scoring ten out of ten. It is suitable for medium to enterprise-level clients.

I rate customer support six out of ten. It needs improvement as it can significantly impact customer access. It would be beneficial to have a more direct route to second-level support from partners.

Neutral

I am aware of CyberArk. Compared to CyberArk, One Identity Safeguard could be more mature. However, it is a good solution in terms of cost-benefit.

The initial setup is relatively simple compared to other solutions. It is straightforward for most users.

While it does not directly reduce costs in terms of personnel, One Identity Safeguard offers increased security, especially in password management.

The pricing of One Identity Safeguard is fairly priced and cheaper than other solutions of the same enterprise level. It provides a good cost-benefit ratio.

I have knowledge of CyberArk as an alternative solution.

I recommend One Identity Safeguard because it is valuable in terms of cost-benefit. It is simple to implement, and its infrastructure costs are lower than other solutions. It provides a flexible approach, offering both on-premises and cloud solutions. Overall, I rate One Identity Safeguard eight out of ten.

My main use cases include LDAP, SSH, and some utilization of HTTPS. My primary uses are LDAP and SSH.

From my experience, the features are best for monitoring and the usage of LDAP and SSH. I think One Identity should improve its documentation because it is vast and not clear, and clear documentation on implementing the solution would be advantageous for consultants. I find clear documentation helpful for clients and customers to achieve what they want.

I find it complicated to implement HTTPS monitoring because the documentation is unclear. The disaster recovery process is complicated for me. For some configurations on the SPS side, if I need to make changes, such as for DNS servers, I must redeploy the machine. Transparent Mode can be improved in newer versions, and the failover process is the most complicated for me.

I have been working with this solution for the last two years.

The stability is consistent for me until a problem arises; then it becomes difficult. I encounter problems primarily with the failover procedure.

Scalability is acceptable for me. If customer usage increases, I can add new appliances, but this incurs costs.

I find the support good, but not excellent. When I open a ticket, resolutions can take a long time, and I sometimes need escalations to reach expertise.

Negative

I always compare this solution with CyberArk. I feel CyberArk is not like a black box; it allows a lot of customization.

The initial setup is not complex for me; it's straightforward. I would rate it a seven, as it takes me thirty to forty minutes per machine for deployment.

I install the solution and offer the services to the end-users.

Any PAM solution, when I deploy it well and customers use it, leads to a return on investment. This is applicable not just to One Identity or CyberArk, but to any PAM solution that provides what customers need to achieve.

It's about controlling what people are doing in their infrastructure. Overall, I would rate the product six out of ten.

We are a One Identity partner, and our clients use One Identity Safeguard for password vaults, session management for Linux and Windows servers, and network appliances.

One Identity Safeguard now prevents unauthorized access to servers by eliminating privileged passwords and requiring all connections to go through a PAM-authorized process. This means no one, including hackers, can access servers without explicit approval, significantly enhancing overall security.

One Identity Safeguard is easy to use with a good partner to support you, and it can be up and running within a few days.

We have successfully integrated One Identity Safeguard with cloud targets, and the process was straightforward.

One Identity Safeguard has improved our incident response time by 300 percent.

The most valuable feature of One Identity Safeguard is the user-friendly interface.

The password vault feature has proven to be most effective for managing privileged access. Recycling passwords has been critical. The environment is on lockdown with the One Identity privileged access management solution. No hacker can get in.

One Identity's support is not appropriately structured, and it has a lot of room to improve.

I have been using One Identity Safeguard for three years. 

One Identity Safeguard is exceptionally stable.

One Identity Safeguard is highly scalable.

We have plans to increase the use of One Identity Safeguard.

Technical support is all right, but they will not offer support until we have One Identity running. If we have issues during the deployment, they will not provide support unless we pay for professional services.

Negative

The initial setup was straightforward and took three months because the client had a problematic environment.

Our strategy was to deploy this on a single VM appliance and replicate it to an offline data site public setup.

One Identity Safeguard provides a significant return on investment.

One Identity Safeguard is expensive. The license is around $3,000 per month.

We evaluated CyberArk but found One Identity Safeguard easier to use, deploy, and administer.

I would rate One Identity Safeguard five out of ten.

Do not deploy One Identity Safeguard unless you have extensive training, classroom training, and infrastructure experience.

We have around 100 administrators; our clients are medium and enterprise businesses.

Minimal maintenance is required because it is a virtual appliance, and everything is preconfigured.

One Identity Safeguard is a good solution, and I recommend it.

Our customer is a public service organization with about 800 privileged accounts and 8,000 functional accounts. The client already has a relatively unadvanced identity management implementation. It's a request-based identity management solution. What we're doing now is getting better control of the privileged accounts and getting rid of the old technology.

The end users don't know of an alternative. They are still subject to identity management through what is quite a large, manual process instead of process automation. For instance, the users do not have a self-service port where they can automatically get privileges they don't have today. Everything goes via the ITSM manual control workflow.

It's the manual processing our client currently has that is what we are thinking of improving. The installation was not set up by my team, but our job is to focus on the most sensitive information assets and secure insights into how service and other infrastructure are managed through privileged accounts. After that, we will work on simplifying the everyday user experience.

We work with just the physical appliances. It wasn't my decision. It was what the client already had. Regarding the form factor, just put it in a rack and it works. It's not an issue.

We're introducing the solution's transparent mode for privileged sessions. This is part of what the client hasn't used before. It will simplify their administrative situation greatly. So far, the rollout of this feature has been a seamless process, but we're still in the midst of rolling it out. The benefits will be on the risk side.

Right now, the way accounts are managed, you don't necessarily know who is using an account. There's a shared admin account, and that's not a good thing. And those accounts are shared in wallets by several people. One of the real benefits of safeguarding here is that the client will have an absolute audit of who is using an administrative interface, whether it's server or network.

The identity discovery is good, and the performance is pretty good value.

Something for One Identity to look at is having integration guidelines for how to logically group accounts. This is always something you need people to do. It would be especially helpful when you have thousands of servers, and within each and every one there are between two and five admin accounts.

I have been working with One Identity Safeguard for about six years. I'm a consultant, and I work with various technologies. When One Identity came out with it about six years ago, I was one of the first to engage with it.

We haven't had any issues with the stability of Safeguard.

It's scalable, at least in this environment. I haven't worked in a very large-scale environment with this technology. At least you don't have bottlenecks in your operating system or external virtualization. For this organization with 10,000 people, it seems to be working.

We have a specialist who is super-deep in One Identity and has done a couple of the most complex installations of the solution in Norway. He is better than any support organization you could come up with. He's really special.

Setting it up is not complex. The complex bit is migrating from the various wallet types into Safeguard because users have to be trained in a new methodology of how to use Safeguard. We need to shut down the old access as Safeguard becomes the only way in. That is the tricky part. It's not Safeguard in and of itself which is tricky. On the contrary, Safeguard is simple to use.

We haven't finished the deployment yet, but the plan is to do it over two months. We have six people on our team who are involved with the client.

We have created the training material, and each user gets online training, documentation, and a facilitated meeting. Each user gets a full eight hours of training. The training is distributed over a couple of weeks.

We've been able to manage disruption so far. That is because we provide the users with a semi-automatic tool that makes them responsible for transferring their own accounts from the wallet to Safeguard instead of us doing it for them. And that gives the end user the control they need to not mess up their own secrets. They have access and all the means to make it as non-disruptive for them as possible. I wouldn't call it a custom build, but we've created a process that they have to follow. It partly gives them something that extracts all the secrets from the current wallet and populates them into a Safeguard. But they have to do it themselves and validate that they have done it.

Letting the users have control over their own migration is a key part of the strategy because big bangs usually end up with a big bang. What I mean is that you can end with a big disaster if the users don't feel that they are able to use Safeguard on time, or if they don't know whether their accounts are still in the old process or the new one. The key strategy is to not rearrange privileged groups before the migration. Even though most admin users have too much access, we're not fixing that right now. We will do that after the migration. We want the migration process to be as smooth as possible.

It's not difficult to maintain. Compared to the One Identity software, there is less maintenance. That's why one chooses appliances, to have less maintenance. Just give it power and it works.

Because we're talking about a digital world now, very few organizations question the need for some sort of identity management solution. One Identity makes sense for organizations that have some of their own infrastructure and cannot go fully to the cloud. For organizations that have everything in Azure cloud, it may not make sense to use this solution. For an organization like that, One Identity does not provide any ROI. But for any organization with more than 10,000 people and its own local infrastructure, One Identity makes sense and provides a good ROI.

They have comparable pricing. All identity products are essentially priced in a similar way. It's a per-user base. Usually, they start at one price, and when you start pricing the competition, you typically get a bit of a discount or more favorable payment terms. For example, you might not have to pay until you've enrolled all the users. You don't have to pay upfront for all people in the organization until they've been enrolled.

There are also integration costs and migration costs. That's the big one.

One Identity is the simplest to work with and has the best discovery function. There's very little kludge in the software. It's probably the quickest for going from zero to operational of all the alternatives in the marketplace.

What it lacks, compared to some, is specific SAP integration for clients that have that. Our current client doesn't have SAP, so it's not an issue for them. And potentially, SailPoint has more pre-made connectors. That means if you have a large number of systems you want to provision into, then SailPoint is the way to go. 

As for privileged access management, if you have an abnormal number of servers—more than 10,000—a whole lot of network elements, and several types of platforms, you might have to go for CyberArk.

But One Identity is a very good package for most organizations. It's one of the simplest to use. CyberArk is the leader in the marketplace, but typically, it is too complex and too big for Norwegian organizations. One Identity PAM has the simplicity to fit Norwegian businesses. It has enough features for any medium-sized business under 50,000 people and under 10,000 servers. For those organizations, One Identity is a safe pick.

I would absolutely recommend One Identity.

Very large organizations with complex technologies and a very large number of devices can consider other options. But One Identity has a very good suite of technologies.

I am an independent consultant who assists end users in deploying One Identity Safeguard correctly and creating all necessary workflows within the product. I then ensure its effective utilization in the production environment. I have been working with Safeguard since the beginning and continue to use it presently. Based on my experience, the majority of projects, around ninety-nine percent, involve virtual appliances. While I have performed some hardware appliance installations, I lack extensive experience with them. Therefore, I cannot definitively state whether they are good or bad. However, I can affirm that they function properly.

When we discuss the situation at the beginning of my journey, it serves as a safeguard. So, seven years ago, it primarily revolved around RDP and SSH session control. However, nowadays, I observe that customers are shifting their focus primarily toward password rotation and password management functionality. Moreover, they are increasingly utilizing the permanent analytics capabilities of Safeguard, such as user entity and behavioral analytics. Currently, we utilize all the functionality offered by One Identity Safeguard, including password rotation, password management, session management, and possibly session harmonics as well.

In most cases, we are referring to active directory environments and the safeguards implemented in such environments. This implies a close integration with the domain controllers, which serve as a source of identity information. However, the customers I work with as an independent consultant often utilize password management solutions. This indicates their desire to replace passwords, which may already be in use on certain devices. Sometimes, it involves scheduled password rotation. Additionally, session management has evolved. Nowadays, some customers are not only using RDP and SSH control but also MSS. Furthermore, I have worked on several projects involving HTTPS special control.

The situation as it was seven years ago, the usability and functionality of Safeguard were like three key questions in the case of Safeguard. Unfortunately, several years ago, they still had a sync client, which means a desktop application for one part of the product, while another part of the product was managed through the web UI. Of course, it was not so convenient. But nowadays, all the functionality is managed from the same console, meaning via the web UI, 100 percent. So, from this perspective, I can say that customers are quite happy with the current user interface of the solution.

The most important benefit is that when we talk about the deployment of any PAM solution, it serves as a centralized point for privileged access connections. This includes internal users, such as administrators or individuals with special privileges, like an accountant with additional access to the company's ERP system. This is in contrast to the standard situation where users have a direct connection to the target system, which lacks control. Firstly, a single point is created to enable full control over connections. Additionally, automation allows for quick response in case of any malicious activity. For instance, if the system detects abnormal behavior, such as in an SSH session, it can instantly terminate the session without requiring the involvement of cybersecurity personnel. The advantage of this approach is that it eliminates the need to involve humans in the process, which would take time. With a PAM solution like Safeguard, these actions can be executed within seconds, preventing any negative impact on the target system.

From my perspective, using the transparent mode is quite easy. However, from the customer's point of view, they should take the time to understand how it works properly. Once they grasp the concept of how this mode operates, which is made possible by the unique technology at the core of Safeguard's privileged session module, it becomes a significant benefit. Some customers may find it necessary to review this aspect carefully. Nevertheless, once they comprehend the intended functionality, everything else becomes straightforward.

I did not observe any issues concerning the rollout of the transparent mode for our users.

Monitoring privileged accounts using transparent mode is much easier from a user perspective, as it is almost invisible to them. What we are discussing is the deployment of Safeguard in transparent mode. From a monitoring standpoint, unfortunately, it does not prevent the injection of certain credentials. However, in terms of monitoring functionality, it is almost the same. Therefore, I cannot say that there is a significant negative impact from that perspective.

We utilize the secure remote access feature for privileged users. The majority of my projects involve contractors and third parties rather than direct employees.

Without One Identity Safeguard, managing remote access would be significantly more challenging. Safeguard is the tool that, from my perspective and based on my project experience, enables customers to have complete and effective control over remote access for both their contractors and internal infrastructure. It is remarkably user-friendly. Therefore, there is no distinction between deploying Safeguard for securing our internal network and implementing it for managing remote access from third-party networks and beyond.

It is nice that the Secure Remote Access feature does not rely on VPN; however, all of my customers continue to use VPN and utilize a VPN panel to manage remote access via Safeguard.

A dealbreaker for customers is the capabilities of the privileged analytics module, which can be extremely useful in certain cases. From a functionality standpoint, I would like to emphasize One Identity Safeguard architecture itself is quite mature. It offers high availability and enables end users to deploy the solution with 99.999 percent uptime, which is crucial in an enterprise environment with a large number of endpoints.

The main point regarding the user experience is that Safeguard has two separate management consoles. Both are web-based user interfaces, specifically HTML-based. However, they are completely distinct consoles. It would be preferable to have a single management console or tool instead. This would allow for a unified point of connection to all nodes, enabling the management and creation of policies, connection requests, and other related tasks.

What I saw and heard from the customers is the control functionality of the HTTP session. Nowadays, there are numerous blind spots in the current organization of HTTP session control functionality. It should be addressed in the latest version, as some competitors already offer unrestricted functionality.

I have been using One Identity Safeguard for almost seven years.

From a technical perspective, Safeguard has two distinct development lines, let's say. The first one is Long-Term Support, which can be considered quite stable. However, when we discuss the non-LTS branch with new functionalities, I must admit there have been a few instances where we encountered some rather strange and interesting bugs. While the non-LTS branch is less stable, it still qualifies as a production-grade solution. In most cases, any bugs that arise do not automatically affect the user experience, overall system functionality, or the ability to control the privileged environment. Nevertheless, there are occasions where these bugs can be quite amusing, requiring us to reach out to technical support and submit a new ticket to have them resolved.

Safeguard is highly scalable due to its architecture. From my perspective, it is one of the most scalable solutions on the market among other Privileged Access Management solutions.

During many projects, we contacted standard support. I mean, even without the premier support contract, we simply created some tickets. We had several video calls with the One Identity team, and I can confidently say that they are highly supportive. Sometimes, for non-critical issues, they may take a long time to respond. However, when it comes to physical issues, they are extremely prompt in their responses, prioritizing them based on the defined priority during ticket creation. They strive to be fully engaged and invested in resolving the problem.

Positive

I previously used WALLIX Bastion, CyberArk Privileged Access Manager, and senhasegura.

CyberArk is a great solution from a functionality standpoint. It offers interesting features in certain cases, which unfortunately are absent in Safeguard. However, from a customer perspective, there are some issues. At times, I wasn't involved in the evaluation procedure when our customers wanted to determine the ideal solution for their use cases. CyberArk can be overly complex in this regard, with numerous different modules, each requiring a separate license. Consequently, the overall cost of the project and solution would be much higher compared to Safeguard. Nevertheless, from a technical standpoint, CyberArk is quite impressive. Yet, it remains overly complex for end users, both in the business and technical teams, and the pricing is not the most competitive.

Regarding WALLIX, I must say that it sometimes has certain peculiarities that are difficult to describe. The way they create the management console and the principles for managing their solution is rather strange. Understanding their approach fully requires reading the documentation several times. Senhasegura is also a decent solution in my opinion, but it is not yet mature enough. They offer a wide range of functionality and modules, but the lack of separate licensing, as in CyberArk, is a plus. However, during deployment and setup, we may encounter some issues. In general, they claim to provide a lot of functionality, but it is not as detailed as Safeguard.

The initial setup is straightforward. Based on the experience of some of my customers, they didn't involve me during the initial deployment phase, but later on, during some kind of policy setup phase, and so on. I can say that even inexperienced users, customers who saw Safeguard for the first time, were able to fully deploy Safeguard by following the official documentation, which is detailed and helpful. They were able to deploy all the necessary components, at least four SAP and one SPS. So, it's a basic deployment process that my customers were able to complete within a couple of days without any issues.

To deploy virtual appliances, in my case, it will take a couple of hours, or perhaps several hours for complex deployments involving geographical distribution between different customer sites, among other factors. However, when considering the entire project, it includes not only the initial deployment phase but also connecting to the active directory, creating necessary policies within the products, and setting up integrations with third-party solutions such as SIM. I've heard that the longest projects with Safeguard lasted around four and a half months.

The number of people required for deployment varies based on the size of the deployment, but typically, between one and two people are needed.

We help our customers with their implementation.

The pricing depends on our perspective, our budget, and, of course, the competitors we are taking into account. For instance, when comparing it to CyberArk, Safeguard is considerably more expensive initially. However, from my viewpoint, the pricing of Safeguard, in comparison to CyberArk, is quite straightforward and logical. What I mean is that we have dedicated licenses for each appliance, as well as licenses for premium users or target systems, and that's all. There are no additional modules. Therefore, in some cases, it may be relatively expensive, but on the other hand, it is logical and straightforward.

I give One Identity Safeguard a nine out of ten.

Privileged users continue to utilize their connection to the target systems, thus remaining unaffected during the deployment process.

Normally, reading the documentation would be sufficient to start using Safeguard for both those who manage the solution and the end-users. However, in real life, I conducted some technical training sessions for Safeguard administrators and Safeguard end users. For end users, in most cases, a two to three-hour training session was enough to familiarize them with the management console. This console is used to request extensions to target systems and perform other related tasks. On the other hand, administrators usually required six to eight hours of training. However, the duration can vary depending on the specific project. For instance, a standard deployment with four nodes would differ from a non-standard deployment with twelve nodes distributed across an entire continent. In such cases, customers may need additional training to ensure business continuity in the event of issues occurring at a specific site. This training would focus on the technical aspects of implementing a business continuity plan.

When preparing to deploy Safeguard, our first step is to engage in a comprehensive discussion with the customer regarding their project goals. We inquire about the specific reasons behind their need to incorporate a PAM solution. Once we have a clear understanding of their use cases, we proceed to address the technical aspects. From a technical perspective, one of the most crucial questions is to define the scope of the target systems, including the types of operating systems and protocols that will be utilized to establish connections, such as RDP, SSH, HTTP, or MSS. After establishing the scope of the target systems, we then proceed to define the scope of the end users who will utilize Safeguard. These users will establish privileged sessions with the target systems. Additionally, we determine the source of identity information for privileged users, which is typically the active directory, although, in some instances, a DAP service deployed in the customer's infrastructure may be utilized. Once these preliminary steps are completed, we have all the necessary tools and information to proceed with the deployment process itself.

Our administrators mainly use it to protect their different packages and access secrets through Safeguard, either by checking out credentials, using encrypted sessions, or utilizing the product's API.

We are using a virtual appliance deployed in the cloud and on-premises.

The centralized storage of secrets and credentials prevents them from spreading throughout the organization. We know who has control over them and who has access. Before Safeguard, there might have been a few Post-Its stuck on screens, which isn't secure.

We have also gained visibility into the use of privileged access. It's way easier for us to see what, when, how, where, and why. We now have a good way to provide justification for doing things, instead of relying upon people to remember. Now we can demand that. 

And the rich level of logging, including visual logs with video recordings of sessions, has given us more confidence in our security posture, where we have onboarded the system.

The whole product solves the privileged access management challenge for our company. We have a secure tunnel, a secure session manager, and automatic logging of sessions, which is good for forensic purposes. We have a rich level of logs and can trace what happened on which machine and see who did what.

Feedback from our users on the usability is positive regarding the UI experience. Instead of keeping their credentials on them somewhere, they now have a very easy-to-use portal with a nice GUI. There has been some feedback from people saying, "Couldn't it do this," or "Now I have to do that". But that's basically change management and not a real problem. There is some getting used to the UI, but I think the UI is very easy to understand and to use. The usability is very good and that's one of the main ways Safeguard stands out from the competition.

Safeguard, the way I see it, has two different parts: vaulting and sessions. And those two are running on different platforms. The vault itself is a locked-down Windows box, which isn't really causing any trouble. The session part is on a Linux box. They sell them separately, but together, they need to be more unified, at least from a UI perspective when you're using it as an administrator. There are some "legacy-level" menus and ways of using it that I don't really appreciate. 

We are using it completely web-based, not through a fat client. The browser experience of administrating SPS (Safeguard for Privileged Sessions) needs a lot of attention from an administrative perspective to make it easier. The readability of the system itself is quite poor. 

A user never really engages with that part. It's only the administrator, and maybe an auditor, who are subjected to using those menus and tools. 

So the SPS could be a lot easier to administrate and the parts should be unified, from a design perspective, so that I can recognize the systems as being part of the same package. They feel like they have been forced together.

We started implementing One Identity Safeguard about one and a half years ago.

It's very robust. We haven't had any issues with Safeguard's stability. 

We have done a few things that have "annoyed" it, but it has always come back. We tried to upgrade one of the session nodes, and we did it in the wrong order, but it pulled through anyway. That was quite impressive. If you deploy it on virtual servers as we have, with a virtual appliance, if you have that under control, Safeguard itself is not an issue, at least for the time being.

I believe we may have done a bigger deployment than we actually need. We were advised to use a node and another node to have a little bit of a cluster function. We went even bigger than that, so we are using the biggest version of what they recommend. 

But I don't see scalability as an issue. I don't think it's something that Safeguard does particularly worse or better than anyone else. It's easy to deploy another node for the same function that you already have. Or if you want to replace something that doesn't work the way you want it to, you can switch it. It is very scalable. We haven't touched the limits of what it's capable of and I don't think we ever will.

We have about 150 users at the moment.

I don't think we are using One Identity's Premier Support. We are using some level of support from them, but that support is handled by our partner. If we raise an issue, our partner coordinates between us and One Identity. 

We did not have a previous solution.

There are different kinds of solutions that Microsoft provides, called PIM, instead of PAM. It's for cloud-based roles and privileged access. We were using that before Safeguard and we are still using it for that specific use case. But we didn't have another privileged access management solution, other than human administrators. It was surely needed.

Just getting a PAM solution is many steps better than what we had before.

The initial setup wasn't really complex. We are using the virtual client, so it was fairly easy. We didn't really have to do any setup. We just had to start a virtual machine and run the appliance, following their documentation, which is very good. It was quite easy. 

We are utilizing a partner for getting started so I didn't find it hard to start. 

Among the things that you need to look out for, and this applies to every product, is how it fits into the network that you are going to put it in. There are a lot of specific ports that it needs to be accessed through, and you should probably keep it as locked down as possible because this system shouldn't be exposed to any other environment. That is a hard task to complete. That is not a fault of the product itself, but it comes with that can of worms. 

And, of course, you have the certificate questions, the different certificates that it needs to validate sessions and keep them secure. That's quite tricky as well. Again, it's not really a Safeguard issue, but your organization needs to know that these are considerations when you start.

Our technical go-live with the solution took three or four months. That was mostly related to our network issues and finding all the different ports that needed to be opened and closed. But starting the application and using it, running the GUI itself, is a matter of days. It depends on your organization and how well-equipped it is for this type of change.

We didn't force any big changes. We were debating if we should onboard our current privileged users and then force them, from day one, to use the system. Instead, we did a side-by-side solution where we started alternative users on it and then told our previous users to use it instead. And if that, somehow, was not satisfactory, they could still use their old account to complete the work. That way, we didn't jeopardize production. Every time we received feedback such as, "I need to use my old account because I cannot use this new Safeguard version," we needed to adapt and improve. 

Once there were no more complaints, we started shutting down the old users who had not been onboarded to Safeguard. We didn't want to bring major change in an instant. We led them to the Safeguard solution and let them try it out, give us feedback. Generally, they found it easier to use Safeguard compared to their old ways and they started preferring it. When we saw we had no risks left, we disabled the accounts that they were using before.

In terms of training, for the admins we had a five-day course, which covered the basics. I did not receive that course, but I didn't really need it. The right partner can explain enough to you, in small sessions, about what you need to accomplish. And the user experience itself is so intuitive that you understand what you're doing. And their documentation is very easy to search and use. You don't really need much training. Of course, you need to understand how you affect different systems if you connect them to Safeguard but that depends more on your own organization than on what Safeguard is.

End-users just need a basic introduction to tell them, "Please go here, use this." They log in with known credentials and the same password as everything is under MFA. It's nothing new to them. And the user experience is very simple for them to check out the privileges that they need for the moment that they need them. That's quite self-explanatory.

We had a partner called Intragen International that helped us understand the best practices for deployment and what not to do. We had them as an adviser, but we performed every step in-house. They didn't have any access to our system. They were more of an adviser.

I believe we have a five-year deal in place, and it's an all-you-can-eat license. It's not user-based.

We also pay our implementation partner. We have a support deal set up with them, so that's a cost we have added on. But it's not applied to the Safeguard bill. The advisory role that they provide us is something that we decided we need.

We looked at the product from BeyondTrust. And we looked at CyberArk because that's what you need to do when you start this process. We also looked at a couple of other products, market leaders, according to review sites. But we mainly looked at CyberArk.

We, as an organization, realized quite early that privileged management access is hard. There were solutions that, like CyberArk, were very advanced and had huge legacy support with every type of system known to man. That was very interesting because you never know what you might have. But when we looked into CyberArk, we also felt that the system was a leader because they were first, not because they were the best. It seemed to be quite complex to deploy. Knowing our limits, we felt the Safeguard solution was more of a fit for us, and the user experience was way more intuitive than the CyberArk version. 

Looking at the other competitors, they were more leaning toward a cloud-based solution or were going that way. Of course, we are always trying to get to the cloud—you never get there, but you always talk about it—and we felt that if we were going to keep all of the secrets of the company anywhere other than in our own environment, it would almost be irresponsible to have it on a vendor that always puts things in the cloud. That essentially meant we wouldn't know where they would be.

By deploying it ourselves, at least we know where the keys to the kingdom are, and we control them. The other vendors were not selected because they were too cloud-oriented for such an important part of our company. We needed to keep it ourselves and keep the responsibility in-house, and not put it anywhere else.

Safeguard had the same philosophy, allowing us to do a virtual appliance that we deployed ourselves in our own data centers, keeping every bit of information inside our walls instead of putting it on the cloud. With CyberArk, we could do that as well, but it sure seemed way harder, so we skipped that.

To prepare for Safeguard you need to know your network, and if you think you do, you don't. You need to have network personnel available during the deployment to maintain tempo in the deployment. If you don't have access to people who are able to change things in the firewalls and the like, you will stall. 

The documentation, what you need to do, is very clear, but every network is different, and you really need to know where you put your Safeguard solution and that you have access to people that can help you fit it into your existing network. That's a very important step.

You also need to know what "high privilege" means to you because it's not defined in Wikipedia. You cannot go there and see what applies to your systems. You need to know that yourself. Be sure about what you want to protect and what levels of protection you want, beforehand. 

And, as I mentioned, there is the issue with certificates, which is an issue for every company. It's quite a hard thing to know. Not everyone is a professional when it comes to certificates. You may need to know the certificate chain, and you might have to update it with new information and roll that out to your organization. That might not be your first thought when implementing it in your system. 

But the main focus is the network, especially if you're also going to deploy Safeguard in your own cloud. That creates a little bit more of a challenge.

We use their product called Active Roles as well. We haven't really done any integration with other parts of our business. We have just given administrators and people with high privilege a secure way to access their systems through RDP and SSH. But we have not integrated any robots or development flow as of now. We are too young in this journey.

We are using One Identity Safeguard for our data protection.

We are utilizing the virtual appliance solution because it is slightly more cost-effective and allows us to manage it remotely.

Secure Remote Access feature is being utilized by non-technical users, primarily for multi-factor authentications. We are implementing MFA; however, some users in our branch are not yet connected. Consequently, we are resorting to using a VPN in our access control measures. At times, we have also employed remote branches for auditing and monitoring any potentially suspicious activities. Our endpoint security is consistently updated and ensures encryption for all the internet services we utilize.

It is important that the Secure Remote Access feature does not rely on a VPN. One Identity Safeguard provides us with the ability to manage access to the system network and data from our remote branches through the Secure Remote Access feature, ensuring a secure and confidential connection on the backend.

We have integrated One Identity Safeguard with our DevOps processes to assist in managing the parameters. Prior to the integration, we used to wait for certain automation related to security, either already completed or sometimes people would proceed without reporting. However, after the implementation, it has proven to be highly effective for security testing through automation at various stages, particularly in the pipeline, and for conducting critical analysis. This has significantly improved our understanding. 

There are numerous valuable data protection features, including the content and information that offer us more scalable protection as needed.

We also have access to immediate support for situations that we are unable to handle.

Some of our users find the functionality a bit complex, and it could be made more user-friendly.

The integration of automation, security monitoring, and secure configuration can be enhanced. We can integrate these elements using Ansible or any other necessary tools. This would be advantageous in terms of time and effort saved during implementation, especially when dealing with merged branches. This approach will guarantee that the code is approved, tested, and verified, potentially resulting in substantial time savings.

I have been using One Identity Safeguard for ten years.

Premier Support is valuable because it enables us to receive prompt assistance whenever we encounter any type of issue.

Positive

The time to deploy varies from a few minutes to several hours depending on the scenario.

We integrate security tests into our CI/CD pipeline for privileged users to ensure that these users are not affected.

We also assessed CyberArk, which is a more robust Privileged Access Management solution compared to One Identity Safeguard. However, it comes with a significantly higher cost.

I would rate One Identity Safeguard an eight out of ten.

We conducted training sessions for all employees and managers in our company. The training was tailored to each person's skills in order to streamline the training process and facilitate the deployment procedures.