One Identity Safeguard Reviews

I have hands-on experience with One Identity Safeguard and attended the foundation course in the end of last year. My primary goal is to make use of the cross-product capabilities joining IGA (Identity Manager) and Safeguard (PAM) to achieve Privilege Access Governance (PAG) since lots of customers are asking for this. The trend show consolidation within the IAM market and cross-product solutions is becoming the new standard.

Most important, very easy to setup.

Safeguard for Privileged Passwords (SPP)

I have been using asset and account discovery. This means the product will assist in identifying privileged accounts across hosts, directories, and networks.

Other features include workflow and access requests. Typically time-based, which is best practice to restrict access. Workflows can have one or several approvers.

The "activity center" where I can place my custom queries and get automated reports. This will collect over time and you can see what has happened for a certain user.

I like that the upgrades are not complicated, if the appliance is clustered this is handled automatically.

Great variety of support for different platforms and protocols.

Safeguard for Privileged Sessions (SPS)

I have used something called centralized policy enforcement. You can set up a gateway proxy for privileged sessions where you are applying authentication, access controls, and security policies. This is for endpoints such as SSH, RDP, and telnet.

Then I have used session recording and audit trails. When the recording is being made, it actually records at the protocol level, meaning it can capture keystrokes, mouse input, and the GUI. The recordings can be digitally signed.

Real-time monitoring alerts. It can detect violations according to a policy. If there is a destructive command that is dangerous, it can look for those and can trigger an alert. If we want, it can also automatically terminate the session that is ongoing. Everything is indexed and searchable. It is like a forensics investigation and you can do searchable playback.

User behavior analytics. This is some kind of integration where in real time, it can detect anomalies, something that is not normal, and do some deeper insights on that matter.

I have successfully connected Identity Manager (IGA) to Safeguard to achieve Privilege Access Governance. This is being possible by using an OOTB connector in Identity Manager to talk to the Safeguard system. I can govern the data from Safeguard and provision PAM accounts from Identity Manager to achieve a complete lifecycle.

Documentation can be much better and they should provide typical use cases to get started more easily.

SPP and SPS has separate portals (even if they are joined). SPP seems to be a more mature product and the SPS seems to be less updated in its UI and has more technical depth when configuring.

I have been working with it for a couple of months.

Straighforward.

Using the virtual appliance is quite easy. You download the hypervisor file, everything is already included. There is one appliance for the SPP and one for the SPS. SPP requires a Windows license and to activate it you must have internet access. It was a little headache to get it working.

I'm rating the product 8 of 10 out of what I have seen so far, I'm satisfied by the features OOTB and the integration with the Identity Manager. Also the usage of Remote Access (SRA) and Cloud assistant should not be missed.

My main use case for One Identity Safeguard in day-to-day work is to provide identity across all user accounts and domains, and it improves security across the enterprise by providing enhanced features with respect to this identity solution.

I primarily use One Identity Safeguard for protecting security across all user accounts, enterprise data accounts, assets, as well as privileged access, domain user, and admin accounts, giving SSO features and providing security across all user accounts.

One Identity Safeguard offers the ability to identify and revoke access easily for terminated accounts, which reduces risk and simplifies control of access in case of detected threats.

It reduces a lot of risk and saves time; every account is synced, and it can grant access with role-based permissions across all users quickly, alerting us if any threat is detected.

I find that the deployment of One Identity Safeguard is very easy, with good integration and scalability of user accounts, enhancing feature capabilities and providing strong product support.

The user interface can be improved for better searching of user accounts, and if One Identity enhances its support in that area, it would be very helpful.

If One Identity improves integration during migration from other platforms, it will definitely enhance the overall experience.

If the integration and connectivity can be improved during deployment, it would greatly aid the overall experience.

I have been using One Identity Safeguard for more than two years.

As of now, I have not experienced any downtime or reliability issues with One Identity Safeguard.

One Identity Safeguard's scalability features are good, allowing me to improve the scale in terms of resources and user accounts.

For small issues, I have raised support cases with One Identity, and the team has been very cooperative and responsive in providing support and documentation.

I previously used SailPoint, but One Identity Safeguard is better in terms of product features.

The deployment took three phases: first, I got support from the vendor for integration, second, I deployed across all users, and finally, I identified any associated risks.

I performed the deployment in different stages for not all users, ensuring that privileged user accounts transitioned smoothly onto One Identity Safeguard.

I had some formal sessions from the vendor that provided visibility into improved features, capability, enhanced security control, user accessibility, and granting access, and the team is very comfortable now.

I saved both money and time as a result of using One Identity Safeguard.

I did not face any challenges with pricing, setup costs, and licensing, but for improved features, I need to address licensing.

Before choosing One Identity Safeguard, I evaluated Saviynt, Delinea, and Octa, finding One Identity Safeguard to be the most suitable.

In the context of increasing cyber threats across organizations, I would advise others that using One Identity Safeguard is crucial for protection. I would rate this review a 9 out of 10.

Our main use case for One Identity Safeguard is for business development activities by understanding and communicating platform security features to clients.

We generally use One Identity Safeguard for managing privileged accounts and session monitoring because we have mass emailing, which requires privilege IDs and sensitive data management. The HR department focuses on this, along with the main manager, to utilize platform controls and limit data access for security and compliance. Session monitoring ensures that all our work in the mail marketing system is detected, and if any suspicious activity is identified, it is reported to management.

One Identity Safeguard is also used for audit logs and reporting features, helping to reduce the time and efforts needed for audits.

The best features One Identity Safeguard offers include session monitoring, secure remote access, a security-focused approach, and privileged access control, which stand out to me the most.

Session monitoring and strong security features allow real-time control where the manager can watch live sessions and review recordings, providing a strong layer of security. The interface is friendly, and there is strong protection that builds trust, knowing that the manager has confidence in the system.

One Identity Safeguard provides very clear and detailed records of privileged access and user activities, making compliance with requirements easier, and the reports are customizable as I usually work upon them.

One Identity Safeguard has saved us security time, improved security, better compliance, increased trust in employees, and reduced risk since the tools provided by the company are now in safer hands. Security incidents have decreased significantly according to my seniors, and faster detection of unauthorized privileged access has become easier due to quick responses when someone uses an account without proper authority.

There is a need for user training, as we had about a week of training for all employees on how to use One Identity Safeguard. The integration part seems a bit challenging because some tools cannot be integrated properly with it.

There should be support for non-technical users as well.

One Identity Safeguard has strong security which is great, but there is a bit of complexity for interns and others, and documentation and training are crucial. I believe there should be training, especially for non-technical users and interns. A week of training is beneficial, but even a day would be sufficient since I learned a lot about using the product in just one day. However, special guidance is necessary to avoid future difficulties.

I have been using it for around eleven months.

One Identity Safeguard is a good product, but if your organization plans to adopt it, they should conduct training for a day for the management before proceeding. I rate this product an eight out of ten.

My main use case for One Identity Safeguard is using only one module for privileged session, which we use for admins and contractors.

A quick specific example of how my team uses One Identity Safeguard day-to-day is that we use only the second part for our contractors, not for admins in our company, but for companies that help us perform admin work and support our system.

The best features One Identity Safeguard offers include video recordings to help us control our support risks.

Accessing and reviewing those recordings when needed is easy, and there are no problems with recording or reviewing.

One Identity Safeguard has positively impacted my organization by helping us manage risk. We have this product as Balabit, which is a good product that is very light and helps us check or assist with our needs.

One Identity Safeguard could be improved with a password manager and an identity manager as one big access management system.

I believe improvements could be made around integrating with other tools.

I have been using One Identity Safeguard for eight years.

I rated One Identity Safeguard nine out of 10 because the stability and control could be better, as there are some problems with stability and errors when we use it.

As my organization grows or my needs increase, it is easy to add more users or expand the use of One Identity Safeguard, and that experience has been good.

I would rate the customer support for One Identity Safeguard as eight on a scale of one to ten.

Positive

I did not previously use a different solution before One Identity Safeguard.

The deployment of One Identity Safeguard solution took one or two days.

The deployment affected my privileged users in a way that was pretty smooth.

Before choosing One Identity Safeguard, I evaluated other options based on simplicity, price, and functionality.

Feedback from users regarding One Identity Safeguard's usability and functionality is that it is a good product and very simple to use.

My advice for others looking into using One Identity Safeguard is that it is a great solution for simple tasks, with a good price and good functionality.

My company does not have a business relationship with One Identity Safeguard vendor other than being a customer.

I rated this review nine out of ten.

We are using it internally because I work in a consultancy company. I use it both for our internal privileged accounts. We have different systems like Google Cloud, some internal servers, data centers, etc. To secure those privileged accounts, like the administrator accounts and root accounts, I use One Identity Safeguard to rotate passwords, authorize sessions, and more. The second use case is that we also implement One Identity Safeguard for different customers.

The most significant benefit is that in the past, we saved passwords in Notepad files or Excel files. Now, we do not, and we have more security. We do not have saved passwords or plain text passwords in different places within the organization. That is probably the most significant benefit regarding security.

In terms of integrations, we have basic integrations for our Windows and Unix servers. We do the transparent connection for LDP and SSH, and that is all. The integration is simple overall for this kind of connection. However, if we want to integrate different consoles or different systems, it is a bit more complex because it is not so much out of the box, but for our current systems, it was very easy.

End-users require just a couple of training sessions and some documentation, and they are ready to go. They can start using the tool as an end user in a week or less. Managers or administrators require a technical specialist training workshop, which is a full-week course. After that, they need one to three months of training with laboratories and documentation. They would need at least three months to work well with the platform.

There is ease of implementation. Compared to other PAM solutions, it is easy to implement and use from an administrator's point of view. That is the most important benefit. It is very simple to implement and use.

We should be able to create customized connectors in a better way. For ad hoc or special use cases, I sometimes find we have limitations. Improving the way we develop new connectors for non-typical systems would be beneficial. 

Another area for improvement could be the threat detection capabilities, like those seen in other PAM vendors. The ability to detect strange behaviors during a transparent connection or detect risky sessions and respond immediately would also be a good improvement.

We have had good feedback about One Identity Safeguard, but for LDP and SSH sessions, when we have to connect to a different console, such as a web console, the customers sometimes complain about the efficiency of the sessions. It takes extra time, and the user experience is not so good when you are using different connectors than normal ones.

I have been using it since 2020, so about five years now.

I would rate it a nine out of ten for stability. It is like a black box. It is an appliance. It is difficult for things to go wrong.

It is scalable. I would rate it a nine out of ten for scalability. It is easy if you need to implement resources.

In our organization, we have 15-20 people working with this solution. Our clients are medium enterprises.

We use their partner support. It is usually okay. When I have day-to-day incidents and problems, the response is good enough in terms of time and quality. However, with complex problems, the response is not as fast.

Neutral

I have experience with CyberArk. I would say CyberArk is a more complex solution in terms of implementation, day-to-day administration, and maintenance. It is more complex and difficult in some ways, but for advanced or difficult connectors, CyberArk has more capabilities to develop customized connectors. It can cover more special or ad hoc use cases, but at the price of more complexity overall.

One Identity Safeguard is at the top level because it covers almost all the general PAM use cases. It covers password rotation, transparent connections, threat detection, isolation, etc. It can cover the needs of most organizations. We have also been able to better cover more complex use cases with One Identity Safeguard than with other PAM solutions.

We have a virtual appliance. We chose the virtual appliance because we were already using a virtual machine infrastructure, so it was easy for us. Our implementation is not complex. We do not have a lot of regulations. It does not matter if we lose connectivity. It is not the end of the world, so for us, a virtual appliance was good enough. It was easier to implement. We do not need to rely on physical devices.

To implement and be functional, it takes days, probably one week, but when I go to a customer and need to do all the configuration and integrate systems, it can take a couple of months overall. It takes days to implement, but configuring and integrating everything can take some months.

In terms of maintenance, it requires less maintenance compared to other PAM solutions. There is not much maintenance regarding the infrastructure. They are, black boxes or appliances, but they do require maintenance in terms of day-to-day configuration, permissions, and connectors.

We did not cover many use cases regarding efficiency and cost reduction, so we did not see ROI directly. However, being more secure makes it less probable that we will suffer an attack or data loss, which is a cost reduction, but I did not see much time reduction. There is about 10% savings.

It is cheaper than CyberArk. Its price is fair.

We use the solution’s transparent mode feature for privileged sessions. There was an impact on the users with the roll-out of this feature because we changed the way people were connecting to systems and faced some problems like communication and networking problems. People did not have the correct permissions at the time. That was a bit of a problem, but we now have a seamless integration. It took us a couple of months to have everything working.

I will recommend it to some customers because it is easy to deploy, administer, and configure. The price is fair. The scalability is also good.

Overall, I would rate it an eight out of ten. It covers pretty much all use cases, but sometimes there is a lack of customization.

Our main use case for One Identity Safeguard is to manage and secure privileged accounts, session monitoring, and recording for audit purposes while also providing controlled access to vendors or our internal team, and enforcing least privilege access.

The best feature of One Identity Safeguard, in my opinion, is its session monitoring, which includes full visibility with session recording, user-friendly access control, and helps in a compliance-ready environment.

The session monitoring feature of One Identity Safeguard stands out because it provides full visibility on which user is accessing which servers at what time, collecting all these logs and also providing data that can be used for audit purposes.

One Identity Safeguard has positively impacted our organization by providing strong security, compliance, and the data required for audits, making it really helpful.

One Identity Safeguard is working perfectly for our organization. The initial setup could be simplified, and more documentation would be needed for faster implementation.

I have been using One Identity Safeguard for more than two years.

One Identity Safeguard is stable.

One Identity Safeguard is excellent regarding scalability.

Customer support is good; they are technical experts and efficiently resolve issues.

The deployment of One Identity Safeguard took less than two weeks to fully implement and use.

We have integrated One Identity Safeguard with Active Directory.

The integration with Active Directory was straightforward.

The integration with Active Directory has simplified our work for managing user data.

There is a very good return on investment from One Identity Safeguard, as we are saving time along with money.

I advise anyone looking for a solution for security audits, session monitoring, or access control to consider One Identity Safeguard as one of the best solutions available in the market, so it is highly recommended.

One Identity Safeguard's main use case for us is securing and controlling privileged access to critical systems.

A common scenario with One Identity Safeguard is when a system administrator needs to access a production server for troubleshooting. Instead of logging in directly with a shared admin credential, the request is first routed through One Identity Safeguard for approval, which helps us with fine-grained control and accountability for high-risk administrative tasks.

The best features of One Identity Safeguard in my experience are its session recording and live monitoring capabilities, which give us visibility into what administrators are doing during privileged access.

Session recording in One Identity Safeguard has been especially useful for troubleshooting and audit purposes, adding a strong layer of accountability and making investigation much faster and more accurate.

The implementation of One Identity Safeguard has had a noticeably positive impact on our security posture and daily IT operations, helping us tighten security and gain operational visibility.

The positive outcomes from One Identity Safeguard have been quite clear for our team. From a security perspective, it has significantly reduced the risk of uncontrolled privileged access by enforcing approvals and session tracking, improving security visibility and operational efficiency at the same time.

I have been using One Identity Safeguard for around two years now, and my experience with it so far has been exceptional and reliable.

One Identity Safeguard is very much stable in my experience.

One Identity Safeguard's scalability is nice and it handles growth or increased users well.

The customer support for One Identity Safeguard was good, and the process was smooth.

We did not use any other solution before choosing One Identity Safeguard.

The deployment of One Identity Safeguard in our environment took roughly a day's involvement.

The deployment of One Identity Safeguard had an initial adjustment phase for privileged users, but overall the transition was fairly smooth.

The training required to start using One Identity Safeguard was straightforward for both those who manage it and for end users.

Feedback from users regarding the usability and functionality of One Identity Safeguard was positive.

I have seen a return on investment by using One Identity Safeguard, which has reduced the time spent on managing privileged access and impacted the budget by reducing costs by an estimated 20 to 25 percent.

The overall experience with pricing, setup cost, and licenses for One Identity Safeguard was positive.

We did not evaluate any other option before choosing One Identity Safeguard.

For anyone considering One Identity Safeguard, I would suggest starting with a clear plan for what you want to achieve from a security and user access perspective before deployment, as a structured rollout approach makes the adoption much smoother and more effective. I have provided a review rating of 10 for One Identity Safeguard.

The purpose is to ensure that privileged users do not know their own passwords.

Our organization is more secure, and we are confident that the privileged users who are using the systems are actually the users they claim to be due to two-factor authentication because we are using two-factor authentication in One Identity Safeguard. 

It is easy for us to revoke access as well. Previously, we did not know who had access to a system, but now, we can see what access is currently open to systems directly from one single pane of glass, allowing us to revoke that access if necessary. We have limited the possibilities for malicious actions and have made it safer for our users when they are using privileged accounts. They only have privileged access when using that account, but they do not know the password. While nothing is 100% secure, it is more difficult to misuse that privileged account. In the past, IT administrators could log in with domain administrator access on their normal PCs, which made everything work without needing to elevate their rights. Now they cannot do that because they no longer know the password. They are required to go through One Identity Safeguard to elevate their rights.

In the beginning, we had some pushback from the administrators because they could not log in directly to a server or a system. They have to go through the web interface and log in. We had to educate them and put in a little bit of effort. We made them aware that we were also taking risks away from them so that nobody could misuse their credentials. People become administrators only when they want to use the system. When they are done using it, the account is disabled, and administrative privileges are revoked. 

Previously, we had external consultants who had accounts, but we did not necessarily know when they were using the account. We now know because we have put up an approval flow. The external company needs to request access for a user, they need to call us and provide a ticket number. We then can approve it. We can also approve them for a specific duration, such as two hours. After that, the user needs to request access again and he needs to be approved. We now know when external people are using our systems. All the external privileged users are now disabled, which were not disabled before because we did not know when they needed to use the system. They did not have a normal user and a privileged account. They just had one user who could log in to the systems. Now, they need to have a normal user that can log in to One Identity Safeguard, and then the privileged account will only be enabled when we have approved the access to the system. The normal user does not have any access besides logging in to One Identity Safeguard. So, there was some pushback because administrators had to raise a ticket. We also tightened up our ticket system to ensure that IT does not do any work unless there is a ticket.

Our management can see that our security posture has greatly improved because, on a normal day, we do not have any privileged users who are enabled, so it is very difficult to elevate access to various systems. If they are not active, privileged access is revoked, and there is no access without a ticket.

We use the transparent mode feature for privileged sessions. It is very easy because it just goes through the Safeguard session. That session is used as a proxy now, so we can limit our end-user's access to server assets. Only the session has access to the servers, so we can do micro-segmentation in a different way now on our network.

The transparent mode is rather seamless because the user does not see this Safeguard session. They only see the Safeguard for privileged passwords because that is the interface that is there, a single pane of glass. When they request access to an IDP session or server, they see a different background because it goes through the process that does the recording but the users do not see that.

The transparent mode helps to monitor privileged accounts which we could not do before.

We have integrated it with test and development. They do not know the password either. Previously, they were the kings of their kingdom, whereas now, they are just users of their kingdom. They also now have to go through One Identity Safeguard.

If a privileged user does something malicious or suspicious, with session recordings, we can see what happened. We can see this person authenticated with two factors when he logged into One Identity Safeguard. If it was not something malicious, we can use this information to become better so that the issue will not happen again.

The implementation time was quick. It was basically up and running within a week. 

I like the features that allow you to rotate your password, give you access to an RDP session without knowing your password, and record sessions. This is helpful for external people coming in, as we can review what they have been doing and use the recordings for training purposes. For example, if I want to upgrade a system that an external consultant did, these recordings can help identify issues. We can set different keywords to cut off a session if something malicious is detected. We can prevent a malicious action.

We use it to log in to various systems such as Linux and Windows, which is very convenient. There is also a personal vault for browser use, allowing us to save credentials for business-related websites securely. If a user leaves the company, I can assign that vault to another user. I can share credentials, save files within One Identity Safeguard, and ensure that certificates and license numbers are securely stored. I can see who has access to the files. I can save license numbers and license files in One Identity Safeguard, so I know where they are saved. I can also give access only to those who need it, as opposed to them residing on a file share or OneDrive, where access is not as transparent.

From a management point of view, it would be beneficial if One Identity Safeguard Privilege Password and One Identity Safeguard Privilege Session had a more similar interface. Also, if Privilege Session pushed more data to Safeguard Privilege Password, an admin would only need to log in to one place. They could then see the sessions and everything happening, even if it is running on a separate appliance. Why should I log into Safeguard for Privilege Session separately when it has been requested through the Privilege Password appliance? It would be advantageous if it was seen as one unified box, even though they are different. This is the improvement I would like to see.

I have used the solution for less than a year.

It is stable. I would rate it a nine out of ten for stability.

It is very scalable. I would rate it a nine out of ten for scalability.

Our clients are medium to large enterprises.

Most clients use regular support, but some clients use premium support.

Neutral

In previous work, I have used CyberArk and Secret Server. One Identity Safeguard is way cheaper, intuitive, and easier to use. Its implementation costs are much lower than CyberArk.

It is on par with Secret Server, but you do not have session recordings. You just have the privileged passwords and rotation features. You need to harden the Windows because it was installed on Windows, whereas One Identity Safeguard is already a hardened appliance. One Identity Safeguard is more secure than Secret Server. However, I used Secret Server a couple of years ago. It has probably matured now.

We are using the virtual appliance because we already have a virtual environment. The only on-prem setup we have are the physical servers that run a hypervisor. We like to have everything virtual. We can also secure a virtual appliance in a different way compared to the physical appliance. With a physical appliance, if something happens, we have to get hold of the vendor and sort out how fast they can ship a replacement, whereas we can deploy a virtual appliance instantly and get it up and running if there is a problem.

One Identity Safeguard Privilege Password is rather straightforward, rating it as an eight out of ten. Privilege Session is more like a six out of ten, being a bit more complex if I want to use all the features. However, if I just want to use it in Transparent mode, it is easier.

In total, it takes less than two weeks, depending on the landscape. Some preparation, like obtaining certificates and securing a backup share, is required first. I do require input from others to implement it within two weeks. If I can gather all the necessary data and access, the implementation becomes more straightforward.

The deployment was disruptive in a way for the privileged users because they now needed to log in through the web interface, whereas previously, they could log in directly. There are more or different steps. Instead of clicking directly on an asset they want to log in to, they need to log in to a different web page and request access. There are a few more mouse clicks than before, but we now have a better security posture of our environment.

To manage and do the implementation, you need to know certain things. You can also use a trusted partner for implementation. If you do not change anything in the system or do not want to do other connection types, you do not need that much training. You need to be aware of what you should look for. A three-day workshop with a partner would be sufficient. For end-users who need to use the system, a two-hour training would be enough.

We have two One Identity Safeguard specialists in our organization.

It is more expensive than Secret Server but way less expensive than CyberArk. As a customer, I would like the pricing to be lower, but it has a good price point.

There is no reason not to recommend it. Everyone should have a PAM solution to prevent privileged user damage and mitigate risks like stolen passwords or insecure storage. If you want to ensure recordings of activities, be it from external people or highly privileged users, then this is essential. This reduces the risk of malicious insiders. You cannot always prevent it, but having recordings allows you to pinpoint activities before a system failure. You can consider having SPA analytics for additional security. We do not have that yet because of the price, but we might add it later.

I would rate One Identity Safeguard a nine out of ten.