One Identity Safeguard Reviews

Our customer is a public service organization with about 800 privileged accounts and 8,000 functional accounts. The client already has a relatively unadvanced identity management implementation. It's a request-based identity management solution. What we're doing now is getting better control of the privileged accounts and getting rid of the old technology.

The end users don't know of an alternative. They are still subject to identity management through what is quite a large, manual process instead of process automation. For instance, the users do not have a self-service port where they can automatically get privileges they don't have today. Everything goes via the ITSM manual control workflow.

It's the manual processing our client currently has that is what we are thinking of improving. The installation was not set up by my team, but our job is to focus on the most sensitive information assets and secure insights into how service and other infrastructure are managed through privileged accounts. After that, we will work on simplifying the everyday user experience.

We work with just the physical appliances. It wasn't my decision. It was what the client already had. Regarding the form factor, just put it in a rack and it works. It's not an issue.

We're introducing the solution's transparent mode for privileged sessions. This is part of what the client hasn't used before. It will simplify their administrative situation greatly. So far, the rollout of this feature has been a seamless process, but we're still in the midst of rolling it out. The benefits will be on the risk side.

Right now, the way accounts are managed, you don't necessarily know who is using an account. There's a shared admin account, and that's not a good thing. And those accounts are shared in wallets by several people. One of the real benefits of safeguarding here is that the client will have an absolute audit of who is using an administrative interface, whether it's server or network.

I am an independent consultant who assists end users in deploying One Identity Safeguard correctly and creating all necessary workflows within the product. I then ensure its effective utilization in the production environment. I have been working with Safeguard since the beginning and continue to use it presently. Based on my experience, the majority of projects, around ninety-nine percent, involve virtual appliances. While I have performed some hardware appliance installations, I lack extensive experience with them. Therefore, I cannot definitively state whether they are good or bad. However, I can affirm that they function properly.

When we discuss the situation at the beginning of my journey, it serves as a safeguard. So, seven years ago, it primarily revolved around RDP and SSH session control. However, nowadays, I observe that customers are shifting their focus primarily toward password rotation and password management functionality. Moreover, they are increasingly utilizing the permanent analytics capabilities of Safeguard, such as user entity and behavioral analytics. Currently, we utilize all the functionality offered by One Identity Safeguard, including password rotation, password management, session management, and possibly session harmonics as well.

In most cases, we are referring to active directory environments and the safeguards implemented in such environments. This implies a close integration with the domain controllers, which serve as a source of identity information. However, the customers I work with as an independent consultant often utilize password management solutions. This indicates their desire to replace passwords, which may already be in use on certain devices. Sometimes, it involves scheduled password rotation. Additionally, session management has evolved. Nowadays, some customers are not only using RDP and SSH control but also MSS. Furthermore, I have worked on several projects involving HTTPS special control.

The situation as it was seven years ago, the usability and functionality of Safeguard were like three key questions in the case of Safeguard. Unfortunately, several years ago, they still had a sync client, which means a desktop application for one part of the product, while another part of the product was managed through the web UI. Of course, it was not so convenient. But nowadays, all the functionality is managed from the same console, meaning via the web UI, 100 percent. So, from this perspective, I can say that customers are quite happy with the current user interface of the solution.

The most important benefit is that when we talk about the deployment of any PAM solution, it serves as a centralized point for privileged access connections. This includes internal users, such as administrators or individuals with special privileges, like an accountant with additional access to the company's ERP system. This is in contrast to the standard situation where users have a direct connection to the target system, which lacks control. Firstly, a single point is created to enable full control over connections. Additionally, automation allows for quick response in case of any malicious activity. For instance, if the system detects abnormal behavior, such as in an SSH session, it can instantly terminate the session without requiring the involvement of cybersecurity personnel. The advantage of this approach is that it eliminates the need to involve humans in the process, which would take time. With a PAM solution like Safeguard, these actions can be executed within seconds, preventing any negative impact on the target system.

From my perspective, using the transparent mode is quite easy. However, from the customer's point of view, they should take the time to understand how it works properly. Once they grasp the concept of how this mode operates, which is made possible by the unique technology at the core of Safeguard's privileged session module, it becomes a significant benefit. Some customers may find it necessary to review this aspect carefully. Nevertheless, once they comprehend the intended functionality, everything else becomes straightforward.

I did not observe any issues concerning the rollout of the transparent mode for our users.

Monitoring privileged accounts using transparent mode is much easier from a user perspective, as it is almost invisible to them. What we are discussing is the deployment of Safeguard in transparent mode. From a monitoring standpoint, unfortunately, it does not prevent the injection of certain credentials. However, in terms of monitoring functionality, it is almost the same. Therefore, I cannot say that there is a significant negative impact from that perspective.

We utilize the secure remote access feature for privileged users. The majority of my projects involve contractors and third parties rather than direct employees.

Without One Identity Safeguard, managing remote access would be significantly more challenging. Safeguard is the tool that, from my perspective and based on my project experience, enables customers to have complete and effective control over remote access for both their contractors and internal infrastructure. It is remarkably user-friendly. Therefore, there is no distinction between deploying Safeguard for securing our internal network and implementing it for managing remote access from third-party networks and beyond.

It is nice that the Secure Remote Access feature does not rely on VPN; however, all of my customers continue to use VPN and utilize a VPN panel to manage remote access via Safeguard.

There are two parts to Safeguard: the sessions recording part and the password management appliance. With the password management appliance, we have been using version 2.10. For the sessions recording, we started off with version 6.2. It has new additions and updates which have come out, thus we've upgraded. Currently, we are up to version 6.5.

We are doing a sessions recording for all of our UAT and production servers. Therefore, if something breaks/happens or there's a change during the day without the proper change control mechanisms, we can determine the session by pulling the last session on the box and finding out who did what. Then, for the password part, it is used to consolidate enterprise-wide all our passwords for our 2000-plus server accounts.

We have five physical alliances for the password part. Then, for the sessions recording, there are three virtual appliances. We went with these particular versions because they were the latest and greatest. I like to keep things updated instead of dragging stuff out, which is how people get stuck with legacy devices unable to upgrade or with no upgrade path available.

It has greatly helped improve our security posture. Safeguard has an option where it will reset passwords on service accounts, then go out to those servers where that service account is running as a service and update the password on it. That makes password changes very easy. We can regularly change passwords now and are planning on making it an annual activity, where all the people who own service accounts will go in and make sure all their passwords get changed, updated, and reset. That's a huge scary stance right there because people leave the company and memorize all their passwords. Now, they're null and void, and we're in a far more secure place.

We are still building out the Safeguard behavioral analytics feature, but so far, it's pretty good about being able to detect nonhuman input. This has increased our security posture as well. It's really easy to use. Security guys are able to identify, "Why is this person logging into spots on the weekend when historically they've never accessed it on the weekend whatsoever?" We're able to keep watch as there is a lot better visibility of our environment.

Our administrators mainly use it to protect their different packages and access secrets through Safeguard, either by checking out credentials, using encrypted sessions, or utilizing the product's API.

We are using a virtual appliance deployed in the cloud and on-premises.

The centralized storage of secrets and credentials prevents them from spreading throughout the organization. We know who has control over them and who has access. Before Safeguard, there might have been a few Post-Its stuck on screens, which isn't secure.

We have also gained visibility into the use of privileged access. It's way easier for us to see what, when, how, where, and why. We now have a good way to provide justification for doing things, instead of relying upon people to remember. Now we can demand that. 

And the rich level of logging, including visual logs with video recordings of sessions, has given us more confidence in our security posture, where we have onboarded the system.

We started with administrative use cases and we were able to take control of all the local administrator accounts for endpoints and servers. We then started controlling privileged accounts for our domain administrators as well as for any kind of privileged account that had access to our switches, routers, and the like. 

This year we're looking at taking control of all of the servers and application accounts. But that's going to be a longer journey for us because there are a lot more of those accounts, and there is a lot more testing that needs to be done because of the nature of the accounts.

Another use case this year is integrating Safeguard into the SQL database, so we can start taking control of the SA accounts within SQL. 

Furthermore, we have a use case where we are using Safeguard to manage the account for our IIGA solution, which is our identity governance solution. When it creates new users or transfers or terminates users, it's using a privileged account that is being handled by Safeguard.

We have a lot more use cases but these are enough to give you an idea of how we use it.

We went from a state where privileged accounts were being used and not being monitored or even audited to our situation now where we are starting to monitor these privileged accounts more closely. That's where we show value in the product. Whenever a change is happening, we know because we find it in the logs. Our reporting and monitoring team is looking at it, and they are now starting to question changes that are associated with some kind of ticket or some kind CAB (change advisory board) request. It has improved our visibility for privileged access.

We are a One Identity partner, and our clients use One Identity Safeguard for password vaults, session management for Linux and Windows servers, and network appliances.

One Identity Safeguard now prevents unauthorized access to servers by eliminating privileged passwords and requiring all connections to go through a PAM-authorized process. This means no one, including hackers, can access servers without explicit approval, significantly enhancing overall security.

One Identity Safeguard is easy to use with a good partner to support you, and it can be up and running within a few days.

We have successfully integrated One Identity Safeguard with cloud targets, and the process was straightforward.

One Identity Safeguard has improved our incident response time by 300 percent.

We use this solution to control the access of privileged users, such as application administrators, to the internal network. This solution allows us to record and log user sessions.

We use virtual appliances on the VMware platform. The virtualization of such services allows us to flexibly scale our hardware configuration and gives significantly more opportunities for building a stable structure. 

This solution allowed us to provide remote access to the company's internal infrastructure in the context of the COVID-19 pandemic. It made this access more transparent and controlled for information security departments.

We easily integrated this product with our SIEM system for collecting events. Thanks to this integration, we were able to build convenient, regular reports on privileged user connections. Therefore, our information security units can better see who is connecting to the remote infrastructure.

Our company is regulated by the central bank in our country. There are about 4,000 employees in our organization. 

Our main need was to reduce the operational cost of our department by increasing the window of operations to 24-hour rather than have office unemployment. 

We are now digitizing the access control function through One Identity. Whoever forgets their password can reset it on their own rather than reaching out to the security desk. Whenever we have a new employee, we found that it was taking at least two days to get them a username or access to the system. Now, once they are logged into the organization and are registered on our ERP system, their complete access will be ready within five seconds. They will receive an SMS with their username and password so they can start working. This has increased efficiency and effectiveness of the access control function. It has reduced operational costs as well as providing services 24/7 with a platform that can be used anytime and anywhere for investigation in case we have a requirement. 

We use the physical appliances, as they are more reliable. Around the world, dedicated appliances are more reliable than having a virtual version/copy. We went with the physical appliances because they are dedicated and closed like a black box. However, we haven't reported any misses with the virtual version. 

We use the solution’s Approval Anywhere feature which enables us to add an extra layer of security for critical passwords without adding time-consuming approval processes. In the past, we were having problems when a user went on vacation. There were many recalled cases of password sharing. When we received this type of incidence and started to investigate, we found out the past setup had no solution. For example, if someone with a daily duty went on vacation, they still had to do it within the office. That is why sometimes people tried to justify the sharing of passwords by the importance of their duties. Now, by using this platform, if someone goes on a vacation, out of office, or needs urgent/planned leave, then our setup will select the functions tied to that person and automatically delegate them to the next person. That person can start performing that duty based on their access. No sharing of passwords is required.