One Identity Safeguard Reviews

I am an independent consultant who assists end users in deploying One Identity Safeguard correctly and creating all necessary workflows within the product. I then ensure its effective utilization in the production environment. I have been working with Safeguard since the beginning and continue to use it presently. Based on my experience, the majority of projects, around ninety-nine percent, involve virtual appliances. While I have performed some hardware appliance installations, I lack extensive experience with them. Therefore, I cannot definitively state whether they are good or bad. However, I can affirm that they function properly.

When we discuss the situation at the beginning of my journey, it serves as a safeguard. So, seven years ago, it primarily revolved around RDP and SSH session control. However, nowadays, I observe that customers are shifting their focus primarily toward password rotation and password management functionality. Moreover, they are increasingly utilizing the permanent analytics capabilities of Safeguard, such as user entity and behavioral analytics. Currently, we utilize all the functionality offered by One Identity Safeguard, including password rotation, password management, session management, and possibly session harmonics as well.

In most cases, we are referring to active directory environments and the safeguards implemented in such environments. This implies a close integration with the domain controllers, which serve as a source of identity information. However, the customers I work with as an independent consultant often utilize password management solutions. This indicates their desire to replace passwords, which may already be in use on certain devices. Sometimes, it involves scheduled password rotation. Additionally, session management has evolved. Nowadays, some customers are not only using RDP and SSH control but also MSS. Furthermore, I have worked on several projects involving HTTPS special control.

The situation as it was seven years ago, the usability and functionality of Safeguard were like three key questions in the case of Safeguard. Unfortunately, several years ago, they still had a sync client, which means a desktop application for one part of the product, while another part of the product was managed through the web UI. Of course, it was not so convenient. But nowadays, all the functionality is managed from the same console, meaning via the web UI, 100 percent. So, from this perspective, I can say that customers are quite happy with the current user interface of the solution.

The most important benefit is that when we talk about the deployment of any PAM solution, it serves as a centralized point for privileged access connections. This includes internal users, such as administrators or individuals with special privileges, like an accountant with additional access to the company's ERP system. This is in contrast to the standard situation where users have a direct connection to the target system, which lacks control. Firstly, a single point is created to enable full control over connections. Additionally, automation allows for quick response in case of any malicious activity. For instance, if the system detects abnormal behavior, such as in an SSH session, it can instantly terminate the session without requiring the involvement of cybersecurity personnel. The advantage of this approach is that it eliminates the need to involve humans in the process, which would take time. With a PAM solution like Safeguard, these actions can be executed within seconds, preventing any negative impact on the target system.

From my perspective, using the transparent mode is quite easy. However, from the customer's point of view, they should take the time to understand how it works properly. Once they grasp the concept of how this mode operates, which is made possible by the unique technology at the core of Safeguard's privileged session module, it becomes a significant benefit. Some customers may find it necessary to review this aspect carefully. Nevertheless, once they comprehend the intended functionality, everything else becomes straightforward.

I did not observe any issues concerning the rollout of the transparent mode for our users.

Monitoring privileged accounts using transparent mode is much easier from a user perspective, as it is almost invisible to them. What we are discussing is the deployment of Safeguard in transparent mode. From a monitoring standpoint, unfortunately, it does not prevent the injection of certain credentials. However, in terms of monitoring functionality, it is almost the same. Therefore, I cannot say that there is a significant negative impact from that perspective.

We utilize the secure remote access feature for privileged users. The majority of my projects involve contractors and third parties rather than direct employees.

Without One Identity Safeguard, managing remote access would be significantly more challenging. Safeguard is the tool that, from my perspective and based on my project experience, enables customers to have complete and effective control over remote access for both their contractors and internal infrastructure. It is remarkably user-friendly. Therefore, there is no distinction between deploying Safeguard for securing our internal network and implementing it for managing remote access from third-party networks and beyond.

It is nice that the Secure Remote Access feature does not rely on VPN; however, all of my customers continue to use VPN and utilize a VPN panel to manage remote access via Safeguard.

A dealbreaker for customers is the capabilities of the privileged analytics module, which can be extremely useful in certain cases. From a functionality standpoint, I would like to emphasize One Identity Safeguard architecture itself is quite mature. It offers high availability and enables end users to deploy the solution with 99.999 percent uptime, which is crucial in an enterprise environment with a large number of endpoints.

The main point regarding the user experience is that Safeguard has two separate management consoles. Both are web-based user interfaces, specifically HTML-based. However, they are completely distinct consoles. It would be preferable to have a single management console or tool instead. This would allow for a unified point of connection to all nodes, enabling the management and creation of policies, connection requests, and other related tasks.

What I saw and heard from the customers is the control functionality of the HTTP session. Nowadays, there are numerous blind spots in the current organization of HTTP session control functionality. It should be addressed in the latest version, as some competitors already offer unrestricted functionality.

I have been using One Identity Safeguard for almost seven years.

From a technical perspective, Safeguard has two distinct development lines, let's say. The first one is Long-Term Support, which can be considered quite stable. However, when we discuss the non-LTS branch with new functionalities, I must admit there have been a few instances where we encountered some rather strange and interesting bugs. While the non-LTS branch is less stable, it still qualifies as a production-grade solution. In most cases, any bugs that arise do not automatically affect the user experience, overall system functionality, or the ability to control the privileged environment. Nevertheless, there are occasions where these bugs can be quite amusing, requiring us to reach out to technical support and submit a new ticket to have them resolved.

Safeguard is highly scalable due to its architecture. From my perspective, it is one of the most scalable solutions on the market among other Privileged Access Management solutions.

During many projects, we contacted standard support. I mean, even without the premier support contract, we simply created some tickets. We had several video calls with the One Identity team, and I can confidently say that they are highly supportive. Sometimes, for non-critical issues, they may take a long time to respond. However, when it comes to physical issues, they are extremely prompt in their responses, prioritizing them based on the defined priority during ticket creation. They strive to be fully engaged and invested in resolving the problem.

Positive

I previously used WALLIX Bastion, CyberArk Privileged Access Manager, and senhasegura.

CyberArk is a great solution from a functionality standpoint. It offers interesting features in certain cases, which unfortunately are absent in Safeguard. However, from a customer perspective, there are some issues. At times, I wasn't involved in the evaluation procedure when our customers wanted to determine the ideal solution for their use cases. CyberArk can be overly complex in this regard, with numerous different modules, each requiring a separate license. Consequently, the overall cost of the project and solution would be much higher compared to Safeguard. Nevertheless, from a technical standpoint, CyberArk is quite impressive. Yet, it remains overly complex for end users, both in the business and technical teams, and the pricing is not the most competitive.

Regarding WALLIX, I must say that it sometimes has certain peculiarities that are difficult to describe. The way they create the management console and the principles for managing their solution is rather strange. Understanding their approach fully requires reading the documentation several times. Senhasegura is also a decent solution in my opinion, but it is not yet mature enough. They offer a wide range of functionality and modules, but the lack of separate licensing, as in CyberArk, is a plus. However, during deployment and setup, we may encounter some issues. In general, they claim to provide a lot of functionality, but it is not as detailed as Safeguard.

The initial setup is straightforward. Based on the experience of some of my customers, they didn't involve me during the initial deployment phase, but later on, during some kind of policy setup phase, and so on. I can say that even inexperienced users, customers who saw Safeguard for the first time, were able to fully deploy Safeguard by following the official documentation, which is detailed and helpful. They were able to deploy all the necessary components, at least four SAP and one SPS. So, it's a basic deployment process that my customers were able to complete within a couple of days without any issues.

To deploy virtual appliances, in my case, it will take a couple of hours, or perhaps several hours for complex deployments involving geographical distribution between different customer sites, among other factors. However, when considering the entire project, it includes not only the initial deployment phase but also connecting to the active directory, creating necessary policies within the products, and setting up integrations with third-party solutions such as SIM. I've heard that the longest projects with Safeguard lasted around four and a half months.

The number of people required for deployment varies based on the size of the deployment, but typically, between one and two people are needed.

We help our customers with their implementation.

The pricing depends on our perspective, our budget, and, of course, the competitors we are taking into account. For instance, when comparing it to CyberArk, Safeguard is considerably more expensive initially. However, from my viewpoint, the pricing of Safeguard, in comparison to CyberArk, is quite straightforward and logical. What I mean is that we have dedicated licenses for each appliance, as well as licenses for premium users or target systems, and that's all. There are no additional modules. Therefore, in some cases, it may be relatively expensive, but on the other hand, it is logical and straightforward.

I give One Identity Safeguard a nine out of ten.

Privileged users continue to utilize their connection to the target systems, thus remaining unaffected during the deployment process.

Normally, reading the documentation would be sufficient to start using Safeguard for both those who manage the solution and the end-users. However, in real life, I conducted some technical training sessions for Safeguard administrators and Safeguard end users. For end users, in most cases, a two to three-hour training session was enough to familiarize them with the management console. This console is used to request extensions to target systems and perform other related tasks. On the other hand, administrators usually required six to eight hours of training. However, the duration can vary depending on the specific project. For instance, a standard deployment with four nodes would differ from a non-standard deployment with twelve nodes distributed across an entire continent. In such cases, customers may need additional training to ensure business continuity in the event of issues occurring at a specific site. This training would focus on the technical aspects of implementing a business continuity plan.

When preparing to deploy Safeguard, our first step is to engage in a comprehensive discussion with the customer regarding their project goals. We inquire about the specific reasons behind their need to incorporate a PAM solution. Once we have a clear understanding of their use cases, we proceed to address the technical aspects. From a technical perspective, one of the most crucial questions is to define the scope of the target systems, including the types of operating systems and protocols that will be utilized to establish connections, such as RDP, SSH, HTTP, or MSS. After establishing the scope of the target systems, we then proceed to define the scope of the end users who will utilize Safeguard. These users will establish privileged sessions with the target systems. Additionally, we determine the source of identity information for privileged users, which is typically the active directory, although, in some instances, a DAP service deployed in the customer's infrastructure may be utilized. Once these preliminary steps are completed, we have all the necessary tools and information to proceed with the deployment process itself.

Our administrators mainly use it to protect their different packages and access secrets through Safeguard, either by checking out credentials, using encrypted sessions, or utilizing the product's API.

We are using a virtual appliance deployed in the cloud and on-premises.

The centralized storage of secrets and credentials prevents them from spreading throughout the organization. We know who has control over them and who has access. Before Safeguard, there might have been a few Post-Its stuck on screens, which isn't secure.

We have also gained visibility into the use of privileged access. It's way easier for us to see what, when, how, where, and why. We now have a good way to provide justification for doing things, instead of relying upon people to remember. Now we can demand that. 

And the rich level of logging, including visual logs with video recordings of sessions, has given us more confidence in our security posture, where we have onboarded the system.

The whole product solves the privileged access management challenge for our company. We have a secure tunnel, a secure session manager, and automatic logging of sessions, which is good for forensic purposes. We have a rich level of logs and can trace what happened on which machine and see who did what.

Feedback from our users on the usability is positive regarding the UI experience. Instead of keeping their credentials on them somewhere, they now have a very easy-to-use portal with a nice GUI. There has been some feedback from people saying, "Couldn't it do this," or "Now I have to do that". But that's basically change management and not a real problem. There is some getting used to the UI, but I think the UI is very easy to understand and to use. The usability is very good and that's one of the main ways Safeguard stands out from the competition.

Safeguard, the way I see it, has two different parts: vaulting and sessions. And those two are running on different platforms. The vault itself is a locked-down Windows box, which isn't really causing any trouble. The session part is on a Linux box. They sell them separately, but together, they need to be more unified, at least from a UI perspective when you're using it as an administrator. There are some "legacy-level" menus and ways of using it that I don't really appreciate. 

We are using it completely web-based, not through a fat client. The browser experience of administrating SPS (Safeguard for Privileged Sessions) needs a lot of attention from an administrative perspective to make it easier. The readability of the system itself is quite poor. 

A user never really engages with that part. It's only the administrator, and maybe an auditor, who are subjected to using those menus and tools. 

So the SPS could be a lot easier to administrate and the parts should be unified, from a design perspective, so that I can recognize the systems as being part of the same package. They feel like they have been forced together.

We started implementing One Identity Safeguard about one and a half years ago.

It's very robust. We haven't had any issues with Safeguard's stability. 

We have done a few things that have "annoyed" it, but it has always come back. We tried to upgrade one of the session nodes, and we did it in the wrong order, but it pulled through anyway. That was quite impressive. If you deploy it on virtual servers as we have, with a virtual appliance, if you have that under control, Safeguard itself is not an issue, at least for the time being.

I believe we may have done a bigger deployment than we actually need. We were advised to use a node and another node to have a little bit of a cluster function. We went even bigger than that, so we are using the biggest version of what they recommend. 

But I don't see scalability as an issue. I don't think it's something that Safeguard does particularly worse or better than anyone else. It's easy to deploy another node for the same function that you already have. Or if you want to replace something that doesn't work the way you want it to, you can switch it. It is very scalable. We haven't touched the limits of what it's capable of and I don't think we ever will.

We have about 150 users at the moment.

I don't think we are using One Identity's Premier Support. We are using some level of support from them, but that support is handled by our partner. If we raise an issue, our partner coordinates between us and One Identity. 

We did not have a previous solution.

There are different kinds of solutions that Microsoft provides, called PIM, instead of PAM. It's for cloud-based roles and privileged access. We were using that before Safeguard and we are still using it for that specific use case. But we didn't have another privileged access management solution, other than human administrators. It was surely needed.

Just getting a PAM solution is many steps better than what we had before.

The initial setup wasn't really complex. We are using the virtual client, so it was fairly easy. We didn't really have to do any setup. We just had to start a virtual machine and run the appliance, following their documentation, which is very good. It was quite easy. 

We are utilizing a partner for getting started so I didn't find it hard to start. 

Among the things that you need to look out for, and this applies to every product, is how it fits into the network that you are going to put it in. There are a lot of specific ports that it needs to be accessed through, and you should probably keep it as locked down as possible because this system shouldn't be exposed to any other environment. That is a hard task to complete. That is not a fault of the product itself, but it comes with that can of worms. 

And, of course, you have the certificate questions, the different certificates that it needs to validate sessions and keep them secure. That's quite tricky as well. Again, it's not really a Safeguard issue, but your organization needs to know that these are considerations when you start.

Our technical go-live with the solution took three or four months. That was mostly related to our network issues and finding all the different ports that needed to be opened and closed. But starting the application and using it, running the GUI itself, is a matter of days. It depends on your organization and how well-equipped it is for this type of change.

We didn't force any big changes. We were debating if we should onboard our current privileged users and then force them, from day one, to use the system. Instead, we did a side-by-side solution where we started alternative users on it and then told our previous users to use it instead. And if that, somehow, was not satisfactory, they could still use their old account to complete the work. That way, we didn't jeopardize production. Every time we received feedback such as, "I need to use my old account because I cannot use this new Safeguard version," we needed to adapt and improve. 

Once there were no more complaints, we started shutting down the old users who had not been onboarded to Safeguard. We didn't want to bring major change in an instant. We led them to the Safeguard solution and let them try it out, give us feedback. Generally, they found it easier to use Safeguard compared to their old ways and they started preferring it. When we saw we had no risks left, we disabled the accounts that they were using before.

In terms of training, for the admins we had a five-day course, which covered the basics. I did not receive that course, but I didn't really need it. The right partner can explain enough to you, in small sessions, about what you need to accomplish. And the user experience itself is so intuitive that you understand what you're doing. And their documentation is very easy to search and use. You don't really need much training. Of course, you need to understand how you affect different systems if you connect them to Safeguard but that depends more on your own organization than on what Safeguard is.

End-users just need a basic introduction to tell them, "Please go here, use this." They log in with known credentials and the same password as everything is under MFA. It's nothing new to them. And the user experience is very simple for them to check out the privileges that they need for the moment that they need them. That's quite self-explanatory.

We had a partner called Intragen International that helped us understand the best practices for deployment and what not to do. We had them as an adviser, but we performed every step in-house. They didn't have any access to our system. They were more of an adviser.

I believe we have a five-year deal in place, and it's an all-you-can-eat license. It's not user-based.

We also pay our implementation partner. We have a support deal set up with them, so that's a cost we have added on. But it's not applied to the Safeguard bill. The advisory role that they provide us is something that we decided we need.

We looked at the product from BeyondTrust. And we looked at CyberArk because that's what you need to do when you start this process. We also looked at a couple of other products, market leaders, according to review sites. But we mainly looked at CyberArk.

We, as an organization, realized quite early that privileged management access is hard. There were solutions that, like CyberArk, were very advanced and had huge legacy support with every type of system known to man. That was very interesting because you never know what you might have. But when we looked into CyberArk, we also felt that the system was a leader because they were first, not because they were the best. It seemed to be quite complex to deploy. Knowing our limits, we felt the Safeguard solution was more of a fit for us, and the user experience was way more intuitive than the CyberArk version. 

Looking at the other competitors, they were more leaning toward a cloud-based solution or were going that way. Of course, we are always trying to get to the cloud—you never get there, but you always talk about it—and we felt that if we were going to keep all of the secrets of the company anywhere other than in our own environment, it would almost be irresponsible to have it on a vendor that always puts things in the cloud. That essentially meant we wouldn't know where they would be.

By deploying it ourselves, at least we know where the keys to the kingdom are, and we control them. The other vendors were not selected because they were too cloud-oriented for such an important part of our company. We needed to keep it ourselves and keep the responsibility in-house, and not put it anywhere else.

Safeguard had the same philosophy, allowing us to do a virtual appliance that we deployed ourselves in our own data centers, keeping every bit of information inside our walls instead of putting it on the cloud. With CyberArk, we could do that as well, but it sure seemed way harder, so we skipped that.

To prepare for Safeguard you need to know your network, and if you think you do, you don't. You need to have network personnel available during the deployment to maintain tempo in the deployment. If you don't have access to people who are able to change things in the firewalls and the like, you will stall. 

The documentation, what you need to do, is very clear, but every network is different, and you really need to know where you put your Safeguard solution and that you have access to people that can help you fit it into your existing network. That's a very important step.

You also need to know what "high privilege" means to you because it's not defined in Wikipedia. You cannot go there and see what applies to your systems. You need to know that yourself. Be sure about what you want to protect and what levels of protection you want, beforehand. 

And, as I mentioned, there is the issue with certificates, which is an issue for every company. It's quite a hard thing to know. Not everyone is a professional when it comes to certificates. You may need to know the certificate chain, and you might have to update it with new information and roll that out to your organization. That might not be your first thought when implementing it in your system. 

But the main focus is the network, especially if you're also going to deploy Safeguard in your own cloud. That creates a little bit more of a challenge.

We use their product called Active Roles as well. We haven't really done any integration with other parts of our business. We have just given administrators and people with high privilege a secure way to access their systems through RDP and SSH. But we have not integrated any robots or development flow as of now. We are too young in this journey.

We introduce One Identity Safeguard to customers, primarily Italian customers who need to partner with solutions that protect their target resources.

What I like about One Identity Safeguard is its interface, which is easy to understand, even for people new to the product. I also like that the solution collects data without any access to the machine, plus it has a feature that lets people explore access to machines within a network.

Regarding the usability and functionality of One Identity Safeguard, the most common feedback I receive from users is that the solution is easy to use and can easily move data.

I also like that One Identity Safeguard lets you configure the maximum number of connections to the target, a configuration I didn't find in its competitor.

My customers use the transparent mode for privileged sessions in One Identity Safeguard, and it is easy to use, though it may be more difficult to configure. I haven't received any customer complaints about that feature, so it's not that difficult to use.

To start using One Identity Safeguard in terms of training for people who manage the solution and the end-users, my colleague and I took a course from One Identity. That training was enough for the basic features, but for some other features, my colleague and I had to create some tickets, though he and I know the database and processes. For users, it is easy because my company provides them with a two-page resource manual with screenshots. Then, I spent some time with the managers to show how One Identity Safeguard works, which is very easy because I've used the solution before. 

The analytics interface of One Identity Safeguard is also easy to understand.

A feature I found in a competitor would make One Identity Safeguard better, and that is the ability to load balance the traffic in the target. For example, in two machines with some applications, I would like to balance traffic between the two machines with the help of One Identity Safeguard. It would be great if the solution allowed users to add some applications to a cluster and balance the traffic between the applications.

I've been working with One Identity Safeguard for customers for six months.

Stability-wise, One Identity Safeguard is okay. It's been running for almost one year, and there's no problem with its stability, so, in terms of stability, it's a seven out of ten for me.

The scalability, including the clustering for One Identity Safeguard, could be improved. It is fair right now, scalability-wise, and from an engineering perspective, it may not be as easy to do that because the appliance would have to be encrypted, and there's a security requirement. Still, it would be nicer if scalability could be improved in One Identity Safeguard.

Support for One Identity Safeguard could be improved because sometimes the support team doesn't have an answer or solution for some bugs. Support-wise, it's an eight out of ten for me.

Positive

I used a different solution previously, but One Identity Safeguard could limit the maximum number of connections to a target. The other solution, on the other hand, could not do that but has a load-balancing feature.

My company deploys One Identity Safeguard for customers, and I found the process easy.

My customers use the One Identity Safeguard virtual appliances.

I have not used the Cloud Assistant feature of the solution.

I have not used the Remote Access feature for privileged users in One Identity Safeguard.

My company does not integrate the solution with any other parts of the business, such as development, operations, and RPA. It was just tested but not rolled out in production.

In terms of how the deployment of One Identity Safeguard affects privileged users may be a complex question because the customer didn't have a previous infrastructure. The customer is now building the infrastructure, so it's a dynamic environment. The customer doesn't have an old environment.

I'm a One Identity Safeguard integrator, and my company also resells it.

Regarding maintenance, usually, it's not required. Still, sometimes a user could complain about not being able to access passwords in One Identity Safeguard or that there is some misconfiguration I need to analyze, and in the end, the issue is with the target appliance and not One Identity Safeguard.

My rating for One Identity Safeguard is eight out of ten overall.

We are using One Identity Safeguard for our data protection.

We are utilizing the virtual appliance solution because it is slightly more cost-effective and allows us to manage it remotely.

Secure Remote Access feature is being utilized by non-technical users, primarily for multi-factor authentications. We are implementing MFA; however, some users in our branch are not yet connected. Consequently, we are resorting to using a VPN in our access control measures. At times, we have also employed remote branches for auditing and monitoring any potentially suspicious activities. Our endpoint security is consistently updated and ensures encryption for all the internet services we utilize.

It is important that the Secure Remote Access feature does not rely on a VPN. One Identity Safeguard provides us with the ability to manage access to the system network and data from our remote branches through the Secure Remote Access feature, ensuring a secure and confidential connection on the backend.

We have integrated One Identity Safeguard with our DevOps processes to assist in managing the parameters. Prior to the integration, we used to wait for certain automation related to security, either already completed or sometimes people would proceed without reporting. However, after the implementation, it has proven to be highly effective for security testing through automation at various stages, particularly in the pipeline, and for conducting critical analysis. This has significantly improved our understanding. 

There are numerous valuable data protection features, including the content and information that offer us more scalable protection as needed.

We also have access to immediate support for situations that we are unable to handle.

Some of our users find the functionality a bit complex, and it could be made more user-friendly.

The integration of automation, security monitoring, and secure configuration can be enhanced. We can integrate these elements using Ansible or any other necessary tools. This would be advantageous in terms of time and effort saved during implementation, especially when dealing with merged branches. This approach will guarantee that the code is approved, tested, and verified, potentially resulting in substantial time savings.

I have been using One Identity Safeguard for ten years.

Premier Support is valuable because it enables us to receive prompt assistance whenever we encounter any type of issue.

Positive

The time to deploy varies from a few minutes to several hours depending on the scenario.

We integrate security tests into our CI/CD pipeline for privileged users to ensure that these users are not affected.

We also assessed CyberArk, which is a more robust Privileged Access Management solution compared to One Identity Safeguard. However, it comes with a significantly higher cost.

I would rate One Identity Safeguard an eight out of ten.

We conducted training sessions for all employees and managers in our company. The training was tailored to each person's skills in order to streamline the training process and facilitate the deployment procedures.

We have more than 1,000 servers or application servers, and we have several layers of teams. We have super admins, system admins, and operations staff, and we also have application vendors using the system. In such a large environment, it was really difficult for us to do identity management on a daily basis. We had new people joining the team, and we also had people leaving. We had to put in additional manpower to monitor these activities and comply with the regulations. That was the main reason we moved to automation with the One Identity solution. We are using their Privileged Account Management solution.

We have virtual appliances. We don't have physical ones.

We have several data centers located all over the globe. Previously, if someone needed access or certain permissions, we had to manually go to our Active Directory, identify the user, and give permission. We had to do that one by one. When we had hundreds of new joiners, it was a time-consuming activity. Sometimes, this activity would take more than two days. One Identity has made all this easier. Monitoring has become much easier, and I can invest the energy in other things instead of monitoring which user is doing what. It has become a one-console management for us.

For my team, it has reduced the task of monitoring who did what and using which ID by 80%. They only have to do 20% of the work than before.

We are using all of the access features. It is much easier for a new user to adopt this solution. It also works perfectly fine with a VPN.

All the features are promising, but we love the reporting feature because we can get each and every report. That's a major compliance requirement. Its reporting is really amazing, and it has made life a lot easier.

Its setup is quick. It is easy to set up and operate. It doesn't matter whether you have a deep IT background or not.

Cost-wise, it is a little bit expensive, which makes it difficult to get management approval. Its price should be reduced.

In terms of features, I'm completely satisfied with it. I am not expecting any more features. Its cost is the only issue. Everything else is okay.

We introduced this product in our organization in 2014.

It is pretty stable.

It is very scalable. We recently increased the number of licenses. Previously, we had a thousand servers, but now, the number has increased. The number of users has also increased. So, we upgraded our system. 

We are using it mostly for privileged users, developers, and system administrators. In total, we have around 300 users. We have plans to increase its usage. We have some upcoming projects where we want to use it on a larger basis. We have plans to use it for DevOps users and third-party vendors, but it will take a little bit of time.

We have not integrated the solution with any other parts of the business, such as DevOps, RPA, or cloud targets. We are evolving day by day. We are upgrading our technology, and we have plans to do that in the future.

We had premium support initially, but we don't require that now. We didn't encounter any critical issues. We are using their regular support. I would rate their support a nine out of ten.

Positive

We were not using another solution previously. Privilege management was a really tough task before the One Identity solution.

It was straightforward. Of course, when you are introducing a new product, you need to do a little bit of research, but the steps were very simple. You don't need much technical knowledge, and you don't need to go so deep to do the configuration. You can just have a look at the setup start guide. Anyone should be able to do it easily.

Our deployment took around six months because we did a few PoC. We also tested it in different system environments before bringing it to the production environment. Out of these six months, we spent almost two months doing the PoC with other products, and then for two months, we put it in the UAT environment or the test environment, and then we brought it into the production environment. So, overall, it took six months for the rollout.

The deployment wasn't disruptive for our privileged users because they were working with the old method while we were implementing it. So, there was no pause during the implementation. Once we completely rolled out One Identity, they started using it.

To start using the solution, you at least need knowledge of the policies and configurations available. You require a little bit of training because one change is going to impact thousands of users.

When we did the deployment, we had a team of about 30 people. Now, we don't have a dedicated team for its maintenance. We have a team of about 15 people doing other activities and managing various technologies, including One Identity.

I have definitely seen an ROI. It is not necessarily in terms of cost. My work has reduced, and I'm able to focus the saved energy or time working on other technologies or implementing new things in other areas of my organization.

Its subscription cost is too much, and sometimes, it is very difficult to pitch the solution to the management for cost approval. If the cost is reduced a little bit, it would be easier. If its cost was less, many other organizations that currently cannot afford it would be able to use this technology. I'm sure many organizations around the globe are having issues with identity management, and it is a very difficult task for IT to manage privileged accounts.

We did PoC to identify different solutions. We tried several solutions, but it didn't work out. We did a PoC with the One Identity solution, and it was easy to manage because it helped us to meet all the compliance requirements and do other things. That's why we went with this solution.

I would recommend it if you are looking for a privilege management or identity management solution. If you are having challenges with reporting and compliance, it will certainly be helpful because you will get a lot of details for auditing and monitoring purposes.

I would rate it a nine out of ten. It is an amazing product, but its cost needs improvement.

We mainly use the Privileged Session Management (PSM) features.

In terms of the user experience, it is a pretty useful product. It works in a good way. 

We sometimes face issues with configuration and things like that, but we manage to solve them. In general, it is a pretty good solution for the PSM features. 

There can be an improvement in terms of the policy that can be implemented on the SSH session.

I have been working with this product for more or less 2 years.

I have never spoken to their technical support. A colleague of mine interacts with them.

I did not work with any other solution previously. I have read about other products and their features, but I have not worked with them. One Identity Safeguard is probably one of the best solutions for PSM features.

I do not work on the installation. I work on the setup. We do face some issues with configuration, but in general, we are able to troubleshoot them.

Based on my personal experience with the PSM features, it is a good product. I know that there are some competitors, but I have not worked with them.

My colleagues worked on its integration with another tool. It seems to integrate fine, but I do not know for sure if he faced any issues.

My experience is with the PSM features, and for that, I would rate the product a six out of ten. There are some specific features that can be improved, but in general, I have had a good experience with the product.

We use One Identity Safeguard to manage our privileged accounts.

We use One Identity Safeguard on both physical and virtual appliances.

One Identity Safeguard uses a secure remote access feature that does not use a VPN. This is important because it is cheaper and more secure than implementing a VPN for remote access.

People can start using the solution after five days of training.

We don't need to use VPN for remote access.

One Identity Safeguard is slow and not user-friendly.

Managing remote access for privileged users is difficult because it requires a lot of customization.

Current integration with other solutions requires custom API development. I would like to see out-of-the-box integration built into One Identity Safeguard, similar to other solutions.

The deployment affects our privileged users because it takes a long time for them to request privileges, which impacts the SLA.

I have been using One Identity Safeguard for nearly three years.

One Identity Safeguard is unstable. Many bugs affect its performance, particularly when generating bundle batches and performing discovery.

One Identity Safeguard is scalable, but its performance degrades as it is scaled up.

Customer support is a nightmare. They take a long time to respond to tickets, and when they don't understand the issue, they stall by requesting logs.

Negative

I previously used BeyondTrust Endpoint Privilege Management, which is a better solution because it includes recording and remote access out of the box, whereas One Identity Safeguard requires us to integrate each of those components separately. Additionally, each component is a different appliance.

The initial setup is straightforward. The installation takes a couple of hours. One person is required for the deployment.

One Identity Safeguard is expensive and the cost goes up as we scale.

Licensing fees increase as we expand, as does the cost of basic support, which allows us to open tickets. Additionally, we must pay to update outdated appliances.

I would rate One Identity Safeguard three out of ten.

I only recommend One Identity Safeguard for small businesses.

When using One Identity Safeguard, we need to be patient.

I work for a bank, and we use Safeguard to manage access to our Internet banking services. We use Safeguard for two things: identity and access management and detection recording. We have our services onboarded on SysTrack doing RDP directly to the servers or station, and we use virtual appliances for collection. The solution covers around 150 users at this organization. 

I like Safeguard's snapshot feature that enables us to review the last time an application was opened and by whom. If there are any issues, we can look behind the scenes to see what has been done. We can suspend a user's access or close off a server. 

We've had issues managing accounts and access to some data saved on the servers. Accounts are granted a new working certificate daily. We have an account to do it on APIs online and sync it with that. If the path changes at some point or someone changes the password, I don't know if it's from the Active Directory or what. 

I have used Safeguard for one year.

Safeguard is stable. 

It's scalable, depending on the solution case. I don't know if it's domain-based because it was not restricted. We're gradually moving to the Azure cloud.

One Identity support is okay. 

Deploying Safeguard was straightforward.

I rate One Identity Safeguard eight out of 10.