SOC Analyst at a recreational facilities/services company with 10,001+ employees
Real User
Top 20
2024-04-01T12:14:00Z
Apr 1, 2024
We sometimes face issues with configuration and things like that, but we manage to solve them. In general, it is a pretty good solution for the PSM features. There can be an improvement in terms of the policy that can be implemented on the SSH session.
Something for One Identity to look at is having integration guidelines for how to logically group accounts. This is always something you need people to do. It would be especially helpful when you have thousands of servers, and within each and every one there are between two and five admin accounts.
Cybersecurity Director at a sports company with 501-1,000 employees
Real User
Top 20
2023-10-24T09:13:00Z
Oct 24, 2023
One Identity Safeguard is slow and not user-friendly. Managing remote access for privileged users is difficult because it requires a lot of customization. Current integration with other solutions requires custom API development. I would like to see out-of-the-box integration built into One Identity Safeguard, similar to other solutions. The deployment affects our privileged users because it takes a long time for them to request privileges, which impacts the SLA.
A feature I found in a competitor would make One Identity Safeguard better, and that is the ability to load balance the traffic in the target. For example, in two machines with some applications, I would like to balance traffic between the two machines with the help of One Identity Safeguard. It would be great if the solution allowed users to add some applications to a cluster and balance the traffic between the applications.
Cyber Security Engineer at a financial services firm with 5,001-10,000 employees
Real User
Top 20
2023-09-28T07:33:00Z
Sep 28, 2023
We've had issues managing accounts and access to some data saved on the servers. Accounts are granted a new working certificate daily. We have an account to do it on APIs online and sync it with that. If the path changes at some point or someone changes the password, I don't know if it's from the Active Directory or what.
IT Specialist at a tech services company with 201-500 employees
Real User
Top 20
2023-09-26T12:28:00Z
Sep 26, 2023
There is a lack of documentation and many problems with the plugins. I did run into problems with transparent mode for privileged sessions. We didn't connect correctly to the server. It was an issue we had with the customer's server, not the product itself. The security of the connection could be improved.
We do have some support issues sometimes around user authorization rights and onboarding. Typically it's on the user's end where there are issues. We point them back to the instructions. The big issue I have with the solution is the lack of timely updates. We have feature requests and would like to see the turnaround times on those features to be faster. The pricing could always be better.
System Manager at a retailer with 10,001+ employees
Real User
Top 10
2023-06-28T11:45:00Z
Jun 28, 2023
Safeguard, the way I see it, has two different parts: vaulting and sessions. And those two are running on different platforms. The vault itself is a locked-down Windows box, which isn't really causing any trouble. The session part is on a Linux box. They sell them separately, but together, they need to be more unified, at least from a UI perspective when you're using it as an administrator. There are some "legacy-level" menus and ways of using it that I don't really appreciate. We are using it completely web-based, not through a fat client. The browser experience of administrating SPS (Safeguard for Privileged Sessions) needs a lot of attention from an administrative perspective to make it easier. The readability of the system itself is quite poor. A user never really engages with that part. It's only the administrator, and maybe an auditor, who are subjected to using those menus and tools. So the SPS could be a lot easier to administrate and the parts should be unified, from a design perspective, so that I can recognize the systems as being part of the same package. They feel like they have been forced together.
Manager Engineering at a comms service provider with 1,001-5,000 employees
Real User
2022-10-09T17:59:00Z
Oct 9, 2022
Cost-wise, it is a little bit expensive, which makes it difficult to get management approval. Its price should be reduced. In terms of features, I'm completely satisfied with it. I am not expecting any more features. Its cost is the only issue. Everything else is okay.
Professional Service Manager at a financial services firm with 501-1,000 employees
Real User
2022-08-16T10:58:46Z
Aug 16, 2022
We currently have a problem with the Active Directory integrations on Windows. Some of our users need to be logged with Active Directory, but we are having communication issues between One Identity and Active Directory. It seems that Active Directory is not well-integrated. Apart from that, when we are using the interactive login, such as when logging in and going inside the site for support, we find that we need to repeat the username and password, sometimes even two or three times. When it comes to suggestions for new features, I would like to see something along the lines of an automated command prevention system. To elaborate, sometimes we will have users who input unsafe commands, and we would like to prevent those commands from being processed, and to be able to identify those users who sent the commands. I believe some kind of automation, possibly based on AI, would be appropriate for this, and it would help the administrators and managers to more easily prevent these kinds of incidents. Part of my role is to reduce the number of total incidents, and if we had an automated mechanism to prevent unsafe commands from being entered in the first place, it would help a great deal.
We have issues using Safeguard to record HTTP/HTTPS connections in a video format. Currently, they don't have a mechanism to record this type of connection.
Networking and Security Engineer at a tech services company with 1-10 employees
Real User
2022-02-22T20:20:00Z
Feb 22, 2022
I requested an evaluation license, but no one responded to me. We can't review or audit HTTP and HTTPS. This functionality should be added so that we can review and audit HTTP and HTTPS.
Software Solutions Architect at a computer software company with 11-50 employees
Real User
2022-01-31T18:51:30Z
Jan 31, 2022
When we compare One Identity Safeguard with CyberArk, we know CyberArk has other tools or other features that are more complex and more useful for the customers. For example, I have one customer that wants to elevate the permission that is available in CyberArk. Another example is, I have one potential customer that wants to use some feature that is available only in CyberArk. The scenario is one user requests a patient, however, that user doesn't have the permissions. In that request, he wants to request more permissions elevation and more rights under the live connection. This can be done in CyberArk and not in One Identity Safeguard. We need to allow more permissions for the user who requests access for the previous account in a live connection. CyberArk gives stronger features for safeguarding at this moment.
Security Business Consultant at a tech services company with 201-500 employees
Real User
2021-03-31T23:34:00Z
Mar 31, 2021
I just received a question from a customer in regards to a connection with Oracle OID. I tried to integrate Safeguard with the Oracle YAML as well as something else to manage the groups and users from a different system, like AD or LDAP. This one feature could be better. At this moment, the platform system can only use the integration with LDAP or AD. The software for research and development to create a connector to a YAML platform can be very complicated.
Senior Vice President (Infrastructure Systems/Information Security) at MAXUT
Real User
Top 20
2020-07-26T08:19:00Z
Jul 26, 2020
The only part of the Safeguard solution that I think could be a problem over time is the amount of storage it takes in the sessions. For example, because it records in real-time video it takes a lot of resources. So, it has not been a problem yet, but we are looking at a solution where we allocate the cost of that additional capacity differently. Then there will be enough resources to compensate for whatever the storage needs are. It just takes a large amount of storage for each current session. Another thing that I would like to see them improve is that I would like them to make the transparent board a little bit more transparent. The transparent mode is something I use often and it is the best feature of the product but that is also why I see how it can be improved. It might just be a little bit easier to use.
Head of Department of Technical Means of Protection at BrokerCreditService
Real User
2020-06-25T10:53:00Z
Jun 25, 2020
I would like to see support for RDP over HTTPS so this product can be used in conjunction with the Microsoft terminal. I would like to visualize SSH sessions. I would like built-in traffic balancing mechanisms with the built-in load balancing mechanism when using several instances.
Director of Information Security at a healthcare company with 1,001-5,000 employees
Real User
2020-04-21T07:28:00Z
Apr 21, 2020
There is room for improvement in the launch module. They built in a launch button but they don't have effective instructions for configuring it to allow it to launch an RDP session. They're working on that, but the button is in the live product. If they were going to install something that wasn't useful, they should have just disabled it and not rolled it out with the product. Because we don't tie it to an RDP session, you actually have to click the download button and then open the RDP session from there, versus just clicking the launch button and it automatically opening RDP.
VP & Head of Cybersecurity Manager at a financial services firm with 1,001-5,000 employees
Real User
2020-03-11T08:01:00Z
Mar 11, 2020
From a usability perspective, what we are finding out is that our privileged domain admin users, in particular, want functionality for extending a checkout session. So we are working with One Identity support to see if there's an enhancement that can be made to the product. There is another area for improvement that I have sent over to One Identity. I said, "Whenever you check out a password, there should be a radio code associated with the password." That's something that we're trying to work on with them. It was submitted as a request for enhancement. Sometimes, you can't tell if an "O" is an "O" or a zero is a zero. If we had a radio code, the person could correctly read that password and make sure that they're not fat-fingering it.
Chief Information Security Officer at a financial services firm with 51-200 employees
Real User
2020-03-08T10:06:00Z
Mar 8, 2020
The multilanguage functionality does not support the Arabic language, even though this solution is deployed in an Arabic region. However, it matches our criteria and requirements overall. One Identity is using a third party to create one-time passwords. Due to our security restrictions, we needed to build our own. When we discussed this with One Identity, "Why they don't provide a technology that can be hosted on our data center and be built by One Identity," they said they are using a third party. This was their justification, so I think it's based on their strategy and there's no harm using a third party. However, we were having an issue using a third party.
VP Risk Management at a financial services firm with 1,001-5,000 employees
Real User
2020-03-01T06:37:00Z
Mar 1, 2020
Some of the out-of-the-box reporting isn't that rich. We spoke to our Safeguard reps who have acknowledged that some of the reporting features can certainly be improved and that we're not the only customer who has cited this. There are very few out-of-the-box reporting capabilities. You have to build the queries and the report. I believe in the next release they're going to be addressing this.
The interface is better now, but it still could be improved a lot. It needs more organization, menus, automatic refresh of information, and Web 2.0. An official HashiCorp Vault connector would be very helpful inside the platform. SSH implementation is not 100% compatible with standard SSH (OpenSSH). For example: JumpHost. As a result, some options require manual tuning and complicated user-side configs, where it could be much simpler.
Expert Systems Architect at Tempur Sealy International, Inc.
Real User
2020-02-18T07:41:00Z
Feb 18, 2020
We tried the solution's "transparent mode" feature for privileged sessions. It ended up making a lot of Cisco Layer 2 configurations hard and was using a lot of ACLs to control the traffic, which we identified as a type of risk. In order for it to do production that would put an unnecessary burden on our network guys to configure it because that's thousands and thousands of lines of code that they'd have to update and change. We did use this feature for the PoC and that worked out well. However, for production, we are using the Remote Desktop Gateway feature. Transparent mode was too cumbersome, so I don't foresee us being able to use it. On paper when we were initially talking about it, it was definitely going to be the preferred method until we realized the burden it would be on our network guys. Then, we had to step back and reevaluate what we wanted to do. That's when we changed our approach to use the RD Gateway feature. I would like their transparent mode to have an easier implementation. If there was a way that we could do transparent mode without having to use ACLs that would be incredibly beneficial. They could do a better discovery to find out where service accounts are being used on non-Windows boxes, such as Linux. That would be a good benefit.
IT Security Consultant at a tech services company with 51-200 employees
Consultant
2019-11-04T06:15:00Z
Nov 4, 2019
I would like to see an adjustment with more enterprise architecture. Currently for SPS (Safeguard for Privileged Sessions) there is only a single appliance option (both virtual and physical). It can be scaled using a load balancer to handle a huge number of sessions (although the device is quite efficient), but it also means you will need to purchase multiple boxes. It would be beneficial to have segregated modules as an option and you could buy and implement them separately. For example: trap module (proxy), audit module (search interface), storage module (store and encrypt recordings), etc.
Security Business Consultant at a tech services company with 201-500 employees
Real User
2019-11-04T06:14:00Z
Nov 4, 2019
I've only been using the solution for a limited time, so in terms of speaking to improvements, I'm not sure I can say. I need more time with the solution to use it in order to properly evaluate it.
Management of the farm of appliances. When you have more than one server to handle the traffic, you need to configure everything on each console and maintain it separately. The cluster feature is coming in the next versions; until then you can handle it with some scripts, but it's not straightforward. In case you want to use a farm of appliances instead of one, you should consider this. Monitoring of the platform should be easier and more functional so that you can have a clear picture of the running service. Again, when you have a farm of appliances you need to have all the monitoring data centrally so you know what is happening with the overall service. This feature is missing. You have to go on each server to see what the status is there.
Head of Information Security at a financial services firm
Real User
2019-04-17T08:37:00Z
Apr 17, 2019
The technical support for this solution needs to be immediate, intuitive, and responsive especially as it refers to supporting ticket submissions and processing. Furthermore, we've had trouble understanding how certain policy frameworks apply. I would like to see clearly laid out policies or better support and explanations around policy dynamics. The stability and downtime of the solution could also be upgraded to include a messaging function which would give users a clear understanding of what's happening without having to navigate to a particular section of the page. Lastly, I would also like to see the price reduced.
* We have not yet found the solution to be extensible through cloud-delivered services.
* Our external indexers are able to integrate with a hardware security module (HSM), which is good. What we have now requested is the integration of HSM with the SPS solution to be able to not have to manage certificates and the private key outside of any tamperproof system.
* We would like to be able to generate certificate signing requests (CSRs) from the interface for certificates.
* We would like to be able to manage the lifecycle of the archived audit trails. If they are on the box, the cleanup and archiving policies are applied; as soon as they are archived on the external share, this does not apply. We need our customers to not have to manually delete these archives.
* From a web interface perspective, we would like to be able to duplicate connections, so we can reorder them.
There are some features which are still missing compared to other competitors. For example, some customers need legacy VPN authentication capabilities. The automated change of the passwords, which is now integrated, could be improved to be more flexible regarding different systems.
Feature-wise, right now, it has most of the features that we're looking for. It could improve a bit on the management side of things. One example would be when doing an upgrade. We have a highly-available appliance spare, and even though we have two nodes, there's no way to do an upgrade without taking everything completely offline. It would be nice if they could improve that.
One Identity Safeguard manages and monitors privileged access, enhancing security with features like automatic session recording, real-time monitoring, and credential rotation. It integrates seamlessly, supports compliance with audit trails, and improves operational efficiency across organizations. This robust platform significantly bolsters security protocols while controlling sensitive operations.
One Identity's support is not appropriately structured, and it has a lot of room to improve.
The GUI has room for improvement because it is confusing and cumbersome.