What is our primary use case?
There are two parts to Safeguard: the sessions recording part and the password management appliance. With the password management appliance, we have been using version 2.10. For the sessions recording, we started off with version 6.2. It has new additions and updates which have come out, thus we've upgraded. Currently, we are up to version 6.5.
We are doing a sessions recording for all of our UAT and production servers. Therefore, if something breaks/happens or there's a change during the day without the proper change control mechanisms, we can determine the session by pulling the last session on the box and finding out who did what. Then, for the password part, it is used to consolidate enterprise-wide all our passwords for our 2000-plus server accounts.
We have five physical appliances for the password part. Then, for the sessions recording, there are three virtual appliances. We went with these particular versions because they were the latest and greatest. I like to keep things updated instead of dragging stuff out, which is how people get stuck with legacy devices unable to upgrade or with no upgrade path available.
How has it helped my organization?
It has greatly helped improve our security posture. Safeguard has an option where it will reset passwords on service accounts, then go out to those servers where that service account is running as a service and update the password on it. That makes password changes very easy. We can regularly change passwords now and are planning on making it an annual activity, where all the people who own service accounts will go in and make sure all their passwords get changed, updated, and reset. That's a huge scary stance right there because people leave the company and memorize all their passwords. Now, they're null and void, and we're in a far more secure place.
We are still building out the Safeguard behavioral analytics feature, but so far, it's pretty good about being able to detect nonhuman input. This has increased our security posture as well. It's really easy to use. Security guys are able to identify, "Why is this person logging into spots on the weekend when historically they've never accessed it on the weekend whatsoever?" We're able to keep watch as there is a lot better visibility of our environment.
What is most valuable?
The password part is the most valuable because we were going to start vaulting certain accounts to get a lot of passwords changed. Historically, we have had really stale passwords on non-human and service accounts. E.g., on one of our service accounts, the password hasn't changed for 17 years. It was not even that complicated or good of a password in the first place.
This solution has definitely helped us consolidate. It replicates to other appliances, so we're replicating to our DR site. Thus, if anything were to happen to our data center or personnel, whoever was trying to pick up the pieces and put the business back together would at least have all the passwords available to them.
The physical appliance form factors are pretty nice. They are definitely Dell inspired and easy to set up with accurate instructions. We have had no problems.
Regarding usability and functionality:
- It has a nice, clean interface.
- It's pretty direct and easy to personalize.
- Users can set up favorites on certain things that they request. Very often, they shortcut it. So, it reduces the clicks down to three clicks.
- You can have a password for any account.
- It's auditable, which makes the security guys happy.
What needs improvement?
We tried the solution's "transparent mode" feature for privileged sessions. It ended up making a lot of Cisco Layer 2 configurations hard and was using a lot of ACLs to control the traffic, which we identified as a type of risk. In order for it to go into production, that would put an unnecessary burden on our network guys to configure it, because that's thousands and thousands of lines of code that they'd have to update and change. We did use this feature for the PoC and that worked out well. However, for production, we are using the Remote Desktop Gateway feature.
Transparent mode was too cumbersome, so I don't foresee us being able to use it. On paper when we were initially talking about it, it was definitely going to be the preferred method until we realized the burden it would be on our network guys. Then, we had to step back and reevaluate what we wanted to do. That's when we changed our approach to use the RD Gateway feature.
I would like their transparent mode to have an easier implementation. If there was a way that we could do transparent mode without having to use ACLs, that would be incredibly beneficial.
They could do a better discovery to find out where service accounts are being used on non-Windows boxes, such as Linux. That would be a good benefit.
For how long have I used the solution?
What do I think about the stability of the solution?
The stability is very good. There have been no problems at all so far.
We have four administrators who do maintenance. One of them is the security guy. He will go in and through the audits, looking at session recordings. We also have it locked down so that only he can view these things. The three other admins, including me, are responsible for maintaining the product. We keep things up, making sure the Gateway works, and helping users troubleshoot if they have problems with the Gateway.
What do I think about the scalability of the solution?
It is very scalable. If we want to add another site or stand up another data center, we just buy a couple more appliances. Then, we set up a couple more session boxes and everything is covered.
So far, we are just using it for passwords, then passive session monitoring. Therefore, our usage is pretty minimal:
- Trying to track down people's accounts.
- Getting locked out because of user password changes.
- Not closing out of RDP sessions right. This is sort of a pain. However, people are getting better about logging off appropriately instead of just closing out the window.
We have about 140 end users because it is really just for our IT people. So far, businesses or anybody outside the IT organization doesn't even know the solution exists.
How are customer service and technical support?
I love the tech support guys. Anytime that I have a problem, I can always put in a ticket. They get back to me right away. We have access to the product team and their Level 3 engineers. I've suggested a couple of feature requests and improvements on the product, then within six months, they were able to put those into an update which was rolled out. So, they are very efficient and quick.
I was surprised because I have dealt with Microsoft support, and we all know how it is: It's pretty terrible. I've dealt with other support companies where you will get somebody with a thick Indian accent and spend 70 percent of the conversation making sure he said what you thought he said. However, with the One Identity folks, it was easy and quick. They're a great group of guys.
Which solution did I use previously and why did I switch?
PAM is totally new to our enterprise. Safeguard was definitely a cultural shift.
How was the initial setup?
The initial setup was very straightforward and only got complex as we added use cases. We added the complexity on ourselves, but the product itself is very straightforward. The deployment took five months.
The implementation strategy was:
- Setting up the sessions box.
- Ensuring it was set up once we received the Gateway configurations.
- Setting up policies and notifying people on how to change their Remote Desktop Client configurations.
- Shifting gears and switching over to trying to input all the service accounts and getting all the passwords loaded up into Safeguard.
After that, it was a done deal.
Our privileged users did complain and gripe a bit due to the deployment. At first, they made it seem like the solution was disruptive to them. However, as time went on, complaints went down. Therefore, I think they're used to it by now. They just needed to understand the new technology and get comfortable with it.
We really did have old passwords. People hung onto their processes and certain ways of doing things. When you asked them to change, they got grumpy. I knew that they were going to get a little grumpy, but I didn't know they were going to be that grumpy. They are over themselves now, especially since the director stepped in and said, "This is how it's going to be. Get used to it."
What about the implementation team?
We used One Identity Professional Services. They were great. We got the same guy who helped us roll out our Identity Manager. It was really good to work with the same guy. He was a familiar face, already very knowledgeable about the product, and very quick to get answers.
For the deployment, it took about five total people: a security guy, a network guy and a couple of infrastructure guys.
What was our ROI?
We were able to get rid of a couple of products, e.g., Identity Manager replaced FIM. Safeguard was totally new. Two-factor authentication has saved us from a couple of brute force attacks on a couple of our C-level executives. That was a pretty good return on investment. We have been able to protect ourselves against a couple of major compromises.
There have been at least three instances where 2FA protected us from compromises, and probably a whole lot more. It seems like people are constantly trying to hit, attack, and penetrate a lot of the things that we have on the perimeter and are Internet exposed.
What's my experience with pricing, setup cost, and licensing?
It is a bit on the pricey side, but you get what you pay for. You don't want to get anything too cheap because then you get cheap stuff and cheap support. That really never helps anybody.
There are other additional costs for some training on their other products because Identity Manager can get very involved. Once we got the products and licensing set up, everything else since then has been cake. I don't think we have been spending a whole bunch of money.
Which other solutions did I evaluate?
We didn't want to use a whole bunch of vendors. We had already picked One Identity for their two-factor authentication, Identity Manager, Cloud Access Manager, and Password Manager (self-service) solutions. We just sort of drank all the Kool-Aid.
We tried to look for a comprehensive product offering and One Identity was the only one who checked off all the boxes and things that we were looking at to roll down for the next five years. They are a great partner and always willing to work with us. They are awesome.
We did evaluate other vendors: Centrify, Okta, Azure AD, Azure 2FA, and Ping Identity. We were able to quickly rule them out, but these were the main competitors.
Azure AD is a lot of hype. It sort of sucks. The One Identity product works a lot better, as it's a lot easier to use and GUI-driven with a lot of wizards in it. Azure AD is a bit more complex and doesn't seem like it works all the time. That's why we didn't choose it. It seemed pretty unreliable compared to One Identity.
What other advice do I have?
Take your time. Talk to as many different aspects of the business in the company as you can. Get a lot of input from many people. Know how to sift through good and bad input. Use Professional Services, if you can. The tech on-demand services were much cheaper than their full-blown professional services. For the tech on-demand services, we never had to wait more than a few days for some type of response.
The training was pretty easy. There was a one-day training class for the admin. Then, for the users, there were a couple of Word docs that we circulated around which were good enough.
We have not integrated it with other parts of our business. It is standalone and independent.
More time is being spent because there are more steps to check out a password or if you get a password.
We have just started to really use the product. There is a lot of design, building, and configuring involved, so we have just started to truly take advantage of some of the features it has.
We haven't set up any type of approvals. We're pretty tight on who can see and request passwords in the first place. I would imagine at some point in time we'll probably end up utilizing the Approval Anywhere feature, just not right now.
As far as privileged access management goes, I'd rate it a nine (out of 10). So far, the product has been really easy to use and set up. I'd just make the rollout and implementation of the transparent mode better.