One Identity Safeguard Reviews

We use it to link our virtual systems. We have Windows and Linux, and we have some applications. We use One Identity Safeguard to connect to them. We also use Password Vault, and we do session monitoring.

I am one version behind the latest version. I usually wait before doing an update to make sure that there are no problems with the new release.

One Identity Safeguard helps with accountability. We now know which person is accessing which machine. It also helps to make sure that they are secured, and that everyone knows what changes they need.

We have used the transparent mode and non-transparent mode for privileged sessions. The transparent mode is more difficult than the normal mode, but with the help of the documentation, we figured out how to do the necessary configuration and use this mode. Generally, we use the normal mode. We do not use the transparent mode. 

We use the Secure Remote Access feature for privileged users. It was very easy to manage remote access for privileged users by using this feature. When our users cannot be physically present at our place, they can access the resources using the Starling account. It is easy.

The Secure Remote Access feature does not make use of a VPN. This is very important for us because there are some problems with using VPN, so it is easier to use something like Starling. We can be sure that our users can access the network even from home and that the sessions are secure.

I have worked with other One Identity solutions. I have used One Identity Defender, One Identity SPP, and One Identity SPS. They worked very well for our users. We also use the authentication service to control the Linux machines with Active Directory accounts. They work well with each other. I have also used Safeguard Remote Access. I tried its features with Safeguard to allow our users to connect to the sessions by using the cloud so that they do not need to log in to the company servers.

One of the most important aspects is that it is very easy to use and install. It is also agentless, so all of the operations happen more smoothly than any other product. Our end-users find it easy. They have a web application. They only need to enter the credentials, and they can access the Safeguard session. They can use it very fast without any problems. Its learning curve is very low.

We can discover Windows and Linux machines, but we would also like to discover databases. It is very important for us. I have heard that in the new version, we can discover databases, but I have not tried it yet, so I am not sure if the new version does it properly or still needs some work. 

We would like to have the option of importing assets by using the CSV file. It was available in the earlier versions, but it is not available now.

I have been using this solution for about two years.

It is very stable. They always release new updates if there are any issues. For example, for the Log4j issue that happened a couple of months ago, they released an update to solve the issue and make sure that no user is affected by it. It is based on the Linux machine, so it is very stable.

I did not face any problems. It is very scalable, and it can be used for a small company or a big company without any problems.

Currently, there are about 20 users who are using it.

We have used their regular support, not the premier support. When we have any problems related to it, we open a ticket. They always help us. We might have to provide them with additional things so that they are able to troubleshoot better, but they are always helpful. I would rate their support a 9 out of 10.

Positive

We did not use any other solution.

The initial setup is straightforward. We have two installation types. We have Safeguard for Privileged Passwords and Safeguard for Privileged Sessions. For Safeguard for Privileged Passwords, we just need to import and the whole organization will be done. The process for Safeguard for Privileged Sessions is also simple. There are no problems.

The deployment duration depends on the number of systems, the number of users, and the number of applications. In a small company, it might take about two weeks or three weeks.

The deployment did not affect our privileged users. We just needed some time to get used to it. We were not using any PAM product before, so it took some time to get used to using it. It is more restrictive than the Active Directory system, but it is for the best.

For managing and deploying the solution, I took technical training. It was about five-day training with One Identity. After that, I started its deployment. In case of any problem, we could check several resources. We could check the administration guide or forums. We could also open a support ticket with One Identity. For the end-users, I gave the training, and it took one or two days at the most.

I deployed it myself.

We checked out a couple of solutions, but I was not a part of the selection process.

It is a very easy solution. In case of any problem, you can contact the distributor or the vendor, and they will help you.

I have worked with physical and virtual appliances. We went for virtual appliances because they are easy for us. We have servers in our company, so we have the space and resources to install them.

I would rate One Identity Safeguard a 10 out of 10. I have used it for some time, and I enjoyed working with it.

We are using the virtual appliance. We are a cloud company working widely with virtualization. We provide virtual machine to our customers. When we deploy a new solution, we try to use our system to show our customers that it works for them. That is why we are using a virtual appliance which validates the usage.

For now, we are using it for traceability of access inside the platform because we are a certified company: ISO 27001, SecNumCloud, HDS... We use this solution to monitor the session of our administrator and also to capitalize on incidents. When you have an incident in the night and our Level 3 people are working on it, they don't have the time to document all they do on the platform. The main goal is to have the service up as fast as possible. We are now recording the session, and the morning after the incident, we can see the session and understand what has been done to resolve the incident.

We are using the latest version of Safeguard.

When we are asked to do an investigation for a server, we have all the information that we need. We never have any problems as all the information is available to us.

The transparent proxy is the most valuable feature. When you are connecting to a server inside the platform, the user doesn't need to change their habit. They just have to make small configurations to their workstation, then it is transparent for them. Our users like the solution because it's transparent. Users doesn't need to have interaction with 3DS OUTSCALE IT or security team to work as usual. It's interesting for the users because they don't have to think, "I have to note all that I've done during the incident to remember it".

We use the solution’s “transparent mode” feature for privileged sessions. It is very easy because it is only a simple configuration for our users. We don't have to modify our network. We install it, configure it, and it works. So, it is super easy. The rollout for our users is seamless.

The "transparent mode" allows for better visibility. With its monitoring, we can do investigations which are good for us and improve our system.

The interface is better now, but it still could be improved a lot. It needs more organization, menus, automatic refresh of information, and Web 2.0.

An official HashiCorp Vault connector would be very helpful inside the platform.

SSH implementation is not 100% compatible with standard SSH (openssh). For example : JumpHost.

As a result, some options require manual tunning, and complicated user-side configs, where it could be much simpler

We have been using it for a long time: six years.

It is very stable. We have never had incidents with it. When we lost a connection with our Active Directory, the system continued to work. When we lost the storage on the virtual appliance, we restarted it, then it was fine. Thus, the product is very stable. 

One or two people are needed for deployment and maintenance. For the deployment, it's done by the security team for now. However, in the near future, it will be managed by the operations team.

We upgrade about every two months the latest version.

We don't use the scalability. When we need a new appliance, we deploy it inside another network. We don't need scalability for now, but if we grow quickly, we will need to think about it.

We have about 50 users inside the company, including the security team, operations team, infrastructure team, and Level 1 support.

We are using 75 percent of the parallel session unless there is an incident, then we can use all the slots.

I used the technical support once. It was good. I had the answer to my question quickly. I have direct access to the pre-sales team and my account manager. So, I called in and my problem was solved.

Yes but we had to quit it because they didn't have what we needed and it was very expensive. 

In the beginning six years ago, we started with a small instance. We used it very simply and learned how to manage it. 

With the newest version that we massively deployed, we had one week to know how to install it and how it works. Now, we know how it works very well.

Install is fairly simple, with basic options.

Configuration requires a little explanation on the way it works but is straightforward too.

We deployed it ourselves.

We have seen ROI in terms of time. It's easier for us to investigate incidents, which is helpful. It has improved our performance with investigations. It used to take a month to write an incident. Now, it takes us a week, cutting the time down by a fourth.

Our licensing costs are on a yearly basis.

We evaluated CyberArk, which was pretty good, but it is very expensive. CyberArk's interface was better. Also, CyberArk's login was not so transparent. We chose One Identity because it has a transparent login in interruption in the network.

When you use Safeguard in production, it provides traceability and protection around your platform.

I would rate the solution as a seven (out of 10) because of the interface.

I have seen the future of analytics, and it's very interesting. I hope to have the time to try and learn something about that.

We use this solution to control the access of privileged users, such as application administrators, to the internal network. This solution allows us to record and log user sessions.

We use virtual appliances on the VMware platform. The virtualization of such services allows us to flexibly scale our hardware configuration and gives significantly more opportunities for building a stable structure. 

This solution allowed us to provide remote access to the company's internal infrastructure in the context of the COVID-19 pandemic. It made this access more transparent and controlled for information security departments.

We easily integrated this product with our SIEM system for collecting events. Thanks to this integration, we were able to build convenient, regular reports on privileged user connections. Therefore, our information security units can better see who is connecting to the remote infrastructure.

The most valuable feature is the logging sessions with their visualization, which is video recording. This functionality allows us to restore the actions of a user in the event of any incidents.

The solution transparently integrates into the infrastructure and users do not notice it. I would give this feature the highest rating.

While the "transparent mode" feature did not affect the monitoring in any way, it led to an increase in the convenience of connecting users.

This solution visualizes RDP sessions and logs SSH sessions.

I would like to see support for RDP over HTTPS so this product can be used in conjunction with the Microsoft terminal.

I would like to visualize SSH sessions.

I would like built-in traffic balancing mechanisms with the built-in load balancing mechanism when using several instances.

About four years.

Over four years of use, we have not encountered a single system crash or failure. The product is stable.

When increasing the number of users, we can rather easily add to virtual appliances processors and memory, or disks for storing records, which is more difficult to do on a hardware (physical) appliance.

We have two administrators involved in the deployment, configuration, and maintenance of this solution. During the peak of the pandemic, we had up to 3,000 users connected through the solution and able to work from home.

We have used One Identity’s tech support. I would rate it as excellent. They answer all the questions asked of them quickly and efficiently.

We did not previously use a different solution.

The virtual appliance is deployed from the delivered image without any problems. The setup takes about 15 to 20 minutes, including initial setup and configuration. It also is available to any admin user with Unix competencies.

We use the “transparent mode” function to connect administrative users via SSH to the Unix servers. We did not encounter any problems when setting up this feature, as everything was easy. The solution is well-documented and quite understandable when setting up.

It took about one or two working days to administer the solution, read the documentation and settings, and test various configuration options. It was not very difficult. For our users, there were no special nuances since the connection is transparent. They do not understand nor see that they are connecting through the One Identity Safeguard space.

Our implementation strategy was to use this solution to control remote sessions of privileged users, first with our IT support staff. Now, we use the product for this purpose. In general, the strategy was a success.

There has been a lack of losses, since controlling the actions of privileged users is primarily to minimize risks and create an absence of losses.

Licensing and pricing are quite straightforward. The number of recording channel licenses depends on the needs of the customer. I would suggest estimating the number of concurrent sessions per unit of time and proceed from there when purchasing a license.

We evaluated Safeguard and another product. We ultimately chose Safeguard.

Safeguard is an external (in relation to controlled systems) solution which allows you to record sessions. Its competitor was an agent solution that was put on target servers. With the competitor's solution, there was a risk of disconnecting of a privileged user's recording.

Clearly assess your needs and formulate the necessary requirements, then proceed from there with the selection of an appropriate solution. In our case, One Identity Safeguard became this solution. However, this solution is not a panacea for all ills. It is possibly you’ll find that a different solution is more suitable.

I would rate the solution as a nine (out of 10). In order to rate it as a 10, it should have what I would like to see in its coming new releases.

Foreign Language: (Russian)

Как и для чего вы используете этот продукт?

Мы используем это решение для контроля доступа привилегированных пользователей, таких как администраторы приложений, к внутренней сети. Это решение позволяет нам записывать и регистрировать пользовательские сессии.

Мы используем виртуальные устройства на платформе VMware. Виртуализация таких сервисов позволяет нам гибко масштабировать конфигурацию нашего оборудования и предоставляет значительно больше возможностей для построения стабильной структуры.

Как это помогло моей организации?

Это решение позволило нам обеспечить удаленный доступ к внутренней инфраструктуре компании в контексте пандемии COVID-19. Это сделало этот доступ более прозрачным и контролируемым для отделов информационной безопасности.

Мы легко интегрировали этот продукт с нашей системой SIEM для сбора событий. Благодаря этой интеграции мы смогли создавать подходящие регулярные отчеты о привилегированных пользовательских соединениях. Поэтому наши подразделения информационной безопасности могут лучше видеть, кто подключается к удаленной инфраструктуре.

Какие функции вы нашли наиболее ценными?

Наиболее ценной функцией является регистрация сеансов с их визуализацией, то есть запись видео. Эта функциональность позволяет нам восстанавливать действия пользователя в случае каких-либо инцидентов.

Решение прозрачно интегрируется в инфраструктуру, и пользователи этого не замечают. Я бы дал этой функции самый высокий рейтинг.

Хотя функция «прозрачного режима» никак не повлияла на мониторинг, она привела к увеличению удобства подключения пользователей.

Это решение визуализирует сеансы RDP и регистрирует сеансы SSH.

Что нуждается в улучшении?

Я хотел бы видеть поддержку RDP через HTTPS, чтобы этот продукт можно было использовать вместе с терминалом Microsoft.

Я хотел бы визуализировать сессии SSH.

Я хотел бы использовать встроенные механизмы балансировки трафика со встроенным механизмом балансировки нагрузки при использовании нескольких экземпляров.

Как долго я использую этот продукт/решение?

Около четырех лет.

Что я думаю о стабильности этого продукта/решения?

За четыре года использования мы не встретили ни одного сбоя или сбоя системы. Продукт стабилен.

Что я думаю о масштабируемости решения?

Увеличивая количество пользователей, мы можем довольно легко добавить к виртуальным устройствам процессоры и память или диски для хранения записей, что труднее сделать на аппаратном (физическом) устройстве.

У нас есть два администратора, участвующих в развертывании, настройке и обслуживании этого решения. В разгар пандемии у нас было до 3000 пользователей, подключенных через решение и способных работать из дома.

Как бы вы оценили техническую поддержку этого продукта/решения?

Мы использовали техническую поддержку One Identity. Я бы оценил это как превосходное. Они отвечают на все заданные вопросы быстро и качественно.

Какое решение я использовал ранее и почему я переключился?

Ранее мы не использовали другое решение.

Как прошла начальная настройка?

Виртуальное устройство развертывается из доставленного образа без каких-либо проблем. Настройка занимает от 15 до 20 минут, включая первоначальную установку и настройку. Он также доступен для любого администратора с компетенцией Unix.

Мы используем функцию «прозрачного режима» для подключения административных пользователей через SSH к серверам Unix. При настройке этой функции проблем не возникало, так как все было просто. Решение хорошо документировано и вполне понятно при настройке.

Потребовалось около одного или двух рабочих дней для администрирования решения, ознакомления с документацией и настройками, а также для тестирования различных вариантов конфигурации. Это было не очень сложно. Для наших пользователей особых нюансов не было, так как подключение прозрачно. Они не понимают и не видят, что они соединяются через пространство One Identity Safeguard.

Наша стратегия внедрения заключалась в том, чтобы использовать это решение для управления удаленными сеансами привилегированных пользователей, в первую очередь с нашей службой поддержки Информационных Технологий. Теперь мы используем продукт для этой цели. В целом стратегия имела успех.

Какой была была ваша прибыль на инвестиции в One Identity Safeguard?

Мы не испытали никаких потерь, поскольку контроль действий привилегированных пользователей в первую очередь сводит к минимуму риска и создает отсутствие потерь.

Какой у меня опыт работы с ценами, стоимостью установки и лицензированием?

Лицензирование и ценообразование довольно просты. Количество каналов регистрации лицензий зависит от потребностей заказчика. Я бы посоветовал оценить количество одновременных сеансов за единицу времени и перейти оттуда к покупке лицензии.

Прежде чем выбрать этот продукт, вы оценивали другие варианты?

Мы оценили Safeguard и другой продукт. В конечном итоге мы выбрали Safeguard.

Safeguard - это внешнее (по отношению к управляемым системам) решение, которое позволяет вам записывать сессии. Его конкурентом было агентское решение, которое было размещено на целевых серверах. С решением конкурента был риск отключения записи привилегированного пользователя.

Какой еще у меня совет?

Четко оцените свои потребности и сформулируйте необходимые требования, а затем приступайте к выбору подходящего решения. В нашем случае One Identity Safeguard стал таким решением. Однако это решение не является панацеей от всех болезней. Возможно, вы обнаружите, что другое решение более подходит.

Я бы оценил решение как девять (из 10). Чтобы оценить его как 10, у него должно быть то, что я хотел бы видеть в его будущих новых выпусках.

We primarily use the solution to manage passwords and use for the RDP access. 

Our infrastructure is three SPPs and two SPSs. This is across 1,000 users and approximately 500 targets. 

Safeguard can define and update processes and procedures into the security framework of a company, including mobile. It allows us to change the policies and configurations on a mass scale in regards to security.

The most interesting thing about this product is it is very easy to implement and configure as well as its usability. Also, for the final user, the work experience doesn't change when using the SPS for the Linux administrator, which is fantastic. You change only a little bit of the connection. Everything else is really easy.

I just received a question from a customer in regards to a connection with Oracle OID. I tried to integrate Safeguard with the Oracle YAML as well as something else to manage the groups and users from a different system, like AD or LDAP. This one feature could be better. At this moment, the platform system can only use the integration with LDAP or AD. The software for research and development to create a connector to a YAML platform can be very complicated.

I started using it two years ago.

It is a very stable system. There are no problems when using the platform.

The scalability is fantastic. It is very easy to connect and use the solution, if you need it.

There are two different supports: one for SPS and another for SPP. The technical preparation of the support is very high. They have very quickly given me the solution for a couple of issues that I have seen.

We switched from CyberArk to Safeguard. In order to manage CyberArk, it is a very big effort. The platform is very complex. The management system of Safeguard is very easy. Also, the configuration for the targeted user is easier in Safeguard rather than CyberArk. Lastly, the cost of CyberArk's licensing is very expensive.

We try to understand what the customer needs in order to fit the solution for what they want, then we plan all the activities based on that.

We can deploy the system in a couple of days, then the system is up and running. The next step is importing the whole system. The time frame of this depends on many targets the customer has, but it doesn't take too long.

I work at a system integrator, designing and implementing the solution for our customers. I think our customers see a return of the investment using this solution.

Safeguard is cheaper than CyberArk.

It is a good solution. There is no limit to its usage in a company, e.g., IT or financial.

Check the basic rules in the documentation because the solution is easy to use.

I would rate the solution as 10 out of 10.

The primary use case for our One Identity Safeguard solution is to optimize security across private accounts, accounts which can be secured upstream and downstream. The solution enables us to implement encryption protocols across channels. It is designed so that depending on the cryptographic case, different policies can be applied in correlation. 

I don't think it's improved our organization internally. I've had to suspend workflows and focus my time and attention on creating technical, instructional, documentation regarding user procedures and practices.

The majority of the features offered with this solution are the same as with other similar systems. The most unique and valuable features are the upstream and downstream throughput capacities; the Safeguard platform provides agile integration.

In actuality, all the features are valuable. They're good and user-friendly.

The technical support for this solution needs to be immediate, intuitive, and responsive especially as it refers to supporting ticket submissions and processing.

Furthermore, we've had trouble understanding how certain policy framework applies. I would like to see clearly laid out policies or better support and explanations around policy dynamics.

The stability and downtime of the solution could also be upgraded to include a messaging function which would give users a clear understanding of what's happening without having to navigate to a particular section of the page.

Lastly, I would also like to see the price reduced.

It's very stable. There are about 150 users, mostly administration, currently using this solution in our company. We don't encounter many problems with the system.

I am encountering issues when it comes to the scalability of the solution.

Our experience with technical support has been disappointing. We require more prompt and faster response times. We require answers to our questions right away but we haven't received that level of support.

The initial setup was very easy. We followed the given instruction protocol. We also used white papers when necessary for clarification and better understanding. It only took us one month to implement.

We used an integrator for the deployment. It was a good experience. 

Setup cost, pricing and licensing are all very expensive.

We are very pleased with the Safeguard platform feature. You can't find this technology anywhere else.

On a scale from one to ten, one being the worst and ten being the best, I would give this product a nine rating. If the technical support was better I'd give it a 10 out of 10.

We use Safeguard for privileged sessions. It's primarily used as a solution for accessing our production environments.

We were able to take an environment where we had several hosts managed by different people and consolidate that into a single, centrally managed solution.

The extensible framework for authentication is one of the most valuable features. We use an MFA plug-in and a lot of different factors, depending on what the business use-cases are. And of course, the auditing functionality is also valuable.

We have also found the solution to be extensible through cloud-delivered services. It's worked out well. The SPS instances we use are located on-premise, but we can still utilize them to access resources in the cloud. That's not a problem. We haven't deployed any SPS itself in the cloud, but it works fine for our cloud environments.

Feature-wise, right now, it has most of the features that we're looking for. It could improve a bit on the management side of things. One example would be when doing an upgrade. We have a highly-available appliance spare, and even though we have two nodes, there's no way to do an upgrade without taking everything completely offline. It would be nice if they could improve that.

The product has generally been stable. We have had some issues, mainly due to the types of traffic. Our end-users are doing different things through SSH tunnels that were not expected on the appliance. We've been working with support to resolve that.

The product is scalable.

Tech support has been great. They've been responsive and knowledgeable, so we've been happy with them.

It took us about three or four weeks for the initial setup and deploy. Part of that was developing a plug-in for the multi-factor authentication. We were able to do it in a way that wasn't disruptive, with our current infrastructure. At their discretion, the end-users were allowed to move over, one-by-one. After we deployed it, it took about two months for all of the users to actually migrate over to using it.

The three main use cases that we have are:

1. Ensure our human and non-human privilege accounts are locked up in a password vault. 
2. Have workflows to handle the major types of usage, such as break glass and business as usual. 
3. Changes in usage of the credentials are tied into approved change requests. 

These drive our first goal to take all our privileged users on the help desk, our local accounts on our desktops, our servers (web servers, app servers, or database servers), and individuals in our network group who do our firewalls, then migrate all these human accounts into Safeguard Password Vault. Last Fall, we went group by group and revised their accounts. We took away any type of privilege account that they had, ensuring that all of these accounts were then migrated to the Vault. They could then check out passwords to facilitate any type of privilege activities they needed to do on behalf of the bank.

We use virtual appliances for this solution, which made sense for us, especially if we will plan to perhaps migrate to the cloud. Right now, it's all virtualized on-premise.

Anytime new tools and technologies are being brought into the bank, the biggest impact is to the process, procedures, and culture. There is a culture change when any new technology gets rolled out. This solution changes the way we have done the business for many years. We're taking a very controlled, conservative approach in how we roll the technology out.

It is working as it's supposed to work. We had a lot of good support from the One Identity team who helped us build it and do a test. 

We are able to log and get reporting on all privileged activity that is being performed. We like the fact that we can leverage the session recording feature, which is especially valuable when we're dealing with third-party vendors that have to remote into our our boxes and servers to do any work on behalf of the bank. Now, we can record everything they are doing to ensure that they're only doing the changes that were needed. In addition, we use it to leverage knowledge transfer with our internal staff.

We use the solution’s Approval Anywhere feature. We do have the Starling 2FA app on our mobile devices. We haven't rolled out the request and approval yet. We want to get people to use it in their daily functions, whether it's business as usual work, break glass, or any changes that they need to make tied into an approved formal change request. Starting in April, we will be rolling out the request and approval phase. Based on the type of change being requested, break glass will need to be approved, especially if they're doing it during the daytime or off-hours. Then, we will have change requests tied into our change-advisory board. Once there's a change that's approved via our CAB process, then that person will be allowed to check out the credentials they need and tie it back into the ServiceNow ticket that was created. This gives us the audibility between when that change was being made and ensuring that it's being performed for its intended purposes. We are taking a crawl-walk-run approach.

Some of the out-of-the-box reporting isn't that rich. We spoke to our Safeguard reps who have acknowledged that some of the reporting features can certainly be improved and that we're not the only customer who has cited this. There are very little out-of-the-box reporting capabilities. You have to build the queries and the report. I believe in the next release they're going to be addressing this.

We have been using Safeguard in a production capacity for about nine months now.

We haven't had any problems at all. 

There was one issue where we had to put a certain fix on and were able to work with the One Identity people. We downloaded the fix and put it onto our dev environment. After it was baked into our dev environment for a day or so, we then scheduled that change to go live into our production environment. That went very smoothly.

Two people are needed for deployment and maintenance. They're both in the cybersecurity area. There's a manager along with a senior cyber security analyst who runs the platform.

The tool does everything that it is designed to do. It is one of the leading privileged access management products out on the market. They rebuilt the whole product, giving it a nice brand a new clean user interface, which is very user-friendly and easy to use. One Identity has done a very good job taking the old product, TPAM, and doing a whole refresh of that tool. We're very happy with the Safeguard product.

We have approximately 50 to 60 human privilege accounts whose roles are everything, everywhere. From the information security department to the desktop people, there are about 12 users in that area. There are about 20 people who comprise our IT engineering group and another 15 or so who comprise our network team. Then, there are the third-party users who have to login on behalf of the bank to do changes for us, which is another 10 or so privileged accounts which have been setup for a one-time usage when a third-party vendor needs to remote into our system. Crawl-walk-run impacts about 30 percent of all the changes being made. Most changes are made to the production environment and need to be done with a privilege account.

I would rate the technical support as very good and strong. We're happy with the support we get from our One Identity team. We see it as something that will be accepted more as the culture changes at the bank. We did the human accounts first because with the non-human service accounts there have been challenges this year. You have to tread water very slowly since you have to do a good analysis and understand what these non-human service accounts are used for. It's not just a simple lock them up in a vault type of scenario. It will take us a bit more time to put a plan together beginning in the second quarter to address the onboarding of these non-human service accounts into the password vault.

There wasn't much training required for those who manage the product. It was pretty straightforward. We did do training though. We had a training manual as well as a hour training class with various user groups. Our hour training, manual, and how-to guide along with being able to support issues/concerns via our cybersecurity team was beneficial to the success of the implementation.

We did not use another solution previously.

Prior to this Safeguard implementation, we did not know when somebody was using their elevated privileges to do certain features or functions. We only hoped that it was according to whomever the change request was associated. Now that we're able to audit log and record what is being done, we can play back all the sessions to make sure no type of unattended usage of the privilege or elevated credentials were being used. From securing the bank standpoint, it has helped tremendously.

The team shared with us that the initial setup was pretty straightforward.

The deployment took no more time from when we got the servers brought in to when got the software installed. This took a few weeks to get it up, configured, and customized for our needs. Then, there was some sandbox testing which was done, then we started the pilots within the first three months of having the solution stood up.

Anytime you are putting in a deployment change that affects privilege users, it's going to create some problems. That's why we took a very slow approach of taking one user from all of our various groups. We had one person from each of our teams: desktop, network, and IT engineering. We worked with them for about a month. We tried to shake out any bugs and issues that they would have before we gradually rolled it out to others. 

People are very adverse to change. When you have this type of a solution, the technical capabilities of the product along with all the process change creates some issues. However, we expected that.

My role was as head of identity and access management to work in concert with our cybersecurity manager. It is his team who owned and rolled out the technology to the bank. My responsibility was making sure from an identity and access management process that the procedures had been in place and they satisfied our internal and external audit requirements. I'm more of the process guy, not the technician.

Being in information security, anytime you can sit down with the board of directors, and say "We now have a more secure bank," there is ROI. The reason: The biggest threat to any bank is an insider threat. Now, with our privileged access, we have them logged, recorded, and locked up in a password vault so we know who's making changes, when they're making change, and why they're making changes. This helps greatly improve the security posture of the bank. That's what we use to sell and justify that it was a good investment for the bank.

In addition to Safeguard, we looked at a product by the name of CyberArk and one by the name of BeyondTrust. These were the three products that we brought in for a proof of concept. In the summer of 2018, we made the decision to go with Safeguard. Then, between June and July 2019, we had it up and running, starting pilots and rolling it out accordingly.

When we did our scoring criteria on the three products, all the products were very close. What it came down to was price. We had individuals on the cyber team who had previous experience with the One Identity Privileged Access Management product at that time, which was called TPAM back then. Those individuals had a very good relationship and understanding of that tool. This weighed into our decision as well as cost to go with the One Identity Safeguard solution. It was definitely cheaper than the other two products that we evaluated.

The solution is part of our identity and access management product. We use Saviynt as our identity, governance and administrative tool. We certify all privilege accounts on a schedule basis. There is some integration with our identity and access management platform/program at the bank. It allows us to be in a position where we can identify and detect as well as prevent any type of privilege act that's being used as a threat at the bank. The integration was easy. It didn't pose any problems.

We have had a mixed bag regarding the solution’s usability and functionality. We have had some people who said that the tools worked nicely. They checked out their credentials every morning, use them for the better part of the day. We set the duration for eight hours. Once somebody checks out something in the morning, they pretty much use that password for the entire day. For some groups, this created a problem because of the type of work that they do, such as long running processes. We've had some issues where their password expired while a process was still running. We had to work with our IT engineering group to come up with a different type of the duration for their needs. One Identity has been very good at working with us to help us through these use cases. 

Understand each use case very carefully and thoroughly. This changes the way someone conducts their business. We had to be cognizant of the impact to our day-to-day operations. If I could do it all over again, I would spend more time understanding the impact of a security tool, such as a privileged access management solution. I think we could have done somethings better than we did.

We haven't started to use the solution’s behavior analytics feature, but as we start building up some data, then that puts us in a position to be able to identify any type of exception or anomalous behavior. We haven't built up enough trending data to leverage that functionality at this time.

We are very happy with the tool. I would rate the solution as an eight (out of 10).

We use the on-demand version. We use the solution for monitoring and connection to the customer's server for Windows and Linux.

It's easier to connect to the server and it makes it more secure. We've seen about a 40% improvement in that regard.

The monitoring system is very good.

It has a very nice user interface.

The product is very fast to implement.

We use the solution's transparent mode for privileged sessions.

There is a lack of documentation and many problems with the plugins.

I did run into problems with transparent mode for privileged sessions. We didn't connect correctly to the server. It was an issue we had with the customer's server, not the product itself.

The security of the connection could be improved. 

I've been using the solution for one year. 

It's not completely stable. Sometimes the newest version does not support an older version.

The solution is not so scalable. 

Mabe 20 or so users are leveraging it in our organization. They are admins. 

We use regular support. The response times are too long. Sometimes it could take days. 

Positive

I previously used CyberArk. I changed companies, and now I work with this product. I find Safeguard to be easier to implement, however, it does lack documentation.

It is fast to implement. 

While the process is not technically complex, there was a lack of documentation and we had to figure out how to do it ourselves. The deployment took three weeks. We had two people working on the process.

We have yet to witness an ROI.

The solution is offered at a good price. We pay a monthly fee. I'm not sure of the exact cost we pay.

I'm a product partner. 

We are using the latest version of the solution. 

I have yet to use the cloud assistant feature, so I can't say much about that aspect of the solution. We also do not use the solution's secure remote access feature for privileged users. We don't have it integrated with DevOps or RPA.

While basic knowledge is important, there isn't much training required to start using the solution. 

I'd rate the solution six out of ten.