Please share with the community what you think needs improvement with One Identity Safeguard.
What are its weaknesses? What would you like to see changed in a future version?
There is room for improvement in the launch module. They built in a launch button but they don't have effective instructions for configuring it to allow it to launch an RDP session. They're working on that, but the button is in the live product. If they were going to install something that wasn't useful, they should have just disabled it and not rolled it out with the product. Because we don't tie it to an RDP session, you actually have to click the download button and then open the RDP session from there, versus just clicking the launch button and it automatically opening RDP.
From a usability perspective, what we are finding out is that our privileged domain admin users, in particular, want functionality for extending a checkout session. So we are working with One Identity support to see if there's an enhancement that can be made to the product. There is another area for improvement that I have sent over to One Identity. I said, "Whenever you check out a password, there should be a radio code associated with the password." That's something that we're trying to work on with them. It was submitted as a request for enhancement. Sometimes, you can't tell if an "O" is an "O" or a zero is a zero. If we had a radio code, the person could correctly read that password and make sure that they're not fat-fingering it.
The multilanguage functionality does not support the Arabic language, even though this solution is deployed in an Arabic region. However, it matches our criteria and requirements overall. One Identity is using a third party to create one-time passwords. Due to our security restrictions, we needed to build our own. When we discussed this with One Identity and asked, "Why don't they provide a technology that can be hosted in our data center and be built by One Identity?", they said they are using a third party. This was their justification, so I think it's based on their strategy and there's no harm in using a third party. However, we were having an issue using a third party.
Some of the out-of-the-box reporting isn't that rich. We spoke to our Safeguard reps, who have acknowledged that some of the reporting features can certainly be improved and that we're not the only customer who has cited this. There are very few out-of-the-box reporting capabilities. You have to build the queries and the report. I believe in the next release they're going to be addressing this.
The interface is better now, but it still could be improved a lot. It needs more organization, menus, automatic refresh of information, and Web 2.0. An official HashiCorp Vault connector would be very helpful inside the platform. The SSH implementation is not 100% compatible with standard SSH (OpenSSH). For example: JumpHost. As a result, some options require manual tuning and complicated user-side configs, where it could be much simpler.
We tried the solution's "transparent mode" feature for privileged sessions. It ended up making a lot of Cisco Layer 2 configurations hard and was using a lot of ACLs to control the traffic, which we identified as a type of risk. In order for it to go to production, that would put an unnecessary burden on our network guys to configure it, because that's thousands and thousands of lines of code that they'd have to update and change. We did use this feature for the PoC and that worked out well. However, for production, we are using the Remote Desktop Gateway feature. Transparent mode was too cumbersome, so I don't foresee us being able to use it. On paper, when we were initially talking about it, it was definitely going to be the preferred method, until we realized the burden it would be on our network guys. Then we had to step back and reevaluate what we wanted to do. That's when we changed our approach to use the RD Gateway feature. I would like their transparent mode to have an easier implementation. If there was a way that we could do transparent mode without having to use ACLs, that would be incredibly beneficial. They could do better discovery to find out where service accounts are being used on non-Windows boxes, such as Linux. That would be a good benefit.
I would like to see an adjustment with more enterprise architecture. Currently for SPS (SafeGuard for Privileged Sessions) there is only a single appliance option (both virtual and physical). It can be scaled using a load balancer to handle a huge number of sessions (although the device is quite efficient), but it also means you will need to purchase multiple boxes. It would be beneficial to have segregated modules as an option, so you could buy and implement them separately. For example: trap module (proxy), audit module (search interface), storage module (store and encrypt recordings), etc.
I've only been using the solution for a limited time, so in terms of speaking to improvements, I'm not sure I can say. I need more time with the solution to use it in order to properly evaluate it.
Management of the farm of appliances. When you have more than one server to handle the traffic, you need to configure everything on each console and maintain them separately. The cluster feature is coming in the next versions; until then you can handle it with some scripts, but it's not straightforward. In case you want to use a farm of appliances instead of one, you should consider this. Monitoring of the platform should be easier and more functional so that you can have a clear picture of the running service. Again, when you have a farm of appliances you need to have all the monitoring data centrally so you know what is happening with the overall service. This feature is missing. You have to go to each server to see what the status is there.
The technical support for this solution needs to be immediate, intuitive, and responsive, especially as it refers to support ticket submissions and processing. Furthermore, we've had trouble understanding how certain policy frameworks apply. I would like to see clearly laid out policies or better support and explanations around policy dynamics. The stability and downtime of the solution could also be upgraded to include a messaging function, which would give users a clear understanding of what's happening without having to navigate to a particular section of the page. Lastly, I would also like to see the price reduced.
There are some features which are still missing compared to other competitors. For example, some customers need legacy VPN authentication capabilities. The automated change of the passwords, which is now integrated, could be improved to be more flexible regarding different systems.
* We have not yet found the solution to be extensible through cloud-delivered services.
* Our external indexers are able to integrate with a hardware security module (HSM), which is good. What we have now requested is the integration of the HSM with the SPS solution, to be able to not have to manage certificates and the private key outside of any tamperproof system.
* We would like to be able to generate certificate signing requests (CSRs) from the interface for certificates.
* We would like to be able to manage the lifecycle of the archived audit trails. If they are on the box, the cleanup and archiving policies are applied; as soon as they are archived on the external share, this does not apply. We need our customers to not have to manually delete these archives.
* From a web interface perspective, we would like to be able to duplicate connections, so we can reorder them.
Feature-wise, right now, it has most of the features that we're looking for. It could improve a bit on the management side of things. One example would be when doing an upgrade. We have a highly-available appliance spare, and even though we have two nodes, there's no way to do an upgrade without taking everything completely offline. It would be nice if they could improve that.