External reviews are not included in the AWS star rating for the product.
My main use case for One Identity Safeguard is using only one module for privileged session, which we use for admins and contractors.
A quick specific example of how my team uses One Identity Safeguard day-to-day is that we use only the second part for our contractors, not for admins in our company, but for companies that help us perform admin work and support our system.
The best features One Identity Safeguard offers include video recordings to help us control our support risks.
Accessing and reviewing those recordings when needed is easy, and there are no problems with recording or reviewing.
One Identity Safeguard has positively impacted my organization by helping us manage risk. We have this product as Balabit, which is a good product that is very light and helps us check or assist with our needs.
One Identity Safeguard could be improved with a password manager and an identity manager as one big access management system.
I believe improvements could be made around integrating with other tools.
I have been using One Identity Safeguard for eight years.
I rated One Identity Safeguard nine out of 10 because the stability and control could be better, as there are some problems with stability and errors when we use it.
As my organization grows or my needs increase, it is easy to add more users or expand the use of One Identity Safeguard, and that experience has been good.
I would rate the customer support for One Identity Safeguard as eight on a scale of one to ten.
Positive
I did not previously use a different solution before One Identity Safeguard.
The deployment of One Identity Safeguard solution took one or two days.
The deployment affected my privileged users in a way that was pretty smooth.
Before choosing One Identity Safeguard, I evaluated other options based on simplicity, price, and functionality.
Feedback from users regarding One Identity Safeguard's usability and functionality is that it is a good product and very simple to use.
My advice for others looking into using One Identity Safeguard is that it is a great solution for simple tasks, with a good price and good functionality.
My company does not have a business relationship with One Identity Safeguard vendor other than being a customer.
I rated this review nine out of ten.
My main use case for One Identity Safeguard is session management and password vault.
A specific example of how we use session management and the password vault in my day-to-day work is that whenever any admin of our company wants to join an RDP or any session with root access, they receive a password that is automatically rotated by One Identity Safeguard, so the password does not get leaked, and most of our sessions are more private and safer this way.
The main feature that we appreciate about One Identity Safeguard is the password rotation system, which helps our team obtain the password immediately, and it always rotates automatically, so it saves our passwords.
The best feature One Identity Safeguard offers is their integration system with their other platforms like OneLogin.
The integration with other platforms, such as OneLogin, helps me and my team because whenever any admin of our company has to log in, they authenticate through the OneLogin auth system and can authenticate themselves easily.
I believe the auditing system is also effective when it comes to One Identity Safeguard. It keeps a record of everything that has been done in that particular session.
One Identity Safeguard has positively impacted my organization by ensuring that most of our passwords are secured and no one receives extra authorization for any more detailed work. If anyone has to do some particular job, they receive access for that particular job or particular thing only, not the whole admin access.
This has led to fewer security incidents and has helped with compliance in many ways, especially in the session management aspect and RDP management. Whenever someone receives a session, we have the entire recorded documentation of that whole session so that we can maintain compliance and keep our policy strict.
One Identity Safeguard can be improved in their pricing because they are somewhat more expensive.
I have been using One Identity Safeguard for about nine to ten months.
One Identity Safeguard is stable.
The scalability is quite easy to manage with One Identity Safeguard.
I believe their support system is good, and most of the features of One Identity Safeguard are better than other platforms.
Their customer support is good and available 24/7, so there is no problem in that area.
Apart from its customer support being good, I do not have any additional thoughts about One Identity Safeguard. It is quite expensive, and that is the downside. That is the only downside that I have in mind, and most of the things are good.
Positive
We did not use any solutions related to this previously.
The deployment of the solution took about one or two weeks.
The deployment affected our privileged users with a learning curve, so they had a hard time learning all of those features, but eventually, we got through it.
For those who manage the solution and for end users, not much training was required to start using One Identity Safeguard. End users needed about two to three days, and they understood the fundamentals. The developer had to go through more extensive training, about one week or more.
We have seen a return on investment mainly in security, and we have improved substantially, saving a lot of time as well. When something gets leaked, we have to arrange a meeting and handle other matters, and that was a waste of time. That has been reduced considerably.
My experience with One Identity Safeguard's pricing, setup cost, and licensing is that it is quite expensive. The setup cost was high, but eventually in the long run, it is good.
Before choosing One Identity Safeguard, we evaluated other options, such as Microsoft's Entra PIM and BeyondTrust Password Safe, and there were others as well. One Identity Safeguard is better than those because it comes with the whole package, including session management, password management, and everything else.
We have mostly integrated One Identity Safeguard with the auth system and the RDP system when we receive the VMs from AWS. We have not integrated it with any other parts of our business, such as DevOps or RPA.
I believe if you need the whole package, the whole session, password, password management vaults, and the auditing system, you should go with One Identity Safeguard because other platforms do not have all the things in one package.
On a scale of one to ten, I rate One Identity Safeguard a nine because it is way better than other platforms and is a whole package of everything we needed for our purposes. I give this product a rating of nine out of ten.
Our main use case for One Identity Safeguard is as a privileged access management solution across multi-client environments. We use it to secure, control, and audit privileged accounts, enforce session monitoring and password vaulting, and provide just-in-time privileged access for admins, helping us reduce risk while meeting client security and compliance requirements.
A common example is admin access to client production servers. We use One Identity Safeguard to vault privileged credentials and grant just-in-time access only for approved change windows. All sessions are recorded and audited, which has significantly reduced credential exposure and helped us meet clients' audit and compliance requirements. As a service provider managing various customers, we prioritize this consideration.
One additional use case is centralized PAM management across multiple customer environments. We use One Identity Safeguard to standardize privileged access policies, rotate passwords automatically, and enforce session auditing in different client environments. This helps us solve the challenge of shared admin access and inconsistent access controls, improving security and compliance without increasing operational overhead and reducing our time to response.
The best features we can highlight are privileged password vaulting and automatic password rotation, just-in-time privileged access, and session monitoring and recording. These features together stand out because they significantly reduce credential exposure, enforce least privilege access, and provide full auditing visibility across multiple client environments, as we are a service delivery and IT service delivery company with multiple customer environments and access.
We rely most on just-in-time privileged access with credential vaulting. It is easy for the team to use day-to-day because access requests and approvals are streamlined and automated. Credentials are never exposed and sessions are automatically logged. After initial setup, adoption was smooth and it fit well into our existing operational workflows without adding stress to our operational team to adapt to the new technology.
One Identity Safeguard has strengthened privileged access security across our multiple client environments. We have seen a reduction in shared credentials and unauthorized access. We have also seen faster approval for admin tasks and improved audit readiness. It has streamlined compliance reporting and reduced the operational risk of managing multiple client environments manually.
Implementing this solution, we have reduced privileged account-related incidents by thirty percent. We have also cut manual password management time by nearly fifty to sixty percent. Just-in-time access has sped up admin task completion and improved our overall compliance reporting, allowing audits to be completed nearly half the time compared to earlier.
Reporting and dashboards can be made more customized, especially for client-specific views. We use session monitoring less often on low-risk systems, but it is very useful during audits or investigations.
One Identity Safeguard could be improved with flexible and customizable reporting, especially for client-specific dashboards, and simpler integration with cloud and SaaS platforms.
Additional improvements would include easier onboarding and setup for multiple client environments. One Identity Safeguard should provide pre-built templates for common PAM policies.
We have been using One Identity Safeguard for the last three years.
One Identity Safeguard is stable.
One Identity Safeguard is scalable.
The customer support is great. They have knowledgeable staff and the documentation is also good.
Before that, we relied on manual privileged account management and native system tools, which was time-consuming and error-prone, and lacked centralized auditing. We switched to One Identity Safeguard to get automated privileged access and stronger compliance control over multiple client environments.
Privileged access and privileged account incidents have dropped by forty percent. Our manual access management time was cut by fifty percent. The time is reduced by nearly fifty percent for our audit preparation and compliance reporting compared to earlier.
Before that, we evaluated CyberArk. We selected One Identity Safeguard because it offered better integration with our existing infrastructure and streamlined automation for our multi-client infrastructure, which suited our operational and compliance needs.
Plan your deployment carefully and ensure you have skilled resources and partner support for initial setup.
We have integrated One Identity Safeguard with our RPA workflows. It allows secure, automated privileged access for script bots and deployment processes, while ensuring session logging, password vaulting, and audit compliance across cloud-based operations.
The integration was relatively straightforward but required more planning, mapping RPA bots to just-in-time privileged access, and configuring credential vaulting took initial time. Once the setup was complete, it was fully automated and secure.
Our team has given positive feedback. They appreciate the user interface and the streamlined access request and automated credential management has reduced manual work and error. I would rate this review nine out of ten.
One Identity Safeguard is used to secure privileged access management, credential vaulting, and session monitoring because we are an IT-based company that handles the IT infrastructure of our clients, making it very important to keep everything secure.
One Identity Safeguard vaults privileged service accounts and provides time-bound access, ensuring that all administrative actions are tracked, reviewed, and easily monitored. We also use One Identity Safeguard to securely check admin credentials for customer servers. All access is automatically recorded and monitored through session auditing, which helps us comply with our customers' requirements.
We centrally manage privileged credentials, enforce secure access workflows, and record privileged sessions to maintain compliance and strengthen the IT security we deliver to our customers.
The best feature for us is the secure password vaulting, session recording, and automated approval workflows, because this gives us strong control over privileged access and helps us stay compliant both within our organization and with respect to customer compliance. The second feature that stands out is the real-time session monitoring and automatic credential rotation.
Automatic credential rotation helps our team by removing the need for manual changes to privileged passwords, reducing the risk of stale or shared credentials and ensuring that every access is controlled and compliant. It saves time and reduces risk since passwords are rotated after every use, so no one keeps passwords for long-term access. This prevents misuse and limits the impact of credential leaks.
We have found that we are able to comply with all security standards through the password rotation, which has helped us improve our security posture by centrally managing all privileged action accounts and enforcing strict access control to these accounts. Since the session monitoring feature and audit trail are available, we can see what changes were made by the user, who used this, how many times, and what was done in this session. We have also seen a reduction in IT operations because of password credential rotation and password management, which has reduced our manual work and increased our efficiency and security.
Our manual intervention has decreased because of the time we were taking for password management, and we have increased security with roughly a twenty to thirty percent decrease in IT calls, allowing the IT team to do other jobs because the load of password management has decreased. We have increased accountability since every privileged action is now traceable, which significantly strengthens our internal security control, and we have been able to get the compliance checks done much faster.
We have saved time since we do not have to manually manage passwords because One Identity Safeguard has automated that process. We have saved approximately thirty to forty percent of our time, and our team is spending more time on critical issues rather than managing passwords. This has reduced repetitive IT tasks and allowed our team to focus on more significant projects, and it has also reduced the risk of breaches and costly security penalties.
We have always received positive feedback from our team. The password rotation feature of this product is appreciated by all users, and they like this because they have saved time using this product, since they were previously wasting time on password management and manual interventions.
One Identity Safeguard should provide more documentation and training to the team. They can also provide better integration flexibility with more built-in connectors, and easy API workflows would help integrate more with our custom tools. They should provide a faster user interface, as we have noticed that the user interface acts slow when there are a large number of accounts or concurrent sessions going on.
Not every product can be perfect. For example, some parts of the user interface can feel a bit slow when there is a large number of concurrent sessions going on, and the integration with certain third-party tools requires more extensive implementation and configuration. These reasons made me give it an eight instead of a ten, but these are not major issues and just keep it from being completely flawless.
We have been using One Identity Safeguard for two years.
One Identity Safeguard is currently stable, and we have not found any issues. Since its implementation, we have not faced any major issues, and there has been no downtime.
One Identity Safeguard is scalable. We are implementing it globally, starting from one line of business, and now we are expanding, so it is scalable without any issues.
I cannot speak much about the pricing because I am from the technical team and pricing is looked at by the sales team in our organization. However, I can speak about the support, which is very good with faster response times, and the team helps us every time with minimal downtime if we face any issues.
We are satisfied with customer support. The support team is technically very strong and responsive.
Positive
We were using CyberArk, but we switched to One Identity Safeguard because it was costly. Everything was good with CyberArk, but we needed to scale, and the licensing costs were high.
We have deployed One Identity Safeguard in a phased manner. We deployed it for one line of business first, then for the second line, and we are planning to deploy it for other lines of business as well. The deployment for one line of business took approximately one month.
The privileged users adapted easily, and the deployment was done without disturbing our existing environment and setup, so there was no disruption, and the work went smoothly alongside the deployment.
We did not face any significant challenges because the vendor team helped us with the integration, so the ease of integration was quite simple. We only had basic use cases like creating tickets for access requests, which are relatively straightforward, and there were not many complex integrations done. It was easy to integrate and the vendor team helped us with a step-by-step checklist for the integration with our existing SIEM and ITSM tools.
The pricing, costing, and licensing type is quite low compared to other products, so One Identity Safeguard is cheaper than other products, and the functions it has are worth the cost.
I was not part of the evaluation team, but the evaluation team must have evaluated other products. One example of an option that I personally evaluated was BeyondTrust Privileged Access Management.
One thing other organizations should know about One Identity Safeguard is that it integrates well with the existing identity system, which is a very great point for other organizations to know before purchasing it because it makes it easier to deploy in their environment without changing the current workflow or existing network.
One Identity Safeguard provides heterogeneous integration with our existing products or legacy products, and the API integration is very helpful because it allows us to automate the onboarding of privileged accounts and integrate it with our existing ITSM tools, which is a really good thing about this product.
I would advise others looking into using One Identity Safeguard to choose this product because it is cheaper but provides great outcomes, and the security features are robust. I have given this product an overall rating of nine out of ten.
My main use case for One Identity Safeguard is streamlining the employee offboarding and making sure that when someone leaves the firm, all their access across the Active Directory and the Microsoft 365 and a couple of SaaS apps gets revoked automatically within minutes instead of chasing tickets for days. That has been the biggest day-to-day win for me. We also use the privileged access piece for a handful of admins, but offboarding is where it saves the most headaches.
One feature that I genuinely love about One Identity Safeguard that nobody talks about is the access certification campaigns. Every quarter, I have to run a manager review for all M365 and Salesforce entitlements. Earlier, it was me exporting spreadsheets and chasing people for weeks. Now I just launch a 10-second campaign in One Identity Safeguard and managers get a clean list in their inbox with keep, revoke, and reassign buttons. Almost all of them finish it in just two days. Anything untouched after 10 days gets auto-revoked. In the last campaign, we reclaimed about 20 to 30 unused enterprise licenses which are worth real money. That one feature alone pays for the tool every year.
A quick specific example of how the offboarding works in practice with One Identity Safeguard is that last month, we had a sales rep, Sarah, resign on a Friday afternoon. HR marked her termination date and last working day in our HRIS. The moment HRIS automatically published the termination event to One Identity Safeguard, the offboarding workflow triggered in One Identity Safeguard within about 90 minutes. It instantly disabled her AD account and converted her mailbox to shared and removed all from the Microsoft 365 Teams and revoked her licenses and also pulled her accounts from the Salesforce and Slack using the pre-built API integration. For the two apps that do not have connectors, it auto-created revocation tickets in ServiceNow and assigned them to the app owners with exact instructions. By Monday morning, when she would have normally handed in her laptop, literally everything was already locked down. There was no manual checklist and no forgotten access moments.
Two things that I actually use a lot with One Identity Safeguard are that we have contractors that come and go every few months and I just drop their start and end dates into a Google Sheet. One Identity Safeguard picks it up nightly and auto-provisions on day one, and it fully de-provisions on day nine. There are no more situations where contractors still have access three months later. The self-service break-glass feature is invaluable.
The self-service break-glass privileged elevation in One Identity Safeguard helps me greatly with my workflow. When our sysadmin is on vacation and I need to jump into a server really quick, I request temporary elevation right from the portal. I get it for four hours with full MFA plus manager approval too, and it auto-revokes and logs everything. There is no more sharing the domain admin password in a vault note. That is what I live in on a day-to-day basis besides offboarding.
When we switched to these access certification campaigns in One Identity Safeguard, my team responded with zero pushback and everybody loved it. During the first campaign, I was really nervous, so I sent a 30-second Loom video showing how to click the three buttons, and managers knocked it out in under five minutes each. I got Slack messages saying this was the easiest cert they had ever done and asking to never go back to Excel. Now they actually remind me when the next one is due. It flipped from another audit to done before coffee, and I am very happy with that.
I wish more people knew about the Identity Analytics dashboard in One Identity Safeguard, which actually flags shadow admin accounts and risky entitlements automatically. Twice it caught old service accounts that still had global admin in Azure because someone forgot to clean up after a migration, which saved us from audit findings. The UI for building custom workflows is a bit clunky. Drag-and-drop would be a nicer thing to have. It works, but I always have to open documentation for syntax. Everything else is solid.
Fixing the UI for building custom workflows would make my experience 10 out of 10.
I have been working in my current field for the past 1.5 years.
For training to start using One Identity Safeguard, for me as the admin, it requires literally two half-day remote sessions with their onboarding engineer, plus I played around in the sandbox for a couple of hours. After that, I was live. For managers and end-users, there was zero formal training. The managers just get the certification emails with three big buttons, and employees only see the self-service elevation portal if they need it. It is one-click plus MFA. The full company was comfortable in under a week.
The deployment of One Identity Safeguard took exactly three weeks for my organization. Most of that was just testing and tweaking the approval rules. The actual technical deployment was done in under five business days.
The integration with ServiceNow and Azure using One Identity Safeguard was super easy. ServiceNow was literally just plug and play, and their certified app took about 20 to 30 minutes, and it just worked. On Azure, I just had to allow list IPs and drop the lightweight connectors on one jump box. The only tiny hiccup was Azure needed a PAT with extra scopes for the first time, but their support guys fixed it in just a 10-minute call. Overall, it was super easy and I faced no real roadblocks.
I have seen a return on investment with One Identity Safeguard. We have definitely seen a massive return. In terms of time savings, offboarding used to take me, on average, four hours per employee between all the manual ticket chasing and verification. With around two employees leaving per month, that is eight hours a month I get back from that one process. Access reviews used to take me a full week of my time every quarter to prepare spreadsheets, chase managers, and manually revoke access. Now, it is about two hours total to set up the campaign and review the results. That is a saving of 38 hours per quarter or about 152 hours a year. At my blended rate, that is nearly $10,000 in saved productivity costs. On direct cost savings, those access reviews helped us reclaim about 25 unused enterprise licenses last quarter. At an average of $50 a month, that is $1,250 a month or $15,000 a year saved right there, which is almost double what we pay for the tool. Risk reduction is harder to quantify, but avoiding one breach or one failed audit because of a lingering privileged account is worth way more than the $8,000 a year we pay. The ROI is massive. It basically pays for itself in the first month from the time savings alone.
My experience with pricing, setup cost, and licensing for One Identity Safeguard is that we are a 350-seat company and pay roughly $22 per user per year on a three-year deal. This came out to about $7,800 a year total. There were no surprise overages, no workflow or poor connector fees. Everything we use is included in a flat rate, and I am really very satisfied with the pricing. The cost is really low and I am able to get my ROI.
The deployment of One Identity Safeguard did not disrupt my privileged users at all. It was actually smooth. We rolled it out in phases. In week one, we ran everything in silent monitor-only mode with no changes, just watching what could have been done. In week two, we turned on offboarding for a pilot group of 20 people with no privileged impact yet. In week three, we enabled just-in-time elevation for the five admins. The admin's day-to-day did not change until they needed privileged access. Then instead of using their permanent high-privileged accounts or the shared DA password, they just click "elevate" in the portal and got temporary rights for four to eight hours, and everything auto-dropped when time was up. The only complaint was that the first two times, they forgot to request elevation and got access denied. They laughed it off, but after that, there were no outages, no angry calls, and no productivity dip. They actually preferred it now because everything is audited and they are not permanently over-privileged.
I have integrated One Identity Safeguard with ServiceNow where any access request or revocation outside the automatic stuff goes through ServiceNow workflows. I also push joiner, mover, leaver events into Slack via webhook, so the #it-announcements channels get a one-liner whenever someone's access changes. There is nothing with RPA yet, but the ServiceNow plus Azure pieces are in production and rock solid.
I would rate my overall experience with One Identity Safeguard as an 8 out of 10.
Our main use case for One Identity Safeguard is access management and session management for our privileged users.
A specific example of how we use One Identity Safeguard for privileged users involves our integration with OneLogin, which is another product by One Identity. When our privileged users sign up with OneLogin, we provide them with all the necessary details about their session, and we monitor their activities to control any mistakes they might make. This process is fully automated by One Identity Safeguard.
In addition to access and session management, we also use One Identity Safeguard for password vault safety, ensuring that most of our privileged users receive a different password each time they log in so that the admin doesn't know the password, thereby protecting the entire system.
The automation of session management with One Identity Safeguard helps us significantly, as it saves us a lot of time and reduces errors. Since many of our developers and privileged users are still learning, they tend to make mistakes, and One Identity Safeguard points those out, helping us avoid major issues.
Feedback from users regarding One Identity Safeguard's usability and functionality is mostly positive.
We mostly rely on the session management and vault system features of One Identity Safeguard. In my experience, the best features One Identity Safeguard offers are mostly related to session management, which is highly automated and makes a lot of sense.
One Identity Safeguard could be improved by reducing pricing a little bit, and while the support team is mostly good, better pricing would also be advantageous.
Regarding needed improvements, the integration process has a learning curve for most of our developers. The deployment of One Identity Safeguard took about a few weeks, and I can say it was a painful process.
The deployment of One Identity Safeguard was not disruptive to our privileged users, but they had to learn a lot about the product because its user interface is complicated, and there is definitely a learning curve.
I have been using One Identity Safeguard for about six months.
In my experience, One Identity Safeguard is stable, with most of their updates being reliable.
One Identity Safeguard's scalability for our growing organization is straightforward; it is mainly automated, so we don't have to do much.
One Identity Safeguard's customer support is good, and I would say it's better than CyberArk's.
The integration with OneLogin was easy for our team since both products are owned by the same company, and the API integration process is straightforward, with the support team being very helpful.
On a scale of one to ten, I would rate One Identity Safeguard's customer support a nine.
Positive
Previously, we were using CyberArk's PAM for privileged access management, but we switched to One Identity Safeguard because CyberArk was too expensive over time, especially as the number of privileged users increased.
We have seen a 12% return on investment with One Identity Safeguard, and we have saved a significant amount of money. When we were using CyberArk, it was very costly, and One Identity Safeguard is much cheaper in the long run.
My experience with the pricing, setup cost, and licensing of One Identity Safeguard is that pricing is good, especially in the long term, as it's way better than CyberArk's, and the other costs are relatively similar.
Before choosing One Identity Safeguard, we evaluated other options, mainly CyberArk's products, and I don't remember much about the other solution we considered.
Since starting to use One Identity Safeguard, there has not been much improvement, but I can say it's affordable, and that's primarily why we are using it.
The affordability of One Identity Safeguard has allowed us to allocate budget elsewhere, particularly towards integrating it with OneLogin, which helps us manage our increasing user base's needs and costs.
My advice for others considering One Identity Safeguard is that if you have more employees and privileged users and are looking for a long-term solution, then it is a good option—it's actually the better option. One Identity Safeguard is inexpensive in the long term, and it offers a better solution than CyberArk's, and mostly the pricing is what I value about it.
I rated this review nine out of ten.
Neutral
The purpose is to ensure that privileged users do not know their own passwords.
Our organization is more secure, and we are confident that the privileged users who are using the systems are actually the users they claim to be due to two-factor authentication because we are using two-factor authentication in One Identity Safeguard.
It is easy for us to revoke access as well. Previously, we did not know who had access to a system, but now, we can see what access is currently open to systems directly from one single pane of glass, allowing us to revoke that access if necessary. We have limited the possibilities for malicious actions and have made it safer for our users when they are using privileged accounts. They only have privileged access when using that account, but they do not know the password. While nothing is 100% secure, it is more difficult to misuse that privileged account. In the past, IT administrators could log in with domain administrator access on their normal PCs, which made everything work without needing to elevate their rights. Now they cannot do that because they no longer know the password. They are required to go through One Identity Safeguard to elevate their rights.
In the beginning, we had some pushback from the administrators because they could not log in directly to a server or a system. They have to go through the web interface and log in. We had to educate them and put in a little bit of effort. We made them aware that we were also taking risks away from them so that nobody could misuse their credentials. People become administrators only when they want to use the system. When they are done using it, the account is disabled, and administrative privileges are revoked.
Previously, we had external consultants who had accounts, but we did not necessarily know when they were using the account. We now know because we have put up an approval flow. The external company needs to request access for a user, they need to call us and provide a ticket number. We then can approve it. We can also approve them for a specific duration, such as two hours. After that, the user needs to request access again and he needs to be approved. We now know when external people are using our systems. All the external privileged users are now disabled, which were not disabled before because we did not know when they needed to use the system. They did not have a normal user and a privileged account. They just had one user who could log in to the systems. Now, they need to have a normal user that can log in to One Identity Safeguard, and then the privileged account will only be enabled when we have approved the access to the system. The normal user does not have any access besides logging in to One Identity Safeguard. So, there was some pushback because administrators had to raise a ticket. We also tightened up our ticket system to ensure that IT does not do any work unless there is a ticket.
Our management can see that our security posture has greatly improved because, on a normal day, we do not have any privileged users who are enabled, so it is very difficult to elevate access to various systems. If they are not active, privileged access is revoked, and there is no access without a ticket.
We use the transparent mode feature for privileged sessions. It is very easy because it just goes through the Safeguard session. That session is used as a proxy now, so we can limit our end-user's access to server assets. Only the session has access to the servers, so we can do micro-segmentation in a different way now on our network.
The transparent mode is rather seamless because the user does not see this Safeguard session. They only see the Safeguard for privileged passwords because that is the interface that is there, a single pane of glass. When they request access to an IDP session or server, they see a different background because it goes through the process that does the recording but the users do not see that.
The transparent mode helps to monitor privileged accounts which we could not do before.
We have integrated it with test and development. They do not know the password either. Previously, they were the kings of their kingdom, whereas now, they are just users of their kingdom. They also now have to go through One Identity Safeguard.
If a privileged user does something malicious or suspicious, with session recordings, we can see what happened. We can see this person authenticated with two factors when he logged into One Identity Safeguard. If it was not something malicious, we can use this information to become better so that the issue will not happen again.
The implementation time was quick. It was basically up and running within a week.
I like the features that allow you to rotate your password, give you access to an RDP session without knowing your password, and record sessions. This is helpful for external people coming in, as we can review what they have been doing and use the recordings for training purposes. For example, if I want to upgrade a system that an external consultant did, these recordings can help identify issues. We can set different keywords to cut off a session if something malicious is detected. We can prevent a malicious action.
We use it to log in to various systems such as Linux and Windows, which is very convenient. There is also a personal vault for browser use, allowing us to save credentials for business-related websites securely. If a user leaves the company, I can assign that vault to another user. I can share credentials, save files within One Identity Safeguard, and ensure that certificates and license numbers are securely stored. I can see who has access to the files. I can save license numbers and license files in One Identity Safeguard, so I know where they are saved. I can also give access only to those who need it, as opposed to them residing on a file share or OneDrive, where access is not as transparent.
From a management point of view, it would be beneficial if One Identity Safeguard Privilege Password and One Identity Safeguard Privilege Session had a more similar interface. Also, if Privilege Session pushed more data to Safeguard Privilege Password, an admin would only need to log in to one place. They could then see the sessions and everything happening, even if it is running on a separate appliance. Why should I log into Safeguard for Privilege Session separately when it has been requested through the Privilege Password appliance? It would be advantageous if it was seen as one unified box, even though they are different. This is the improvement I would like to see.
I have used the solution for less than a year.
It is stable. I would rate it a nine out of ten for stability.
It is very scalable. I would rate it a nine out of ten for scalability.
Our clients are medium to large enterprises.
Most clients use regular support, but some clients use premium support.
Neutral
In previous work, I have used CyberArk and Secret Server. One Identity Safeguard is way cheaper, intuitive, and easier to use. Its implementation costs are much lower than CyberArk.
It is on par with Secret Server, but you do not have session recordings. You just have the privileged passwords and rotation features. You need to harden the Windows because it was installed on Windows, whereas One Identity Safeguard is already a hardened appliance. One Identity Safeguard is more secure than Secret Server. However, I used Secret Server a couple of years ago. It has probably matured now.
We are using the virtual appliance because we already have a virtual environment. The only on-prem setup we have are the physical servers that run a hypervisor. We like to have everything virtual. We can also secure a virtual appliance in a different way compared to the physical appliance. With a physical appliance, if something happens, we have to get hold of the vendor and sort out how fast they can ship a replacement, whereas we can deploy a virtual appliance instantly and get it up and running if there is a problem.
One Identity Safeguard Privilege Password is rather straightforward, rating it as an eight out of ten. Privilege Session is more like a six out of ten, being a bit more complex if I want to use all the features. However, if I just want to use it in Transparent mode, it is easier.
In total, it takes less than two weeks, depending on the landscape. Some preparation, like obtaining certificates and securing a backup share, is required first. I do require input from others to implement it within two weeks. If I can gather all the necessary data and access, the implementation becomes more straightforward.
The deployment was disruptive in a way for the privileged users because they now needed to log in through the web interface, whereas previously, they could log in directly. There are more or different steps. Instead of clicking directly on an asset they want to log in to, they need to log in to a different web page and request access. There are a few more mouse clicks than before, but we now have a better security posture of our environment.
To manage and do the implementation, you need to know certain things. You can also use a trusted partner for implementation. If you do not change anything in the system or do not want to do other connection types, you do not need that much training. You need to be aware of what you should look for. A three-day workshop with a partner would be sufficient. For end-users who need to use the system, a two-hour training would be enough.
We have two One Identity Safeguard specialists in our organization.
It is more expensive than Secret Server but way less expensive than CyberArk. As a customer, I would like the pricing to be lower, but it has a good price point.
There is no reason not to recommend it. Everyone should have a PAM solution to prevent privileged user damage and mitigate risks like stolen passwords or insecure storage. If you want to ensure recordings of activities, be it from external people or highly privileged users, then this is essential. This reduces the risk of malicious insiders. You cannot always prevent it, but having recordings allows you to pinpoint activities before a system failure. You can consider having SPA analytics for additional security. We do not have that yet because of the price, but we might add it later.
I would rate One Identity Safeguard a nine out of ten.
We are using it internally because I work in a consultancy company. I use it both for our internal privileged accounts. We have different systems like Google Cloud, some internal servers, data centers, etc. To secure those privileged accounts, like the administrator accounts and root accounts, I use One Identity Safeguard to rotate passwords, authorize sessions, and more. The second use case is that we also implement One Identity Safeguard for different customers.
The most significant benefit is that in the past, we saved passwords in Notepad files or Excel files. Now, we do not, and we have more security. We do not have saved passwords or plain text passwords in different places within the organization. That is probably the most significant benefit regarding security.
In terms of integrations, we have basic integrations for our Windows and Unix servers. We do the transparent connection for LDP and SSH, and that is all. The integration is simple overall for this kind of connection. However, if we want to integrate different consoles or different systems, it is a bit more complex because it is not so much out of the box, but for our current systems, it was very easy.
End-users require just a couple of training sessions and some documentation, and they are ready to go. They can start using the tool as an end user in a week or less. Managers or administrators require a technical specialist training workshop, which is a full-week course. After that, they need one to three months of training with laboratories and documentation. They would need at least three months to work well with the platform.
There is ease of implementation. Compared to other PAM solutions, it is easy to implement and use from an administrator's point of view. That is the most important benefit. It is very simple to implement and use.
We should be able to create customized connectors in a better way. For ad hoc or special use cases, I sometimes find we have limitations. Improving the way we develop new connectors for non-typical systems would be beneficial.
Another area for improvement could be the threat detection capabilities, like those seen in other PAM vendors. The ability to detect strange behaviors during a transparent connection or detect risky sessions and respond immediately would also be a good improvement.
We have had good feedback about One Identity Safeguard, but for LDP and SSH sessions, when we have to connect to a different console, such as a web console, the customers sometimes complain about the efficiency of the sessions. It takes extra time, and the user experience is not so good when you are using different connectors than normal ones.
I have been using it since 2020, so about five years now.
I would rate it a nine out of ten for stability. It is like a black box. It is an appliance. It is difficult for things to go wrong.
It is scalable. I would rate it a nine out of ten for scalability. It is easy if you need to implement resources.
In our organization, we have 15-20 people working with this solution. Our clients are medium enterprises.
We use their partner support. It is usually okay. When I have day-to-day incidents and problems, the response is good enough in terms of time and quality. However, with complex problems, the response is not as fast.
Neutral
I have experience with CyberArk. I would say CyberArk is a more complex solution in terms of implementation, day-to-day administration, and maintenance. It is more complex and difficult in some ways, but for advanced or difficult connectors, CyberArk has more capabilities to develop customized connectors. It can cover more special or ad hoc use cases, but at the price of more complexity overall.
One Identity Safeguard is at the top level because it covers almost all the general PAM use cases. It covers password rotation, transparent connections, threat detection, isolation, etc. It can cover the needs of most organizations. We have also been able to better cover more complex use cases with One Identity Safeguard than with other PAM solutions.
We have a virtual appliance. We chose the virtual appliance because we were already using a virtual machine infrastructure, so it was easy for us. Our implementation is not complex. We do not have a lot of regulations. It does not matter if we lose connectivity. It is not the end of the world, so for us, a virtual appliance was good enough. It was easier to implement. We do not need to rely on physical devices.
To implement and be functional, it takes days, probably one week, but when I go to a customer and need to do all the configuration and integrate systems, it can take a couple of months overall. It takes days to implement, but configuring and integrating everything can take some months.
In terms of maintenance, it requires less maintenance compared to other PAM solutions. There is not much maintenance regarding the infrastructure. They are, black boxes or appliances, but they do require maintenance in terms of day-to-day configuration, permissions, and connectors.
We did not cover many use cases regarding efficiency and cost reduction, so we did not see ROI directly. However, being more secure makes it less probable that we will suffer an attack or data loss, which is a cost reduction, but I did not see much time reduction. There is about 10% savings.
It is cheaper than CyberArk. Its price is fair.
We use the solution’s transparent mode feature for privileged sessions. There was an impact on the users with the roll-out of this feature because we changed the way people were connecting to systems and faced some problems like communication and networking problems. People did not have the correct permissions at the time. That was a bit of a problem, but we now have a seamless integration. It took us a couple of months to have everything working.
I will recommend it to some customers because it is easy to deploy, administer, and configure. The price is fair. The scalability is also good.
Overall, I would rate it an eight out of ten. It covers pretty much all use cases, but sometimes there is a lack of customization.
We use it to handle secure access to our Windows and Linux servers and also to manage some of our user accounts. This includes password rotation, JIT, and disabling accounts when they are not in use.
We use their physical appliance.
I look after the backend, but I am also a user of it. In general, users do not love it because there are extra steps to what they are used to, but it is an intuitive service. The approval workflows work particularly well with their integration into Teams. From a backend point of view, it is not too bad. There are a few places where the interface could be slightly different, but mostly, it is fairly intuitive.
The Approval Anywhere feature provides an approval process. We use it for our external contractors. It is nice and easy once things are set up from their point of view, and it provides the university with an additional layer or multiple layers of security, which we did not have before.
We have integrated it with Identity Manager, which is another One Identity product. We have not integrated it with anything else. We thought about integrating it with ServiceNow to have a one-stop shop from ServiceNow to make API calls and requests from there. However, we wanted to keep things a bit simpler at this point. The interface is pretty nice. Asking users to go via the Safeguard method works well.
It provides secure and centralized access to both on-prem and cloud servers, which we did not have before. Previously, there were myriad ways to access our servers, so this centralizing feature is beneficial.
The auditing and approval mechanisms are features we did not have before and are greatly appreciated.
I do not have any integrations at the moment, and I also do not use the API to automate this. I have to set up user accounts, then privilege accounts, and then linked accounts, and do some association there. There are many steps. We are still in the onboarding phase, and it seems very manual. Ideally, a single interface to integrate all these processes would be useful.
A couple of missing features that I have seen are about to come out, and I am happy they are addressing customer feedback with exactly what I wanted.
I have used the solution for probably about 18 months to 2 years.
We have not had any issues with the core product itself, but there is an add-on called SCALUS, which is quite critical to the user experience, and that does not work. They have been having issues with that for quite a long time, like months. That is not great at all.
Scalability is fine. We have a cluster of SPPs and a cluster of SPSs, and we can add a node to that cluster without much fuss. We did it on one of the clusters, so it is all good.
They are quick to acknowledge a call or case, possibly due to SLA requirements. Overall, it is a hit-and-miss. Sometimes, I get a very helpful response and they address issues on a call. Other times, I am politely informed they cannot help.
Neutral
I did not use any similar solution previously.
It was a little bit of stop-and-start. Quite a few people were involved, but we had One Identity's professional service's help as well. We had something working within a week.
It does require maintenance. It is not a SaaS service. It is not a hosted service, so I have to resolve any issues that come along. I have to deal with any feature enhancements and patching.
We had One Identity's professional service. We had probably four people from our side.
We bought their other products, so it was not that expensive. It is one of those where the more you buy, the cheaper it is.
I would rate One Identity Safeguard an eight out of ten.