In my last blog post – “If you are a One Identity customer you really should read this post!” – I talked about our rationale for why we built the One Identity Hybrid Subscription (OIHS). In this blog post I want to talk specifically about the OIHS and how it benefits our Safeguard customers. The newest versions of One Identity's on-premises products include the One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join your on-premises Safeguard deployment with the One Identity Starling software-as-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services, which expand the capabilities of Safeguard. When new products and features become available in One Identity Starling, the One Identity Hybrid Subscription allows you to use them immediately with Safeguard, adding value to your investment.

As of today, we have three main features in the OIHS that are applicable to Safeguard: Two-factor Authentication, Approval Anywhere, and Identity Analytics and Risk Intelligence (IARI). Let me take you through a tour of each of these and why they are important.

Two-factor Authentication

Included with the OIHS is an unlimited license to use One Identity’s Starling Two-factor Authentication (S2FA) with any One Identity product, including Safeguard. Safeguard is one of our privileged account management (PAM) products. Ultimately, hackers want access to your privileged accounts as they provide unlimited access to systems and data. In nearly every recent high-profile breach, lapses in privileged account management have been exploited. To limit this sort of damage when a breach occurs, you need a secure, efficient and compliant way to provide access to privileged accounts.

One of my concerns about any privileged account management solution – including Safeguard – is how you protect access to your PAM solution. After all, Safeguard holds the keys to your kingdom along with all of the recordings of privileged sessions. Unauthorized access to either Safeguard’s passwords or session recordings is something no one wants to contemplate.

Safeguard sends a push notification to the user’s mobile device where they can complete the login by pressing a button in the app. If the user does not have the Starling 2FA app, they have the option to receive a one-time password via SMS or a phone call.

Safeguard's strong two-factor authentication ensures that only authorized users are permitted access. The S2FA secondary authentication service provider is automatically added when you join Safeguard to Starling via the One Identity Hybrid Subscription. Once integrated, you can leverage S2FA to protect access to Safeguard, and thus, to your privileged passwords and session recordings.

There’s a video on our One Identity YouTube channel that walks through integrating Safeguard and S2FA here:

Approval Anywhere

Approval Anywhere is another of our Starling cloud features that is included in the One Identity Hybrid Subscription. The Safeguard Approval Anywhere feature integrates a privileged access request workflow with Starling Two-Factor Authentication, allowing approvers to receive a notification through an app on their mobile device or tablet when a privileged access request is submitted. The approver can then approve (or deny) privileged access requests through their mobile device without needing access to a desktop or web application. The Approval Anywhere feature is enabled when you join Safeguard to Starling.

Approval Anywhere makes it easy for the worker and manager “on the go” to immediately approve, or deny, a request for a privileged password. No need to log on to a workstation or through a VPN to approve or deny the request – do it immediately, from wherever you are.

In the example below, Rob Requestor has asked for access to the demouser account on a protected system named slcpl01. You can tell from the request when he requested it and that he needs access for two hours. A simple push of the Approve or Deny buttons will handle the request for access from Rob.


Starling Identity Analytics & Risk Intelligence

The Starling Identity Analytics & Risk Intelligence (IARI) service collects and evaluates information from data sources, such as Safeguard, to provide you with valuable insights into your users and entitlements. When integrated with Safeguard, Starling Identity Analytics & Risk Intelligence allows you to identify Safeguard users and entitlements that are classified as high risk and view the rules and details contributing to that classification.

Evaluating risk and the security implications around privileged users gives administrators and security teams insight and oversight that you can’t normally get just by looking at individual accounts and entitlements. These privileged user accounts deserve the highest levels of scrutiny you can afford, and high-powered analytics is a perfect fit here for understanding what you need to do to mitigate risk.

While it’s long been accepted that auditing privileged users is de rigueur, what’s been missing is a more proactive stance – to profile the privileged user, if you will, to best understand where you MIGHT be more vulnerable and want to pay closer attention to activity. Safeguard provides the method and IARI provides the proactive oversight you need to understand and act accordingly to minimize risk to your most valuable assets. Together you can analyze, visualize and mitigate risk on privileged accounts with Safeguard and IARI.

In the example below, you will see that IARI is highlighting that John Doe has “Access Request” capability in Safeguard but does not require two-factor authentication (2FA) to request access of a privileged password. With this level of visibility, you can quickly determine where you should be strengthening your security and reducing your attack surface. This is just one of many different situations that IARI can highlight and monitor for you with respect to your Safeguard installation.

For more information on configuring a new data source module and the classification rules used to identify high risk users and entitlements, see the One Identity Starling Identity Analytics & Risk Intelligence User Guide. For more information on the One Identity Hybrid Subscription please visit

I hope you find this information useful. I'm always interested in feedback so feel free to drop me a line at Jackson.Shaw(at)
