One Identity Safeguard for Privileged Sessions 6.8.1 - Release Notes

03 February 2021, 04:19

These release notes provide information about the One Identity Safeguard for Privileged Sessions 6.8.1 release.

About this release

One Identity Safeguard for Privileged Sessions Version 6.8.1 is a release with new features and resolved issues. For details, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see the Administration Guide.

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough governance for privileged accounts

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

New features

New features in Safeguard for Privileged Sessions (SPS) version 6.8.1:

Integrating ServiceNow with SPS

SPS integrates with ServiceNow by enabling ticket ID request and validation during authentication and authorization on target servers.

The integration adds a further security layer to the gateway authentication performed on SPS by verifying that the user has a valid reason to access the server. SPS prompts the user for a valid ServiceNow ticket ID, and upon successful authorization, it permits the user to access the information system. For more information, see ServiceNow - Tutorial.

Timeline tab

From the Search interface, for data recorded by SPS, you can view session events and alerts on a timeline, and search in the contents of the audit trail. The Timeline tab replaces the now deprecated Events, Alerts, and Contents tabs.

Figure 1: Timeline tab

Creating and downloading reports redesign

The user interface for creating and downloading reports, including report chapters and subchapters, has been redesigned. The new reporting workflow simplifies the process of creating and downloading reports, and it provides a better user experience.

Figure 2: Reporting > Create & Manage Reports — Configuring custom reports

Trust stores

You can use trust stores that store the certificate chains of trusted certificate authorities (CA) to verify the certificates in TLS connections. You can add and edit custom trust stores in the newly created Basic Settings > Trust Stores page.

CAUTION: Upgrading to SPS 6.8 changes how users of the web interface are authenticated with X.509 client certificates: certificates are validated against a trust store instead of a trusted CA list. During the upgrade, the trusted CA list formerly used for authentication is copied to a trust store that has revocation check disabled by default.

If you previously enabled revocation check for your trusted CA list and added the URLs of certificate revocation lists (CRL), or if you would like to enable revocation check, you have to edit the settings of the trust store manually. Navigate to Basic Settings > Trust Stores, select revocation check type Leaf or Full for the trust store, and make sure you add a CRL URL for each root and intermediate CA.

For more information about trust stores and how to configure them, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

Cluster Management redesign

The Cluster Management window of the SPS user interface has been reworked to provide better visual differentiation between the procedures of creating a new cluster and joining an existing cluster. The changes affect the user interface only, and have no impact on the functionality of the cluster management feature.

Default Network Level Authentication (NLA) settings

Starting from 6.8.0, the default protocol-level settings for RDP connections have changed and NLA is now enabled by default in the RDP setting policies.

Due to this change:

  • The default RDP setting is now default_nla, where NLA is enabled.

  • The RDP setting that was previously called default has been renamed to legacy_default.

  • RDP 4-style authentication is now cleared by default.

NOTE: If you are upgrading from an SPS version earlier than 6.8.0, and you have an existing RDP setting named legacy_default or default_nla, you must rename it before upgrade.

Other improvements
  • SPS now checks if the random generator creates the same byte sequence.

  • If there is a gateway authentication or authorization failure due to an AA plugin, the reason for the failure is displayed in the Details tab of the Search interface.

  • SPS now supports usernames both in user principal name (UPN) and down-level logon name formats for RDP and RDG connections (such as username@domain and DOMAIN\username).

  • If you have One Identity Safeguard for Privileged Analytics (SPA) activated, it now automatically runs an algorithm evaluator tool every day to evaluate how well the machine learning algorithms for analytics are working on the current dataset residing on the SPS deployment. For more information, contact our Support Team.

  • The Pointing device biometrics and Typing biometrics options in Content Policies have been deprecated. You can still use these options in Indexer Policies.

  • The list of supported key exchange (KEX) algorithms for SSH has been updated with the supported Elliptic-curve Diffie–Hellman (ECDH) algorithms.
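
Because RDP and RDG usernames can now arrive as username@domain or DOMAIN\username, the same account can show up under two spellings when session records are correlated with other logs. The following is an added example, not One Identity code: the `Logon` type, the function names and the NetBIOS-to-DNS mapping are assumptions made for illustration.

```python
from typing import NamedTuple, Optional


class Logon(NamedTuple):
    user: str
    domain: Optional[str]
    fmt: str  # "upn", "down-level" or "bare"


# Constructed mapping from NetBIOS domain names to DNS domain names (assumption).
NETBIOS_TO_DNS = {"corp": "corp.example.com"}


def parse_logon(raw: str, netbios_map=NETBIOS_TO_DNS) -> Logon:
    """Normalize a logon name given in UPN or down-level format.

    Assumes the UPN prefix equals the account name and the UPN suffix equals
    the DNS domain, which is common but not guaranteed in every directory.
    """
    name = raw.strip()
    if not name:
        raise ValueError("empty logon name")
    if "\\" in name:
        # Down-level logon name: DOMAIN\username
        domain, _, user = name.partition("\\")
        if not domain or not user or "\\" in user or "@" in user:
            raise ValueError(f"malformed down-level logon name: {raw!r}")
        key = domain.lower()
        return Logon(user.lower(), netbios_map.get(key, key), "down-level")
    if "@" in name:
        # UPN: username@domain, split on the last '@'
        user, _, domain = name.rpartition("@")
        if not user or not domain:
            raise ValueError(f"malformed UPN: {raw!r}")
        return Logon(user.lower(), domain.lower(), "upn")
    return Logon(name.lower(), None, "bare")


def same_account(a: str, b: str) -> bool:
    """True when two logon strings normalize to the same user and domain."""
    la, lb = parse_logon(a), parse_logon(b)
    return (la.user, la.domain) == (lb.user, lb.domain)
```
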
