Introduction
One Identity provides three different One Identity Safeguard for Privileged Sessions (SPS) appliances (boxes), and deciding which box best suits a customer's exact requirements depends on a great many factors. Each box has different performance characteristics, and One Identity's goal is to provide the information needed to select the most appropriate solution for the customer's environment.
For detailed hardware specifications of the three SPS appliances, see Hardware specifications in the Installation Guide.
It is strongly recommended to always ask One Identity engineers to verify the planned design. Each and every use case is different, and case-specific conditions can change the final design. One Identity cannot take responsibility for an improper architectural and/or performance design that One Identity was not asked to verify.
Performance capabilities heavily depend on several client-specific technical factors. Consequently, the maximum number of concurrent users served by a given SPS box may vary in each IT environment.
Note that:
- While this document uses the terms "sessions" and "concurrent sessions" when providing figures, "concurrent sessions" also means "concurrent users" (assuming that a single user corresponds to a single session).
  There can, of course, be users in the client's system who are not all using session management at once, and there can be users (for example, the admin account) who are able to open multiple sessions concurrently. The rough conversion of one user to one session simply serves as a ballpark estimate when calculating license requirements. Client-specific circumstances can fine-tune this estimate.
- All benchmarks presented in this document assume typical administrative workflows within the sessions.
- All performance tests were carried out without One Identity Safeguard for Privileged Analytics (SPA) configured, so measurement figures provided in this document are only valid for SPS appliances with no SPA used.
- Each column in Performance metrics shows the benchmark for a particular protocol.
- When measuring performance for a given protocol, all sessions audited by SPS during the test were from that protocol only (for example, in the case of the SSH measurements, 100% of the sessions were SSH).
Performance metrics
This section provides detailed performance metrics, as well as capacity information related to indexing and audit trail files.
General performance and capacity information
Pure performance:
- The number of indexer worker threads running inside SPS is 0.
- Real-time alerting (Content policy) is disabled.
Table 1: Pure performance (maximum concurrent sessions; one protocol per column)
SPS T1  | 200 | 1000 | 500
SPS T4  | 300 | 1200 | 600
SPS T10 | 500 | 1500 | 750
SPS Virtual Appliance (VA) | VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.
  When calculating the required resources, always take into account the overhead produced by the virtualization layer.
  NOTE: Adding more resources than those of a T10 hardware model is not recommended, as in certain cases that can cause a decrease in performance.
Capacity with real-time alerting:
- SSH: Content policy was enabled on 100% of the sessions, with 4 rules matching 10% of the commands.
- RDP: Content policy was enabled on 100% of the sessions, with 1 rule matching 10% of the window titles.
Table 2: Capacity with real-time alerting (each protocol column gives a concurrent session count followed by a percentage)
SPS T1  | 20  | 10% | 200  | 20%
SPS T4  | 90  | 30% | 600  | 50%
SPS T10 | 150 | 30% | 1350 | 90%
SPS Virtual Appliance (VA) | VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.
  When calculating the required resources, always take into account the overhead produced by the virtualization layer.
  NOTE: Adding more resources than those of a T10 hardware model is not recommended, as in certain cases that can cause a decrease in performance.
Audit trail files
Size of the audit trail files:
The .zat audit trail files written by SPS use a proprietary binary file format that is compressed on the fly. The size of the files depends heavily on the type of actions performed by the monitored user and, for graphical connections, on the screen resolution used. If file transfers within a session are also audited by SPS, the size of the transferred files must be added on top.
The typical size of audit trail files, assuming a typical administrative workflow and depending on the terminal window size and the screen resolution, is as follows:
- SSH / Telnet: ~15-35 KB / minute (~1-2 MB / hour)
- RDP: ~2-10 MB / minute *
- Citrix ICA: ~1-5 MB / minute *
- VNC: ~5-20 MB / minute *
- HTTP: depends on the monitored web content
Caution:
* The screen resolution of graphical sessions has a significant impact on the size of the audit trail file. The following examples are for audit trails containing constant activity. Administrative activity is typically not sustained in real life, so different sizes are used when calculating disk occupation.
More sophisticated disk occupation sizing should be the outcome of a Proof of Concept activity.
- 1024x768: less than 1 MB / minute
- 1680x931: ~5 MB / minute
- 1920x1080: ~10 MB / minute
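A rough disk-occupation estimator built from the figures above, added here as an example; it is not One Identity's code or tooling. It encodes the guide's per-minute ranges per protocol and the resolution-specific figures for graphical sessions, adds audited file transfers on top, and multiplies by a retention period. The session mix, the retention period and the `activity_factor` scaling (the guide notes that constant-activity figures overstate real disk occupation but gives no factor, so 1.0 is the conservative default) are constructed or assumed inputs, and HTTP sessions require a caller-supplied measured rate because the guide gives none.

```python
"""Added example (not One Identity's code): rough audit trail disk-occupation
estimate built from the per-protocol and per-resolution figures quoted in the
SPS sizing guide. Session mix, retention and activity_factor are constructed or
assumed inputs, not figures from the guide."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-minute trail size ranges from the guide as (low, high) MB/minute.
# SSH/Telnet: ~15-35 KB/min. RDP, Citrix ICA and VNC are the guide's
# resolution-dependent ranges. HTTP has no figure in the guide.
RATE_MB_PER_MIN: Dict[str, Tuple[float, float]] = {
    "ssh": (0.015, 0.035),
    "telnet": (0.015, 0.035),
    "rdp": (2.0, 10.0),
    "ica": (1.0, 5.0),
    "vnc": (5.0, 20.0),
}
GRAPHICAL = ("rdp", "ica", "vnc")

# Resolution-specific figures for constant activity from the guide, MB/minute.
# The guide says "less than 1 MB / minute" for 1024x768; 1.0 is used as the bound.
RATE_BY_RESOLUTION: Dict[Tuple[int, int], float] = {
    (1024, 768): 1.0,
    (1680, 931): 5.0,
    (1920, 1080): 10.0,
}


@dataclass
class Session:
    protocol: str                                  # ssh, telnet, rdp, ica, vnc, http
    minutes: float                                 # audited session length
    resolution: Optional[Tuple[int, int]] = None   # graphical sessions only
    transferred_mb: float = 0.0                    # files transferred in-session
    http_mb_per_min: Optional[float] = None        # measured rate, HTTP only


def session_size_mb(s: Session) -> Tuple[float, float]:
    """Return the (low, high) estimated trail size in MB for one session."""
    proto = s.protocol.lower()
    if proto == "http":
        # No HTTP figure in the guide: the caller must supply a measured rate.
        if s.http_mb_per_min is None:
            raise ValueError("HTTP trail size depends on the monitored content; "
                             "supply http_mb_per_min")
        low = high = s.http_mb_per_min * s.minutes
    elif proto in GRAPHICAL and s.resolution in RATE_BY_RESOLUTION:
        # A known resolution narrows the generic graphical range to one figure.
        low = high = RATE_BY_RESOLUTION[s.resolution] * s.minutes
    else:
        if proto not in RATE_MB_PER_MIN:
            raise ValueError(f"no sizing figure for protocol {s.protocol!r}")
        lo, hi = RATE_MB_PER_MIN[proto]
        low, high = lo * s.minutes, hi * s.minutes
    # Audited file transfers are stored in addition to the terminal/screen trail.
    return low + s.transferred_mb, high + s.transferred_mb


def estimate_storage_mb(daily_sessions: List[Session], retention_days: int,
                        activity_factor: float = 1.0) -> Tuple[float, float]:
    """Estimate (low, high) MB needed to keep `retention_days` of audit trails.

    `daily_sessions` lists every session audited on a typical day. The
    activity_factor (assumed parameter) scales the constant-activity trail part
    down for non-sustained workflows; transfers are not scaled.
    """
    if not 0.0 < activity_factor <= 1.0:
        raise ValueError("activity_factor must be in (0, 1]")
    low = high = 0.0
    for s in daily_sessions:
        lo, hi = session_size_mb(s)
        low += (lo - s.transferred_mb) * activity_factor + s.transferred_mb
        high += (hi - s.transferred_mb) * activity_factor + s.transferred_mb
    return low * retention_days, high * retention_days


if __name__ == "__main__":
    # Constructed sample day: 100 one-hour SSH sessions and 10 half-hour
    # 1920x1080 RDP sessions, retained for 90 days.
    day = [Session("ssh", 60)] * 100 + [Session("rdp", 30, (1920, 1080))] * 10
    lo, hi = estimate_storage_mb(day, retention_days=90)
    print(f"{lo / 1024:.1f} - {hi / 1024:.1f} GB for 90 days of trails")
```

The low/high pair is deliberate: the guide only gives ranges, so a single number would hide the spread that screen resolution and user behaviour introduce, and the final figure for a deployment should still come from a Proof of Concept, as the caution above says.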
Reference audit trails:
One Identity partners have access to reference audit trails of both CLI and graphical sessions, showing a sample session of typical administrative usage. One Identity provides reference trails for normal and for heavy usage. To request access to reference audit trails, contact One Identity.
Note that these audit trails contain sustained activity. Hence, from the viewpoint of disk occupation, they are not references for sizing.