Feature Request: Audit feature to log access to Passwords

Is there or will there be an audit feature?
Specifically I would like to see which passwords have been accessed/read by an user.
If an employee leaves the company it is always a hassle to change all passwords the user may have had access to.
With this feature we would be able to change only those passwords which have been accessed by the user.

Thx


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • roustemroustem AgileBits Founder

    Team Member

    The server keeps track of the activities performed by the user. We are working on make the activity log visible in the Admin Console.

    I saw a few requests about tracking which password have been accessed by the user but I am not sure how to implement it reliably. The team member has access to the entire vault and technically they are able to just scroll through all the vault items in Mac app. Would that be considered access?

  • Well I would define "access" as "the user has knowledge of the specific password".
    -user has seen the password with his eyes
    -user has copied password to clipboard
    -just every action that compromised the password

    If an employee leaves our company (on good or bad terms) it is essential to make sure we can change all passwords he/she has knowledge of.

    For example a project manager leaves the company. He/She was responsible for 10 customer projects and know logins and passwords for all related project resources (internal and external on customer side). We then need to change all passwords on our side and have to inform the customers IT departments so they can change logins on their side.

    As this can lead to hundreds/thousands of passwords that need to be changed it would be great to have an audit feature which minimizes these changes to only those passwords that were "compromised".

    Examples:

    http://thycotic.com/products/secret-server/features/audit-reports/

    https://www.manageengine.com/products/passwordmanagerpro/auditing.html

  • roustemroustem AgileBits Founder

    Team Member

    I mentioned that in another thread. I do not think it will be possible to reliably track items that the employee "has seen with their eyes".

    1Password clients can operate offline without connecting to the server for a certain period of time (there is a limit). It means that the user could disable network access and review/copy all the information from the vaults they have access to. Even if we try to track access on the individual item level (which is going to be a large undertaking on its own), this information won't be sent to the server if the client is offline.

    A more reliable solution would be to create multiple vaults and organize access on the vault level. Our client apps are being updated to make it easy to work with multiple vaults.

    For example, here is how we organized our vaults at AgileBits:

  • +1 for password access history. My company provides high-end data transformation services so it would make conversations with project auditors about our security practices much easier.

    Otherwise, my crew and I are really enjoying the beta. Good work so far!

  • Log Feature would be good. But I am guess it wouldn't be reliable. Since it has to be done on the client side and then log send to server....

    Random

  • I can't see it being that unreliable. Clients sync with the server regularly and are all official and fully maintained by AgileBits. Unless one was offline for an extended period, auditing would be rather decent...maybe not impossible to bypass but the software isn't very useful without frequent server sync in Teams. Might as well upload the audit when downloading changes IMO...but maybe it could be a per-vault or per-team option to enable auditing? It would generate a lot of data to maintain.

  • brentybrenty

    Team Member
    edited December 2015

    There are some technical (and social) challenges there, but it's certainly something we can look into. Thanks so much for the feedback! I'm glad you're all enjoying the beta. :chuffed:

    @dszp: You're right that the 1Password Windows 10 app isn't as fully featured as the 1Password for Windows desktop app, but for many use cases — especially on a Surface — it's really nice...and we're not done yet! Hopefully between our development team's ingenuity and Microsoft's efforts to make the Windows Store attractive to developers we'll be able to take it even farther in the future. :)

  • @brenty Thanks for supporting the discussion. What are the kinds of social challenges you'd anticipate in adding this function? Do you expect issues such as discomfort within the user community regarding tracking of their Team Vault access actions or are there other issues that come to mind. Genuinely interested to hear your (and others thread participants') thoughts, since access logging is an aspect of data security practices that is guaranteed to feature in comparisons of 1Password For Teams with (so-called) enterprise competition.

  • While l understand that mobile clients can go offline and still access vaults and their data, I must say that not having any audit trail available seems a huge oversight -- even if it is with the caveat that "offline devices may not have been able to sync audit data". It may very well turn out to be a deal-killer for those of us who have clients that expect this level of reporting.

  • I agree... this is an important feature and one that your competitor has...

  • @dgano: Perhaps AgileBits can solve this by allowing for a category of vaults that can only be accessed online. This could be discretionary based upon user rights.

  • I agree with @cobaltjacket Have the ability to disable offline access. And then be able to audit access and usage of the password and not just edits and creation.

  • brentybrenty

    Team Member

    @LesserSpottedPotoroo: Hmm. Upon revisiting this, my brain tells me that 'social challenges' might not be the right term, but I can't think of what might be better at the moment so I'll try to explain myself clearly this time! :lol:

    I guess my primary concern is that once people have the data, you can't retcon this to stop them from having ever had it. You can revoke access so that future changes are inaccessible to them, but that doesn't seem to be what we're talking about. After all, even a mildly motivated user could easily disconnect from the network (to avoid being on the receiving end of a kill switch) and copy information from the vault to somewhere else.

    In order to access any vault's data, a person needs at least two things — three, in the case of 1Password for Teams*:

    1. The vault itself, which will be stored locally on disk (or at the very least, accessed within the browser on their computer)
    2. The Master Password used to encrypt it
    3. *The Account Key, also used to encrypt 1Password for Teams data

    If they have all of these, they can access the contents of the vault. With 1Password for Teams, we can take all three of these away due to policy, but it can't be retroactive: whatever they've already accessed has been used as they've seen fit, and can continue to be used until it's invalidated (for example, by changing login credentials).

    So I guess what I'm saying is that before sharing sensitive information with someone, it's important to assume that it can never be taken back. After all, while a username and password can be changed, they likely already possess any information to which these have granted them access. Access controls are useful, but it's important that we neither oversell them nor expect the impossible.

  • @brenty I think (could be wrong) that the question is, is there a problem providing an audit trail of who has viewed/used what credentials. If an employer has access to a vault with customer server info for 1,000 customers, and is then fired or leaves, an audit log showing which of those credentials the user ever accessed (viewed/used) means only having to change passwords on, say, 200 of the 1,000 customer machines. Very much easier than changing them all because they were merely in the vault the employee had access to, but may have never seen

    Obviously the user could have grabbed all the passwords, but if auditing was on, that would be reported as well. As you said it's true they could have used their credentials to access the data outside the app directly, or copied it, but I think this is an extreme case that's unusual and at least the audit logs would be useful in many situations, or at least provide a list of the highest risk credentials as a place to start changing even if the goal was to change them all.

    I could be wrong, someone feel free to contradict me :-)

  • @cobaltjacket and @bcefalo -- seems like we're all on the same page.

    Make it an administrative option: if you enable auditing, you automatically forego offline vaults.

    Any time a password is "revealed", copied, added or modified should be obvious logging events; all vault permission mods as well, of course.

    While much of the data in 1PTeams isn't obfuscated like passwords, it seems quite possible (as others are doing it VERY well) to log add/change/delete/view in a fairly detailed format.

  • Regarding the audit log function, there's a specific thread for this feature request here: https://discussions.agilebits.com/discussion/51453/feature-request-audit-feature-to-log-access-to-passwords#latest

    It's a healthy thread and a number of the points raised here are covered.

    Just to get meta for a second: Considering the OP (@ramonpeek) started this thread with the suggestion of multiple features, maybe our audit feature discussion would do well to to move to the specific thread above. What do you guys think? @brenty, if that makes sense, is there a way for our audit-specific comments to be merged with (or copied to) the other thread?

    Just a thought.

  • Thanks for the pointer to that thread, I'd missed it. Good stuff.

  • dtearedteare Agile Founder

    Team Member

    As you say, having "online access only" would help here, and we've had requests for this feature for other use cases as well so that might make an appearance someday.

    As for the more detailed audit log, I'd like to start by exposing the Activity Log feature we've been working on first as it gets us 80% of the way there. Once that's available, we can look at taking the audit feature further.

    Thanks again for sharing with us. It's great to know what's important to you :)

  • brentybrenty

    Team Member

    @dszp, @LesserSpottedPotoroo: I've merged the audit portion of the more general business feature discussion with the existing audit feature request discussion here. Thanks so much for your continued feedback! :)

  • edited December 2015

    Thanks, @dteare and @brenty. Much appreciated.

    BTW, I noticed my original comment in (http://bit.ly/1RllN1f) that suggested the thread merger has been brought over to this thread in the act of migrating the other (important) surrounding comments so it might seem a little self-referential now. No biggie.

  • brentybrenty

    Team Member

    @LesserSpottedPotoroo: Yeah, that's really confusing. Sorry! I hate when that happens, but the alternative would be to modify posts retroactively. That can get pretty weird too, so it's not something we do without good reason. :dizzy:

    For the record, LesserSpottedPotoroo is not insanely suggesting being moved to the same thread, as that comment was part of a different discussion when it was originally posted. :lol:

  • I also like the idea about having an administrative option for auditing, even though it means that you automatically forego offline vaults.

    It is of course an enterprise feature. After working with the teams beta a bit, I'm not 100 % convinced that it aims at the enterprise segment though?

    Looking forward to see what the Activity Log feature entails.

  • brentybrenty

    Team Member

    I also like the idea about having an administrative option for auditing, even though it means that you automatically forego offline vaults.

    @emilr: Indeed, for this to really work it may need to be online-only though, forgoing local caching entirely. It's certainly something we can consider adding in the future if there's a need.

    It is of course an enterprise feature. After working with the teams beta a bit, I'm not 100 % convinced that it aims at the enterprise segment though?

    I think the confusion stems from the fact that two different people will imagine different things when you say 'enterprise feature'. While there's certainly overlap, every business has it's own needs. And the only way we can know what yours are is if you tell us! ;)

    Looking forward to see what the Activity Log feature entails.

    Me too! Thanks so much for the feedback! :)

This discussion has been closed.