Can Team admins audit prohibited action of employees saving client logins to their Private Vaults?

I'm interested in a particular scenario of managing teams where a member has access to both their own personal Vault and a Team vault in the application. Let me describe a common situation (not involving 1Password) which arises in my business of accounting. Employees are provided login information for personal client accounts which they access through a browser. When entering this information, the browser asks if they want to save this information for auto-entry. Employees are trained to not save client logins, but nevertheless it's easy to do. Most common browsers are designed for the personal use case and provide every opportunity to save this info. And from a personal productivity standpoint, ease of entry is desirable for employees. Mistakes happen.

What this illustrates is a scenario where users are compelled by the app and productivity goals (or other motivations) to do what they shouldn't. I'm interested to hear if the 1Password application has a feature for verifying team users have not saved client information into their Personal Vaults. I'm thinking a verification check needs to be performed for team admins to ensure an employee's Personal Vault does not contain Team Vault client logins.

I read the post about Team audit logging and wonder if an admin can identify this prohibited behavior using this feature. It would be a security failure if the ease of use of the application makes it a simple matter to save client info into your Personal Vault, and later, after termination of employment, still have access to their former client's accounts. Removing a user from a vault would not be the end of securing client logins. All client logins would need to be reset.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: windows 10
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    @xtiansimon: First and foremost, you raise some excellent points! Thanks so much for that clear description of the problem you (and others) may be facing!

    What this illustrates is a scenario where users are compelled by the app and productivity goals (or other motivations) to do what they shouldn't. I'm interested to hear if the 1Password application has a feature for verifying team users have not saved client information into their Personal Vaults. I'm thinking a verification check needs to be performed for team admins to ensure an employee's Personal Vault does not contain Team Vault client logins.

    I'm not entirely sure what you mean by "verification check", but to be clear, only you have the encryption keys for your Personal vault, and that goes for every member. That's fundamental to the security of each of our Personal vaults. Otherwise it wouldn't be very "personal" (or secure) at all.

    I read the post about Team audit logging and wonder if an admin can identify this prohibited behavior using this feature. It would be a security failure if the ease of use of the application makes it a simple matter to save client info into your Personal Vault, and later, after termination of employment, still have access to their former client's accounts.

    Regarding audit logs, these will help you identify what's been accessed, but there won't be "prohibited behaviour" in there unless you've failed to set permissions. 1Password Teams doesn't enforce restrictions through policy; it does so through secure encryption. So it's important to recognize that if you're giving someone access to the data who isn't supposed to have it, that isn't a "security failure" on 1Password's part; it's just doing what you asked it to do. If you don't share the vault with someone, they won't have the keys to decrypt it, period. And without the encryption keys, the data can't be decrypted for them to access it. As the Admin or Owner, you have the power. :sunglasses:

    Removing a user from a vault would not be the end of securing client logins. All client logins would need to be reset.

    You've hit the nail on the head. Secrets that are shared cannot be unshared. This is something you'll need to do any time you want to prevent someone from accessing an account in the future: you've given them the credentials, so you'll need to revoke access and then change them so they cannot use the account going forward. They will no longer have access to the vault (or account) once it's revoked (or suspended), but you should assume that they still have the data cached on one or more devices. If I give someone the key to my house, I can't prevent them from using it to make a copy — or change the locks while I'm away.

    I think the important thing to keep in mind here is that 1Password is a single 3rd party app which is installed, and as such it is subsidiary to the OS. Similarly, the 1Password browser extensions operate within the constraints of the browsers themselves, according to their security policies and frameworks.

    That probably sounds like an overly dramatic way of putting it, but it's true. But more to the point, 1Password can't prevent the OS, the browser, or other apps from being used to capture and save sensitive information. Now, if "security" suites are any indication, it could be possible for 1Password to do this, but as we've all seen this brings with it many other problems. And ultimately we want 1Password to be a good citizen on people's devices, not causing bizarre conflicts with other software. It's meant to be a secure, convenient way to store and access data, not create a police state on the machine.

    But getting back to your scenario, 1Password Teams permissions can be used to restrict vaults to read-only and prevent export. In your scenario, I'd recommend that logins like those you describe be placed in a managed vault with limited access by the admin instead of having the user save it themselves (potentially in the wrong vault). It's important to keep in mind though that while you can restrict "view" and "export", you're still giving them access to the credentials. It's possible that an enterprising user could extract the data using the browser, or simply use the browser itself to save the credentials. So in that case it may also help to disable the browser's developer features and password management. Again, that won't stop them from using other means, but it certainly helps. And if you're able to restrict them from installing other software to work around this, that can help as well. Cheers! :)
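Added example (not part of brenty's reply and not 1Password tooling): a read-only PowerShell audit an admin could run on a Windows 10 workstation to check whether the browsers' built-in password saving and developer tools are disabled by policy, as suggested in the reply above. It assumes Chrome, Edge and Firefox are the browsers in use and that policies are deployed machine-wide under `HKLM`; the function name `Get-BrowserPolicyAudit` is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Expected values: built-in password manager off, developer tools unavailable.
$expected = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled';     Value = 0 }
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'DeveloperToolsAvailability'; Value = 2 }
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled';     Value = 0 }
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'DeveloperToolsAvailability'; Value = 2 }
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled';     Value = 0 }
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'DisableDeveloperTools';      Value = 1 }
)

function Get-BrowserPolicyAudit {
    foreach ($p in $expected) {
        $actual = $null
        if (Test-Path $p.Key) {
            # A missing value means the policy was never deployed for this browser.
            $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($p.Name) }
        }
        [pscustomobject]@{
            Browser   = $p.Browser
            Policy    = $p.Name
            Expected  = $p.Value
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            # "not set" is non-compliant: the browser default is to offer to save logins.
            Compliant = ($null -ne $actual -and $actual -eq $p.Value)
        }
    }
}

Get-BrowserPolicyAudit | Format-Table -AutoSize
```

A row reporting `not set` means the browser falls back to its default and will still prompt employees to save client logins on that machine.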

  • Thank you for a thorough response.

    From your response I can imagine better the activities which would need to be in place to manage passwords using 1Password application. The admin(s?) who manage the Team Vault will be the point persons for entering all passwords and employees would at no point be entering password information into 1Password. In this case a user can't "accidentally" enter client information into their Personal Vault. (I know that sounds like a no-brainer, but in small organizations without dedicated IT personnel duties are sometimes blurred. 3rd party apps instill and impose security processes).

    FWIW, it seems the bottleneck here is that browsers still use plain text passwords. I'm starting to imagine the need for some kind of Pre-shared Key between the browser and 1Password so employees would never be copying and pasting plain text credentials.

    Lastly, if a Team Vault admin needs to reset passwords I imagine this would be accomplished by resetting all passwords in the Team Vault shared with that employee. This seems OK because in our current organization, the Vault admin would be the only employee who also works on all client accounts (they already have broad access). Employees who manage client accounts will have access to only those accounts they manage, so each employee could have their own Team Vault consisting of all of their clients and only their clients. When an employee leaves, access to that Team Vault is revoked and all passwords in that vault can be reset.

    This scenario does bring to mind one more particular management need. When an employee leaves, their clients will be distributed to current employees. And several employees may need to access a client's credentials until such time as a new employee is hired to be the sole client manager. Does 1Password have features to permit Team Vault admins to move individual credentials or groups of credentials (one client will certainly have anywhere from 5-15 logins) easily from one vault to another? Or am I asking for the moon? ehehe

  • Jacob

    Team Member

    @xtiansimon On behalf of brenty, you're welcome. Thanks for getting back to us so quickly. :)

    From your response I can imagine better the activities which would need to be in place to manage passwords using 1Password application. The admin(s?) who manage the Team Vault will be the point persons for entering all passwords and employees would at no point be entering password information into 1Password. In this case a user can't "accidentally" enter client information into their Personal Vault. (I know that sounds like a no-brainer, but in small organizations without dedicated IT personnel duties are sometimes blurred. 3rd party apps instill and impose security processes).

    I assume you're talking about the activity log, which would allow you to see when someone modifies an item, vault, or member. If one of your employees has access to a client's password, there's really no way to ensure that it's never used in the wrong place. Access is access, after all.

    FWIW, it seems the bottleneck here is that browsers still use plain text passwords. I'm starting to imagine the need for some kind of Pre-shared Key between the browser and 1Password so employees would never be copying and pasting plain text credentials.

    Not necessarily. It's one of the bottlenecks, but there is something else that comes into play as well: If someone doesn't have a password, they can't use it. Therefore, if they can use it, they have it. And if they can use it, they can change it. Which means they can lock the owner of the password out if they don't update the stored password with the one they're now using. Of course, the owner can probably reset the password if their email address is still on file.

    The main point of all this is if someone isn't trustworthy, they shouldn't have access to your passwords. That's pretty obvious, but if they actually wanted to lock you out of the accounts, they can. That's just the reality. Lots of things are based on trust, though. You giving them the job in the first place is a lot of trust. Little acts of trust happen every day. When they mess up, some of that trust can go away, and sometimes it can disappear completely. I don't know if we should expect password managers to solve the human condition. ;) Or rather, the less common human condition.

    There are some tools that can help with this, like SSO, but they have their own pros and cons. In the end, passwords are used almost everywhere, and we made sharing them as secure as we possibly could. People outside the account can't access your passwords without the Master Password and Account Key for one of the team members, but people inside it can access what is available to them.

    Lastly, if a Team Vault admin needs to reset passwords I imagine this would be accomplished by resetting all passwords in the Team Vault shared with that employee. This seems OK because in our current organization, the Vault admin would be the only employee who also works on all client accounts (they already have broad access). Employees who manage client accounts will have access to only those accounts they manage, so each employee could have their own Team Vault consisting of all of their clients and only their clients. When an employee leaves, access to that Team Vault is revoked and all passwords in that vault can be reset.

    I think this is a good way of handling things. You can also make sure they don't move items to their Personal vault or another one (by mistake, mainly) by disabling the export permission on the vault.

    This scenario does bring to mind one more particular management need. When an employee leaves, their clients will be distributed to current employees. And several employees may need to access a client's credentials until such time as a new employee is hired to be the sole client manager. Does 1Password have features to permit Team Vault admins to move individual credentials or groups of credentials (one client will certainly have anywhere from 5-15 logins) easily from one vault to another? Or am I asking for the moon? ehehe

    Absolutely! The same permission I just mentioned, when enabled, allows you to do this. It's enabled by default and you can move things on 1Password.com by clicking the share icon (the up arrow inside a box) when an item is selected and choosing the vault you'd like to move the item to. You can also do this in the apps. In the Mac app, for example, select the items you wish to move by holding Command on your keyboard while clicking them, or select them all by pressing Command A on your keyboard. With the items selected, choose Items -> Share from the menu bar, then select the vault you want to move them to and click Move.

    Hope that helps! Glad we've got a good discussion going here. :)

This discussion has been closed.