Teams questions from a business/corporate IT perspective

aclotfelter
Community Member
edited November 2015 in Business and Teams

I have used 1Password for a while, and am now evaluating Teams for use by my organization's IT department. I have a few questions/concerns so far. I expect that many business/corporate IT departments will have similar questions.


Categories
Can we create/edit/delete categories? The lack of this functionality in previous versions of 1Password was a bit inconvenient, but not so bad, since I was the only one using the vault. Looking now at something to be implemented for my team, I have to have a more critical eye.

With any shared set of data, standardization is key. We have certain types of data that we would like to have defined in certain ways. We want to make sure that all users are supplying all of the same types of data, and that they use the same fields as others for this data.

A good example of the issue here is the category for "Servers". This has all kinds of fields that don't apply to us, and is missing some fields that we would like to add. We have different data, and would want different definitions, for physical and virtual servers, for example.

Also, categories such as "Outdoor License", "Social Security Number", and "Passport" clutter up the app with categories we don't need (and looks a bit unprofessional).


Offline backups
Part of our evaluation of this product is how to implement disaster recovery. Having multiple admins, a physical backup of the key for our safes, etc. is all good. Additionally, we need to insure ourselves against some sort of DoS or catastrophe on your end. We need to have a local copy of all this data, if we are going to place the keys to our kingdom into it. We were evaluating a competitor's product (which I will not mention here), and it has trade-offs. It requires more complexity and configuration, but it allows a few other features, such as allowing us to print off doomsday physical copies of our data to store in our physical vault. We would probably do this on a monthly basis or so.

Do you provide any functionality like this, and/or any way to access the data, in the event that your servers became unavailable?


Technical Architecture
In proposing, and then implementing, a solution like this, technology/security professionals will be expected to possess a strong understanding of the technical aspects of the solution. We will need to be able to understand, and then describe, the specific way that the data is handled. Are vaults monolithic files that get synced to clients? Are they a collection of encrypted entries that are updated/synced independently? What happens if two different people update an entry simultaneously? When I go to the website, I enter my master password to log in. How is this authentication handled? Is my Master Password being sent over the wire? Is it being handled with JavaScript? A technical white paper would be of great assistance here.


Support
Finally (for now!), I need more information about your support options. Currently, the only real support option seems to be these forums. If you are looking to move into the business sector, I imagine that you have more robust options in the works. Particularly for data of this importance, many business/corporate customers will insist on at least direct email support, and likely phone support. Can you fill us in on your plans in this area?

Thanks

Comments

  • rickfillion
    edited February 2018

    Hi @aclotfelter,

    Thanks for writing in. I'd be happy to try to answer these questions for you.

    Categories

    Currently there's no support for custom categories, nor for disabling the standard categories like Outdoor Licenses that might not apply to you. We've changed how things work with respect to categories to make it much more flexible for the future, but the current behavior is set to match 1Password without Teams. It's actually the Teams server that is telling the apps which categories are available, and the templates for new items are provided to the client by the server. This is going to open up a lot of possibilities for us going forward.

    Offline Backups

    We'll do our best to keep the server lights on, but you're absolutely right... there are doomsday scenarios to take into consideration. You could lose your internet connection, or power, etc... There are a few things here that will help you. The first is that currently all apps that connect to the servers make an offline copy of everything. You can set up your 1Password for Teams account on your Mac, then kill its net connection without worries about not having data (there's an exception there for Document files that are downloaded on demand). So even if our server was to go down temporarily, each device would still have the data it needs to continue operating. They would simply not be able to sync with one another. In the event that you want a hard copy of your data, you can use the Print feature that's available in our desktop apps. Using this feature you could print out everything and put it in your physical safe if you so chose.

    Technical Architecture

    A technical whitepaper that details the security aspects of 1Password for Teams is available here. It's still being worked on, so you might see some sections that indicate that the documentation is forthcoming. We're trying to be as open as possible about how this machine works.

    Quick answers to your security questions:

    • Authentication happens via a process called SRP (Secure Remote Password). Your password never leaves the device, only your username (email address) leaves the device. The client tells the server that it'd like to start a session for user "rick@agilebits.com", the server returns some SRP parameters. The client can take the SRP parameters, the username, your password, and your account key, and will start the SRP process which generates large numbers. There's an exchange of some large numbers between the client and the server, at the end of which if your username, password and account key were correct, the client and server will have arrived at the same number which is then used as an encryption key. All traffic between the client and the server is then encrypted with this encryption key (this is on top of SSL/TLS).
    • JavaScript does the heavy lifting and coordinating, but most of the cryptography is offloaded to WebCrypto, which is an emerging standard in web browsers that allows JavaScript to call into system native code that can run the crypto at speeds that JavaScript could never hope to achieve.

    There are questions that are not answered in the whitepaper, like how Sync works. I can answer whatever questions you might have regarding sync. We'll have to consider writing something to detail how that works in some detail. I'll see if I can answer your immediate questions:

    • Vaults are not monolithic files. Vaults are only a container of items.
    • If two devices edit different items in the same vault simultaneously then the changes simply get copied over from one device to another.
    • If two devices edit the same item in the same vault, then the first device to communicate to the server will get to copy its item to the server. The second device will get told that it cannot copy it to the server, and must first get the latest version from the server. The second device will get the first device's copy, then will merge the changes. Merge happens at a per-field level, any conflicts get put into a Conflicts section within the item. Once merge is complete, the second device will be able to copy its item to the server. The server will then notify the first device that there's a change, and the first device will copy that back down.

    Support

    You're right, currently our support is primarily done through this forum. We're doing this because it's a great way to get feedback from users and have users be able to see what others are saying to be able to say "oh right, I want that feature too!" There will be different support options available by the time we're out of beta. There are different support options available right now, in fact anyone can email support@agilebits.com and they'll get a response. We encourage users to email us if they have anything to discuss that shouldn't be discussed in a public forum. The response times on the forum tend to be faster than by email at the moment because we have an awesome community of users who actively assist us with the forum and can answer a large portion of questions users would have before any of us can get to it. We'll have more to announce regarding support as we get closer to official release.

    I hope this helps. Let us know if you have any additional questions. We're here to help.

    Rick
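The SRP exchange Rick outlines above (client sends only its username and a public value, both sides end up with the same session key, and the password is never on the wire), as an added example that is not 1Password's code. It is plain SRP-6a over the 1024-bit group from RFC 5054; the way the account key is folded into the password hash here, the user `alice@example.com`, the account key and the passwords are all constructed for the demo. 1Password's actual derivation is specified in its white paper, not here.

```python
"""SRP-6a password-authenticated key agreement, as a stand-alone illustration.

Added example; not 1Password's code. The real protocol (including how the
account key enters the computation) is specified in 1Password's white paper;
here the account key is simply hashed in with the password, which is an
assumption made to keep the demo short. Group: the 1024-bit one from RFC 5054.
"""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _hi(*parts: bytes) -> int:
    return int.from_bytes(_h(*parts), "big")


def _b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


K_MULT = _hi(_b(N), _b(G))  # SRP-6a multiplier k = H(N || g)


def private_x(salt: bytes, email: bytes, password: bytes, account_key: bytes) -> int:
    # Assumption for the demo: account key hashed in alongside the password.
    return _hi(salt, _h(email, b":", password, b":", account_key))


def enroll(email, password, account_key):
    """Run once on the client. Only the salt and verifier v reach the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, email, password, account_key), N)


class SrpServer:
    def __init__(self):
        self.users = {}       # email -> (salt, verifier)
        self.sessions = {}    # email -> (A, B, session key)
        self.last_key = None  # exposed only so the demo can compare keys

    def register(self, email, salt, verifier):
        self.users[email] = (salt, verifier)

    def start(self, email, A):
        if A % N == 0:
            raise ValueError("A must not be 0 mod N")
        salt, v = self.users[email]
        b = secrets.randbelow(N)
        B = (K_MULT * v + pow(G, b, N)) % N
        u = _hi(_b(A), _b(B))
        S = pow((A * pow(v, u, N)) % N, b, N)    # = g^(b(a + ux)) mod N
        self.sessions[email] = (A, B, _h(_b(S)))
        self.last_key = self.sessions[email][2]
        return salt, B

    def finish(self, email, m1):
        """Check the client's proof M1; answer with M2 if it holds, else None."""
        A, B, key = self.sessions.pop(email)
        if not secrets.compare_digest(_h(_b(A), _b(B), key), m1):
            return None
        return _h(_b(A), m1, key)


def client_login(server, email, password, account_key, wire):
    """Everything appended to `wire` is what an on-path observer would see."""
    a = secrets.randbelow(N)
    A = pow(G, a, N)
    wire.append(email + _b(A))                        # C->S: who I am, plus A
    salt, B = server.start(email, A)
    wire.append(salt + _b(B))                         # S->C: salt and B
    if B % N == 0:
        raise ValueError("B must not be 0 mod N")
    u = _hi(_b(A), _b(B))
    x = private_x(salt, email, password, account_key)        # password used only here
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)   # = g^(b(a + ux)) mod N
    key = _h(_b(S))
    m1 = _h(_b(A), _b(B), key)
    wire.append(m1)                                   # C->S: proof that I hold K
    m2 = server.finish(email, m1)
    if m2 is None:
        return False, key
    wire.append(m2)                                   # S->C: proof the server holds K
    return secrets.compare_digest(m2, _h(_b(A), m1, key)), key


def demo(login_password: bytes) -> dict:
    """Enroll a constructed user, then log in with `login_password`."""
    email, account_key = b"alice@example.com", b"DEMO-ACCOUNT-KEY"  # constructed
    server = SrpServer()
    server.register(email, *enroll(email, b"correct horse battery staple", account_key))
    wire = []
    ok, client_key = client_login(server, email, login_password, account_key, wire)
    return {"authenticated": ok,
            "keys_match": client_key == server.last_key,
            "wire": b"".join(wire)}


if __name__ == "__main__":
    print(demo(b"correct horse battery staple")["authenticated"],
          demo(b"wrong password")["authenticated"])
```

The `wire` list is the point of the exercise: with the right password both sides derive the same `key` and the proofs `M1`/`M2` verify, with a wrong password they do not, and in neither case do the password bytes appear in anything that crossed the wire. The checks that `A` and `B` are non-zero mod `N` are the mandatory SRP-6a sanity checks; dropping them lets a peer force a predictable session key.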

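The sync behaviour Rick describes (first writer wins, the second device is told to fetch the latest copy, merge per field, park disagreements in a Conflicts section, then upload), as an added example that is not 1Password's sync code. The version-number check, the shape of the `Conflicts` entries, the `SyncServer`/`Device` classes and the `db-prod-01` item are all assumptions constructed for the demo.

```python
"""Optimistic concurrency and per-field three-way merge, stand-alone illustration.

Added example; not 1Password's sync code. Assumptions: the server stamps every
item with a version it bumps on each write and rejects a push that cites a
stale version; the rejected device pulls the latest copy, merges field by
field against the version it started from, records any field both sides
changed differently under "Conflicts", and pushes again.
"""
import copy


class VersionConflict(Exception):
    """Raised when a push cites a version older than the server's."""


class SyncServer:
    def __init__(self):
        self.items = {}  # item_id -> {"version": int, "fields": {...}}

    def get(self, item_id):
        return copy.deepcopy(self.items[item_id])

    def put(self, item_id, base_version, fields):
        current = self.items.get(item_id, {"version": 0})["version"]
        if base_version != current:
            raise VersionConflict(current)       # second writer must merge first
        self.items[item_id] = {"version": current + 1,
                               "fields": copy.deepcopy(fields)}
        return current + 1


def merge_fields(base, theirs, mine):
    """Three-way merge; 'theirs' is the server copy that beat us to the upload."""
    merged, new_conflicts = {}, []
    for key in sorted((set(base) | set(theirs) | set(mine)) - {"Conflicts"}):
        b, t, m = base.get(key), theirs.get(key), mine.get(key)
        if t == m or m == b:          # identical edits, or only they changed it
            chosen = t
        elif t == b:                  # only we changed it
            chosen = m
        else:                         # both changed it differently: keep the
            chosen = t                # server value, record ours as a conflict
            new_conflicts.append({"field": key, "kept": t, "discarded": m})
        if chosen is not None:        # None means the field was deleted
            merged[key] = chosen
    conflicts = theirs.get("Conflicts", []) + new_conflicts
    if conflicts:
        merged["Conflicts"] = conflicts
    return merged


class Device:
    def __init__(self, name, server):
        self.name, self.server, self.local = name, server, {}

    def pull(self, item_id):
        item = self.server.get(item_id)
        self.local[item_id] = {"base_version": item["version"],
                               "base": copy.deepcopy(item["fields"]),
                               "fields": item["fields"]}

    def edit(self, item_id, **changes):
        self.local[item_id]["fields"].update(changes)

    def push(self, item_id):
        entry = self.local[item_id]
        while True:
            try:
                version = self.server.put(item_id, entry["base_version"], entry["fields"])
                break
            except VersionConflict:
                latest = self.server.get(item_id)  # fetch, merge, retry
                entry["fields"] = merge_fields(entry["base"], latest["fields"], entry["fields"])
                entry["base_version"], entry["base"] = latest["version"], latest["fields"]
        entry["base_version"], entry["base"] = version, copy.deepcopy(entry["fields"])
        return version


def scenario():
    """Two devices edit the same item at once; all data constructed for the demo."""
    server = SyncServer()
    server.put("srv-1", 0, {"title": "db-prod-01", "username": "root",
                            "password": "hunter2", "notes": "rotated 2015-10"})
    mac, phone = Device("mac", server), Device("phone", server)
    mac.pull("srv-1")
    phone.pull("srv-1")
    mac.edit("srv-1", password="Tr0ub4dor&3")
    phone.edit("srv-1", password="correct horse battery staple", notes="rotated 2015-11")
    mac_version = mac.push("srv-1")      # first to reach the server: accepted as v2
    phone_version = phone.push("srv-1")  # rejected, merges, then accepted as v3
    mac.pull("srv-1")                    # server notifies; mac picks up v3
    return server.get("srv-1"), mac_version, phone_version


if __name__ == "__main__":
    print(scenario()[0])
```

In the scenario the phone's change to `notes` survives untouched because only one side edited that field, while the two different `password` edits collide: the server copy stays as the live value and the phone's value is preserved under `Conflicts` rather than silently lost, which is the property you want from a password manager's merge.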