Business/corporate features needed

I'm a very happy 1Password user but I'm forced to use another application within my company due to missing features in 1Password.
I just noticed "1Password for Teams" and was wondering if maybe this could replace our already aged software (Password Safe Repository).
Looking through the currently supported features I was happy to see many good thing, but I'm still missing some essential features needed for corporate use.
Perhaps I didn't look well enough, but if these features are indeed missing I would hereby like to address them.
Of course I'm hoping they would one day be implemented so that everyone in my company can switch-over to 1Password.

Vault Copy Protection
Within every company there are many employees that one day choose to start working elsewhere.
Some of the employees might have bad intensions and could choose to copy customers databases and take them with them.
Although copying a customer database is bad enough, it is even worse if they can copy the entire "Password Vault" containing all passwords.
Therefor we need a mechanism that ensures that passwords cannot be accessed by people that have left the company.

I think the only way of doing so is by checking the user credentials before unlocking the "Password Vault".
This will obviously limits the possibility of offline usage of a "Password Vault", but that would be more than acceptable.
In fact, we do not require an offline copy of the "Password Vault", however it could be useful in order to improve performance.
Nevertheless the most important thing is that no user can access the "Password Vault" if the administrator has revoked his/her access rights.

Password Access History
In case a problem occurs at one of our customers we want to know who last accessed the system. Since all our customers have there own (very hard to remember) passwords we currently check the password access history to see who retrieved the password over the last time.
If we are going the use "1Password for teams" such information should be available. It also is useful in combination with the earlier described "Vault Copy Protection" since it also makes is traceable when a malicious user is copy passwords one-by-one.

Customer related items
1Password does not only offer the capability to store passwords but also other items like the Wallet, Software, etc...
We need this because we like to store items such as "SSH/VPN login details", "System details (IP's, Type info, Serial numbers, etc.)", etc..
We there for have quite a few thing to store in the vault that are all customer-related.
What we need is a quick and easy way to create a group of items that can be assigned to a customer, so we can see all items of a specific customer in one overview.

Customer templates
As an added feature to the previously mentioned "Customer related items" we also require " templates" to quickly create a new customer.
This template would then contain all items that we need for a specific kind of customer. So image creating a new customer and automatically adding all items to define: "SSH/VPN login details", "System details", " Specific access passwords", etc..
If an entry has no data/password stored, it should be clearly marked as a "ToDo" .

I hope this information is very useful to your team.
And perhaps you can already inform me about already having planned to implement oen of these features.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: ug:mac/security-audit, ug:mac/security-preferences, ug:mac/security-audit, kb-search:history

Comments

  • Jeff ShinerJeff Shiner AgileBits Admin

    Team Member

    Hi @ramonpeek

    Thanks for the feedback and feature requests! I think they make a lot of sense.

    Here are my thoughts and feedback:

    Vault Copy Protection

    It looks like your main concern here is ensuring that an employee who has left the company can no longer access any vaults that have been shared with them. When they do leave the company you could Suspend and then Delete that employee. This will have the effect of preventing them from accessing the vault on the client apps.

    As you mention, it is possible that they are offline and hence the deletion has not yet taken effect. We are looking at a couple of options that might help out here. We could either limit (as an option) certain vaults to be accessed online only and not stored locally. Alternatively we may set a configurable limit on how long a vault could be viewed offline before the person must connect to see if changes in access have been made. I think these would help out in your scenario, but ultimately you need to be careful as once someone has access to a login it is always possible they have saved that information in some other way... even if just writing it down.

    Password Access History

    To make sure I understand this correctly, you'd want the team member and timestamp from the last (or perhaps each) time that a Login is used (filled or has the password copied)? I can definitely see some scenarios where this would be helpful.

    Customer related items

    You are absolutely correct that 1Password has a lot of value in storing just about any important, sensitive information. :)

    You mentioned that you'd like to see "all items of a specific customer in one overview". What I would suggest is that you create a separate vault for each of those customers. That way you could simply switch to that vault and then easily see what items are stored in that vault.

    Customer templates

    I can see this as a useful feature for on-boarding new employees as well. I believe you can largely accomplish this in the following way.

    You can create a vault which will contain the items that will be given to each new customer/employee. This would be a "template vault" as those items would exist but not associated to any specific customer. Whenever you onboard one of your customers or employees you can create a new "customer vault" and then copy all of these items from the "template vault" to that new vault. This can be done pretty easily in the 1Password for Mac app by selecting the items from the "template vault" and using Item > Copy which makes a duplicate in the new vault. You could create many different template vaults containing the specific items you need for the different customer types.

    I would love your thoughts on the above!

  • ramonpeekramonpeek
    edited December 2015

    Thank you for you elaborate answer, it's very much appreciated.
    Here is my reaction;

    Vault Copy Protection
    Both proposed solutions ; "Working offline only" and "Offline vault access time limit" are good ways to reach the goal I mentioned. Personally, I prefer the "Working offline only" option since it would be the most secure method. Nevertheless, the other option offers access to passwords when no Internet connection is available, which could still happen. So both options would very much be appreciated.

    Password Access History
    You understood me correctly. All we need is a logbook (per item) that shows who retrieved the item and when.

    Customer related items
    Using a separate vault per customer could be a solution. But you have to realize we have over 2000 customers that we need to find and access with ease, and also create new customer vault with ease (even low level users should be allowed to create vault (or rename existing "template vaults" an admin has created for future use.) . I have to admit that I didn't join in the Beta test so I have no hands-on experience so far. (Note: Didn't do so to prevent conflicts with my existing "older" software). However, I'm assuming it would be very easy. Therefor a simple "Yes" or "No" answer to the question "Is it very easy to maintain over 2000 customers/vaults?" would be sufficient for me at this moment.

    Customer templates
    I can see how the proposed solution could work and I agree to this solution if the items addressed in "Customer Related items" are sufficiently addressed. I will check with colleagues to see if we are able to setup a test environment with the "1Password for Teams beta" software.

    I'd love to hear your response.

  • I would also love to see the same features mentioned in 1Password. I work at a small consulting company with a dozen employees, and it would be great to move our password storage to 1Password Teams for additional security. The auditing of user access would be excellent (bonus points for being able to view a log of passwords touched by a particular user in a particular timeframe--employee gets fired, for example, and it would be great to know what passwords he's seen in the last year. If he never saw a customer's password, no need to change it when he leaves).

    Not sure how well templates would work, custom templates would be great but not required, but I am in the Teams beta (though haven't used it much and I'm primarily on Windows so I won't yet), I do see that Tags still exist (though no Folders which seems to be only on some platforms?). Creating a Tag per customer, as long as it's easy to search/sort/limit by tag (and even search for tags), could work, but it would be a bit "clunky" perhaps. Probably better than one vault per customer, we have tens of thousands of customers; probably a few hundred we'd need to keep secure items for, but that's still a lot of management required to bolt on top of tags. Might work though. I know in my personal Windows or iPhone app I wish I could easily apply tags to multiple items at once (tag equivalent of "move all items to folder" for folders) and there doesn't appear to be a way.

    Copy protection I'm less concerned about, the max-life-offline solution seems fine to me. We don't lock people out often, but it would be a great sanity check, and since users could have written passwords down as you mentioned, this is more of a safety measure than ultimate security. Especially in concert with an auditing feature this would be helpful.

    Definitely interested in this here! I've been eyeing PassportalMSP for a while but they've raised prices apparently and I have more trust in the 1Password system overall, even though I know you'll never integrate with Autotask or ConnectWise since they're so industry-specific :-)

  • roustemroustem AgileBits Founder

    Team Member

    @dszp -- about the integration with other services. One thing we are looking at currently is having public open-source API for 1Password for Teams that can be used in custom integrations.

  • @roustem - thanks, that sounds awesome! What better way to make the system attractive than to make it the must-have piece working with other tools!

  • brentybrenty

    Team Member

    It's definitely an exciting idea. We'll see what were we can take it. :)

  • Sounds good, but obviously get Windows support for basic Teams out the door first...I've heard it's going to be nice...

  • brentybrenty

    Team Member

    If you're as excited as we are to use 1Password for Teams everywhere, check out the beta of 1Password (for Windows 10) in the Windows Store. It is geared primarily toward tablets and phones, but will run on any Windows 10 machine and has 1Password for Teams support. Cheers! :)

  • Oh I've used the beta, it's...OK. Since it doesn't fill web browsers (I understand the sandboxing issues), it's mostly useless at the moment (for me...and I'd also like it to minimize to the system tray), but I saw that PIN/biometric support is available in Beta 2 which will definitely make it quite nice from that standpoint! Definitely some uses, and I have a Surface Pro 3 so from a tablet standpoint it will be quite handy (pulling it up and using PIN to log in rather than typing full password if in tablet mode sounds great), but not cutting it for everyday use yet, even with Teams support.

  • brentybrenty

    Team Member

    I've merged the audit-focused portion of this discussion with the existing audit feature request discussion. Cheers! :)

  • Thanks, @brenty. Much appreciated.

  • brentybrenty

    Team Member

    :):+1:

This discussion has been closed.