Disaster Recovery plan

Hi there,

first thanks for the awesome product. We use the Business variant in our team.

I am currently in the process of preparing a Disaster Recovery plan. One of the Disaster Scenarios is a malicious administrator that tries to lock us out of our systems/backups.

Currently I plan to have only one "Disaster Recoverer" in the owner group and save this users credentials (address, secret-key, master-password) somewhere safe (Safe deposit box). The Employees will be members of the Administrators group at max. Therefore a malicious Administrator can not delete the team account. Credentials needed for recovery (FDE Passwords, Backup Keys) are stored in a special vault where only the Owners have the "Empty Trash" and "Manage Vault" permissions. Admins can add, view and update passwords but never finally delete. Therefore a malicious Administrator can not delete the recovery credentials.

I have two last concerns:

  1. Cloud an malicious Administrator suspend the Disaster Recoverer to prevent Disaster Recovery by locking everyone out?
  2. Cloud an malicious Administrator somehow Recover the Disaster Recoverer to gain access to the account?

Can you give a hint how I could prevent these two attacks?

Kind regards
Clemens


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • cbergmann
    cbergmann
    Community Member
    edited November 2019

    sorry for the typo Cloud => Could

  • Hi @cbergmann! Thanks for asking about this before implementing it. There are a few recommendations I'd like to make, since it sounds like there's some confusion about how sharing passwords works. First, you mentioned that Owners are the only ones who can empty the Trash and manage the Disaster Recovery vault, but those permissions aren't what will truly protect you from others on the team doing something malicious with the credentials. After all, if you share passwords with someone, they can use them to change those passwords to something else, then not store the new ones in 1Password at all – it wouldn't matter if they could delete the item or not, since the password is now something entirely different.

    You mentioned using a safe deposit box that has the Emergency Kit of an account in it, which is a good idea. However, if you're worried that an administrator might delete the account, I'm not sure that's possible in this case. Only someone who is an owner can do that. If you're worried an admin will access an owner's account, simply don't store the owner's account details anywhere an admin could access it, and don't let them have access to the owner's email address, preventing them from recovering their 1Password account and getting a new Secret Key and Master Password for it.

    Could an malicious Administrator suspend the Disaster Recoverer to prevent Disaster Recovery by locking everyone out?

    Yes. Administrators can suspend anyone on the team.

    Could an malicious Administrator somehow Recover the Disaster Recoverer to gain access to the account?

    Yes, this is what I mentioned above.

    If you have some additional questions about this, feel free to reach out to our business team at business@1password.com. :)

  • cbergmann
    cbergmann
    Community Member

    hi @Jacob,
    thanks for the reply and the detailed explanation.

    In general you are right with the "the attacker could change the password" argument. In this special case we are talking about Encryption passwords for off-site off-line disaster recovery backups. These passwords/encryption Keys could not be changed because the Hard-Drives are off-line. Therefore the only chance for the attacker to prevent recovery is to prevent decryption by deleting the keys from 1password (or the whole 1password account).

    regarding the suspend aspect You wrote in September 2018 that the last owner could not be suspended. Is this still true or has this changed in the past year?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @cbergmann: Correct. They would need to make someone else an Owner in order for them to be suspended (or deleted).

This discussion has been closed.