Why we need local vaults.
I today read up on how in the future there is no longer support for any type of vault that is not synchronized. This for me personally breaks requirements to an extent where I can no longer use 1password for business and personal use.
I have worked with Agile Bits as a partner, I have been an early advocate and business customer of 1password, and I have been a CTO/CPO of three security companies. I hope the following is useful to explain why this design choice forces a substantial (and growing number) of users to use other platforms. Also to be clear, this has nothing to do with SaaS. I am comfortable a subscription-only model as well as cost.
For me and my organization vaults right now fulfill two critical functions for 1password in professional settings:
- Compliance with non-disclosure and information storage agreements
- Partitioning of hosts into multiple classes of trust
For both I am not aware of any other mechanism that 1password offers right now that can solve these problems.
Today, a lot of the information that I get from other organizations is governed by strict agreements where this information can be stored. This often includes credentials for these organizations, and there is often no carve out on storing this information in encrypted form. Working as a consultant, I may credentials (as well as keys, certs and other sensitive information) for a number of organizations. Right now, I store these in a local vault that is only stored on a very small number of high-security systems under my control. Legally I can't sync this to a 1password server, and thus I could no longer store this in 1password.
The second issue is that not all systems are trusted in the same way. I have a shared iPad that is used in aviation and is sometimes used by others. In the family we also have several gaming PC's with a wide collection of games and mods (from questionable sources intalled) and used by the entire family and my kids' friends. And I have a personal work laptop that's locked down. And sometimes a corporate laptop that is also locked down. The level of trust for these devices is very different. They are on different VLAN's with different security settings. Right now, I can partition information with local vaults on different systems. I have a key that is from my primary employer, it's in a local only vault. I have credentials for a company where I am an advisor. That's in my personal, local vault. Without local vaults, every piece of sensitive information would be on every system. And in case of a host compromise could be read out by an attacker. That's not a risk I could manage. In theory, you could address some of this by using virtual users for each system (or class of system) and have different logins only sync certain vaults to each system. But right now that would require a large number of accounts and would be cost prohibitive and hard to manage. And it still doesn't address the first problem.
Having been a chief product officer in the past, I don't quite understand why is it hard to include a flag in a vault that prevents synchronization. From a technical level, it is a very simple feature and it would remove a lot of friction from your selling motion. My two cents as a long time fan of Agile Bits would be to add this feature before 1password 7 becomes unusable. I would like to keep using 1password, but without local vaults I can't do that for business or privately.
Guido Appenzeller
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
+1
It’s especially ridiculous that they have moved to a SaaS model (not a hang-up on its own for me, either) and then start removing features, all while telling you that getting less for the same price is actually an improvement!
0
