Feature request: failsafe mechanism for mission critical vaults

jkh1pw
jkh1pw
Community Member

During a recent disaster recovery discussion, we realized that there seems to be a gap in functionality. Since vault deletions are immediate and permanent, it allows for the possibility of an insider threat doing catastrophic damage with no recourse. I feel like there should be a way to tag/categorize specific vaults (or even an org-wide setting) which would require a second admin to approve before a vault is deleted. There should be some kind of mechanism in 1Pass so that a disgruntled admin can't singlehandedly nuke your org's most important secrets.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • ScottS1P
    edited October 2023

    Hello @jkh1pw,

    I'm Scott on the 1Password support team. It's nice to meet you.

    Thanks for asking about adding a fail safe to prevent the malicious deletion of important vaults. While 1Password currently has no feature like this, I'm glad to share your request with the team to consider as they plan the future of 1Password.

    Have you given any thought to how you would like this feature to work? For example:

    • Should vaults be able to be undeleted for some amount of time?
    • Should it require another admin or owner to approve the deletion of a vault?
    • Should this feature apply to all vaults or only specific ones?

    If there is anything else you can share about how you would like such a feature to work, or anything about your use case, I'll be glad to make sure the team is aware. Post it here, or if you'd prefer to share confidentially, please send an email to BusinessSupport@1Password.com with your comments, a link to this community post, and a note that you are @jkh1pw.

    Thanks again for contributing to 1Password's evolution. Have a wonderful weekend!

    ref: PB-36095000

  • ajh0912
    ajh0912
    Community Member

    I think this would be very beneficial. One way (I'd like multiple ways to be available) would be the option of requiring some proportion of currently active admin accounts confirm the deletion before it is processed.

    Your Team account currently has 5 non-suspended admins, 4 of which have active sign-ins.
    How many admins are required to confirm the deletion of this vault?:
    1. All admins with active sign-ins are required to confirm
    2. Any 2 admins can confirm

    (where '2 admins' can be adjusted, within reason - don't let them specify more than the number of admins with active sign-ins, and if there are less active admins in the future than the number specified, produce warnings or fall back to option 1)

  • LieutenantLefse
    LieutenantLefse
    Community Member

    A malicious admin can just create another admin account.

    Perhaps the simplest solution would be to optionally allow undelete of vaults for (say) 14 days. Turning that option off would also need to be on a 14-day fuse.

  • Thanks for taking the time share your feedback, @ajh0912 and @LieutenantLefse. I've shared these internally with our team.

  • YellowVista
    YellowVista
    Community Member

    Perhaps the simplest solution would be to optionally allow undelete of vaults for (say) 14 days. Turning that option off would also need to be on a 14-day fuse.

    I share these concerns. Vaults really need to be recoverable in order to mitigate the risk of accidental or intentional (malicious insider) vault deletion. 1Password presents unique risks with respect to insider threats, because there aren't any good backup options. (By contrast, we can use tools to automatically backup our Office 365 data. So even if a malicious insider were to delete all of our Office 365 accounts/data, we would have the immutable offsite backups we could restore.)

    There should also be a an option to allow the account "Owners" to recover any items for a similar period of time even after they have been "Destroyed permanently", because a malicious insider could just Delete and then Destroy Permanently all of the contents of a vault.

    A related concern I have shared in the past with someone at 1Password is the need to protect "Owner" accounts from being removed from vaults or having their permissions changed, being suspended/deleted, or having a recovery initiated without the approval of one (or better, multiple, other Owners). ... In one of the businesses I work with, the in-house IT admin (and external IT support team) have global/root admin privileges for pretty much everything, but not for domain name registrations/DNS records, and only certain key owners of the business are setup as "Owners" and "Administrators" in 1Password. The in-house IT admin has more limited privileges. .... The problem is that the in-house IT admin should be able to manage most of the 1Password users and help them with account recovery. But the in-house IT admin (who is a trusted insider, but not at the same level as an owner or executive officer) should NOT be able to mess with the accounts of the members of the "Owners" group.

  • @YellowVista

    Thank you for the detailed feedback and suggestions! I've shared your comments with the team as well.

    Regarding the topic of securing your 1Password Business account I would recommend taking a look at the following article: Best practices for securing your 1Password Business account

    -Dave

    ref: PB-38281596

  • YellowVista
    YellowVista
    Community Member

    @Dave

    Regarding the topic of securing your 1Password Business account I would recommend taking a look at the following article: Best practices for securing your 1Password Business account

    I have read that. The issue is that we would like to be able to delegate day-to-day administrative tasks for our Business Account, such as onboarding new team members and helping team members recover their accounts, to our IT admin. But we do NOT want the IT admin to be able to mess with any settings/permissions/etc. for Owners, such as removing Owners from vaults, changing Owner permissions, suspending/deleting owners, or initiating the account recovery process for Owners. We would like those things to require the approval of one (or better, multiple, other Owners).

    In addition, I would like the option to require Owner approval for the deletion of any Vaults, rather than Administrator approval.

    Basically, the first request is to be able to turn on an option ("Restrict Changes to Owners") where the "Recover Accounts", "Manage People", "Suspend People", "Invite & Remove People", and "Manage All Groups" permissions do not permit anyone who is not an Owner to take any such actions with respect to an Owner. That is, if the "Restrict Changes to Owners" feature was enabled, an "Administrator" could perform all of those actions for all users EXCEPT for Owners.

    The second request is to have a "Require Owner approval for Vault Deletion" setting, such that if an Administrator attempted to delete a vault, it would send a request to the Owners to approve such deletion rather than performing the deletion immediately.

This discussion has been closed.