1Password Migration to shared ISO environment

[dianamartin]

Talked to Bart L. from ISO on 3/15

We discussed what ISO was doing. They have been piloting 1password and were waiting to get their environment. They said that they can add us to their environment, they are covering the cost for this licensed environment. They hope to issue out accounts to all users that have a MS account so that it prevents people from saving their passwords on browsers.

1Password Migration

MS Group - ATD Data and Technology Services

• [x] Add users to “MS Group - ATD Data and Technology Services”
• Existing users in group: Diana, Tracy, Tilly, Amenity, John, Scott, Andrew
• Need to add 15 users
• [x] Added 15 users
• Added as Owners: Amenity, Peggy, Chia and Frank
• [x] Send Bart L. email with updated members on “ATD Data and Technology Services”
• Send email to Bart on 3/20

• [x] Rebuilt vaults, move vaults to ISO instance
• [x] Provide access to members for each vault again
• [x] 2 weeks - out of pilot mode
• [x] ISO will be communicating across the city
• [x] Seek refund w/ Jamie (vendor contact)

Pros

• Will no longer require ProCard purchasing for 1password (foreign exchange rate)
  • Save $$$
  • Currently spending $1,197 annually (25 licenses)
• Guests can be invited to a vault, not provisioned a license
• Users will no longer have the browsers save their passwords
• Passwords are more secure and complicated, avoiding hacking

Differences

• Managing DTS MS Group - ATD Data and Technology Services” rather then in 1password

Departments using 1password

• AE
• ACC
• APH
• ATD
• PARD

[dianamartin]

2/23/24

@frankhereford @amenity Recent updates on this..

• I followed up with Bart L. (ISO)

  Hey Bart, if you're around before 3 pm (I have a meeting then), I wanted to talk to you about the latest enterprise 1Password stuff. I saw that COA newsletter that mentioned it, but I'm wondering how that would affect the TPW Data and Technology Services team as I've recently renewed our 1pasword user seats this past January.

He said

You can move to the site licensing any time you want. We would just need to assign licenses for you all. 1Password has agreed to refund all instances that adopt the site license.

• So if you can get the client deployed (or can identify your systems) we can mass deploy and allocate licenses for the group
• Health has already deployed in a similar fashion - other groups are trying to go live in March

I asked him about the vault access credits and he said

I think it is included in the license - we can give it a try if you like - meant we don't risk anything trying other than the time spent.

• it is included in the licensing as far as I know and I do remember the discussion
• ISO purchased this ELA and is providing it to everyone

He offered to get me set up to look around

I can give you a license from the ELA right now if you like

• [x] I was able to get access and sign in
• Just added you - just let me know what else you need. You will notice some stuff is restricted - if you need any of it let us know and we will make it happen (like shared vault creation - we are trying to not have 10k shared vaults so are limiting that ability to select people)
• It's just the vault creation that is limited, so I can have you added to the vault admin group who can create vaults. Not sure about guests, I have not had to deal with that but I don't see why it would be an issue.
• anyone with an email address on one of the city domains can get an account under our ELA

He provided a help resource

Other things

• Amenity asked Frank to a mini presentation on 1pw
• I asked Frank if he wanted to be an early adopter like me and check out he new environment and see it is has the functionality we are wanting for the vault secret credits. I'd like his expertise to see if we can migrate over to the enterprise environment. It's not a rush request, but it is important.

[frankhereford]

I wrote Bart L. today asking about how a 1PW Connect integration might look as well as asking if I could get access to the service to evaluate its impact on our team. I am seeking to establish a dialog with him about 1PW and to learn more about what the COA deployment looks like, in particular around the control of DTS vaults and if they reserve the right to administrate or access them. I'll follow up here as our conversation develops.

[frankhereford]

I have written up findings about the Enterprise 1PW service, and very briefly, we do not have permission to use it at this time. Other than that one, important thing, I think the COA Enterprise account is entirely sufficient.

I have more comments here: https://github.com/cityofaustin/atd-data-tech/issues/16372#issuecomment-2020520540. Thanks!

[frankhereford]

Following up here on the completion of #16372 --

There are not blockers from a technical perspective that would prevent us from moving to the enterprise 1PW account. We are able to deploy a connect server which provides access to our shared secrets vault in the enterprise system.

I think it might be worthwhile to have a conversation among DTS stakeholders about our willingness to give up the last-word in control of our secrets and their storage, but in terms of technical concerns, they are all buttoned up, I believe. Thanks!

[dianamartin]

5/15/24

Catching up on documentation On 5/8/24 Scott messaged Frank to ask about 1pw configuration

Hello Scott, I now have access to 1password. I am not able to create a shared vault for my MMC & Comm teams. Can I get admin privs to do this, can uassist, or do I need to submit a ticket in SN?

Frank replied

Hi Scott, I hope you’re doing well. DTS isn’t supporting the department’s use of 1PW, or at least not at this time. However, I speak with Henry frequently as he’s here at 8700, so I did connect with him briefly to pass along my unofficial suggestion of who he may want to contact for that new vault.

I think the general answer we want to give folks when they inquire about 1Password is to reach out to ISO at [cybersecurity], but I don’t have that on any authority – just my own understanding.

On 5/14/24 emailed ISO

Hello,

I’ve talked to Bart in the past about getting this set up. TPW has been paying for 1password since 2019, but we have finally evaluated the COA enterprise 1password environment and are feeling ready to migrate over.

However, the biggest thing that needs set up is the vaults we currently use. I wanted to discuss what the plan is for vault creation in the enterprise platform. Do y’all already have documentation on that or best practices. I know that security groups/distribution lists are used to manage the vaults. We’ve hired some new folks recently and I’m hoping to get this set up quickly.

Please ping me on teams/set some time up if any clarification is needed.

This is currently how our vaults are set up. The “red” highlighted vault, I think we’ll deprecate. The “cyan” colored ones are the ones I’d like to get up in running. I’ve been in the COA 1PW platform and seeing they have the ability for “collections” and will continue to do more research on it to see if we need streamline any vaults.

FYI: I believe another TPW division (Henry, Arterial Management) has already put in a similar request to get this set up. I’d love to understand the process and structure to be able to guide our users on this new platform.

[dianamartin]

5/15/24

Participants: Cedric W. (ISO), Adnan, Scott, Diana, Tarek, Henry, Peggy

• ISO: Cedric, Adnan, Tarek
• TPW: Diana, Henry, Peggy

Getting Access

• CTM SN --> cybersecurity
• or CyberSecurity
• Dynamic Group provision, perhaps wont need to route to CTM/ISO

Vault Admins

• ISO would identify - Departmental Vault Admins
  • Diana
  • Tech Services?
  • ISO - admin back up
  • fix permission issues

Vault admins roles

• Assign members to vaults
• Ability to create vaults
• No external persons managing the vault
  • Back ups identified
  • Account Recovery - ISO
• DTS isn't necessarily responsible

Policies & Best Practices

• Contractors
  • As long as they have (austintexas.gov)
• Guest Share (vault)?
  • not had it come up
• Separated Employees
  • MS group<>AD

Employee & Family

• Will become read only if they separate with COA
• They have to enroll in paid account to get access back to

Migration Steps

• Move/Copy

CSV Fields exported

• Title
• Url
• Username
• Password
• OTPAuth
• Favorite
• Archived
• Tags
• Notes

[frankhereford]

The Developer and API vaults have been successfully migrated to the COA account and all contents in them have been archived in the DTS account. 🏁