cityofaustin / atd-data-tech

Austin Transportation Data & Technology Services

1Password Migration to shared ISO environment #11770

Open dianamartin opened 1 year ago

dianamartin commented 1 year ago

Talked to Bart L. from ISO on 3/15

We discussed what ISO was doing. They have been piloting 1Password and were waiting to get their environment. They said that they can add us to their environment; they are covering the cost for this licensed environment. They hope to issue out accounts to all users that have an MS account so that it prevents people from saving their passwords in browsers.

1Password Migration

MS Group - ATD Data and Technology Services

Pros

Differences

Departments using 1password

dianamartin commented 8 months ago

2/23/24

@frankhereford @amenity Recent updates on this...

He said

You can move to the site licensing any time you want. We would just need to assign licenses for you all. 1Password has agreed to refund all instances that adopt the site license.

  • So if you can get the client deployed (or can identify your systems) we can mass deploy and allocate licenses for the group
  • Health has already deployed in a similar fashion - other groups are trying to go live in March

I asked him about the vault access credits and he said

I think it is included in the license - we can give it a try if you like - meaning we don't risk anything trying other than the time spent.

  • it is included in the licensing as far as I know and I do remember the discussion
  • ISO purchased this ELA and is providing it to everyone

He offered to get me set up to look around

I can give you a license from the ELA right now if you like

  • [x] I was able to get access and sign in
  • Just added you - just let me know what else you need. You will notice some stuff is restricted - if you need any of it let us know and we will make it happen (like shared vault creation - we are trying to not have 10k shared vaults so are limiting that ability to select people)
  • It's just the vault creation that is limited, so I can have you added to the vault admin group who can create vaults. Not sure about guests, I have not had to deal with that but I don't see why it would be an issue.
  • anyone with an email address on one of the city domains can get an account under our ELA

He provided a help resource

Other things

frankhereford commented 8 months ago

I wrote Bart L. today asking about how a 1PW Connect integration might look as well as asking if I could get access to the service to evaluate its impact on our team. I am seeking to establish a dialog with him about 1PW and to learn more about what the COA deployment looks like, in particular around the control of DTS vaults and if they reserve the right to administrate or access them. I'll follow up here as our conversation develops.

frankhereford commented 7 months ago

I have written up findings about the Enterprise 1PW service, and very briefly, we do not have permission to use it at this time. Other than that one, important thing, I think the COA Enterprise account is entirely sufficient.

I have more comments here: https://github.com/cityofaustin/atd-data-tech/issues/16372#issuecomment-2020520540. Thanks!

frankhereford commented 6 months ago

Following up here on the completion of #16372 --

There are no blockers from a technical perspective that would prevent us from moving to the enterprise 1PW account. We are able to deploy a Connect server which provides access to our shared secrets vault in the enterprise system.

I think it might be worthwhile to have a conversation among DTS stakeholders about our willingness to give up the last word in control of our secrets and their storage, but in terms of technical concerns, they are all buttoned up, I believe. Thanks!

dianamartin commented 6 months ago

5/15/24

Catching up on documentation. On 5/8/24 Scott messaged Frank to ask about 1PW configuration:

Hello Scott, I now have access to 1Password. I am not able to create a shared vault for my MMC & Comm teams. Can I get admin privs to do this, can you assist, or do I need to submit a ticket in SN?

Frank replied:

Hi Scott, I hope you’re doing well. DTS isn’t supporting the department’s use of 1PW, or at least not at this time. However, I speak with Henry frequently as he’s here at 8700, so I did connect with him briefly to pass along my unofficial suggestion of who he may want to contact for that new vault.

I think the general answer we want to give folks when they inquire about 1Password is to reach out to ISO at [cybersecurity], but I don’t have that on any authority – just my own understanding.

On 5/14/24 I emailed ISO:

Hello,

I’ve talked to Bart in the past about getting this set up. TPW has been paying for 1Password since 2019, but we have finally evaluated the COA enterprise 1Password environment and are feeling ready to migrate over.

However, the biggest thing that needs to be set up is the vaults we currently use. I wanted to discuss what the plan is for vault creation in the enterprise platform. Do y’all already have documentation or best practices on that? I know that security groups/distribution lists are used to manage the vaults. We’ve hired some new folks recently and I’m hoping to get this set up quickly.

Please ping me on Teams/set some time up if any clarification is needed.

This is currently how our vaults are set up. The “red” highlighted vault, I think we’ll deprecate. The “cyan” colored ones are the ones I’d like to get up and running. I’ve been in the COA 1PW platform and see they have the ability for “collections”; I will continue to do more research on it to see if we need to streamline any vaults.

FYI: I believe another TPW division (Henry, Arterial Management) has already put in a similar request to get this set up. I’d love to understand the process and structure to be able to guide our users on this new platform.


dianamartin commented 6 months ago

5/15/24

Participants: Cedric W. (ISO), Adnan, Scott, Diana, Tarek, Henry, Peggy

Getting Access

Vault Admins

Vault admins roles

Policies & Best Practices

Employee & Family

Migration Steps

CSV Fields exported

frankhereford commented 5 months ago

The Developer and API vaults have been successfully migrated to the COA account and all contents in them have been archived in the DTS account. 🏁