* Articles housekeeping Style tweaks: - reduced categories-and-search margin-top - changed color of category on cards - removed time stamps from cards Image updates: - created missing images, and replaced existing with a cleaner, more vibrant style to the following categories. - security - guides - engineering - podcasts - Normalized release thumbnails. The current graphics are over-designed, inconsistent, and too busy/hard to process. * lint fix * remove ")" from image caption * remove old article images * update cover image filenames for consistency * add deleted image, update filenames to match naming conventions * fix typo in filename Co-authored-by: Eric <eashaw@sailsjs.com>
4.8 KiB
Tales from Fleet security: securing 1Password
No matter how much we wish SaaS tools had support for Single Sign-On (SSO), there are still so many websites and other resources that require individual passwords. Running a company without providing employees with a password manager is setting them up for failure. Of course people will use the same asswords on multiple sites if they do not have a way to manage different ones. That being said, password managers do centralize a lot of the security eggs in the same basket, which is why the manager itself must be as well protected as possible and why hardware security keys should be used on high-value systems.
At Fleet, we use 1Password. While configuring 1Password is relatively straightforward, here are a few things we do that can help you secure your 1Password instance.
Require 2FA
By setting the Account Password Policy to Strong, we gained the ability to support and then require 2FA.
When enabling 2FA, we ensured we also required it, as otherwise, there would always be some users without it.
2FA methods
We highly recommend that all of our users configure security keys as a 2FA method, but unfortunately, 1Password does not allow enforcing this. For this reason, we recommend that employees configure their keys and then delete the tokens from their authenticator apps.
We have made a feature request to 1Password, as having a very secure authentication method is excellent, but if weaker forms remain available, what's the point?
Restrict the number of administrators and powerful accounts
If an administrator account or an account with account management privileges gets compromised, things could go south quickly.
Ensure at least one admin recovery kit is stored securely
1Password, the company, can't retrieve our data as it is encrypted. If all admins were to get locked out at once, this could lead to data loss. For this reason, we store a physical copy of an emergency kit in a secure physical location.
Get rid of recovery kits on computers
We also ask that everyone delete emergency kits from their computers. To catch mistakes, we also run a policy in our instance of Fleet that runs this query:
SELECT 1 WHERE NOT EXISTS (SELECT * FROM file WHERE path LIKE `/Users/%%` AND filename LIKE "%Emergency Kit%.pdf");
This query succeeds if it does not find PDF files with a name like "Emergency Kit" in user directories.
Require modern apps
We enable this feature to block old, unsupported clients from accessing our vaults. Since these older clients might have vulnerabilities or not support the latest security features, this reduces the odds that something could go wrong.
On top of blocking old clients, we also push 1Password updates to our managed workstations to keep them up to date instead of only stopping very old clients.
Slack notifications
We have configured Slack notifications, which you can find under the integrations configuration page in 1Password. We ensure that our security and operations teams see critical information about 1Password accounts, such as recovery attempt requests.
Recovery process
We documented and practiced our recovery process to ensure everyone with access to perform recoveries knows how to identify the requester. We also ensure that anyone working on a recovery warns everyone and confirms they have identified the requester.
Item sharing
Item sharing is one of these features where we can't recommend a setting. More restrictive is more secure unless you need to often share secrets with third parties. We simply recommend picking what makes the most sense for you.
Effort and conclusion
We feel our 1Password environment is safer than the defaults with these settings. Applying these settings takes a matter of minutes and will require users to enable 2FA.
While additional configuration is possible to secure the Mac 1Password application, support for this is, unfortunately, 1Password has not kept these features in the recently released 1Password 8. If you are using 1Password 7, we definitely recommend checking them out.
Want to discuss this further?
Feel free to drop in our #Fleet Slack Channel to discuss anything security-related with us!
What's next?
Stay tuned for our next article in the Tales from Fleet security series!