Check out all the on-demand sessions from the Intelligent Security Summit here.
Password-management platform 1Password is expanding into the “secrets management” space, helping developer teams across the enterprise safeguard private credentials, such as API tokens, keys, certificates, passwords, and anything used to protect access to companies’ internal applications and infrastructure.
Alongside the launch, 1Password has also announced its first acquisition with the purchase of SecretHub, a Dutch startup founded in 2018 that claims to protect “nearly 5 million enterprise secrets” each month. Following the acquisition, SecretHub will be shuttered entirely, with its whole team — including CEO Marc Mackenbach — joining 1Password.
Recent data from GitGuardian, a cybersecurity platform that helps companies find sensitive data hidden in public codebases, revealed a 20% rise in secrets inadvertently making their way into GitHub repositories. If this data falls into the wrong hands, it can be used to gain access to private internal systems. By way of example, Uber revealed a major breach back in 2017 that exposed millions of users’ personal data. The root cause was an AWS access key hackers discovered in a personal GitHub repository belonging to an Uber developer.
There has been a flurry of activity across the secrets management space of late. Israeli startup Spectral recently exited stealth with $6.2 million in funding to serve developer operations (DevOps) teams with an automated scanner that finds potentially costly security mistakes buried in code. San Francisco-based Doppler, meanwhile, last month raised $6.5 million in a round of funding led by Alphabet’s venture capital arm GV and launched a bunch of new enterprise-focused features.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
1Password has built a solid reputation over its 16-year history, thanks to a platform that can store passwords securely and simplify log-in. It allows consumers and businesses to log into all their online services with a single click (rather than having to manually input passwords) and can also be used to store other private digital data, such as credit cards and software licenses. The Toronto-based company raised its first (and only) round of funding back in 2019, securing $200 million to help it push further beyond the consumer sphere and cement itself as an integral security tool for the enterprise.
Today, 1Password claims some 80,000 business customers, including enterprise heavyweights such as IBM, Slack, Dropbox, PagerDuty, and GitLab. With its latest “secrets automation” product, the company is striving to make its platform stickier for existing and potential clients searching for an all-in-one platform that protects all their credentials — from employees’ email passwords to core backend business systems.
While 1Password’s existing password-management toolset helps people securely access accounts without having to remember dozens of passwords, the “automation” facet of its new product name refers to machine-based system workflows that, for example, enable an application to securely “talk” to a database. “This means being able to roll secrets into your infrastructure directly from within 1Password,” chief product officer Akshay Bhargava told VentureBeat. “We are the first company encompassing human and machine secrets.”
Typically, infrastructure secrets can be splayed across countless cloud providers and services, but according to 1Password, it’s not uncommon for companies to cut corners or use a dubious combination of hacks and homegrown tools to manage the security around this issue.
According to Bhargava, 1Password was working on a secrets management solution before it acquired SecretHub. In fact, many of 1Password’s customers were already storing their infrastructure secrets in its vaults.
“Our customers have raised this workflow as something they’d like 1Password to solve,” Bhargava said. “It’s fair to say our first version is homegrown, and we’ve been focused on solving this problem for a while.”
Secrets automation allows admins to define which people and services have access to secrets, as well as what level of access is granted. At launch, it integrates with HashiCorp Vault, Terraform, Kubernetes, and Ansible, with “more on the way.” However, 1Password is also announcing a deeper partnership with GitHub, which will see the duo collaborate to “solve problems for our shared customers and users,” according to Bhargava. “We plan to build a workflow to support customers in delivering secrets and configuration into their CI/CD pipelines on GitHub,” he said.
As for costs, all companies will receive three credits for free. The cost then rises to $29 per month for 25 credits, $99 for 100 credits, and $299 for 500 credits. “We prorate based on usage,” Bhargava added. “We will work with companies needing more than 500 credits a month on an individual basis.”
In terms of how credit is consumed, companies configure the 1Password vaults they want secrets automation to access and then stipulate the permissions for a development environment with tokens. “If an API client needs read and write access to data stored in a 1Password vault, that access is defined using a token,” Bhargava explained. “One token, accessing one vault, is what defines a credit. If that same API client needs to access two vaults, that then becomes two credits. And similarly, if a single token is created for read access to vault A and another for write access to vault B, that becomes two credits.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.