All customer stories
How The Associated Press protects journalists and their sources with 1Password
The Associated Press (AP) is an independent global news organization dedicated to factual reporting. Founded in 1846, AP today remains the most trusted source of fast, accurate, unbiased news in all formats and the essential provider of the technology and services vital to the news business. apnews.com
Industry
- Media
Use Cases
- Secure credential sharing
- Compliance and auditing
- Centralized credential management
PDF Version
Key results
Journalists and their sources are protected when crossing borders with Travel Mode.
Credentials and multi-factor authentication (MFA) codes can be shared securely.
Centralized admin controls create needed oversight and speeds up onboarding.
Increased security visibility and control with the 1Password Activity Log.
Background
Few names come more readily to mind than the Associated Press (AP) when the subject of news comes up. With journalists in nearly 100 countries and all 50 US states, AP faces unique challenges when it comes to keeping their people – and their sources – safe.
As a global news organization, those risks include increased scrutiny and risk of cyberattacks. Because of the sensitive nature of their work, AP staff are encouraged to use strong, unique passwords to secure their information.
In the beginning, there was no single password manager solution used by AP staff. Instead, several different password managers were being used across the company.
As Danielle Meah, Senior Director of Information Security at The Associated Press, explains: “There was a lack of uniformity across password management and staff were expressing a need for a better solution.”
This created a disjointed process and the AP team saw an opportunity to keep everyone secure, while creating a single location to manage private data. “There was a desire from the editorial side to have a central password manager,” Tucker Ross, Information Security Engineer at AP, says. “Something that our team could manage, control, and revoke access to.”
Privacy and security at the office or on the go
AP was looking for a password manager that could protect their staff both in their home country and when they were crossing borders while on assignment. Then they discovered Travel Mode.
“One of the most critical things that we do as InfoSec is protect our journalists and protect the sources that they have,” Meah says. “We have journalists traveling to all different parts of the world, including many high-risk countries where you don’t have an expectation of privacy.”
The travel feature on 1Password was attractive to us, especially for journalists who are moving around and going into places where physical devices may be confiscated or there may be some other cybersecurity-related threat.
Tucker Ross,
Information Security Engineer
When a 1Password user enables Travel Mode they can choose to temporarily remove vaults from their device. This means that if their device is confiscated or they’re asked to unlock a device, only the 1Password vaults marked as safe for travel will appear – keeping all other information private and secure.
“We highlight travel mode whenever we onboard people into 1Password,” Ross says. “We tell them that they have this ability to designate passwords in the travel vault and limit the risk of something bad happening.”
Creating a central control
Using a variety of password managers at AP helped their employees use strong, unique passwords, but it didn’t give Ross and his team the ability to control access to other tools and information.
“One thing that I don’t think is really confined to just the media and journalism space is controlling privileged access,” Ross explains. “Rotating and managing privileges in Amazon Web Services (AWS) accounts, any kind of technical accounts, Secure Shell (SSH) keys, that’s something we’re actively using 1Password for.”
And the monitoring capabilities of 1Password also help AP ensure that their private data stays within the company walls. “1Password has an activity log that’s pretty granular,” Ross shares. “We can see if there’s any kind of suspicious activity, like exporting sensitive information.”
The Activity Log enables admins to monitor events that happen within the team. There are several actions the log tracks that admins can review, including creating files and vault items, changes to user access and groups, and even device authorizations. Revoking access, should someone no longer need certain information to complete their work, is simple with 1Password.
Being able to manage all our proprietary data in one central place has allowed us to manage it much more efficiently.
Tucker Ross,
Information Security Engineer
Sharing accounts with two-factor authentication
Two-factor authentication (2FA) is often seen as a security boost but can interrupt workflows if the 2FA is tied to an individual device or email account.
Ross explains how this has not only complicated the workflow at The Associated Press, but also created a security risk: “We were seeing some teams share authentication methods in ways that were not as secure as we would have liked.”
For teams that use shared social media accounts, using 1Password as an authenticator for 2FA means that codes can be shared securely between team members. “1Password has really simplified that process,” Ross says. “You can use it as an authentication app and set access control and set audit logs.”
This makes sharing accounts and information seamless between colleagues, while also improving overall security, and access management.
Our technical teams really like 1Password because we can share cloud credentials – things beyond just the standard username and password combos – and it allows for customizing the forms and the tool.
Tucker Ross,
Information Security Engineer
Seamless switching, fast onboarding
Requiring an entire team that was using a variety of password managers to switch to one solution could have encountered a lot of pushback – but at AP it was a smooth transition.
“People really seem to like it,” Ross says. “We had people using various other tools and the ease of switching over to 1Password was very simple. We get good feedback about the usability from multiple devices, including desktop and mobile.”
“One of the benefits of 1Password is that it’s extremely easy to use,” Meah adds. “In a less technical environment, it’s really difficult to uniformly implement any one technology,” she says. “The fact that we were able to do that with 1Password is hugely beneficial.”
Rolling out 1Password in an organization is a secure and simple process. 1Password works with businesses to develop a plan to implement 1Password and onboard every employee.
“It was a really easy process,” Ross says about setting up 1Password from the technical side. “We were assigned a deployment manager from 1Password who worked with us every step of the way and they were able to give us best practices on securing the account, scaling the account, automating deployment, automating creation, and deletion of users.”
Creating a secure password command center
With much of the staff already using various password managers, the real task for Ross and his team was determining which password manager to choose.
Ross dug deep into what features would meet AP’s needs for strong, reliable security. “I was particularly attracted to 1Password because of the security audits the company published,” Ross says. “Also, the use of a private key for decrypting individual vaults and the vault architecture, which would limit the blast ratio if they were compromised.”
The top 1Password benefits we’ve seen at the AP are centralization – being able to manage everybody in a central place – along with the visibility that centralization brings, and being able to use it across multiple devices with ease.
Tucker Ross,
Information Security Engineer
More stories from 1Password customers
Alliants reduces risk by securing access to high-value guest data
Frontiers went back to basics, developing a rock-solid foundation for security by mastering the fundamentals.
Secure your business with 1Password
Protect your business with the enterprise password manager trusted by more than 180,000 companies.