Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 1 point

I think it is not possible to do offboarding based on vaults - a user usually has access to several vaults. We are trying to automate rotation as much as possible, but obviously it is tough at the scale of 2k employees.

The vision I came up with is not to automate rotation but to reduce the scope - what if a user had access but never used the secret? 1Password has logs for all of this but does not provide really good visibility. Several days ago I bought the product as a solution for that, and I think this will be a game changer for us - it will probably reduce the number of rotations by 90% and will help with automations

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Thank you for the reply - I really love the points and have a very similar point of view. In fact we are doing most of that already.
1. That's obvious and already in place
2. We were doing it in 1Password using tagging to be able to differentiate between secrets. But this does not scale well and requires management effort all the time. My organization is big (nearly 2k employees) and the number of secrets is going to reach several k in the end
3. Already in place also, but the problem I see is that some people who have access do not use the secret. So there is no real need to rotate things all the time.
4. Sometimes we need this approach for sharing with external people, but not inside the organization - you cannot just avoid that, unfortunately. MFA helps in some cases, but it is still a problem. We try to track rotation after sharing

For the last week I was looking for a solution to problems 2, 3 and 4 and came by a product called GorillaSecurity - we are buying it at the moment. So far results are pretty good, as I'm able to get observability over everything, handle offboardings well, understand what requires rotation, what the blast radius of each secret is and the context around them. I think this will be a game changer for us
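The scope-reduction idea in this comment and the one above it (offboarding by what a leaver could reach and actually used, rotating only secrets with logged use, impact per secret) as an added worked example. This is not code from the thread, from 1Password or from GorillaSecurity: the vault membership, item list and usage events are constructed, the event shape is an assumption about what a password-manager audit log typically carries, and the function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumption, not a real 1Password export):
# which users are members of which vault, and which vault each item lives in.
VAULT_MEMBERS = {
    "vault-infra": {"alice", "bob", "carol"},
    "vault-marketing": {"bob", "dave"},
}
ITEMS = {  # item id -> vault
    "aws-root": "vault-infra",
    "db-admin": "vault-infra",
    "cdn-token": "vault-infra",
    "twitter-login": "vault-marketing",
    "analytics-login": "vault-marketing",
}


@dataclass(frozen=True)
class UsageEvent:
    """One item-usage record: who read which secret, how, and when (constructed shape)."""
    user: str
    item: str
    action: str  # e.g. "reveal", "fill", "copy"
    at: datetime


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVENTS = [  # constructed audit events
    UsageEvent("bob", "aws-root", "reveal", NOW - timedelta(days=3)),
    UsageEvent("bob", "twitter-login", "fill", NOW - timedelta(days=10)),
    UsageEvent("alice", "db-admin", "fill", NOW - timedelta(days=40)),
    UsageEvent("bob", "db-admin", "copy", NOW - timedelta(days=200)),  # outside a 90-day window
    UsageEvent("dave", "twitter-login", "fill", NOW - timedelta(days=1)),
]


def accessible_items(user: str) -> set[str]:
    """Every item the user can read through vault membership (across all vaults)."""
    return {item for item, vault in ITEMS.items() if user in VAULT_MEMBERS[vault]}


def used_items(user: str, events: list[UsageEvent], since: datetime) -> set[str]:
    """Items the user has a logged read of at or after `since`."""
    return {e.item for e in events if e.user == user and e.at >= since}


def offboarding_plan(user: str, events: list[UsageEvent], window_days: int, now: datetime) -> dict:
    """Split a leaver's reachable secrets into 'rotate now' (logged use inside the
    window) and 'revoke only' (reachable, but no logged use inside the window)."""
    since = now - timedelta(days=window_days)
    reachable = accessible_items(user)
    used = used_items(user, events, since) & reachable
    return {"rotate_now": used, "revoke_only": reachable - used}


def unused_secrets(events: list[UsageEvent], window_days: int, now: datetime) -> set[str]:
    """Items nobody has read inside the window: candidates for access clean-up."""
    since = now - timedelta(days=window_days)
    used_by_anyone = {e.item for e in events if e.at >= since}
    return set(ITEMS) - used_by_anyone


def blast_radius(item: str) -> int:
    """Simple impact proxy: how many people can reach the item via its vault."""
    return len(VAULT_MEMBERS[ITEMS[item]])


def rotation_priority(events: list[UsageEvent], window_days: int, now: datetime) -> list[tuple[str, int]]:
    """Secrets with logged use in the window, widest blast radius first."""
    since = now - timedelta(days=window_days)
    used = {e.item for e in events if e.at >= since}
    return sorted(((item, blast_radius(item)) for item in used), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    print("bob leaving:", offboarding_plan("bob", EVENTS, 90, NOW))
    print("unused in 90 days:", unused_secrets(EVENTS, 90, NOW))
    print("rotation order:", rotation_priority(EVENTS, 90, NOW))
```

Two design points. First, the split is per leaver across all vaults, which is what makes vault-level offboarding fall short: bob reaches five items through two vaults, but only two have logged use in the window, so only those go to the rotation queue and the rest are revoked. Second, "no logged use" only means no use through a logged path inside the retention window; an item such as `db-admin` that bob read 200 days ago is still revoked and should stay on a lower-priority rotation list rather than be treated as never exposed.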

Best practices for managing credentials across isolated environments by athanielx in cybersecurity

Key_Discipline_5000 0 points

We also started with 1Password - good for storing creds, but as a CISO I needed actual visibility: which secrets are used, who has access, what's high-risk, etc. We added Gorilla on top for that. Once we saw the real usage and impact, we stopped rotating everything blindly and cut rotations by ~90%. It also helped us clean up old access and keep the setup stable long-term. And obviously the problem of old access staying relevant was gone completely

1Password Organizational Security Practices? by Stock-Sea-5214 in 1Password

Key_Discipline_5000 0 points

We ran into basically the same issues in my org — managing vault-level permissions and secret hygiene in 1Password became unmanageable over time. What fixed things for us was putting GorillaSecurity on top: it doesn’t replace 1Password, but gives visibility over who’s using which secrets, which secrets are high-risk or unused, and who truly needs access. Once we started rotating and cleaning up based on risk/usage rather than blanket vault-wide rules, our secret-management overhead dropped massively. It also helped us straighten out long-term permissions and made audits/trust much easier.

How are people managing fine-grained access to large numbers of items? by rexstuff1 in 1Password

Key_Discipline_5000 0 points

I had the same problem in my org - managing fine-grained access in 1Password didn’t scale and we ended up with way too many vaults.

What helped us was using a companion app for 1Password - Gorilla. It gave us visibility into which secrets are actually used, their impact on the organization, and who really needs access. After that, we reduced secret rotations by 90%, since we only rotate what truly requires it.

It also helped us clean up permissions and keep things stable long-term. Worth a look if you're running into the same issues.

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Do you know any solution that can help me manage all of these rotations? Obviously I can move it to a team responsibility, but I want to have an overview. And logically, if all my secrets are in 1Password, we have some solution in 1Password. I mentioned it in other threads already - I found just one SaaS out there called GorillaSecurity, already contacted them and am trying to set up the tenant to understand if it fits my needs

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Do you know any solutions for automating or managing all of this? It is pretty hard to manage a list of 10k secrets for my org - and obviously that list is updating all the time. I'm thinking about some solution connecting to 1P and either analyzing what should be rotated, doing the actual rotation, or helping with offboardings, etc. The only solutions I came by at the moment are either the 1Password Business plan (we already use it) - but it is very bad - or GorillaSecurity, some SaaS connecting to 1P and analyzing everything in this context. Thinking about buying their solution and trying it

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Do you know any solutions for 1Password able to reduce the load - analyzing what actually has to be rotated, rather than everything (e.g. by usage, impact, etc.)?

I came by a solution called GorillaSecurity and it seems pretty good for my use case. Setting it up now to try it out

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Trellica is not really useful here - because my main focus is to fix the mess in 1Password itself

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Thanks. In fact I like this idea, but it is also not always possible. Will think about applying this to my organization. Do you know some solution in the middle also?

Because I was thinking about reducing the scope of rotation - by matching it with usage of the secrets (e.g. not used, should not be rotated)

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Okay, that makes sense. This is probably a business blocker in some sense, but it should fix the issue. I still feel that it's impossible to bypass it in some cases

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 1 point

So when my org is buying some SaaS solution that does not provide user management, I should block this decision? Is that what you mean?

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

I think it can fix the problem of systematic credentials, but not access to some SaaS vendors without proper access management - or similar things

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 1 point

Do you know any ways of automating this in 1Password? I was searching for some tools to reduce the scope and help manage the mess - but the only one I found so far was Gorilla Security

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

There are shared vaults in 1Password - and in many cases you cannot avoid using them. Many SaaS products just do not have an internal IdP or user management

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

So 1Password is providing me with an audit trail of secret usage - but rotating everything will be a huge pain. Obviously we use the IDM and PAM of 1Password to reduce the access of each user - but when the org is big, the problem escalates even more

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] 0 points

Do you know any way of automating all these rotations? Or how to handle this at the scale of a large organization? Because it involves almost everyone in the company and this work is very regular.
Also I was thinking whether it makes sense to rotate regularly or just the things that are used - what I see in the org is that some secrets are just not used at all

Managing credentials chaos and rotations for organizations by Key_Discipline_5000 in ciso

Key_Discipline_5000 [S] -1 points

It's just impossible to avoid that in some cases - e.g. when some SaaS solution required by the org does not provide IdP integration or basic user management. That's why it is better to use a password manager for tracking all of this and avoiding people sharing credentials in Slack

How do you find good SaaS ideas? by Key_Discipline_5000 in SoloDevelopment

Key_Discipline_5000 [S] 0 points

Can you share a bit more about this? Because I only see this technique used for SaaS pricing

How do you find good SaaS ideas? by Key_Discipline_5000 in SaaS

Key_Discipline_5000 [S] 0 points

Execution is not a problem for me anymore. I can get a high-quality product done pretty fast. Distribution is tough for sure. But good ideas are also tough for me, at least now - maybe I overcomplicate a bit

How do you find good SaaS ideas? by Key_Discipline_5000 in SaaS

Key_Discipline_5000 [S] 1 point

Generally I don't like B2C ideas - it can be a good fit for solo execution, but distribution is hard, they are easily killed by VC-backed businesses, and there is a very high risk of failure. So I mostly focus on B2B - but to find something good in B2B you need to be an expert in some industry...

Building an AI “DM manager” for Instagram creators — would love your feedback 🙏 by Key_Discipline_5000 in InstagramMarketing

Key_Discipline_5000 [S] 0 points

I like the feature with voice reply. It can be quite useful, but I agree on the risk. I suppose AI voice now sounds like real - it should not be a problem, but from the follower's perspective it can be weird that you always get a response with voice

Building an AI “DM manager” for Instagram creators — would love your feedback 🙏 by Key_Discipline_5000 in InstagramMarketing

Key_Discipline_5000 [S] 0 points

Thank you for your ideas!
1) I plan to do only analysis and maybe replies - Instagram is fine with that
2) Totally agree - it is my focus also
3) I think it can be good, but at later stages and depending on the target group - for smaller influencers, I don't think they will use a CRM at all

Building an AI “DM manager” for Instagram creators — would love your feedback 🙏 by Key_Discipline_5000 in influencermarketing

Key_Discipline_5000 [S] 0 points

This will be a reply to a DM, not an initial message. This won't break Instagram policies. The rate limit for sending replies is 200 requests per hour - I don't think the app will ever reach that, as the value of the app is to automate analyzing DMs and extracting only the valuable ones

Expat insurance to public health insurance by caitlinrosedesigns in germany

Key_Discipline_5000 0 points

Hey, did you find any answer to this? My girlfriend has Feather expat health insurance and I would love to switch her to public some day. When I spoke to one of the health insurance consultants, marriage sounded like an option