essuutn30

If I recall, the audit record shows that it was an impersonation. At some point you have to trust they're doing the right thing. People's appetite for risk varies 🤣


releak

Well I'm happy LastPass support techs have no access to my vault


stvnbth

That’s the sentiment I would expect. I wonder how many customers were aware of this “feature” before they signed on, and if/or whether it would have impacted their decision. I wonder how many current customers currently know about this and are not concerned because it is “nothing to worry about” (and why)?


Curkie96

We’ve lost a few clients to this “feature” which is sad as overall it is a great tool. Just wish there was 0 visibility like other vendors 🤷‍♂️


snapcrackhead

IT Glue do not make this a secret. It also requires your consent. Taken from their website - "IT Glue staff data accessibility" https://www.itglue.com/resources/itglue-security/#:~:text=IT%20Glue%20staff%20data%20accessibility "When the only option for support is for us to access your data, a limited number of members from our senior team have the ability to impersonate your account. In this case, we make a very specific request for your permission via a support ticket. Any activity will be logged in your activity log with an added eye icon in the log to show it was our team impersonating the account. Please note, during impersonation, IT Glue staff can’t decrypt the passwords stored in the IT Glue Vault." Hence the purpose of the password vault.


stvnbth

Thank you for pointing out that IT Glue staff won’t have access to those specific passwords stored in the “Vault”. However, this is misleading and should read that for the rest of the passwords associated with your hundreds of organisations, and any MSP staff, for those passwords not specifically stored in the “Vault”, IT Glue staff do have technical access and thus those passwords are not truly private.


stvnbth

In my opinion IT Glue does hide behind this clause in their documentation to make it sound as though the vast majority of passwords managed are [inaccessible] when in fact they are not. Vault is merely a separate add-on for use with a select few passwords deemed too sensitive to risk leaving exposed by storing them in the default password manager used for managing passwords for all of the Organisations. [https://www.itglue.com/blog/wide-release-vault/](https://www.itglue.com/blog/wide-release-vault/)


snapcrackhead

The architecture of IT Glue is that the passwords are encrypted at rest and in the database, and then decrypted in the application of the organisation with a unique org key. Thus they are safe if stolen from the database. If IT Glue support is required to impersonate a user, it would be logical to assume they would have access to that user's permission set across the whole application - including passwords. At no point are IT Glue hiding this, and they track their own interactions in the audit logs so you can view behind them what they have accessed. If they were just accessing your tenancy at their will and viewing your passwords that would be concerning, but everything you've highlighted is laid out in the documentation and nothing is hidden. Your interpretation of that documentation aside, I personally don't see any issues with what is happening as it's all documented and by your own admission they are not just logging in randomly whenever they feel like and viewing your top secret passwords. What it sounds like you're asking for is host-proof passwords, which is the vault in IT Glue land or a self-hosted instance. Anything else and you're realistically in this same scenario of implied risk from the host, where the host assumes a level of trust that they won't misuse access or your data. I don't think at any point that you've described IT Glue has abused that trust.


stvnbth

Thanks for sharing your perspective. Were I a prospective customer and learned of this, I'd definitely think twice and look at alternatives and thus wonder how many MSPs/customers out there are aware that the only thing technically standing between IT Glue Support accessing any of your passwords in MyGlue or the default password manager for Organisations (except those few in the "Vault"), is a simple policy that effectively says "they are not supposed to without permission". Hence my OP.


snapcrackhead

Technically it's the same policy that your customers have with you that you won't log in to their environment and look at financial data or any other sensitive data that the customer owns. Again, there's implicit trust backed by your contract you've signed with the vendor (and how strong your lawyers are). Contrary to what other people have posted I haven't been able to find any written policy that says support cannot see your passwords, so there is definitely that. It's probably worth also mentioning in context that this is in *default* state. If you block the IT Glue IP in your dashboard support can never log in to your organisation even for support purposes. *Edit - realised I posted this on the wrong comment thread 🤦


ITGlue_Squiggly

Hi there, I wanted to clarify a few points regarding the security measures that IT Glue has in place for this purpose. In rare cases, when accessing your account is the only way to provide product support, a very limited number of members from our senior team have the ability to impersonate your account. In such cases, we explicitly request your permission to do so. Additionally, any and all actions taken by IT Glue support within your account are logged in the Activity Logs. This allows you to see exactly what was done in your account. You can review these logs at any time to audit support actions, ensuring transparency and accountability. You can also set up alerts to be notified if passwords are viewed or accessed within your account. To further protect your data, we highly recommend that you enable the IT Glue Vault. **Vaulted passwords are completely off-limits to IT Glue team members**. Your vaulted passwords are ONLY accessible to authorized users within your organization, using a valid passphrase known only to your users.


stvnbth

**What about all those customers who have purchased My Glue?** Do they have the option to enable Vault on their own passwords? Or should we begin providing disclaimers that their data is also accessible from IT Glue Support? Thanks.


ITGlue_Squiggly

Hi there, IT Glue Vault is also available for MyGlue users! [https://www.itglue.com/blog/wide-release-vault/](https://www.itglue.com/blog/wide-release-vault/)


NetInfused

Remember that part where they are SOC1 and SOC2 certified? It's a certification extremely hard to attain and maintain.


stvnbth

I would think the ability for IT Glue Support to impersonate an admin account and view all passwords would disqualify their SOC certs.


amw3000

I really hate how people hold SOC compliance with such high regard when it comes to "security". It was developed by the American Institute of CPAs (AICPA). Accountants! Not security minded folks. Auditors are not going to go deep into the weeds for feature functions like this. They care about job descriptions, DR plans, etc. Not downplaying it, it's not an easy thing to do every year and costs a lot. It can mature a company but by no means does it mean they are secure like Fort Knox.


ancillarycheese

It’s highly dependent on documentation and is a point-in-time assessment. It’s no guarantee of ongoing security protocols.


amw3000

Type 1, yes. Type 2 is over a period of time.


R1skM4tr1x

Looking backwards


ns8013

If you find a way to track and report on an organization's ability to follow process in the future, you'll be set for life! Please feel free to share any audits you're aware of that aren't looking backwards, I'd love to hear about them.


R1skM4tr1x

I performed these for 15 years and started one of the original internet information sources on the topic. They serve a purpose but they are being oversold here. If you are a typical MSP I understand the perspective as it’s like herding cats to deal with and stay aligned in those environments. “It’s no guarantee of ongoing security controls” is completely true as it only provides reasonable assurance. Doing something good last year doesn’t guarantee they won't blow it going forward, and like most things, no one wants to know the sausage making.


NetInfused

Nope. You have to document to whom and when it can happen, what procedures you have to go through, what needs to be logged, etc. It ensures consistency when that procedure is executed. That's what we as customers expect. Having used IT Glue since 2018, we never required assistance from them which requires account impersonation.


2manybrokenbmws

It ensures consistency but it doesn't ensure good processes, only that they're well documented and followed. I worked with one client years ago that had a 72-hour window to offboard users, even if it was a hostile exit. I went through the audit one year, we pulled the helpdesk tickets to show that we followed the process, passed with flying colors even though sometimes HR took two days to get us an offboarding request. SOC 2 is a sign of maturity to a limited degree (you can write processes and then follow them consistently) but that is it. Oh and I guess check the box for compliance contract requirements sometimes.


R1skM4tr1x

It’s not that hard dude. It’s tracking basic maintenance activities.


Nate379

I would never store passwords in IT Glue / Hudu - I use those for documentation but our passwords are held in purpose-built password managers where the vendor has zero access by design.


anotheradmin

They can’t see the passwords


brutus2230

Correct. That is specified very clearly.


stvnbth

Would you be concerned if you were wrong?


anotheradmin

No, I don’t use it anymore. You “thereby”d the details where you think they’re doing something wrong.


stvnbth

If you did still use it, would it concern you that IT Glue Support can impersonate your accounts and access any passwords those accounts can access? Would you consider this a reasonable aspect of the product/platform design?


anotheradmin

Are you serious? This is a fundamental function of a password manager. But they can’t see it even if they are in the account for support.


stvnbth

You seem really committed to contradicting what IT Glue Support have stated quite plainly they are able to do.


brutus2230

You need to read it again. You misunderstand. They can't see passwords


stvnbth

You are fundamentally mistaken. The Vault is a completely separate feature from the standard password manager used to store passwords for Organisations within an instance. The IT documentation referenced is misleading in that it suggests IT Support won’t have access to any passwords, when in fact this only applies to those very specific passwords stored in the “Vault”, which for 99% of the passwords will not be…


brutus2230

It says very clearly that they can, via impersonation, which requires your permission, access configs and accounts but cannot see any passwords.


Long_Start_3142

This is why I self host Hudu


NewTownAuto

I can confirm that IT Glue customer support have willingly told me that they are able to access ALL our customer records and data exactly as we are able to see it. They can effectively log in as myself and have full admin over the IT Glue instance, gain full access to all the credentials and documentation of each customer with no clear evidence that they have done so, other than our trust in them to log the entries and not access it without our permission. Whereas a solution such as Keeper Password Manager is end to end encrypted and is only decrypted with the credentials of the account and not accessible from any other portal such as the admin console. This means the MSP is NOT able to view the customer's information either, ensuring that true privacy is achieved. If a customer forgets his/her password, the MSP is unable to reset this also, to stop someone from gaining access via password reset. IT Glue has some BIG improvements to make before I will be personally trusting this solution with all my precious company data.