Consider this when switching to an IT Managed Service Provider (MSP)
Alex FitzGerald
There’s a significant challenge facing organizations of all sizes today. They must find and retain IT staff with yesterday’s IT expertise while also becoming subject matter experts (SMEs) on tomorrow’s technology.
The increasing trend is for organizations of all sizes to shift some or all of their IT staff to an outsourced provider. These teams, from IT operations to developers, are outsourced for many reasons. Internal resources may be too expensive to retain, the job’s complexity might outpace the ability scale, or it could be too tricky to find and retain an SME for every type of platform.
Switching to a Managed Service Provider (MSP) means organizations don’t have to worry about hiring, maintaining, and continuously training IT staff. Outsourcing frees internal IT teams from time-consuming, routine tasks and enables them to focus on strategic initiatives with more business value. Managed Security Service Providers (MSSPs) extend analysis and management to security stack platforms, including IDS/IPS, SIEM, and behavior analytics.
MSPs and MSSPs can detect threats and respond quickly to security incidents
MSP and MSSP’s services significantly reduce the risk of downtime, disruption, and compliance problems caused by security breaches. With more knowledge and more advanced tools, they can detect threats and respond quickly to security incidents. Managed service providers offer analysis and support activities that include network, server, system maintenance, administrative tasks, and technical support.
There is, of course, significant risk when handing the keys to an outsourced team. Managed service providers and their staff will likely support a large number of different organizations. However, they rely on the same staff who have direct privileged access to client systems, applications, platforms, infrastructure, SaaS, IaaS, and much more.
Managed service providers are always in the cycle of hiring, training, and retraining staff. So, when an organization contracts and trusts an MSP, there is the expectation that they will demonstrate and meet all compliance mandates.
Here’s where it gets interesting
It gets interesting when we talk about how remote access is set up. Any MSP contracted for managed platform support will require administrative or privileged access to every platform in the stack for which they are responsible. How does this transfer of authority take form?
Authentication requires the creation or sharing of usernames, passwords, and access keys. Do MSP’s create unique accounts on each platform for each MSP employee who needs access and then removes them when they no longer need it? Of course not, unless stipulated contractually. MSP staff will use a shared account or create one for each platform.
The challenge with shared accounts is that it’s difficult to identify who accessed the system. Audit logs on the platform log account activities, but not who accessed the account. It falls on the MSP to demonstrate that through audits and logs. And what prevents MSP staff from having visual access to sensitive data while performing their duties, not just for one organization, but multiple?
These are humans; they are prone to error. How can you be assured they can’t click a button in error and cause an outage? SaaS, IaaS, SecaaS, and the like have compounded the complexity because the data center no longer resides within a controlled perimeter. It also demands that MSPs hire and retrain, which accelerates the cycling of staff resources.
So what can be done to address the challenge of securing access when using an outsourced service like an MSP?
An MSP should already follow protocols that enforce security practices such as the zero-trust security model, just-in-time (JIT) access, and least privilege. However, it isn’t easy to do that when not every application, server, service, or platform has enforcement capabilities.
Not everyone working on the same platform needs the same access
Recording sessions will indicate what the connected user did but not who the user was unless they have a unique authenticated account. If there are individual accounts, then the challenge becomes what they can access and what data is visible. Not everyone working on the same platform needs the same access. Introduce separation of duties and provide users access to just the data and controls required to perform their job. Lastly, connectivity will require remote access. Therefore, modern remote access authentication controls should be in place.
The good news is that Delinea has solutions that address these problems in many different ways
Remote Access Service (RAS) in the Delinea Platform allows IT teams to manage policy-based access controls for MSPs through a central portal with concurrent licensing to support every environment. RAS eliminates the need for a jump host or an agent either on the user's machine or the target server. By using only a browser, you can establish secure connections via RDP to Windows servers and SSH to Linux servers and network devices. To ensure oversight and compliance, you can audit remote access sessions through scheduled or on-demand activity reports.
A flexible, easy-to-use solution for secure remote access from anywhere strikes the right balance between productivity and central control, without compromising either one. With RAS in the Delinea Platform, MSPs gain access securely and easily through their web browser, using vaulted credentials in Secret Server. There's no need for them to navigate VPNs, or install and maintain SSH clients, or RDP client software, or even remember passwords.
Related Reading: Remote Access Service for Secret Server; Launch secure VPN-less browser-based SSH and RDP sessions for remote workers and third parties
