The Lockdown

Thycotic’s Cyber Security Blog

Consider this when switching to an IT Managed Service Provider (MSP)


Written by Nick Hunter

December 15th, 2020

There’s a significant challenge facing organizations of all sizes today. They must find and retain IT staff with yesterday’s IT expertise while also becoming subject matter experts (SMEs) on tomorrow’s technology.

The growing trend is for organizations of all sizes to shift some or all of their IT staff to an outsourced provider. These teams, from IT operations to developers, are outsourced for many reasons: internal resources may be too expensive to retain, the job's complexity may outpace the team's ability to scale, or it may simply be too hard to find and keep an SME for every platform in use.

Switching to a Managed Service Provider (MSP) means organizations don’t have to worry about hiring, maintaining, and continuously training IT staff. Outsourcing frees internal IT teams from time-consuming, routine tasks and enables them to focus on strategic initiatives with more business value. Managed Security Service Providers (MSSPs) extend analysis and management to security stack platforms, including IDS/IPS, SIEM, and behavior analytics.

MSPs and MSSPs can detect threats and respond quickly to security incidents

MSP and MSSP services can reduce the risk of downtime, disruption, and compliance problems caused by security breaches. With deeper expertise and more advanced tooling, they can detect threats and respond quickly to security incidents. Managed service providers also offer analysis and support activities covering network, server, and system maintenance, administrative tasks, and technical support.

There is, of course, significant risk in handing the keys to an outsourced team. A managed service provider typically supports a large number of different organizations, but it does so with the same pool of staff, who hold direct privileged access to every client's systems, applications, platforms, infrastructure, SaaS, IaaS, and much more.

Managed service providers are constantly hiring, training, and retraining that staff. When an organization contracts with and trusts an MSP, it expects the MSP to meet, and to be able to demonstrate, every compliance mandate that applies to the organization's data.

Here’s where it gets interesting

It gets interesting when we talk about how remote access is set up. Any MSP contracted for managed platform support will require administrative or privileged access to every platform in the stack for which they are responsible. How does this transfer of authority take form?

Authentication requires the creation or sharing of usernames, passwords, and access keys. Do MSPs create a unique account on each platform for every MSP employee who needs access, and remove it when the need ends? Of course not, unless the contract stipulates it. In practice, MSP staff use a shared account, or create one per platform and share it.

The problem with shared accounts is that it becomes difficult to identify who actually accessed the system. The platform's audit log records what the account did, but not which person was behind the account. It then falls on the MSP to demonstrate attribution through its own audits and logs. And what prevents MSP staff from viewing sensitive data while performing their duties, not just for one organization, but for many?
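The attribution gap described above can be seen concretely by joining the platform's own audit log (which only knows the shared account) against a bastion or PAM session log (which knows the named engineer). The following is an added example, not code from the original post or from Thycotic; the log formats, host names, and people are constructed for illustration. It also shows the failure mode that a session log alone does not fix: when two engineers hold the same shared account on the same target at the same time, an event in that window cannot be attributed to either of them.

```python
from datetime import datetime

# Constructed sample data (not from the original post).
# Platform audit log: what the shared account did, with no notion of a person.
PLATFORM_AUDIT = [
    "2020-12-15T09:02:11Z db-prod-01 user=msp-admin action=ALTER TABLE customers",
    "2020-12-15T09:40:05Z db-prod-01 user=msp-admin action=SELECT * FROM payroll",
    "2020-12-15T13:15:42Z db-prod-01 user=msp-admin action=DROP TABLE staging_tmp",
    "2020-12-15T14:01:00Z db-prod-01 user=msp-admin action=GRANT ALL ON payroll",
]

# Bastion / PAM session log (hypothetical format): which named MSP engineer
# checked out the shared account, on which target, and for what window.
BASTION_SESSIONS = [
    {"person": "alice@msp.example", "account": "msp-admin", "target": "db-prod-01",
     "start": "2020-12-15T09:00:00Z", "end": "2020-12-15T10:00:00Z"},
    {"person": "bob@msp.example", "account": "msp-admin", "target": "db-prod-01",
     "start": "2020-12-15T09:30:00Z", "end": "2020-12-15T11:00:00Z"},
    {"person": "carol@msp.example", "account": "msp-admin", "target": "db-prod-01",
     "start": "2020-12-15T13:00:00Z", "end": "2020-12-15T13:30:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_audit_line(line):
    """Split one platform audit line into its fields."""
    ts, host, user_kv, action_kv = line.split(" ", 3)
    return {
        "ts": parse_ts(ts),
        "host": host,
        "user": user_kv.split("=", 1)[1],
        "action": action_kv.split("=", 1)[1],
    }


def attribute_events(audit_lines, sessions):
    """Map each shared-account event to the named person(s) whose bastion
    session covers it. status is one of:
      attributed   - exactly one person held the account at that moment
      ambiguous    - overlapping sessions; more than one candidate
      unattributed - no session covers the event (access bypassed the bastion,
                     or the session log is incomplete)
    """
    results = []
    for line in audit_lines:
        ev = parse_audit_line(line)
        persons = sorted(
            s["person"] for s in sessions
            if s["account"] == ev["user"]
            and s["target"] == ev["host"]
            and parse_ts(s["start"]) <= ev["ts"] <= parse_ts(s["end"])
        )
        if len(persons) == 1:
            status = "attributed"
        elif persons:
            status = "ambiguous"
        else:
            status = "unattributed"
        results.append({"ts": ev["ts"].isoformat(), "action": ev["action"],
                        "persons": persons, "status": status})
    return results


if __name__ == "__main__":
    for r in attribute_events(PLATFORM_AUDIT, BASTION_SESSIONS):
        print(r["ts"], r["status"].ljust(12), r["persons"], "|", r["action"])
```

On this data the 09:02 ALTER is attributed to alice, the 09:40 SELECT on payroll is ambiguous between alice and bob because their sessions overlap, the 13:15 DROP is attributed to carol, and the 14:01 GRANT is unattributed because nobody had the account checked out. The last two cases are the ones an auditor will ask about first: the "ambiguous" result is the argument for exclusive check-out of shared accounts, and "unattributed" is the signal that a path around the bastion exists.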

These are humans; they are prone to error. How can you be assured they can’t click a button in error and cause an outage? SaaS, IaaS, SecaaS, and the like have compounded the complexity because the datacenter no longer resides within a controlled perimeter. It also demands that MSPs hire and retrain, which accelerates the cycling of staff resources.

So what can be done to address the challenge of securing access when using an outsourced service like an MSP?

An MSP should already follow protocols that enforce security practices such as zero-trust, just-in-time (JIT) access, and least privilege. However, it isn’t easy to do that when not every application, server, service, or platform has enforcement capabilities.

Not everyone working on the same platform needs the same access

Recording sessions will show what the connected user did, but not who the user was, unless that user has a unique, authenticated account. Once there are individual accounts, the question becomes what each of them can reach and what data is visible to it. Not everyone working on the same platform needs the same access. Introduce separation of duties and give each user access to only the data and controls required for the job. Finally, the MSP will connect remotely, so modern remote access authentication controls (for example, multi-factor authentication bound to the individual's identity) should be in place.
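The controls this section and the "So what can be done" paragraph call for (unique identities, zero-trust checks at request time, just-in-time windows, least-privilege role scoping, and an attributable audit trail) fit together in an access broker that sits in front of the shared platform accounts. The following is an added example of that design, not Thycotic code and not a description of Access Controller; the role catalogue, people, host names, and the `mfa_verified` flag are hypothetical. The broker issues time-boxed, role-scoped grants to a named person, and checks a shared account out to one person at a time, so every platform event inside a grant window maps to exactly one individual.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical role catalogue. Each role maps to ONE shared platform account on a
# bounded set of targets, with a cap on how long a just-in-time grant may last.
ROLES = {
    "db-operator":  {"targets": {"db-prod-01"},                 "account": "msp-dba", "max_minutes": 60},
    "web-operator": {"targets": {"web-prod-01", "web-prod-02"}, "account": "msp-web", "max_minutes": 30},
}
# Hypothetical assignments: separation of duties is expressed by giving each
# person only the roles their job needs.
ASSIGNMENTS = {
    "alice@msp.example": {"db-operator"},
    "dave@msp.example":  {"db-operator"},
    "bob@msp.example":   {"web-operator"},
}


class AccessBroker:
    """Brokers time-boxed, exclusive check-out of shared accounts to named people."""

    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)  # injectable clock for tests
        self.active = {}   # (target, account) -> grant currently checked out
        self.audit = []    # attribution trail: who held which account, when, and every denial

    def request(self, person, target, minutes, ticket, mfa_verified):
        # Modern authentication: no grant without a verified second factor.
        if not mfa_verified:
            return self._deny(person, target, "mfa not verified")
        # Least privilege: the person must hold a role that covers this target.
        roles = [r for r in ASSIGNMENTS.get(person, ()) if target in ROLES[r]["targets"]]
        if not roles:
            return self._deny(person, target, "no role covers target")
        role = ROLES[roles[0]]
        # Just-in-time: the window is bounded by the role's maximum.
        if minutes <= 0 or minutes > role["max_minutes"]:
            return self._deny(person, target, "window exceeds role maximum")
        # Exclusive check-out: a shared account is held by one person at a time,
        # so the platform's audit log maps to exactly one individual.
        self._expire()
        key = (target, role["account"])
        holder = self.active.get(key)
        if holder and holder["person"] != person:
            return self._deny(person, target, "account checked out by " + holder["person"])
        grant = {
            "granted": True, "person": person, "target": target, "account": role["account"],
            "role": roles[0], "ticket": ticket,
            "start": self.now, "end": self.now + timedelta(minutes=minutes),
        }
        self.active[key] = grant
        self.audit.append(grant)   # same object, so a check-in shortens the recorded window
        return grant

    def checkin(self, person, target, account):
        """Return the account early; only the holder may do so."""
        grant = self.active.get((target, account))
        if grant and grant["person"] == person:
            grant["end"] = self.now
            del self.active[(target, account)]
            return True
        return False

    def holder(self, target, account):
        """Who currently holds this shared account, or None."""
        self._expire()
        g = self.active.get((target, account))
        return g["person"] if g else None

    def advance(self, minutes):
        """Move the injected clock forward (used to exercise expiry)."""
        self.now += timedelta(minutes=minutes)
        self._expire()

    def _expire(self):
        for key, g in list(self.active.items()):
            if g["end"] <= self.now:
                del self.active[key]

    def _deny(self, person, target, reason):
        self.audit.append({"granted": False, "person": person, "target": target,
                           "reason": reason, "at": self.now})
        return {"granted": False, "reason": reason}


if __name__ == "__main__":
    b = AccessBroker()
    print(b.request("alice@msp.example", "db-prod-01", 30, "CHG-1001", mfa_verified=True))
    print(b.request("dave@msp.example", "db-prod-01", 10, "CHG-1002", mfa_verified=True))
    print(b.request("bob@msp.example", "db-prod-01", 10, "CHG-1003", mfa_verified=True))
    print("holder:", b.holder("db-prod-01", "msp-dba"))
```

Denials are written to the same audit trail as grants, which is what lets the customer ask the MSP "who tried to reach payroll on that host and was refused" as readily as "who was logged in". The broker is deliberately the only place that knows the shared account's credentials; engineers authenticate to it as themselves, and it injects the platform credential for the granted window, so the platform never needs to know about individual MSP staff.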

The good news is that Thycotic has solutions that address these problems in many different ways.

One way is for MSPs to use Thycotic's Access Controller products:

MSPs can use this approach to provide a unified access point with granular role-based access controls. Unique identities are set up, with modern authentication to validate each identity. Through an intuitive portal, MSP staff can reach only the platforms they support, and the MSP can demonstrate compliance through auditable session recordings, access logs, dashboards, and reports.
