May 26, 2021

MSPs and PAM for access: why it’s a WIN, WIN, WIN

Managed Service Providers (MSP) are an important part of the growing IT ecosystem as more and more enterprises outsource parts or most of their infrastructure to MSPs.

This evolution has led to MSPs getting access to highly valuable targets in the customer environments, typically using what are called privileged accounts. Privileged Accounts are used by IT Admins, DevOps teams and application support  - to name a few groups- to gain administrative access to critical customer infrastructure and applications, including:

  • Windows, Linux and UNIX servers
  • Hypervisors & container management systems
  • Firewalls & Network Switches
  • Databases
  • System Controllers
  • Mainframes
  • Cloud Administration Consoles
  • Operational Technology (OT) Devices

As MSPs grow and take on more customers, it naturally increases the complexity of managing access to these targets and the security responsibilities of MSP. Let’s investigate how MSPs turn this challenge into an opportunity.

WIN #1 - Improve Secure Access to Customer Environments

Mitigating credential risk and staying compliant

Let’s address risks. By compromising MSP access, bad actors can gain entry to many customers’ infrastructure, intellectual property and data. Therefore, it is imperative that MSPs treat their own admin access into customer networks as privileged. If a data breach for a key customer is attributed to MSP access, this will cause severe reputational & long-term revenue impacting damage to the MSP.

In the cloud hopper breach, a hacker group infiltrated MSP systems to gain access to their customers‘ applications, network and infrastructure. The group stole legitimate administrator credentials that granted access the MSP and its customers' shared infrastructure. Such pwerful credentials allowed the group to laterally move in client’s network, penetrating the system even deeper.

MSPs will also need to adhere to the compliance and regulatory requirements (like the EU’s NIS 2.0 and the recently launched US Presidential Executive order) to retain and win new customers. Providing audit trails, session recordings and reports to show exactly who did what, with what rights and when are essential. Additionally, proving that you have controls in place around providing, modifying and removing access to privileged accounts is a must have for many customers.

Privileged Access Management (PAM) tools are purpose-built to manage access to critical targets and manage privileged credentials. It is no surprise that Gartner has placed PAM projects as the #2 most important for business to deliver adequate controls. Deploying effective PAM solutions are proven to be one of the most impactful projects to undertake in terms of reducing cybersecurity risk.

Additionally, Gartner have stated that businesses will mostly move away from using password based access by 2022. Which takes us to the next topic.

Improving security with less credentials to manage

Using passwords and encryption keys (like SSH keys) to provide MSP access to customer environments can be reduced by adopting modern PAM solutions that use Just-in-time security tokens (like ephemeral certificates) for authentication. The certificates are created on the fly upon establishing the privileged connection and automatically expire after the authorization, leaving no credentials behind for misuse.

This approach will reduce the risk of password compromise and the implied dangers mentioned earlier (reputational damage, service outage or data theft). Analysts agree:

“It’s an innovative approach but one that does bring functional and security advantages – access is faster, onboarding and offboarding of privileged users is quick and there are not passwords to issue or lose, since there are no permanent, leave-behind credentials.”

       - Paul Fisher, Senior Analyst, KuppingerCole

Adopting and effective Privileged Access Management solution for access to customer environments should give MSPs peace of mind that they are able to meet the compliance and regulatory needs of any new or existing customer

WIN #2 - Simplify Access Administration

An effective PAM solution should not only improve the security of providing access to customer environments, it should also simplify the processes around access administration and customer onboarding.

One UI to rule them all

A PAM solution with a centralized, easy to use, intuitive web-based UI makes it much easier to launch connections to customer environments rather than using a variety of different clients. The UI is also the go-to place to see which accounts and targets MSP admins have access to. The UI also allows managing access to new accounts with minimal amount of effort and manual work.

Stay in sync with joiners, movers and leavers

Privileged Access associated with MSP admins needs to be easily administered. The joiner-mover-leaver process of MSP admins should be built-in the solution: add, modify and remove associated privileged access automatically without having to use multiple registries or manual steps. Easily providing multi-factor authentication (MFA) to certain admins or for access to specific systems can be made a lot simpler with the right PAM solution.

Auto-discover hosts

New customers and associated hosts should be easily on-boarded. PAM solutions which offer auto-discovery of hosts can reduce the time and effort taken to on-board new customers and to provide access to their IT environment. As new assets (servers/switches/apps) are provisioned, the PAM solution should be able to be easily keep coordinated with the changing IT landscape under management.

Reduce the complexity of credential management

Typically, MSPs have been provided access to customer environments using passwords or encryption keys. These keys or passwords are often exposed to the MSP admins and need to be managed at significant risk, time and effort.

Privileged Access management solution should avoid using passwords for authentication where possible. Modern PAM solutions offer Just-In-Time certificates for authentication which not only eliminate the need for credential exposure, but remove the need for their rotation and distribution. This is a big boost to operational efficiency and a way to keep the environment under management lean and free from unnecessary changes. This approach is also known as immutable infrastructure

Vault when needed

Where passwords are still necessary to use (some environments don’t support passwordless authentication), these should be role-base controlled in a multi-tenant vault. Customers should be able to update the vaulted passwords or keys on the MSP PAM solution without exposing the credentials to the MSP admins. Where vaulted passwords or keys are still used, a PAM solution should allow the MSP admins to use vaulted passwords without being able to see them.

Go beyond VPNs and firewalls

A common approach for MSPs to access customer environments is through the management of many VPN or firewall configurations. Customer VPNs are commonly overloaded, particularly with the dramatic increase in remote working from home in recent times.

Additionally, VPNs and firewalls can grant too much access to MSPs than is required to do their tasks. Adopting a PAM solution with reverse proxy capabilities can eliminate the need for using multiple VPNs altogether and provides a much safer and granular level of access to the MSP admin.

WIN #3 - Increase MSP Revenue Opportunities

MSPs can offer to run a managed on-premise PAM service or a cloud based PAMaaS to existing and new customers. When done right, a PAM service which is fully integrated with customer deployment, service desk ticketing and user provisioning workflows becomes an incredibly sticky solution.

With the right selection of PAM solution, this can lead to significant, long-term services revenue opportunities. We have successfully worked Global System Integrators to develop their own cloud hosted PAMaaS solution for their customers. Just In order to maximize revenue, an MSP will need to select a PAM solution with low TCO (Total Cost Of Ownership).

This is not merely in terms of licensing, but also deploying and maintaining the service. A PAM solution with high levels of automation (user/server/customer on/off-boarding) capability will certainly help reduce TCO, which will lead to higher profit margins for MSPs.

Many large customers have deployed traditional, market-leading PAM solutions and have grown tired of the monster infrastructure and poor performance. There is a growing opportunity for modern & lean PAM service offerings as replacement projects which can be delivered and managed long term by capable MSPs.

MSPs offering a multi-cloud supporting, cloud-native PAM solution will be able to use this deployment to offer additional consultancy services assisting their customers with moving workloads to cloud. New service offerings and revenue opportunities can also be built around cloud migration strategies.


By now, I’m sure you are aching to know how all this can be achieved. In that case, check out the two minute PrivX video below or download our white paper on how MSPs and PAM systems are a WIN. WIN, WIN.



Download here

Tag(s): cybersecurity , PAM , msp

David Wishart

David is an enterprise security veteran with over 20 years of experience working in various enterprise architecture & engineering roles in the financial sector across London, New York, and Sydney. David has been intimately connected with SSH.COM since 2013 whilst working at Deutsche Bank to deliver SSH solutions to...

Other posts you might be interested in