MSPs Shouldn't Pass the Password Buck

Customers trust MSPs with the lifeblood of their businesses. But just how well is this lifeblood protected? In the case of passwords, the answer is, “Maybe not so much.”

A study sponsored by the marketer of password management software, by definition, isn’t the most independent research in the world. But I’ve seen hundreds of these sponsored studies and the data is usually pretty good. It is hard to get researchers to fake it, as their reputations are too much on the line.

PASSPORTAL surveyed Canadian MSPs for its research. On the good side, almost all MSPs, 98 percent, report having excellent security for their systems and internal networks.

But as much care as they take with their own infrastructure, they shirk on client passwords. More than 80 percent of MSPs have substandard client password protection – and far too many have none.

Those that run these MSP organizations haven’t fully thought out how passwords are put at risk by the actions of MSP employees.

“We interviewed hundreds of MSPs and were shocked to learn that over 80 percent of them had little or no protection for storing Client Passwords,” said Colin Knox, PASSPORTAL CEO. “They store Client Passwords on Excel spreadsheets, Word documents, homegrown database solutions and unprotected fields in their CRM or PSA system.  With just one password security breach, a disgruntled employee can ruin an MSP’s reputation and put the business in jeopardy with serious legal issues.”

The MSP issue is the same as faced by IT shops – the internal threat. In an IT shop, an angry or simply evil IT staffer can compromise company passwords. In an MSP shop, an angry or simply evil staffer can compromise the passwords of many companies.

According to the Verizon (News - Alert) 2013 Date Breach Investigations Report, the biggest threat is still from outsiders: “Contrary to popular belief, 86 percent of attacks do not involve employees or other insiders at all. Of the 14 percent of attacks that do, it’s often lax internal practices that make gaining access easier than you would expect.” It is that 14 percent that tools like PASSPORT MSP are designed to contain.

What seems most interesting about the PASSPORTAL tool is it was designed by MSPs for MSPs. While it is not the only password tool made specifically for MSPs, the bulk of password protection and identity and access management tools are made for IT, then put into MSP use.

PASSPORTAL Take 2

The research coincided with the release of a new version of PASSPORT MSP. “It’s a completely hosted, cloud solution that allows MSPs to manage their portfolio of client passwords with multiple levels of security, grouped users for assigning password access and data import wizards that make it easy to get started. It runs on the Web and is available from any mobile device,” the company said. In the year and half since the first version ships, some 1,000 MSPs signed on to use it.

The new tool can create password groups and store these groups in security folders, imports passwords from other sources such as Excel spreadsheets, and has more powerful encryption.

“Solution providers can build containers of passwords and grant separate access for Level 1, 2 or 3 technicians similar to how they manage permissions on a shared network drive.  All access is tracked and restricted to a need-to-know basis,” the company said. “For example, passwords for firewall and security appliances might be restricted to Level 3 technicians while system services like the credentials for antivirus and backups are available to all Levels.”

ManageEngine (News - Alert) Pushes Passwords

In April another option, the ManageEngine password tool, was announced. This tool was originally designed for IT, then heavily reworked for MSP requirements.

Password Manager Pro MSP Edition keeps track of how passwords are used, and then builds an audit trail as to who used the password, and what for.

“Identity theft often lies at the root of modern-day cyber-attacks. Cyber-criminals are increasingly targeting login credentials of employees and administrator passwords to gain access to IT resources through various techniques,” said Rajesh Ganesan, director of product management at ManageEngine, back in April. “Since MSPs manage the IT infrastructure for many clients, the risk level is very high, and they are looking for a secure and reliable solution for privileged password management.”

Like PASSPORTAL, ManageEngine believes in tools specifically designed for MSPs.

“While there are many good enterprise-class privileged password management solutions on the market, they do not cater to the specific needs of MSPs. The ManageEngine Password Manager Pro MSP Edition bridges this crucial gap by offering an easy-to-implement yet affordable password management solution that provides effective security protection to both the service provider and all its customers,” Ganesan said.