Privileged Access Management for MSPs
In a discussion on the Gone Phishing show, Connor Swalm and Nick Wolf explain that privileged access management (PAM) is increasingly vital for MSPs to securely control and limit technicians' administrative rights by verifying not only user identity but also their specific permissions, thereby preventing credential sharing and enhancing security beyond traditional multi-factor authentication within the broader identity access management framework.
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Conversation between Connor Swalm (CEO of Phin Security) and Nick Wolf (Director of Partner Acquisitions at Evo Security):
Connor: Last time we talked about multi-factor authentication (MFA), its benefits, and why people don't want to use it. Today, let's talk about privileged access management (PAM). Why is it so popular now?
Nick: Privileged access management is becoming essential for MSPs and their technicians. It's about verifying not just who you are (like MFA does), but also what you're allowed to do. For example, is Mary from marketing allowed to have admin access, or just basic access? It's about ensuring users can do only what they need to do—no more, no less.
Connor: What are some examples of when privileged access roles make sense?
Nick: Most SMBs don't have admin rights anymore due to compliance and insurance requirements. Instead, MSPs and their technicians have those rights. The challenge is securely sharing those admin rights among technicians. Many MSPs still copy and paste admin credentials from documentation tools or password managers. PAM makes this process more secure. For example, instead of logging in with an admin password, a technician logs in as themselves and requests admin access, which is approved via a push notification. This way, technicians never see the admin credentials.
Connor: What's the difference between privileged access management and identity access management (IAM)?
Nick: PAM is a component within the broader IAM umbrella. IAM also includes MFA and single sign-on.
Connor: Should PAM be implemented at MSP clients as well?
Nick: Yes, especially for co-managed IT customers with internal IT departments. You don't want internal techs exposed to admin credentials. If a tech leaves, they could take those credentials with them. PAM solutions prevent technicians from ever seeing admin credentials, reducing the need for time-consuming password rotations.
Connor: Besides software and hardware, what else should PAM apply to?
Nick: Many are implementing PAM at the endpoint level, where most compromises occur. Cybersecurity insurance policies often require that accounts not be shared. Each user should log in as themselves—no more shared passwords or copying and pasting credentials.
Connor: What are the risks of not implementing PAM?
Nick: Sharing credentials exposes them to technicians and increases the risk of compromise, especially if a keylogger is present. PAM solutions hide credentials and often rotate passwords regularly, reducing these risks.
Connor: Is there pushback against implementing PAM?
Nick: Not much, since it's usually the MSPs who are the admins. It's more about educating MSPs on the benefits and requirements.
Connor: What do insurance and compliance think of PAM?
Nick: It's becoming more common in cybersecurity insurance policies and CIS controls. They require strong, rotated passwords and no shared accounts. PAM helps meet these requirements.
Connor: Any recommendations for implementing PAM?
Nick: Use a PAM tool with an MFA component. Verify the technician's identity before granting admin rights. Some tools create temporary accounts, but those can be compromised. Layered security is best.
Connor: How has PAM adoption looked in the MSP space?
Nick: In the last 2-3 years, adoption has exploded. More vendors are focusing on PAM for MSPs. Many MSPs know their current processes are insecure and are looking to improve.
Connor: What does the future hold for PAM?
Nick: It will become mandatory as insurance and compliance requirements tighten. Not having PAM could result in fines.
Connor: Where can people learn more about PAM?
Nick: Evo Security has resources on their website. There are also discussions on Reddit and IT business owner groups on Facebook. The CIS Controls are a good reference for best practices and implementation guidance.
Connor: Any final thoughts?
Nick: If you want more information, reach out on LinkedIn or check out our resources. Thanks for having me.
Connor: Thanks for joining. If you want to learn more about security awareness training campaigns, check out Phin Security at Phinsec IO or follow the links in the show notes. See you next time.