Privileged Access Management

Addressing MSSP Cybersecurity Challenges with Privileged Access Management

Outsourcing of security is on the rise. The MSSP business grew into a $9 billion category in 2017, and Gartner reports that over 50% of organizations will be outsourcing some or all of their security work to Managed Security Service Providers (MSSPs) by next year.

Getting the most out of an MSSP relationship involves combining efficiency and control, two requirements that are often at odds with one another. Outsourcing loses its value if the client has to work too hard to oversee the MSSP. At the same time, the MSSP must deliver robust security. The following characteristics exemplify a successful client/MSSP relationship:

Efficient coordination – Processes between the client and MSSP should be streamlined and as automated as possible.
Seamless alerting – The MSSP must have a simple, automated alerting process to keep the client notified of security status and incidents.
Follow-through – It’s essential that no task be neglected by the MSSP once it has been identified as required.
Thorough, useful reporting – The MSSP needs to keep the client apprised of security work, the status of controls and so forth.

PAM and MSSP Cybersecurity Challenges

A variety of practices can keep both the MSSP and its client secure and coordinated, with seamless alerting, reporting, and audit trails. However, control over privileged access is arguably one of the most important factors in the pursuit of these objectives. A privileged user, also called an “administrative user,” has access to systems’ administrative back ends. Privileged users can typically set up, modify or delete system settings, user accounts. They can access or alter data. In some cases, a privileged user may be able to override other security settings.

Control over privileged access is arguably one of the most important factors in keeping the MSSP and its client secure with seamless alerting, reporting, and audit trails.

Effective management of privileged users is critical to security. The misuse of privileged access, either accidental or deliberate, can have a major impact on an organization’s security. With access to confidential information and business systems, privileged users represent a point of vulnerability. In cybersecurity terms, privileged access is itself a focus area for controls and countermeasures. Privileged access is also an indirect factor in virtually every other security countermeasure. For example, if security policy dictates that a firewall be set in a certain way, a privileged user can unset the firewall, perhaps even covering his or her tracks by erasing evidence of the administrative session.

A privileged user can be an employee, a contractor, an external third party, or even a machine performing automated administration. MSSP employees are often assigned administrative access privileges. As a result, privileged users working for the MSSP have to be carefully monitored and controlled.

The Client Side: Using PAM to Support MSSPs’ Cybersecurity Challenges

Privileged Access Management (PAM) solutions help organizations stay on top of privileged users. Solutions vary, but most provide the ability to grant and revoke access privileges from a central interface. From the client perspective, a PAM solution confers the ability to control privileged users who work for the MSSP.

Having a PAM solution reduces the risk exposure inherent in giving MSSP employees privileged access.

Having a PAM solution in place reduces the risk exposure inherent in, for example, having a former MSSP employee retain access privileges. Indeed, without PAM it can be challenging to even keep track of direct employees and their access privileges—much less the revolving door of contractor and subcontractor employees that come with most MSSP relationships. A PAM solution such as WALLIX enables the client to assign granular privileges to administrators when needed and easily and securely revoke all privileges when the user moves or no longer needs them.

PAM solutions also give the client visibility into what the MSSP is doing. This capability could be as simple as reporting on the administrative work of the MSSP. However, if there is a security incident, the PAM solution can provide extremely useful information about privileged users who might have accessed the affected system prior to the incident. Who did what? When? The outsourcing relationship can obscure these critical data points if PAM is not well managed.

How PAM Helps MSSPs

MSSP are in the business of cost-effectively delivering security. They have to get many details right and keep the client happy while not overspending on staff salaries. PAM can help achieve this goal by making the process of managing privileged access streamlined and efficient.

Without a PAM solution, the MSSP’s process of requesting privileged access to a client’s systems and tracking privileged users can be cumbersome. It might involve multiple emails, spreadsheets and so forth. PAM automates much of this and provides an overview of who has been granted specific privileges.

PAM gives the MSSP an automated way to report on access privileges and privileged account sessions. This is useful for security, but it also makes the MSSP’s business run smoothly. To understand why consider the example of compliance. Many compliance regimes require detailed tracking of access privileges. If the MSSP needs to prepare documentation of access controls manually, that will be much more time-consuming than the kind of automated reporting available from a PAM solution.

How WALLIX Supports a Successful MSSP-Client Relationship

The WALLIX PAM solution offers a range of capabilities that strengthen the MSSP-client relationship, making it smoother, more profitable, and ultimately, more secure:

Providing granularity and rules for access management – WALLIX lets super administrators define access for privileged users to all systems. They can grant and revoke privileges centrally— with simple yet powerful rules covering full access control to devices, servers, databases, and applications using criteria like IP address, user name, time frames, and protocol. Time delimited access grants are also possible, e.g. the MSSP can access a system back end on a certain date for certain hours.
Avoiding direct password access – WALLIX manages and secures all passwords in a certified vault. This way, users only access services via WALLIX. They do not know the actual passwords for the accounts they are administering. Nor do they know local or direct passwords for physical devices. This feature enables centralized user suspension or termination. If an employee leaves the MSSP (or one of the MSSP’s subcontractors), the client can instantly switch off his or her access centrally. WALLIX also makes it possible for the client to automatically or manually change the privileged account passwords of all administered devices. As a result, WALLIX mitigates the risk of unauthorized privileged access and makes it easier to manage the internal IT team and the MSSP.
Eliminating password sharing – Password sharing exposes organizations to risk. When privileged passwords are shared by employees of an MSSP or subcontractors, the risk exposure grows. WALLIX makes it possible to rotate and enforce password security.
Boosting productivity with Single Sign On (SSO) – WALLIX privileged users can log on with a single username and password to access all their authorized accounts via an HTML5 web portal. With no need for subsequent sign-on or remote access tools, MSSP team members can be productive in their use of time. Users can also connect through native RDP and SSH clients.
Improving security posture with real-time monitoring – WALLIX allows the MSSP to track and monitor all connections and actions by privileged users. It examines all commands entered during SSH sessions in real-time. If WALLIX detects a prohibited string, it sends an alert or even terminates the connection. WALLIX uses built-in Optical Character Recognition (OCR) to analyze all Windows Terminal Server (RDP) and Virtual Network Computing (VNC) graphic sessions, as well as web-based sessions for inappropriate behavior.
Building an audit trail with recording and video playback – WALLIX can record privileged RDD and VNC account sessions in video format. Non-graphical activities (e.g. Telnet) can be recorded in text format. The result is a complete audit log that is useful for both the MSSP and the client in understanding who has done what on a privileged account at any given moment. The system can also provide standard reports on global PAM activity (e.g. connection logs, number of connections, user rankings, etc.). The WALLIX Report Manager can create custom statistical and alert reports according to business or audit requirements.
Simplifying deployment through agentless operation – In contrast with PAM solutions that require the installation of dedicated software agents on each system under its control, WALLIX uses an agentless architecture. This approach has several beneficial effects on the MSSP-client relationship. It simplifies and streamlines the PAM administration process for both the client and the MSSP. The ease of deployment and change management also drives a high level of adoption and adherence to PAM policies. In contrast, complex or overly rigid PAM solutions often get circumvented or ignored when changes in systems or configurations inevitably arise.

MSSP CyberSecurity Pressure

The MSSP sector is heating up. This is good news for MSSPs, but it also means competition is on the way. MSSPs will be under greater pressure than ever to deliver security services economically enough to be profitable but at prices that are competitive. PAM solutions can be one of the most significant elements of an MSSP’s capability to operate profitably and effectively while also enabling clients to maximize the flexibility of an outsourced security solution without compromising security.

To learn more about the WALLIX Bastion for MSSPs, contact our team or request a live demo!

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Addressing MSSP Cybersecurity Challenges with Privileged Access Management

PAM and MSSP Cybersecurity Challenges

The Client Side: Using PAM to Support MSSPs’ Cybersecurity Challenges

How PAM Helps MSSPs

How WALLIX Supports a Successful MSSP-Client Relationship

MSSP CyberSecurity Pressure

Strengthening Cyber Resilience Through Privileged Access Management

Picking a PAM Solution

Related Blogs

Related Resources

Products

Solutions

Resources

About