Addressing MSSP Cybersecurity Challenges with Privileged Access Management
Outsourcing of security is on the rise. The MSSP business grew into a $9 billion category in 2017, and Gartner reports that over 50% of organizations will be outsourcing some or all of their security work to Managed Security Service Providers (MSSPs) by next year.
Getting the most out of an MSSP relationship involves combining efficiency and control, two requirements that are often at odds with one another. Outsourcing loses its value if the client has to work too hard to oversee the MSSP. At the same time, the MSSP must deliver robust security. The following characteristics exemplify a successful client/MSSP relationship:
- Efficient coordination – Processes between the client and MSSP should be streamlined and as automated as possible.
- Seamless alerting – The MSSP must have a simple, automated alerting process to keep the client notified of security status and incidents.
- Follow-through – It’s essential that no task be neglected by the MSSP once it has been identified as required.
- Thorough, useful reporting – The MSSP needs to keep the client apprised of security work, the status of controls and so forth.
PAM and MSSP Cybersecurity Challenges
A variety of practices can keep both the MSSP and its client secure and coordinated, with seamless alerting, reporting, and audit trails. However, control over privileged access is arguably one of the most important factors in the pursuit of these objectives. A privileged user, also called an “administrative user,” has access to systems’ administrative back ends. Privileged users can typically set up, modify or delete system settings and user accounts. They can access or alter data. In some cases, a privileged user may be able to override other security settings.
Effective management of privileged users is critical to security. The misuse of privileged access, either accidental or deliberate, can have a major impact on an organization’s security. With access to confidential information and business systems, privileged users represent a point of vulnerability. In cybersecurity terms, privileged access is itself a focus area for controls and countermeasures. Privileged access is also an indirect factor in virtually every other security countermeasure. For example, if security policy dictates that a firewall be set in a certain way, a privileged user can unset the firewall, perhaps even covering his or her tracks by erasing evidence of the administrative session.
A privileged user can be an employee, a contractor, an external third party, or even a machine performing automated administration. MSSP employees are often assigned administrative access privileges. As a result, privileged users working for the MSSP have to be carefully monitored and controlled.
The Client Side: Using PAM to Support MSSPs’ Cybersecurity Challenges
Privileged Access Management (PAM) solutions help organizations stay on top of privileged users. Solutions vary, but most provide the ability to grant and revoke access privileges from a central interface. From the client perspective, a PAM solution confers the ability to control privileged users who work for the MSSP.
Having a PAM solution in place reduces the risk exposure inherent in, for example, having a former MSSP employee retain access privileges. Indeed, without PAM it can be challenging to even keep track of direct employees and their access privileges—much less the revolving door of contractor and subcontractor employees that come with most MSSP relationships. A PAM solution such as WALLIX enables the client to assign granular privileges to administrators when needed and easily and securely revoke all privileges when the user moves or no longer needs them.
PAM solutions also give the client visibility into what the MSSP is doing. This capability could be as simple as reporting on the administrative work of the MSSP. However, if there is a security incident, the PAM solution can provide extremely useful information about privileged users who might have accessed the affected system prior to the incident. Who did what? When? The outsourcing relationship can obscure these critical data points if PAM is not well managed.
How PAM Helps MSSPs
MSSPs are in the business of cost-effectively delivering security. They have to get many details right and keep the client happy while not overspending on staff salaries. PAM can help achieve this goal by making the process of managing privileged access streamlined and efficient.
Without a PAM solution, the MSSP’s process of requesting privileged access to a client’s systems and tracking privileged users can be cumbersome. It might involve multiple emails, spreadsheets and so forth. PAM automates much of this and provides an overview of who has been granted specific privileges.
PAM gives the MSSP an automated way to report on access privileges and privileged account sessions. This is useful for security, but it also makes the MSSP’s business run smoothly. To understand why, consider the example of compliance. Many compliance regimes require detailed tracking of access privileges. If the MSSP needs to prepare documentation of access controls manually, that will be much more time-consuming than the kind of automated reporting available from a PAM solution.
How WALLIX Supports a Successful MSSP-Client Relationship
The WALLIX PAM solution offers a range of capabilities that strengthen the MSSP-client relationship, making it smoother, more profitable, and ultimately, more secure:
- Providing granularity and rules for access management – WALLIX lets super administrators define access for privileged users to all systems. They can grant and revoke privileges centrally, with simple yet powerful rules covering full access control to devices, servers, databases, and applications using criteria like IP address, user name, time frames, and protocol. Time-delimited access grants are also possible, e.g. the MSSP can access a system back end on a certain date for certain hours.
- Avoiding direct password access – WALLIX manages and secures all passwords in a certified vault. This way, users only access services via WALLIX. They do not know the actual passwords for the accounts they are administering. Nor do they know local or direct passwords for physical devices. This feature enables centralized user suspension or termination. If an employee leaves the MSSP (or one of the MSSP’s subcontractors), the client can instantly switch off his or her access centrally. WALLIX also makes it possible for the client to automatically or manually change the privileged account passwords of all administered devices. As a result, WALLIX mitigates the risk of unauthorized privileged access and makes it easier to manage the internal IT team and the MSSP.
- Eliminating password sharing – Password sharing exposes organizations to risk. When privileged passwords are shared by employees of an MSSP or subcontractors, the risk exposure grows. WALLIX makes it possible to rotate and enforce password security.
- Boosting productivity with Single Sign-On (SSO) – WALLIX privileged users can log on with a single username and password to access all their authorized accounts via an HTML5 web portal. With no need for subsequent sign-on or remote access tools, MSSP team members can be productive in their use of time. Users can also connect through native RDP and SSH clients.
- Improving security posture with real-time monitoring – WALLIX allows the MSSP to track and monitor all connections and actions by privileged users. It examines all commands entered during SSH sessions in real time. If WALLIX detects a prohibited string, it sends an alert or even terminates the connection. WALLIX uses built-in Optical Character Recognition (OCR) to analyze all Windows Terminal Server (RDP) and Virtual Network Computing (VNC) graphical sessions, as well as web-based sessions, for inappropriate behavior.
- Building an audit trail with recording and video playback – WALLIX can record privileged RDP and VNC account sessions in video format. Non-graphical activities (e.g. Telnet) can be recorded in text format. The result is a complete audit log that is useful for both the MSSP and the client in understanding who has done what on a privileged account at any given moment. The system can also provide standard reports on global PAM activity (e.g. connection logs, number of connections, user rankings, etc.). The WALLIX Report Manager can create custom statistical and alert reports according to business or audit requirements.
- Simplifying deployment through agentless operation – In contrast with PAM solutions that require the installation of dedicated software agents on each system under their control, WALLIX uses an agentless architecture. This approach has several beneficial effects on the MSSP-client relationship. It simplifies and streamlines the PAM administration process for both the client and the MSSP. The ease of deployment and change management also drives a high level of adoption and adherence to PAM policies. In contrast, complex or overly rigid PAM solutions often get circumvented or ignored when changes in systems or configurations inevitably arise.
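The two controls described above, rule-based access grants keyed on user, target, protocol, source IP and a time window, and real-time inspection of SSH commands with an alert-or-terminate response, can be illustrated with the following added example. It is not WALLIX code and does not use its schema; the rule model, the field names and the prohibited-command patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical rule model: user, target, protocol, source network and a
# time-delimited grant window (ISO-8601 strings). Not WALLIX's own schema.
@dataclass
class AccessRule:
    user: str
    target: str
    protocol: str      # e.g. "ssh" or "rdp"
    source_net: str    # CIDR the operator must connect from
    start: str         # grant valid from (inclusive)
    end: str           # grant valid until (exclusive)

@dataclass
class AccessRequest:
    user: str
    target: str
    protocol: str
    source_ip: str
    at: str            # ISO-8601 timestamp of the connection attempt

def is_authorized(rules, req):
    """True only if one rule matches every attribute of the request,
    including the time window; anything unmatched is denied by default."""
    when = datetime.fromisoformat(req.at)
    for r in rules:
        if (r.user == req.user and r.target == req.target
                and r.protocol == req.protocol
                and ip_address(req.source_ip) in ip_network(r.source_net)
                and datetime.fromisoformat(r.start) <= when
                < datetime.fromisoformat(r.end)):
            return True
    return False

# Constructed prohibited-command patterns for real-time SSH inspection,
# each mapped to the response the text describes: alert or terminate.
PROHIBITED = [
    (re.compile(r"\brm\s+-rf\s+/(\s|$)"), "terminate"),  # wipe root filesystem
    (re.compile(r"\bhistory\s+-c\b"), "terminate"),       # erase shell history
    (re.compile(r"\biptables\s+-F\b"), "alert"),          # flush firewall rules
]

def inspect_command(line):
    """Classify one command line as 'allow', 'alert' or 'terminate'."""
    for pattern, action in PROHIBITED:
        if pattern.search(line):
            return action
    return "allow"
```

In a real deployment the session recorder would log every classified command together with the rule that fired, so the audit trail shows both the grant that admitted the operator and the action taken on each command.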
MSSP Cybersecurity Pressure
The MSSP sector is heating up. This is good news for MSSPs, but it also means competition is on the way. MSSPs will be under greater pressure than ever to deliver security services economically enough to be profitable but at prices that are competitive. PAM solutions can be one of the most significant elements of an MSSP’s capability to operate profitably and effectively while also enabling clients to maximize the flexibility of an outsourced security solution without compromising security.