Guest Column | May 11, 2023

Bridging MSP Security Gaps: Getting Password Management Right

By Antoine Jebara, JumpCloud


Managed security services are nearly universal offerings of managed service providers (MSPs). While MSPs and enterprises have long recognized the potential benefits of passwordless authentication, the practitioners involved in securing each client’s data and infrastructure know that passwords aren’t going away anytime soon. Research firm ESG finds that barely half of organizations have started the transition to passwordless.

Accepting that many clients will cling to passwords for the foreseeable future, many MSPs look to add additional security layers. Multi-factor authentication (MFA) is popular among IT admins, but not among clients. Research from N-able finds that only 30% of MSPs’ clients use MFA for all applications. This slow adoption of MFA isn’t surprising. From an MSP’s perspective, MFA is a critical element of the security stack, but it also can be seen as adding operational friction, preventing shared admin accounts, being too expensive, or compounding the difficulty of getting clients to deploy.

Single sign-on (SSO) is another layer used to reinforce client security. But for subscription-based models, SSO is usually a paywalled service reserved for higher-license tiers and can be prohibitively expensive. SSO also doesn’t solve use cases when multiple users share an account, and it can be incompatible with older services or line of business (LOB) apps that remain reliant on locally hosted services.

Password managers bridge the gaps that remain between these layers. For clients reluctant to give up their password systems, password managers complement SSO and can help with MFA adoption, since password managers often double as MFA authenticators. At the most basic level, password managers improve client security simply by requiring strong and unique passwords for all accounts, which matters because compromised credentials are the leading cause of cybersecurity breaches. Password managers also help meet compliance requirements by keeping records of who accessed IT resources, when, and from where.

Here are three questions to consider to ensure that the password manager you’re considering meets your business needs — and the needs of each of your clients:

  1. Does it support multi-tenancy?

For MSPs managing multiple clients, a multi-tenancy feature is a huge benefit. Admins can have a centralized location to manage different clients’ passwords and their conditional access policies. Managing centrally offers a significant boost in efficiency and reduces administrative burden—all while allowing admins to account for different access needs of different clients. If you plan on growing, establishing multi-tenancy early will make scaling much easier.

  2. What kind of architecture does it use?

There are three options for password architecture: offline/local storage, cloud storage, and a hybrid model. Business goals, budget, compliance requirements, security concerns, and user experience are just a few of the factors that can help determine which is best for your organization.

  • Offline or local password managers offer an encrypted repository on a user’s device. Because the data is stored locally, this option reduces the potential exposure of sensitive data. Offline architectures require more manual effort from admins: passwords cannot natively be accessed on multiple devices without intervention, there is no way to centralize usage logging or admin controls, and without password-sharing functionality, shared accounts cannot be maintained effectively or securely.
  • Cloud-based password managers also store a user’s credentials in an encrypted vault, but the encrypted repository is online and can be accessed by any device that’s connected to the internet. Such models are flexible, offer easier centralized admin control, allow password-sharing, and give end users access to, and control over, their master passwords. If cloud-based password managers are hacked, there’s the risk that hackers can exfiltrate encrypted customer vaults and attempt to guess weak and reused passwords.
  • Decentralized or hybrid models blend features from offline and cloud-based password managers. They don’t require a master password but can be accessed from multiple devices and across shared accounts. Passwords are stored locally, but IT admins retain centralized admin controls and usage logging for better visibility.

  3. What is the cost?

Given recent contractions in tech spending, small and midsized organizations and the MSPs that manage them are becoming increasingly price-sensitive. If looking to establish long, successful relationships with clients, MSPs will need to balance feature cost with security. Budget requirements and the needs for scalability and flexibility vary greatly among different MSPs, so cost calculations should consider existing business and projections for expansion.

More than ever, MSPs need visibility and control into clients’ IT environments, across files, devices, servers, applications, and networks. Every access transaction is a potential threat. Password-based systems aren’t going anywhere, and neither are the many weaknesses associated with them. Adopting a layered security approach that includes SSO, MFA, and password management lets MSPs meet clients where they are in their security journey, while also giving them the strongest defense possible given the modern threat environment.

About The Author

Antoine Jebara is the General Manager of MSP Products and cofounder at JumpCloud. His role is to drive JumpCloud's MSP vision and strategy and continuously tailor JumpCloud’s offerings to cater to the needs of partners and their customers. Before joining JumpCloud, Antoine was the cofounder and CEO of MYKI, a growth-stage startup focused on decentralized password & 2FA management for MSPs, which was acquired by JumpCloud in February 2022.