ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Security mindsets of MSPs

    Scheduled Pinned Locked Moved IT Discussion
    29 Posts 6 Posters 3.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by

      Most MSPs act this way for three reasons:

      1. If you go with primarily "gold" partners, that means they are resellers not MSPs. Their specialty is sales, not IT. They are stores. To get to those levels you don't have to be technical, you have to sell gear. So you bar for what good looks like is actually almost impossible for a quality IT firm to hit but trivial for a non-technical salesman to hit. So you are possibly weeding out the secure firms and looking specifically to the insecure ones.

      2. Most customers train MSPs to behave this way. It's true. Customers not only generally don't care, they often actively demand that MSPs be insecure. That someone wants security is often a massive shock to an MSP.

      3. The MSP should only ever, when possible, have their own passwords. Not always possible, but generally. For example, their own domain admin account just like they were a member of staff. Because you need to know when something is done with your account or with theirs. Then they could only give out their own credentials for which their are liable instead of giving out hours for which they are not.

      1 Reply Last reply Reply Quote 0
      • C
        Carnival Boy
        last edited by

        A break glass system (nice term, btw) wouldn't prevent unauthorised access as a result of stolen credentials though. By the time I get the alarm, it is probably too late to do anything.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Carnival Boy
          last edited by

          @Carnival-Boy said:

          A break glass system (nice term, btw) wouldn't prevent unauthorised access as a result of stolen credentials though. By the time I get the alarm, it is probably too late to do anything.

          Nothing will prevent that. The idea is to prevent them being stolen.

          1 Reply Last reply Reply Quote 0
          • C
            Carnival Boy
            last edited by

            I'm not sure I follow you. What's the purpose of the break-glass system? They still have full access, so it is just as insecure, right?

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Carnival Boy
              last edited by

              @Carnival-Boy said:

              I'm not sure I follow you. What's the purpose of the break-glass system? They still have full access, so it is just as insecure, right?

              One of the immutable laws of security is that you must always trust your admin(s). Period, no except. Immutable law. Anyone who can act as an admin has unlimited access. That can't be changed.

              So given that, we must do what we can to limit this. There are a few basics:

              1. Audit everything that yo can (if necessary, be warned that auditing is only so useful and can be very counterproductive.)
              2. Be careful whom you trust.
              3. Limit the need to have an admin (break glass, in this example.)

              In the case of the break glass, they only become an admin when necessary. Yes, they could break the glass when not needed, but you'd know about it. There is little alternative.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                One of the most important documents that any IT pro can know....

                Microsoft's Ten Immutable Laws of Security

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller
                  last edited by

                  Law #6: A computer is only as secure as the administrator is trustworthy.

                  1 Reply Last reply Reply Quote 0
                  • C
                    Carnival Boy
                    last edited by

                    I trust them to work on my systems. I don't trust them to prevent credentials from getting into the wrong hands as a result of their sloppy security procedures.

                    At the moment they can only come in if I let them, by enabling their AD account. The problem is who let's them in when I'm not here. If my colleague does this, how do I make it easy for my colleague? Alternatively, I could enable their accounts before I go on holiday, and disable them when I return.

                    In the days before remote access, they would have to physically enter the building to do any work. There are checks in place to prevent anyone walking in to the building (ie visitor management & security procedures). How do I replicate the physical management procedures in the on-line world? I need a robust system that balances the risk of unauthorised access versus the risk of downtime as a result of no-one being able to access something that needs fixing.

                    scottalanmillerS 3 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Carnival Boy
                      last edited by

                      @Carnival-Boy said:

                      I trust them to work on my systems. I don't trust them to prevent credentials from getting into the wrong hands as a result of their sloppy security procedures.

                      You can't differentiate. Distill what you wrote to "I don't trust them."

                      So, you can't use them. That's your answer there.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Carnival Boy
                        last edited by

                        @Carnival-Boy said:

                        At the moment they can only come in if I let them, by enabling their AD account. The problem is who let's them in when I'm not here. If my colleague does this, how do I make it easy for my colleague? Alternatively, I could enable their accounts before I go on holiday, and disable them when I return.

                        Yes. Or have management do it. Turn it on but have management hand over the passwords. Or have management enable/disable and nothing else.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Carnival Boy
                          last edited by

                          @Carnival-Boy said:

                          In the days before remote access, they would have to physically enter the building to do any work. There are checks in place to prevent anyone walking in to the building (ie visitor management & security procedures). How do I replicate the physical management procedures in the on-line world? I need a robust system that balances the risk of unauthorised access versus the risk of downtime as a result of no-one being able to access something that needs fixing.

                          Well if the building was locked up and they needed to work.... either....

                          1. Give them a key and they can get in any time or...
                          2. Don't give them a key and trust someone internally with that right to let them in and out.

                          Technology doesn't change the choices. It might appear to, but it really doesn't.

                          C 1 Reply Last reply Reply Quote 0
                          • C
                            Carnival Boy
                            last edited by

                            @scottalanmiller said:

                            @Carnival-Boy said:

                            I trust them to work on my systems. I don't trust them to prevent credentials from getting into the wrong hands as a result of their sloppy security procedures.

                            You can't differentiate. Distill what you wrote to "I don't trust them."

                            So, you can't use them. That's your answer there.

                            I don't trust anyone external. But I have to take a holiday.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • C
                              Carnival Boy @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              Technology doesn't change the choices. It might appear to, but it really doesn't.

                              It doesn't change the choices but it changes the solutions. Creating a procedure that allows a colleague to grant admin privileges to external agents isn't a trivial task.

                              1 Reply Last reply Reply Quote 0
                              • alexntgA
                                alexntg
                                last edited by

                                Them emailing you the passwords, for lack of a better phrase, is pretty derpy. Next go around, set up separate users and passwords for your main systems. That'll give you the ability to block their access as needed without having to hand over your passwords. If you want to get rid of them, toast their accounts. If you go rogue, they can still help your company keep control.

                                Also, take a look at the other types of companies that the MSP works with. Ones that have more security-focused clients will naturally lean towards being more secure.

                                1 Reply Last reply Reply Quote 0
                                • JaredBuschJ
                                  JaredBusch
                                  last edited by

                                  Also realize that email may not be as insecure as you think.

                                  Before you went off the handle and wasted all that time changing passwords, did you check if the email had been sent via TLS?

                                  DashrenderD 1 Reply Last reply Reply Quote 1
                                  • C
                                    Carnival Boy
                                    last edited by

                                    Went off the handle, LOL. Firstly, I don't consider changing passwords a waste of time. I probably don't change them enough. Secondly, it's the principle of the thing that annoys me. Bad practice is bad practice. I don't keep passwords listed in Word documents. I don't think they should either.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @JaredBusch
                                      last edited by

                                      @JaredBusch said:

                                      Also realize that email may not be as insecure as you think.

                                      Before you went off the handle and wasted all that time changing passwords, did you check if the email had been sent via TLS?

                                      Not very many SMTP servers use TLS by default (even if both sides have it available).

                                      alexntgA scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @Carnival Boy
                                        last edited by

                                        @Carnival-Boy said:

                                        I don't keep passwords listed in Word documents. I don't think they should either.

                                        In this type of situation, where do you keep the passwords for all of your different clients for all of their different systems?

                                        Personally I don't mind if they use Word/Excel to store these. The best I can hope for is that they are being stored in a safe manor - i.e. not everyone in their company has access to the files, even better if stored on encrypted drives, etc.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • alexntgA
                                          alexntg @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          @JaredBusch said:

                                          Also realize that email may not be as insecure as you think.

                                          Before you went off the handle and wasted all that time changing passwords, did you check if the email had been sent via TLS?

                                          Not very many SMTP servers use TLS by default (even if both sides have it available).

                                          Office 365 does.

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            technobabble
                                            last edited by

                                            This is very interesting to me. As a smaller fish in the IT biz I am trying to do right with security and all of you have a different slant on passwords in emails and in documents. My goal was to password protect my SharePoint OneNote page with my clients User/Pass list. For my web/email hosting clients, I was going to delete all passwords I had on file and require them to create new ones if they forget. I still would have to check how secure my services desks were for sending out passwords for users who request the password reset. Seems like you really can't secure it all, or easily. And how many roadblocks do we want to put in the way of people wanting to get work done?

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post