Privileged Access Management for MSSPs – We understand that the needs of our Managed Service Provider/Managed Security Service Provider (M(S)SP) customers differ from those of large end users.
The key difference is the need to scale through repeatability. However, there’s now another requirement: M(S)SPs need to add strong audit features to their offering so that they can assure their customers that they will comply with GDPR. This needs to be done cost-effectively in a maturing Cloud market where price pressure is ever-present.
Our Service Provider customers run the best physical hardware and deepest levels of virtualisation to provide the uptime security that attracts their customers. All that equipment needs to pay for itself, and these days virtual systems are often available at a monthly fee that is less than the electricity required to run an equivalent physical system.
M(S)SPs need to meet these security/compliance demands:
- Uptime security: Virtual machines/disks should be able to migrate across the available hardware without interruption to service; and should be backed up in at least three places.
- Data Security: The provider needs to know who has had access to what data and virtual machine resources; access needs to be very tightly controlled at the hypervisor and SAN level because these are the sensitive levels where data can be invisibly stolen; and the provider needs to know precisely where all the backups are, what access has happened, and that erasure is full and complete.
To meet these demands, our M(S)SP customers are employing the most talented cybersecurity staff. But this is an expensive human resource that impacts the bottom line. Therefore, there is a drive to get the very best security from the fewest staff.
We’re fully aware that the providers use outsourcers, particularly in the anti-malware and help desk disciplines. These outsourcers need to be both trusted and proven to be trustworthy.
Recently, our Sales and Support teams have noticed a change in customer engagements. Two years ago, PAM was driven by compliance and audit, and PTM was a help with time pressures and common IT operations. Our Service Provider customers were at the forefront of using PTM for business tasks, in particular deploying privileged tasks all the way to outsourced help desks to help deliver ‘first call resolution’.
These days, task and process automation is always on the agenda. Rapid reaction and bulk changes are common discussion points.
For example, a Service Provider may need to make rapid and consistent changes through multiple firewalls, not only for threat management but for service provision. Then there are scheduled tasks, for example, password cycles on SAN and Hypervisors, since these are the ‘crown jewels’ of any Service Provider.
M(S)SPs are far more likely to be working with Open Source because they need the extra flexibility, proven security and cost benefits of this kind of software. The volume of systems and devices they deal with swamps that of end-user data centres. We understand not only the volume of systems but also their peripatetic nature as they are stood up and down to keep costs at an absolute minimum.
How we can help
Our understanding is reflected in our product offering in several ways:
- Flexible pricing – We know that not all systems are up all the time, and that access profiles tend to be much lighter on a per-system basis.
- Searching – Our PxM client is available on Windows, MacOSX and Linux. It can keyword search across system, device and application names, as well as task names and location metadata.
- Application Dependency Isolation – Our MAP server technology means that complex Windows applications can be installed once and then accessed from any OS – Windows/MacOSX/Linux. It also means that legacy applications with known security issues can be isolated in their own locked down security cells.
- Bulk import – The PxM Platform can bulk import both devices and users. The import can also handle metadata, for example, location, customer, etc.
- Wide Device Support – The PxM Platform covers all the common switches, routers, firewalls, load balancers and content filters. You can also create templates for your own systems and applications.
- Auditing – Our PxM platform has plenty of logging and plays well with SIEM systems. For the level of reporting M(S)SPs require, we’re working on enhancing Elastic Stack to provide levels that go beyond Privileged Behaviour Analytics.