How Privileged Access Management (PAM) Protects Against Breaches

How Privileged Access Management (PAM) Protects Against Breaches

BLOG POST

How Privileged Access Management (PAM) Protects Against Breaches

  1. Home
  2. MSP Resources

February 26, 2025

Read Time: 5 Minutes

Featured Product Tours:

MSP Insights

MSPs manage IT infrastructure for multiple clients, often controlling hundreds—or even thousands—of administrative accounts per customer. With each technician requiring access to critical systems, MSPs frequently rely on shared credentials, creating a massive security risk. If a single account is compromised, it can serve as a gateway for cybercriminals to access an entire network, leading to devastating breaches. 
 
Recent data shows that cyberattacks are becoming more frequent and more sophisticated, making it essential for MSPs to implement strong security measures. CyberQP’s Privileged Access Management (PAM) solutions play a vital role in this defense strategy. 

Alarming Statistics

The rise in security breaches is troubling, especially for organizations that rely on MSPs for IT security. We’ve collected insights from industry experts and vendors across the channel. Here are some key statistics to consider: 

  • Cyberattacks have surged by 50% over the past year, with the financial sector being a primary target.
  • Data breaches now cost businesses an average of $4.35 million, a number that keeps climbing.
  • 80% of breaches involve compromised credentials, highlighting the urgent need for strong access controls.

These figures underscore the pressing need for organizations to improve their cybersecurity practices, and MSPs are in a prime position to lead this effort. 

The Role of CyberQP PAM

CyberQP’s PAM solutions enable MSPs to manage and secure privileged accounts, which are often prime targets for attackers. Here’s how CyberQP can enhance your service offerings: 

1. Least Privilege Access 

CyberQP promotes the principle of least privilege, granting users only the access they need to do their jobs. This approach reduces the risk of unauthorized access and limits potential damage from compromised accounts, giving your clients peace of mind. 

2. Real-Time Monitoring and Alerts 

With CyberQP, you can provide real-time monitoring of privileged account activity. This feature allows organizations to quickly identify and respond to suspicious behavior, preventing breaches from escalating and ensuring that clients feel secure. 

3. Strong Authentication Methods 

Since 80% of breaches are linked to compromised credentials, robust authentication is critical. CyberQP integrates multi-factor authentication (MFA) to ensure that only authorized users can access sensitive systems, adding an important layer of security. 

4. Automated Password Management 

Weak passwords are a common vulnerability. CyberQP automates password management, enforcing strong password policies and regular updates. This helps defend against attacks that exploit weak or reused passwords, which is essential for maintaining client trust. 

5. Detailed Audit Trails 

CyberQP’s PAM solutions create comprehensive logs of all privileged account activity. These audit trails are invaluable for compliance and assist in investigating security incidents. They also help organizations easily adhere to regulations, reinforcing their overall security. 

The Increasing Demand for PAM in 2025

Paul Redding began his career as the CEO of an MSP specializing in clients from highly regulated industries such as healthcare and US Department of Defense supply chain. Following his exit, Paul reemerged as a prominent thought leader and passionate advocate in the IT channel. Leveraging his extensive experience helping organizations navigate and maintain cybersecurity compliance, Paul now collaborates with partners worldwide to help them implement top-tier security practices, streamline support processes by eliminating repetitive tasks, and foster deeper, more profitable client relationships.

Paul Redding

Paul Redding

SVP, Channel Marketing and Community

Paul Redding began his career as the CEO of an MSP specializing in clients from highly regulated industries such as healthcare and US Department of Defense supply chain. Following his exit, Paul reemerged as a prominent thought leader and passionate advocate in the IT channel. Leveraging his extensive experience helping organizations navigate and maintain cybersecurity compliance, Paul now collaborates with partners worldwide to help them implement top-tier security practices, streamline support processes by eliminating repetitive tasks, and foster deeper, more profitable client relationships.

The Latest News & Events

How Privileged Access Management (PAM) Protects Against Breaches

How MSPs Can Secure Their Technicians and Manage Tier 1 Tickets with Their PSA 

BLOG POST

How MSPs Can Secure Their Technicians and Manage Tier 1 Tickets with Their PSA 

  1. Home
  2. MSP Resources

December 17, 2024

Read Time: 3 Minutes

Featured Product Tours:

MSP Insights

Today, Managed Service Providers (MSPs) play a crucial role in not only keeping their clients online, but also keeping them secure.  

However, a challenge emerges when service managers need to delegate admin access to Tier 1 technicians. How can they empower their help desk to resolve manual issues or basic tickets like password resets or account unlocks, without over-provisioning access that could pose a risk in the hands of less experienced employees?  

That’s where an MSP’s Professional Services Automation (PSA) and ticketing system comes into play. While PSAs are most commonly known for streamlining workflows like ticketing and invoicing, security and IT solutions ideally can integrate with these platforms to enhance an MSP’s security posture.  

Achieve Least Privileges for Technicians with Your PSA and CyberQP 

Rather than provision persistent administrator access per technician through Microsoft, operating within a secure dashboard or PSA ticket enables Tier 1 technicians to resolve tickets without issuing new admin privileges. This minimizes the risk of exposure to phishing attempts and unauthorized access. 

Moreover, many PSAs take steps to secure their platforms and ensure that all information stored in MSP tenants is protected. For example, CyberQP partners with HaloPSA, which hosts their data in AWS for security and compliance purposes and aligins with the Cyber Essentials Framework. 

[CYBERQP BANNER AD: Secure by Design. See how CyberQP aligns with the Cyber Essentials Framework.]  

By choosing a PSA that offers capabilities without extending privileges, and ensures end user security, MSPs and help desks can protect sensitive data and instill confidence in clients who prioritize security. 

Drive Greater Efficiency by Empowering Non-Technical Staff 

Moreover, ideal PSA integrations will not only augment MSP security, but also support technician efficiency by eliminating manual tasks. For example, a robust PSA integration might eliminate manual ticket notes by offering automated documentation of actions a cybersecurity solution takes (such as identity verification or account unlocks, etc.) or automatically syncing changed passwords to an environment like Active Directory.  

This enables technicians to achieve lower ticket resolution times, giving service delivery managers leeway to allocate resources and invest in what they need. 

However, the benefits of integrating your cybersecurity tools with your PSA dashboard don’t just extend to your technicians. Ideally, administrative staff should be able to step in to help with ticket overflows, and it should be easy for them to take automated actions and offer detailed instructions to customers or users as needed, reducing technician workloads and streamlining tedious workflows. 

See Why Help Desks Partner with CyberQP  

MSPs must make the most with the technology they have. CyberQP Help Desk Security Automation is designed to fill the security and efficiency gaps help desks face today. With QDesk, Tier 1 technicians and non-technical staff can complete simple tasks that disrupt technician workflows, all while minimizing privileged access to Active Directory, Entra ID, or local admin accounts. 

The Latest News & Events

How Privileged Access Management (PAM) Protects Against Breaches

How CyberQP Helps Partners Align with the CMMC Framework

BLOG POST

How CyberQP Helps Partners Align with the CMMC Framework

  1. Home
  2. MSP Resources

Decmber 9, 2024

Read Time: 5 Minutes

Featured Product Tours:

Passwordless JIT

With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).

In order to run through these last-minute changes, CyberQP’s dedicated information security and compliance team has read the final rule and is working on the best strategy to help IT teams and channel partners who trust us follow these best practices. We’ll also give you a look at how we can help you achieve capabilities you’ll need on your compliance journey.

When Does a Vendor Become Part of a CMMC Audit’s Scope?

Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized – including many of the third-party cybersecurity providers that MSPs and IT professionals rely on to secure their end users and environments.  

However, due to concerns that this sweeping requirements would require organizations to eliminate modern security solutions from their toolbox (and concerns about forcing contractors to rely on cost-restrictive legacy tools) led the DoD to carve out a provision clarifying that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.  

Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.  

While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.  

In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.  

According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.  

The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”  

“In order to clarify and address concerns about the perceived “expansion” of requirements, the rule was revised to reflect that ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.”

  • 32 CFR Part 170, CMMC Rule 
WHAT KIND OF SOLUTIONS REQUIRE FEDRAMP MODERATE COMPLIANCE? 
Required (solutions that can remotely access or collect CUI – directly or through hosts)  Not Required (CSPs that are SPAs) 
Remote Monitoring and Management (RMM) tools with remote access to hosts with CUI  Endpoint Detection and Response (EDR) providers with remote access and file collection capabilities  Backup Services used to back up hosts and files containing CUI  Privileged Access Management solutions without remote access to endpoints  SIEM providers that do not collect CUI in logs  Managed Detection and Response (MDR) providers without remote access or file collection 

While the final rule does contain some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm this provision exempts CSPs as SPAs from FedRAMP authorizations if they do not access or handle CUI.  

In short – during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data. 

Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.

While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.

In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.

According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.

The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”

How We Help MSPs Align with CMMC

CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we do help partners proactively meet relevant CMMC requirements, and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.  

When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help you align with some requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access, and automated password management.  

Here are some of the CMMC 2.0 Security Controls That CyberQP Supports: 

  • Access Control (AC)
  • AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 
  • AC.L2-3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 
  • AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts. 
  • Identification and Authentication (IA)
  • IA.L2-3.5.1: Identify information system users, processes acting on behalf of users, or devices. 
  • IA.L2-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 
  • IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 
  • Security Assessment (CA)
  • CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. 

Defend Your Sensitive Data with Confidence

CyberQP offers proactive access control capabilities to your help desk, and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in their security program.  

Ready to partner with a cybersecurity company that’s laser-focused on your success? Speak with a product specialist today.

The Latest News & Events

How Privileged Access Management (PAM) Protects Against Breaches

Why MSPs and SMBs Need a Cybersecurity Partner for their Privileged Accounts

BLOG POST

Why MSPs and SMBs Need a Cybersecurity Partner for their Privileged Accounts

  1. Home
  2. MSP Resources

February 1, 2023

Read Time: 4 Minutes

Featured Product Tours:

MSP Insights

In light of disastrous breaches where threat actors successfully stole sensitive user credentials from traditional password managers, many small and medium-sized businesses (SMBs) are asking their Managed Service Providers (MSPs) how they are protecting key client accounts and data.

It’s clear that while password managers are important for storing and sharing passwords internally and externally, they are not equipped to protect SMBs from sophisticated cyber threats, and lack the functionality to enable MSPs to easily protect and manage the various accounts involved in an SMB’s day-to-day workflow.

The answer? MSPs need a security-first partner and platform that integrates across their technology stack to automate help desk technician workflows and streamline the management of privileged, local, and service accounts.

Where Password Managers Fall Short

Although traditional password managers allow businesses to store and share passwords internally or externally with clients, they lack several of the security measures necessary to follow best practices

For example, password manager applications don’t support regular password rotations for privileged accounts, forcing MSP technicians to go directly to Microsoft 365, Active Directory, or Azure AD to manually update credentials, which can become time consuming and difficult as MSPs continue to scale their operations. And as an MSP grows, the number of endpoints with local admin and service accounts to manage will only continue to grow.

MSPs need security automation solutions to help their teams scale with their customers as they continue to grow. That’s why CyberQP Cybersecurity is developing security automation to accelerate MSP operations, including a Privileged Access Management solution that eliminates manual management for MSPs.

What is Privileged Access Management?

Privileged Access Management (PAM) tools offer a set of tools and best practices to safeguard privileged accounts, whether they are local admin accounts across a client’s endpoints or Azure AD/Office 365 tenant admins. In colloquial terms, PAM solutions protect your MSP’s metaphorical keys to the kingdom.

Privileged Access Management enables MSPs to discover, monitor, and manage these privileged accounts using a variety of capabilities including:

  • Automated rotation of privileged credentials to reduce the potential for threat actors to compromise privileged accounts.
  • Temporary privilege escalation to minimize the number of people with access to sensitive information and deter insider threats.
  • Privileged account discovery to identify potential blind spots and align all of your end users’ privileged accounts to your MSP’s best practices.
  • The ability to sync credentials back to a secure password vault if an MSP needs a secure place to store and manage passwords.
  • Create Just in Time (JIT) access to minimize the standing privilege and risk associated with technicians having 24/7 access to privileged accounts.

What MSPs Need in a PAM Partner

In order to address the growing concerns surrounding threat actors targeting MSPs and SMBs alike through these attack vectors, MSPs need a dedicated cybersecurity partner to enable their technicians’ processes.

The right partner will support MSPs with a suite of Privileged Access Management products, including one dashboard that makes it easy to secure your privileged accounts, from your Azure AD (O365), to your end users’ local admin and service accounts. This cybersecurity partner should offer compatibility and API integrations across your technology stack to automatically rotate critical passwords on a daily, weekly or monthly basis and write them back to a documentation tool like IT Glue or Hudu as needed.

A cybersecurity partner should also offer MSPs the ability to randomly generate 99 character passwords or easy-to-read passphrases that can be stored in a secure password manager built for MSPs to give your team peace-of-mind using automated solutions that eliminate hours of manual labor from your technician workflows.

Why MSPs Need Privileged Access Management

There has never been a better time for MSPs to partner with a cybersecurity company to address these cyber criminals. While Privileged Access Management is uniquely positioned to deter threat actors targeting a business’ critical infrastructure, cybersecurity insurance firms are also driving adoption of PAM solutions.

The escalating number of emerging cyber threats and data breaches have caused cyber insurance premiums to spike, and getting coverage has become restrictively expensive for MSPs, if they can get coverage at all.

As more insurance providers begin requiring Privileged Access Management solutions and requiring regular password rotations, MSPs may need to get onboard to avoid impacting their level of coverage, their premium costs, and their eligibility for cyber insurance in the future.

A Privileged Access Management Cybersecurity Partner for MSPs

Many Privileged Access Management providers are designed to support enterprise security teams, and not equipped to support MSPs. At CyberQP Cybersecurity, we’re building Privileged Access Management and security automation solutions purpose built for MSPs.

The Latest News & Events

How Privileged Access Management (PAM) Protects Against Breaches

Why Rotate Privileged Account Passwords?

BLOG POST

Why Rotate Privileged Account Passwords?

  1. Home
  2. MSP Resources

October 20, 2024

Read Time: 4 Minutes

Featured Product Tours:

MSP Insights

Leaving the passwords for privileged accounts static and configuring them to never expire is convenient and ensures that any system that depends on these accounts will continue to run without any intervention. For MSPs doing this can leave your company and your customers at risk from credential stealing. According to ZDNet the PyXie RAT malware can steal passwords from technicians through keylogging and recorded videos.

Targeted phishing attacks can also obtain administrative credentials by impersonating login portals for online accounts such as Office 365 and Azure AD and having technicians willingly provide privileged credentials without realizing it. Static passwords are easier to crack since they never change and if re-used from another online system, they are at risk of being hacked from a security breach.

Lastly, threats can also be found internally from technicians who are laid off or fired and have access to privileged credentials with malicious intentions. According to Huntress Labs a former MSP technician attempted to sell all their customer administrator credentials on the dark web to the highest bidder.

Why rotate passwords when you use MFA?

MFA (Multi factor authentication) is an essential tool to use that adds an extra layer of security to protect your privileged credentials. Some argue that using MFA eliminates the need to rotate passwords. That being said there is mounting evidence that MFA too can be hacked in a number of different ways including man in the middle attacks and network session hijacks according to Secureworld. Also, most recently it was discovered by Proofpoint that a new vulnerability in Microsoft 365 allows an attacker to bypass MFA. Thus, MFA alone is not a silver bullet and MSPs and IT departments should consider it as one layer in a layered security strategy.

How often should I rotate passwords?

Ideally passwords for privileged accounts should be rotated every time they are used or accessed by a technician or at the very minimum when a technician leaves or is fired. This covers internal threats from malicious technicians either employed or fired by an MSP. However, this does not cover if the password was hacked from a keylogging malware or phishing attack. Thus, the need to rotate passwords more frequently such as daily or weekly on a scheduled basis becomes much more essential.

How much does it cost to rotate passwords manually?

The concept of rotating privileged account passwords makes a lot of sense but rotating all these passwords manually can be costly. Let us break this down. Here are the general steps a technician must do when they rotate a password for a privileged account in Active Directory or Azure AD (Office 365).

  1. Look up documentation for current resource password.
  2. Access the resource via remote control solution or web browser
  3. Login
  4. Open Active Directory Users and Computers or Azure AD
  5. Locate the account to reset
  6. Choose a new password
  7. Perform the reset
  8. Update the password on the windows service or scheduled task (if applicable)
  9. Update the documentation
  10. Repeat steps 1 – 9 for the next privileged account.

Let’s assume this takes an average of 1 mins per password. According to Forester research the average cost in technician time and resources is $25 per 15 mins or $100 per hour USD. Then the average cost of a manual password reset is $1.67. Here is how much it would cost every time you need to manually rotate all your privileged account passwords. If your numbers are slightly different feel free to input your own numbers for average time and cost to see where you land.

 

Password rotation

ou could argue that if you had to rotate passwords once a quarter or a year that you would just suck it up and assign the work to a technician. But if you need to do this daily or weekly costs would quickly spiral out of control and let’s be honest no one in their right mind would do this daily or weekly if it was a manual process. Also, when things are busy this is the first task that would get postponed and therefore may be skipped and forgotten.

Why should I automate password rotation?

The numbers don’t lie. If you had to rotate all your privileged account passwords in Active Directory or Azure AD (Office 365) daily, weekly or monthly it would be cost prohibitive or worse would not get done leaving your MSP or enterprise exposed even if you use MFA.

Being able to automate these password rotations in a set it and forget it manner ensures it gets done without manual intervention for a substantial savings and protection your MSP or IT Department needs.

The Latest News & Events