PAM for Managed Service Providers as an Added Value and Security Option

Privileged Access Management (PAM) is an essential component in protecting organizations against cyber-attacks, ransomware, malware, phishing, and data leaks. No longer a tool for protecting admin accounts only, privilege management now extends across the entire organization, from on-premises and cloud infrastructure to every user, no matter where they are working from or what they are accessing. To assist with this, Managed Service Providers (MSPs) are increasingly adding PAM capabilities to their portfolios. This whitepaper examines the options for MSPs and their customers in the market for PAM as a Service.

Paul Fisher


Commissioned by ARCON

1 Introduction / Executive Summary

PAM software and tools have traditionally been installed and run on-premises by the organization itself. In recent years, the growth in identities operating across cloud and digital services has seen vendors offering cloud-based PAM solutions to assist with this growing complexity and concomitant security challenge.

This experience in cloud-based platforms has led some vendors to offer complete PAM solutions that can be run as a service by Managed Service Providers, in order to protect existing services and client secrets. The advantage to MSP clients is that the heavy lifting of deploying a PAM solution falls to a third party, governed by strict contractual agreements. The result should be flexible, scalable and automatically updated by the MSP. The security and compliance pressures on organizations are leading more of them to rely on MSPs for critical access and security functions to ensure business continuity.

2 Highlights

  • MSPs have become an established part of the IT landscape in recent years as businesses look to outsource technical functions normally operated on premises

  • How PAM as a Service can offer technical and business benefits to Managed Service Providers

  • Why shifting PAM responsibility to a third party is a high-risk operation and requires diligent research and preparation

  • The reasons why ransomware is becoming an existential threat to global business and how PAM can assist in protecting MSPs and clients

  • Why the increase in Privacy and Data regulations around the world is increasing the need for PAM

  • Technical descriptions of advanced PAM capabilities that organizations should look for in choosing PAMaaS

  • What to look for when choosing an MSP to deliver PAMaaS

3 The need for Privileged Access Management

PAM platforms are critical cybersecurity controls that address the security risks associated with the use of privileged access in organizations and companies. It is reckoned that most successful cyber-attacks involve the misuse of privileged accounts. And misuse is enabled by poor management of privileged access using old or inadequate PAM software, policies, or processes. A 2020 RSA Conference report states that potentially malicious privileged access from an unknown host accounted for 74% of all privileged access anomaly behaviour detections. The message is clear: hackers are actively targeting privileged accounts as the best way to get inside an organization.

While PAM platforms have been around for around 20 years, the demands of digital transformation and wholesale structural changes to IT architecture have intensified interest in PAM software and applications – across all market sectors. And vendors have responded to the demand and critical need for advanced PAM that can meet the challenges of the modern computing era. Among malicious activities that PAM must control are abuse of shared credentials, misuse of elevated privileges by unauthorized users, theft of privileged credentials by cyber-criminals and abuse of privileges on third-party systems.

All of these are undoubtedly an issue for organizations looking to manage privileged access within the parameters of their IT infrastructure and endpoints. The role that PAM can play in the internal management and customer service of Managed Service Providers (MSPs) is being more widely considered. MSPs have become an established part of the IT landscape in recent years as businesses look to outsource technical functions that they do not have the resources or time to run in-house. Typical managed services might include building cloud infrastructures, data warehousing, IT security and many iterations of software as a service (SaaS), and are purchased on a subscription basis. We are now seeing the emergence of DevOps as a Managed Service, proving that no digital function is off limits as a service.

As the variety of functions offered has multiplied to embrace the technical requirements of digital transformation, the demands of managing access to and from assets across clouds and on-premises infrastructure have also massively increased. MSPs therefore must manage and secure access to and from their client infrastructure, and how well they can achieve this will impact the Service Level Agreement (SLA) between the MSP and its clients, and of course their competitive position in the market.

The complexity of managing privileged access within an MSP

MSPs can be hosting thousands of tenants on clouds and data centres and this complexity demands rigorous security to ensure that individual client data and networks are protected and sequestered. That is a major challenge. Many of these clients will also run IT operations that rely on privileged access to data, applications, services, and code. Managing privileged access within traditional architectures requires deployment of PAM platforms by the organization but once privileged access shifts to a managed service, the customer must entrust the security of credentials and authentication to a third party.

Businesses must trust an MSP to properly execute tasks they cannot, although they may not realise that the trust may also include the execution of privileged access management. This puts the responsibility onto the client to ask the right questions and the MSP to prove it has the right answer: yes we have a PAM platform that is designed to protect the data flows of all our clients, with total confidentiality.

3.1 Some good reasons why MSPs should consider PAM

Small and medium-sized businesses (SMBs) with limited in-house IT resources are often MSP customers but are likely to process sensitive data. Larger enterprises may use MSPs for special projects or certain Lines of Business (LOBs) such as HR, Finance or software development. Whatever the size or number of customers, MSPs are under pressure to do more to protect their clients and secure access to privileged information.

The Ransomware epidemic and other malware

Managed Service Providers around the world are being targeted with ransomware by cybercrime gangs. The crime gangs know that the potential payoff is twofold: they can attack the MSP itself by crippling its operations, but also use the MSP as a stepping stone into the networks of its client base. An attack in Sweden (June 2021) did exactly that and affected more than 1000 companies, including the large Coop grocery chain.

Originally the attackers hacked a bogus update from Kaseya, an IT management software provider used by MSPs and enterprises. Their ultimate target was the MSPs and their clients in turn. From the perspective of the hackers, the operation was a great success, with at least 20 MSPs successfully breached plus 1000 clients also having data encrypted by the attackers. The Coop group was forced to close all but five of its 500 stores when all payment systems stopped working after its MSP, Visma Esscom, was affected.

This single incident shows the vulnerability inherent in our multi-connected IT landscapes, where an attack on one company can affect so many others. In this incident, the MSPs trusted by their clients proved to be unwitting Trojan Horses. While ransomware is the most serious form of attack today, hackers and cybercriminals will use other forms of malware to spy on organizations and steal data by also targeting MSPs.

Regulatory and compliance obligations

While cybercrime has evolved into a permanent threat to business, a concurrent rise in privacy laws around the world has created a double whammy for organizations: first you lose your data, then you get penalised for losing that data by government agencies. This results in fines and reputational damage, then potentially loss of trust in the market.

There are some regulatory rules to consider depending on the type of legislation governing the region where an MSP may store data. In the EU, the GDPR regulation makes it clear that the Data Controller is liable for any breach of privacy – in this case that would be the client of the MSP, which is separately classified as the Data Processor. However, for that very reason it is in the best interest of the MSP to ensure that client data is protected, and access strictly governed. While the client may have to pay the fines, the MSP is not going to dine out on a damaged reputation and will probably lose business.

In other regions of the world the legislative picture is more complex. MSPs will also need to adhere to the EU NIS 2.0 and the recently launched US Presidential Executive Order. The UK left the EU but still follows the letter of GDPR, renaming the regulations as UK GDPR, and any business that processes the data of EU citizens remains subject to EU law. Some local UK changes may apply in future. In the United States there is a patchwork of state privacy laws, each with their own rules and responsibilities, making it hard for MSPs and their clients to keep on top of them. There are similar laws in Brazil, Asia and Australia. In short, the world is moving to ensure that all businesses take greater responsibility for data governance, whether they be Data Controllers or Data Processors. Consumers too are more aware of privacy rights and expect companies to do more to protect their data.

Increased revenue and market opportunities

A Managed Service Provider that can offer proven PAM capabilities in addition to its existing range of services is likely to gain competitive advantage over rivals that do not. In the age of ransomware and organised crime gangs attacking organizations, customers will be looking to technology partners to add the best security possible to protect access and data flows. However, customers should be careful to ensure that the MSP has chosen the right PAM partner, one that has enough technical capability to handle modern IT architectures and the threat actors that hunt for vulnerabilities within connected networks. MSPs need to prove the integrity of the PAM solution in their service portfolio and prove they have the skills to maintain security standards across their client base. Done right, there is added value in adding PAM for MSP clients and providers.

Figure 1: How MSPs use PAM to protect tenants while allowing authentic access requests to flow freely across networks. (Source: KuppingerCole)

4 The PAM challenge as laid down for MSPs

Adding a PAM layer around existing Managed Services, whatever they may be, is fully sensible, but implementing this layer is not without challenges for clients and partners. Modern organizations are increasingly decentralized, with identities seeking access from thousands of endpoints, sometimes from unknown networks. Therefore, a PAM deployed by an MSP on behalf of clients must meet security, scalability and IT performance targets – scalability is arguably the most important, as PAM must scale as capacity and access requirements change rapidly. MSPs have access to client data and secrets and it may not be long before clients start demanding PAM as an option to protect those secrets. They need to be ready.

4.1 Key capabilities for PAM to protect MSP client data and services

Efficient operations management and dashboards

Any MSP should have full oversight of Privileged Access Management across all its tenants, no matter their global location. However, the efficiency and usability of any Administrator environment will determine how successful the MSP is at managing the highly complex and multi-tenanted infrastructures that typically inform the operational landscape of MSPs today (see Figure 1).

Therefore, for both MSPs and clients it is important that any PAM platform deployed offers an easy to configure organizational framework which allows tenants to make access and service requests in the same manner as if PAM were running on-premises or controlled from the cloud by on site Admins. It should also allow workflows to be configured for each customer, according to individual security/business policies and processes. Again, given the multi-tenancy nature of MSPs, it is essential the administration module acts as an emollient; flexible and scalable enough to manage the needs of very different hosted environments, applications and access points among the tenant cluster.

Multiple authentication and authorization capability

The PAM used by the MSP should be compatible with as many authentication protocols as possible and support directories such as Active Directory, LDAP, SAML and native cloud directories. Well-known and widely used authentication platforms such as Duo, RSA, Safenet or Vasco should also be supported to allow for the mix used by clients and supply chain partners.

Lean architecture

PAM software originates from different vendors, some the result of many years of development or the combination of technology acquisitions. Ideally, to best cope with the complexities of client architecture, PAM should be a lean solution, cloud and microservices native and supported by APIs and connectors to bridge legacy technologies, applications and code. It should also benefit from CI/CD environments to rapidly meet changes in the market and client demands.

Advanced PAM capabilities

As well as high level capabilities KuppingerCole recommends that PAM intended for use by MSPs should also include the following advanced PAM capabilities.

  • Privileged Account Data Lifecycle Management (PADLM)
    The usage of privileged accounts must be governed as well as secured. The PADLM function serves as a tool to monitor the usage of privilege accounts over time to comply with compliance regulations as well as internal auditing processes.

  • Application to Application Password Management (AAPM)
    Part of digital transformation is the communication between machines and applications and other applications and database servers to get business-related information. Some will require privileged access, but time constraints on processes mean it needs to be seamless and transparent as well as secure.

  • Controlled Privilege Elevation and Delegation Management (CPEDM)
    As the name suggests CPEDM allows users to gain elevation of access rights, traditionally for administrative purposes and for short periods typically, and with least privilege rights. However, some vendors are adapting the traditional role of CPEDM to become more task focused and adaptable to more flexible workloads that modern organizations require.

  • Remote Privileged Access (RPA)
    Since the Covid 19 pandemic, the prevalence of working from home has soared and some PAM vendors have responded by adding capabilities allowing privileged access directly from endpoints, such as laptops.

  • Just in Time (JIT)
    Implementing JIT within PAM can ensure that identities have only the appropriate privileges, when necessary, as quickly as possible and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.

  • Single Sign-On (SSO)
    Single sign-on is a user authentication system that permits a user to apply one set of login credentials (i.e. username and password) to access multiple applications. Therefore, PAM solutions are increasingly supporting integration with leading SSO vendors to address this challenge.

  • Privileged User Behaviour Analytics (PUBA)
    PUBA uses data analytic techniques, some assisted by machine learning tools, to detect threats based on anomalous behaviour against established and quantified baseline profiles of administrative groups and users. Any attempted deviation from least privilege would be red flagged.

  • Account Discovery
    Some vendors offer modules that scan networks and endpoints to discover privileged accounts in use to enable better security and compliance.
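
The PUBA item above describes comparing privileged sessions against baseline profiles; the following is an added example, not code from this whitepaper or from any vendor, that builds a per-tenant baseline and flags deviations such as access from an unknown host. The log format, host names, tenant names and target inventory are constructed assumptions.

```python
"""Per-tenant privileged-session baseline and deviation check (illustrative)."""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: which tenant owns each target system.
TARGET_OWNER = {
    "db01.acme": "acme",
    "erp01.acme": "acme",
    "web01.globex": "globex",
}

# Constructed history in a hypothetical format:
# timestamp|tenant|privileged_user|source_host|target
HISTORY = """\
2021-06-01T09:12:00|acme|alice.admin|jump01.msp.example|db01.acme
2021-06-02T10:40:00|acme|alice.admin|jump01.msp.example|erp01.acme
2021-06-03T14:05:00|acme|alice.admin|jump02.msp.example|db01.acme
2021-06-01T08:30:00|globex|bob.ops|jump01.msp.example|web01.globex
2021-06-02T16:45:00|globex|bob.ops|jump01.msp.example|web01.globex
"""

# Constructed sessions to evaluate against the baseline.
NEW_SESSIONS = """\
2021-06-04T11:00:00|acme|alice.admin|jump01.msp.example|db01.acme
2021-06-04T02:17:00|acme|alice.admin|host-203-0-113-7.example|db01.acme
2021-06-04T09:30:00|globex|bob.ops|jump01.msp.example|db01.acme
2021-06-04T10:00:00|globex|carol.temp|jump01.msp.example|web01.globex
"""


def parse(text):
    """Turn pipe-delimited lines into dicts, skipping malformed rows."""
    records = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        ts, tenant, user, host, target = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "tenant": tenant, "user": user,
                        "host": host, "target": target})
    return records


def build_baseline(records):
    """Profile each (tenant, user) by source hosts, targets and hours seen."""
    baseline = defaultdict(lambda: {"hosts": set(), "targets": set(), "hours": set()})
    for r in records:
        profile = baseline[(r["tenant"], r["user"])]
        profile["hosts"].add(r["host"])
        profile["targets"].add(r["target"])
        profile["hours"].add(r["when"].hour)
    return dict(baseline)


def evaluate(baseline, rec, hour_slack=1):
    """Return the list of reasons a session deviates from its baseline."""
    reasons = []
    # Tenant isolation: the target must belong to the requesting tenant.
    if TARGET_OWNER.get(rec["target"]) != rec["tenant"]:
        reasons.append("target_not_owned_by_tenant")
    profile = baseline.get((rec["tenant"], rec["user"]))
    if profile is None:
        reasons.append("no_baseline")  # never-seen privileged identity
        return reasons
    if rec["host"] not in profile["hosts"]:
        reasons.append("unknown_host")
    if rec["target"] not in profile["targets"]:
        reasons.append("new_target")
    lo = min(profile["hours"]) - hour_slack
    hi = max(profile["hours"]) + hour_slack
    if not lo <= rec["when"].hour <= hi:
        reasons.append("unusual_hour")
    return reasons


def flag_sessions(history_text, new_text):
    """Evaluate new sessions and return only those with at least one reason."""
    baseline = build_baseline(parse(history_text))
    findings = []
    for rec in parse(new_text):
        reasons = evaluate(baseline, rec)
        if reasons:
            findings.append((rec["tenant"], rec["user"], rec["host"],
                             rec["target"], reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_sessions(HISTORY, NEW_SESSIONS):
        print(finding)
```
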

4.2 ARCON PAM solutions designed to run as a service

Founded in 2006 and based in Mumbai (India), ARCON offers its Privilege Account Management Suite to manage privileged access across various delivery models. ARCON takes a modular approach to PAM, and the suite is offered as software, virtual and physical appliances, with a PAM as a Service (PAMaaS) option available to MSPs.

ARCON PAM SaaS is based on implementing a zero-trust security framework for privileged accounts and does not lack for any features that are provided in the regular on-premises suite that ARCON also provides. The company proposes four typical customer models for the product: Small and Medium (SME), Enterprise, Managed Service Provider (MSP) and the Partner SaaS model.

These last two sectors are important. KuppingerCole believes there will be significant growth in the number of third-party providers of PAM services in the next five years. While the models are different, the core product is the same giving all customers the option to pick and choose features and capabilities as they need and not worry about updates as these are automatically applied by ARCON.

There will also be significant growth in smaller businesses looking to use an established PAM vendor provider like ARCON to provide PAM as a Service directly. In this instance, ARCON's customers can self-register for the service directly from the ARCON website and take it from there. All connections to Target Devices are via Secure Tunnel (SGW) or via Application Streaming (HTTPS with TLS 1.2) with Session Isolation using the Application Gateway (AGW) Component of the full ARCON PAM Solution.

In the Enterprise Customer Model ARCON suggests that large companies can connect to data centres from locations across the world into a single instance of ARCON PAM and be managed from one central console. Alternatively, customers can separate PAM operations into regions for compliance reasons, for example, and still benefit from all the hosting benefits. The MSP model provides the same functionality but delivers flexibility to the MSP provider to deliver PAM services to clients in the cloud or on premises and the MSP can manage multiple tenants from a single installation of ARCON PAM. To meet compliance demands, multiple partitioning techniques are used to separate client data.

The Partner SaaS model allows larger companies to host PAM services for vendors or other third parties which provides a useful option for modern complex supply chains and gives organizations peace of mind that partners are protecting privileged accounts to the same standard. All cloud-based solutions are designed to run under AWS.

4.2.1 ARCON SaaS in use

ARCON has based all setup and configuration around a dedicated cloud portal that allows customers or partners to create the setup best suited to their own organization or for their clients. The pages within this are clear and easy to understand (full of pop down menus), which reduces setup time to the minimum. The Admin Registration Form is a good example, which makes signing up to the service quite a consumer-like experience. After that, a series of online prompts will take the user through further steps that allow companies to be registered with the service and further divided into Lines of Business (LOBs) if so required. Customers can also set responsibilities for admins within the organization through the same portal.

Those customers running ARCON PAM SaaS as an MSP or on behalf of vendors also benefit. Here they can access data such as number of companies, LOBs and users being hosted as well as the number of services available. Other features include Direct login, multiple sessions in the same window, switching between sessions and custom folder creation.

Buyers of ARCON's PAM SaaS still benefit from ARCON's existing product architecture with built-in high availability, real-time password replication and automated recovery features. These enterprise grade features enable the platform to support multi-cloud, multi-tenancy and third-party remote access use-cases which are now common features of digital organizations. Security and convenience are enhanced by OTP authentication for privileged session initiation and integration with third party biometrics providers. ARCON also supports integration with hardware-based OTP tokens from Entrust and RSA SecurID.

ARCON's tools for privileged user account discovery are also notable for their flexibility. These can be run on demand to detect all accounts across designated servers and/or endpoints and correlate them with existing on-boarded privileged accounts. Once discovery has been completed, admins can analyse accounts and refine them into Local/Domain or Privileged/Non-Privileged, for example. Privilege IDs can be onboarded in bulk by using a bulk import feature embedded within the solution.

Any leading PAM solution in today's market should provide a substantial range of connectors and ARCON PAM SaaS boasts more than 300 integrations which are available through a GUI making it easier for partners and clients to integrate applications and services.

Smart session monitoring analyses video, images, keystrokes and face recognition to detect suspicious activity and provides comparison of live metadata with recorded activity. To further prevent fraudulent access at source, ARCON PAM SaaS features Just-in-Time provisioning that provides limited time access, ephemeral accounts and on-demand privilege elevation that also time out. Modern organizations increasingly need greater access flexibility for privileged account users such as DevOps and multi-cloud users. Out of sync credentials can be auto healed and integrated within analytics and SIEM solutions. Password rotation tools are a strength and MSPs will benefit from the wide support for many standard enterprise applications such as Windows, SAP, Oracle, Cisco, Juniper, VMware and many others.

5 Recommendations

KuppingerCole recommends the use of an MSP for many IT and security functions in specific circumstances and by extension we welcome the growth of PAMaaS run by MSPs on behalf of clients. However, for the deployment of PAM by a Managed Service Provider to deliver business value, both parties should follow the following recommendations for successful technology partnerships.

5.1 Recommendations for Managed Service Providers

Understand the PAM market

Managing privileged accounts on behalf of clients is a big responsibility. Do not enter this market blind or list PAM capabilities without a full understanding of the market for PAM and the security risks inherent in unprotected privilege accounts.

Put service before profit

While there are revenue opportunities to be had in providing PAM, your priority should be on adding value to clients and improving their security position.

Choose the best technology

Survey the PAM vendor landscape and choose the technology that is most suited to your operations and that of your clients. But consider future needs of scalability and the ability to add advanced capabilities in a modular fashion. Fine grained administration and analytic capabilities are also important considerations.

Draft well-defined service level agreements (SLA)

Consider carefully what and how you will fulfil the service level for your clients. Different types and sizes of customers will demand different agreements based on numbers of privileged accounts, type of business, supply chain and other key criteria.

Keep on top of global and regional GRC obligations

Privacy and other data-related laws are multiplying around the world. While some regions such as the EU have blanket legislation covering all 27 member states, the picture is more complicated in other regions, such as North and South America, Asia and Russia. Although clients will be legally responsible for the security of their own customers' data, they will expect any MSP to understand and adhere to regulations.

5.2 Recommendations for clients

Do your research

Handing over responsibility for Privileged Access Management to a third party is a big deal and involves high levels of trust. When looking for a PAM partner, look at the MSP track record and its capabilities and ability to handle the complexity of the access and identity demands of your organization. Look very carefully at the PAM platform it uses and whether PAM can be tailored to your own operating model and market sector demands (e.g. compliance).

Ensure it can undoubtedly do stuff better than you can

This should be the goal of any MSP appointment otherwise it is pointless. If your research proves that any MSP cannot do this, choose one that does.

Will it improve your efficiency and your bottom line and add value?

As well as taking on the technical challenges of PAM, the service should be cost effective and add value. For example, it should be at least the cost of on-premises deployment without the tie up in internal resource but preferably at a lower TCO. Ideally, the best MSP will not add unaffordable extras and not talk you into extra capabilities that are not needed. Typically, a well-established and larger MSP should be able to pass on its own economies of scale to its own customers.

Consider the scalability of the MSP and its PAM platform

As your business grows, the MSP and its PAM platform must have the ability to scale, sometimes rapidly. More employees and customers generate more digital identities that require privileged access to data and services. Endpoints will multiply and more employees will access networks from remote locations. Ensure that the MSP can scale and has a proven record of doing so.

Hire a consultant or advisory service

Outsourcing PAM and security to an MSP is a risky decision, which may need external advice to get right. As proven experts in the field of Identity and Access Management and Cyber Security, KuppingerCole Advisors are on hand to guide you through the process.

6 Related Research

Architecture Blueprint: Hybrid Cloud Security - 72552
Advisory Note: Cloud Services and Security - 72561
Advisory Note: Trends in Privileged Access Management for the Digital Enterprise - 71273
Blog: PAM Can Reduce Risk of Compliance Failure but is Part of a Bigger Picture
Blog: Privileged Access Management Can Take on AI-Powered Malware to Protect
Blog: Taking One Step Back: The Road to Real IDaaS and What IAM is Really About
Leadership Brief: Privileged Account Management Considerations - 72016
Leadership Compass: Identity Provisioning - 70949
Leadership Compass: Identity Governance & Administration - 71135
Leadership Compass: Privileged Access Management - 80200
Leadership Compass: Privileged Access Management for DevOps - 80355
Whitepaper: AI, Machine Learning and Privilege Access Management - 80120
Whitepaper: Privileged Access Requirements for Small to Medium Size Businesses (SMB) - 80123
Whitepaper: Understanding Privilege Access Management - 80302

7 Copyright

© 2022 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts AG, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.