Raw Posts

Where: https://www.reddit.com/r/msp/comments/rkvwyr/please_flesh_out_your_contracts/?utm_source=share&utm_medium=web2x&context=3

Question:

Background: Worked at an MSSP for around 6 years as Sales/Senior Technical Manager/Service Desk Manager. Currently working in Sr. IT Management for a bank.

No, I’m not looking for offers, just giving some general feedback. If you aren’t actually describing what you’re doing in your agreement, don’t be surprised if non-mom & pop shops don’t give you the time of day.

If your patching services just say “Managed patching”, what on earth does that mean? Are you patching endpoints, servers, Windows OS only? Does it include common 3rd party apps, how often are you patching, is there an SLA attached?

I get that being overly specific can be an issue, but having no specificity in your agreement makes it look like you’re hoping to get away with the absolute bare minimum and haven’t invested in your capabilities enough to provide transparency on what they are. As a potential client, that would make me very nervous.

Don’t write War & Peace, that’s annoying too, but if you’re providing “monitoring” what precisely are you monitoring? Are you just pinging it to see if it responds or are you setting up SNMP and ingesting logs for alert analysis?

Go read your agreement and pretend you’re an average IT Manager with no MSP experience and see how it reads. If you’re sticking with very small shop stuff, this definitely matters less, but if your potential client base has 30+ employees, don’t be afraid to give some detail…be afraid not to.

Answer:

Very well said! It’s important with contracts to understand the needs of your target client, be able to fulfill those needs and explicitly (and as simply as possible) dictate that in your contract; specificity is key!

Outlining mechanisms that are used to ensure compliance in areas such as HIPAA, PCI or even their cyber security insurance policy is paramount!

I.e. each tech with their own unique account to access each network/domain, with regular password rotation.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1297340990772134/?checkpoint_src=any

Question:

Let’s be real, you cannot prevent all hacks, because new ones are being created every day. The hackers are getting better and their tactics are evolving and growing in severity.
So, how do you keep up?

Answer:

Most data breaches and hacks are still social-hack based.
Good foundational practices such as not sharing passwords and frequent password rotations go a long way, and automation of foundational practices takes the inconvenience out of these best efforts.

Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1297372437435656/

Question: I have a prospect who says that he will just pay the PCI non-compliance fee and that will resolve the issue of not being PCI compliant. I do not believe this is true but would love it if someone had resources I can direct him to, to show him this. Any relevant article anyone cares to share?

Answer: The issue of being PCI compliant is more about being safe with people’s CC information. Have you found out what parts of PCI compliance he is against doing? Are you sure that you want him as a client? Will you be doing your part in him being PCI compliant (not sharing admin accounts, etc.)?


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1303353883504178/

Question:

So I got into Apple Business Manager and have a question: is there a way to see and control client ABM accounts as an MSP?
I’m thinking about how Apple requires a cell phone number for MFA, resulting in the need to create an admin account for each tech that needs to perform admin tasks on client ABM accounts…

Answer: I understand it can be cumbersome, but to follow best practices, you really should have admin accounts for each tech. Thoughts?

Right. So each tech would have an account on our tenant, and we could grant them admin access to the client’s tenant, akin to Microsoft 365 delegated admin.

Whatever the mechanism, delegation or separate accounts, maintained manually or by an automated tool (I will shamelessly plug TechIdManager even though it is Microsoft based), a unique account for every tech on every domain is the right way to go.


Where: https://www.facebook.com/groups/itmsp/permalink/1117061965700945/

Question:

Passportal is down… again!!
Cannot take much more of this. It brings productivity to its knees.

Answer: TechIDManager is downtime tolerant.


Where: https://www.reddit.com/r/msp/comments/rxpwqf/named_accounts_and_customers/?utm_medium=android_app&utm_source=share

Question:

Named Accounts and Customers


With the growth of our staff, we are struggling to maintain named accounts in all the respective AD domains. Most of the time we are using a generic login (bad, I know) and rely on IT Glue for auditing. This is of course not foolproof but is better than nothing.

Some customers want us to use named accounts, and we oblige. But with a force of 40 technicians, this is really cumbersome to maintain. How do you manage this?

I have seen something like IDSync (https://www.idsync.com/ad-to-ad-identity-synchronizer-software/) but after watching their video with 90s PowerPoint and low-quality sound, I am afraid of their capabilities. The problem with this kind of tool is that they are given the keys to the kingdom. So it needs to be reliable and respected.

There are also other ways, like CyberArk, but then we lose the integration with Take Control from N-Central AND we have to have an RDS connection to the customers, which is also not preferable.

Answer: TechIDManager answers this! Automated, secure, downtime tolerant.


Where: https://www.reddit.com/r/sysadmin/comments/s29g6q/any_tool_known_by_anyone_that_can_act_as_a_hub/?utm_source=share&utm_medium=web2x&context=3

Question:

Any tool known by anyone that can act as a hub for logging into different client portals?


Title is a little vague, but there was no way to easily describe this.

I am not sure if anything out there exists, which is why I am coming to you all.

BUT, my goal is to find an application or a better workaround to having to log into, let’s say, 3 different O365 Admin Portals.

Right now, I work for an MSP organization and we have many clients with many different setups. Being that there is an endless number of different logins for each web portal, I have to constantly have a few different browsers open in private tabs to work the most efficiently. I have an issue that when I go into a browser normally and open up, let’s say, portal.office.com, it will prefill and whatnot, so I have to log out and back in. Oftentimes I find that if I click to navigate to, let’s say, the security or compliance areas of the portal, it will go there but I will be signed in with an account that I was previously working with.

I need a better way to keep these separate so that I will not run into that issue, especially because oftentimes I am working on many clients at once, being signed into a bunch of different portals.

I am typing this quickly as it’s midday here but wanted to write it down before forgetting. Feel free to ask any questions.

Thanks!

Answer: TechIDManager can help you with this by automating and predicting what credentials you need as you need them and injecting all of your login information where you need it.


Where: https://www.reddit.com/r/sysadmin/comments/s2jbu4/server_admin_account_access/?utm_medium=android_app&utm_source=share

Question:

Server admin account access


Hi,

I’m trying to put some best practices in place for logging onto servers. Currently it seems admins log onto servers with their standard account, which is a domain admin. This doesn’t sit right with me; I want to implement having server accounts for server admin tasks. First off, logging into the server in the first place, and then being able to do tasks like reboot after updates etc.

Is the best way for this to create a security group of server admin users with standard non-domain-admin accounts and make them a part of the local admin group on the server?

Appreciate any advice on the best practices for this.

Answer:

Accounts with admin level permissions shouldn’t be opening emails or surfing the web or clicking on invoice PDFs.

In my opinion, best practice would be to have 2 accounts for people with the need to log in to servers and to do admin stuff. One account has only basic user privileges (email, web, etc.); the other account is what they use when they need to log in to do admin stuff. The admin accounts for each person do not have email or other stuff that would allow the person to use the admin account all the time. The admin account is JUST for admin stuff. There should be two different security practices for the two different accounts. The admin account can even be managed by PAM tools to make it more secure.

I hope you find this useful! I enjoy that we all have different takes on how to solve an area of pain.


Where: https://www.reddit.com/r/sysadmin/comments/s334oq/managing_multiple_servers_credentials/?utm_medium=android_app&utm_source=share

Question:

Managing multiple servers credentials

How do you guys manage multiple servers with multiple users, internal and external? We use Excel but there has got to be a better way to manage this.

Answer: TechIDManager would be a better way x1000. TechIDManager first and foremost would give you the security that using Excel is missing. TechIDManager would also organize and automate a lot of your processes in account creation and management.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1312217609284472/

Question:

How do you store your customers’ confidential information like admin credentials, in order to keep it safe but also available for your team?
I would like to give my team access to that info but be able to track and log when, what and who consults it.

Answer: TechIDManager provides you with a secure way to manage admin credentials with traceability and reports.


Where: https://www.reddit.com/r/cybersecurity/comments/s64v39/is_there_an_interoperability_movement_for/?utm_medium=android_app&utm_source=share

Question:

Is there an interoperability movement for password management across the web?


Tl;dr: Scroll down to the list of discussion questions at the bottom of the post. If you’re interested, perhaps read the rest of the post.

Back in the day, I worked with orcid.org to provide unique digital identifiers to academic researchers. The big idea was to provide some standard for the interoperability of different institutional funding bodies and publishers of science. In a similar vein, I now think that all businesses which collect personal information on users and allow them ownership over their accounts should follow an interoperability standard that specifies how users can programmatically modify and update their credentials.

The pain point that I seek to eliminate with the above proposal is our inability to change each and every unique password that we own, for each and every login name we control, on each and every domain that we’ve signed up for, in a simple and timely fashion.

What I believe we would benefit from is the ability to change all of these passwords to new unique passwords on some regular basis or on demand without needing to manually login to each and every domain and fiddle around with their unique UIs.

One of the biggest benefits that I can see with this approach is that the surface of unknown/unpublicized replay attacks on compromised domains would be decreased (depending on the regularity of a user’s password changes). Also, having such a programmatic way to change many site passwords in a timely fashion would encourage more people to use unique strong passwords across the entire web.

As I see it, the hurdle to such a service is that different domains currently do not follow a common standard that would allow for changing passwords for individual users, and they have no reference implementation to follow even if they did see the benefit to doing so. In short, there is no end-user password management interoperability across the web, and I believe the time is ripe for creating one.

Based on these ideas, I have the following questions for the professional cybersecurity redditors:

  • Is there already a movement that pushes for password management interoperability across the web?

  • Is password management interoperability something that businesses would adopt? Or are there incentives against adopting such a thing?

  • What are the pros/cons of starting such a movement?

p.s. I work in the related field of SRE, but I’m not a cybersecurity professional myself.

Answer:

My suggestion isn’t for end user clients, but I believe TechIDManager solves what you describe for techs in an MSP: it creates unique IDs for every tech across every unrelated client domain, does so in an automated fashion and rotates passwords either on demand or every 24 hours.

I am affiliated with TechIDManager but it’s worth a look!


Where: https://www.reddit.com/r/sysadmin/comments/s665np/what_is_the_best_password_manager_for_medium/?utm_medium=android_app&utm_source=share

Question:

What is the best Password Manager for Medium Sized Business?


Greetings,

I am tasked with finding a password manager for our IT department of about 10 individuals. Currently we use KeePass and it gets the job done, but we are looking for something where we can segment and audit the passwords a bit better. A few requirements are:

  1. Sync with AD (LDAP)

  2. Be able to set permissions to certain passwords so specific people can access them

  3. Be able to see what passwords someone accessed in a set amount of time (possibly through a report)

  4. Self Hosted

Doing some research I really liked Thycotic’s product until we saw the price tag. Unfortunately the free product is too limiting for the amount of passwords we have.

Anyone have any recommendations?

Answer: Check out TechIDManager! It does all that and is automated with routine password rotations. It creates a unique ID for every tech across every unrelated client domain.


Where: https://www.facebook.com/groups/CharTecMSP/permalink/1026137314616698/

Question:

What do you use to manage critical passwords?
We used LastPass but it reveals the actual password to the user in Google Chrome.

Answer:

Piggybacking on what Justin Swall mentioned about not sharing access to passwords: you want a unique account on every domain and, ideally, a management tool that creates and generates credentials that rotate every day: TechIDManager.


Where: https://www.facebook.com/groups/mspunleashed/permalink/648491609841353/

Question: What was one purchase or subscription that changed the way you work or operate?

Answer: TechIDManager: completely eliminates the need to share privileged credentials. Easily creates unique accounts for every tech, on every domain, with automatic password rotation.

Q: Has anyone done some digging into their security posture? Do you have a good link/URL for reviews or more info?

A:

a.) They are a startup with an exciting product.
b.) The product itself has 3 pieces, each of which has been carefully thought through. I could go into detail, but not sure how much you want yet!
c.) They are actively going through due diligence with a few compliance consultants.

Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1295730234266543/

Question: What things would you like to improve next year for your business and customers?

Answer: Move completely away from sharing admin passwords.


Where: https://www.facebook.com/groups/allthingsmsp/permalink/4871051766250493/

Question: What are the 4 best MSP tools you think all MSPs should have?

Answer:

The best tools are the ones that automate and improve processes the most.
TechIdManager automates and improves PAM. PAM is one of the most difficult processes to automate.

Where: https://www.reddit.com/r/msp/comments/rw6ic9/as_a_msp_what_new_technologies_are_you_talking_to/?utm_medium=android_app&utm_source=share

Question:

As an MSP, what new technologies are you talking to customers about in 2022?

We are brainstorming what marketing topics to push out in 2022 (via newsletter/blogs/emails/Lunch and Learns). I do the marketing for a small MSP in western PA and I’d really appreciate any help (my boss hasn’t loved anything I’ve suggested yet..)

Answer:

With cyber insurance also likely comes added compliance by the MSP (not a bad thing). Sharing passwords could result in coverage being denied. Each tech needs their own unique account on every domain to be compliant with HIPAA and PCI and to ensure cyber coverage will be validated.


Where: https://www.reddit.com/r/sysadmin/comments/s6ankd/best_practices_for_privileged_accounts/?utm_medium=android_app&utm_source=share

Question:

Best Practices For Privileged Accounts

Is it best practice to assign each IT administrator their own account to be used for administration tasks (separate from their “personal” unprivileged account)? Do you assign them by position, say seniorsysadmin, juniorsysadmin, networkadmin, etc., where the accounts stay in place even with employee changeover, with password(s) being changed after an employee leaves? Or is it better to create privileged accounts that are only in existence while that employee works here, e.g. billadmin, georgeadmin, sueadmin, and then disable/remove the privileged account upon termination?

Furthermore, what should happen to the Administrator account on the domain? Should this be enabled with the password hidden offline in a safe, for disaster response? Should it be disabled permanently? Our domain has GPOs to lock out any accounts that have several bad password attempts, but it does not lock out Administrator. If we ever have all accounts locked out due to attempted hacking, should there be an Administrator account or some other type of recovery account to get into AD to start unlocking things?

What about the Domain Admins group? Should this have full access to all the machines, PCs and servers? Should we NOT have a Domain Admins group, and perhaps have a PC Admins and Server Admins? Or should permissions just be assigned server by server? I don’t want to be in a position to lose access after some turnover, or because someone made a small mistake. However, I’m trying to review what is the best ransomware protection, in case a privileged account gets compromised.

Do pen testers and/or security auditors help find these vulnerabilities and help develop plans for the best practices for privileged accounts? Are there any books/classes/articles that take a comprehensive look at this subject?

Answer:

Each tech having their own ID for each domain and, like you said, that credential would be turned on/off depending on the tech’s employment status. That gets cumbersome without a tool to manage it. As far as I know, TechIDManager is the only tool out there that truly accomplishes this, securely.


Where: https://www.facebook.com/groups/ITBusinessOwnersGroup/permalink/4913980128660577/

Question:

Hey brain trust.
So we are rebuilding and repackaging our security stack.
What would you recommend we include or stay well away from?

Answer: Include TechIDManager for your techs’ access to your clients’ networks.

Q: How does it do with dealing with Azure domains and non-domained clients?

A: TechIDManager works with them through the agent you install.


Where: https://www.reddit.com/r/sysadmin/comments/s9dfap/admin_rights/?utm_medium=android_app&utm_source=share

Question:

I’ve been pulling admin rights from IT support staff’s main domain account and creating a dedicated admin account for when they are prompted for admin rights. One issue I’m trying to work out is when we use Windows Explorer to browse out to a server file share to adjust rights; now of course our main account that is used to sign into Windows doesn’t have rights to make a change.

What would be the solution, other than signing into the server directly with the admin account or into another Windows system as the admin to make the file share change? Running Windows Explorer as the admin doesn’t work. Thanks.

Answer: Creating a dedicated admin account for each of them individually. It’s becoming more of a common practice to have multiple admin accounts: one that has rights to domain controllers ONLY, one for servers that are not DCs, and finally one that has admin rights only to workstations. Trust me on this, it can save the day if you get ransomware’d and it gets one of the admin accounts. That way you’re only recovering one realm, like the workstations, instead of workstations, servers and DCs.
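As an added example (not from the thread and not part of any tool named on this page), here is a read-only PowerShell audit of the three-tier split the answer describes: each tiered admin group should hold only that tier's accounts, no account should sit in more than one tier or in Domain Admins while belonging to a lower tier, and, following the earlier answer on this page, an admin account should not carry a mailbox. The group names Tier0-DC-Admins, Tier1-Server-Admins and Tier2-Workstation-Admins are assumed placeholders; the script uses the ActiveDirectory module's Get-ADGroupMember and Get-ADUser.

```powershell
# Added example: audit a three-tier admin account split (DC / member server / workstation).
# Assumes the ActiveDirectory RSAT module and three tier groups whose names are placeholders.
# Read-only: it enumerates membership and reports violations; it changes nothing.
Import-Module ActiveDirectory

$TierGroups = @{
    'Tier0-DC-Admins'          = 'Domain controllers'
    'Tier1-Server-Admins'      = 'Member servers (non-DC)'
    'Tier2-Workstation-Admins' = 'Workstations'
}

function Get-TierMembership {
    # Returns a hashtable: SamAccountName -> array of tier groups the account belongs to (recursive).
    $membership = @{}
    foreach ($group in $TierGroups.Keys) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                       Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Cannot enumerate $group : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if (-not $membership.ContainsKey($m.SamAccountName)) { $membership[$m.SamAccountName] = @() }
            $membership[$m.SamAccountName] += $group
        }
    }
    return $membership
}

function Find-TierViolations {
    param([hashtable]$Membership)
    $violations = @()

    # 1. One account in more than one tier defeats the split: compromising it crosses tiers.
    foreach ($acct in $Membership.Keys) {
        if ($Membership[$acct].Count -gt 1) {
            $violations += [pscustomobject]@{
                Account = $acct; Issue = 'Spans tiers'; Detail = ($Membership[$acct] -join ', ')
            }
        }
    }

    # 2. A Tier1/Tier2 account must not also be a Domain Admin (that silently makes it Tier0).
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    Where-Object { $_.objectClass -eq 'user' } |
                    Select-Object -ExpandProperty SamAccountName
    foreach ($acct in $Membership.Keys) {
        $lowerTier = @($Membership[$acct] | Where-Object { $_ -ne 'Tier0-DC-Admins' })
        if ($lowerTier.Count -gt 0 -and ($domainAdmins -contains $acct)) {
            $violations += [pscustomobject]@{
                Account = $acct; Issue = 'Lower-tier admin is in Domain Admins'; Detail = ($lowerTier -join ', ')
            }
        }
    }

    # 3. Admin accounts are for admin work only: a mail address suggests a daily-use account.
    foreach ($acct in $Membership.Keys) {
        $u = Get-ADUser -Identity $acct -Properties mail
        if ($u.mail) {
            $violations += [pscustomobject]@{
                Account = $acct; Issue = 'Admin account has a mail address'; Detail = $u.mail
            }
        }
    }
    return $violations
}

$result = @(Find-TierViolations -Membership (Get-TierMembership))
if ($result.Count -eq 0) {
    Write-Output 'No tier violations found.'
} else {
    $result | Format-Table -AutoSize
}
```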


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1317117678794465/

Question:

Average medical malpractice insurance is around $7,500 per physician/year. Surgeons pay between $30,000 – $50,000/physician/year.

MSP insurance (E&O / Cyber) is heading in this direction. This will have dramatic impact on MSPs. It will require adjustments to how clients are charged. It will require proof of cybersecurity safeguards to be in place for both the MSP and clients, it will require strong Managed Service Agreements (MSA) that limit liability. It may require clients to have insurance to limit an MSP’s liability.

Insurance will dramatically change the MSP and SMB landscape. This will happen sooner rather than later. The time to start planning for this is now.

Examine your pricing strategy.

Examine your MSAs.

Examine your security requirements for your MSP and your clients.

Examine cyberinsurance requirements for clients.

Be out in front of this and don’t get steamrolled.

Answer:

One of the more fundamental areas of security requirements you will see applied to insurance, PCI, HIPAA, and so on, is (your techs) not sharing admin identities and passwords.

We are already seeing this with insurance underwriters putting hard limits on how much they will cover for cybersecurity breaches. The challenge this creates for a lot of SMBs, including ones in our portfolio, is they simply can’t afford the cost of upgrading systems and adding hardware necessary to protect their environment but they can’t afford to run their business without the technology that is putting them at risk. We are working on cloud solutions for as many things as possible but our clients don’t have reliable enough broadband in some areas to make this always feasible. I’m afraid this is a problem that will get much worse before it gets better.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1320546658451567/

Question:

Here are the cruel facts if you are an MSP.

Your clients can have a data breach or be a ransomware victim if one of their employees makes a mistake.

Your client can be a ransomware victim if the RMM tool you deploy is compromised.

Your client can be a ransomware victim if the NAS or SAN you deploy is compromised.

Your client can be a ransomware victim if one of your techs misconfigures a firewall, RDP or any other piece of technology you deploy at a client.

The risks are incredible and all MSPs need to ensure they are protected if one of these events happens. In some of these cases it is not your fault but you will be forced to defend yourself.

Every MSP needs E&O and cyberinsurance. Every client needs cyberinsurance.

MSPs need to minimize risk through managed services agreement contracts as well as insurance. Insurance is a must for both sides of this equation: MSP and clients.

Insurance carriers will require insurance for your clients as well as strict MSAs. Now is the time to start preparing.

Thoughts?

Answer:

One area an MSP does not want to get stuck defending is their techs’ access to the client’s privileged domains; PIM is not a PAM solution. Using one of the many password storage tools out there to have a sense of security, only to have techs sharing the identity and password, still counts as “sharing” when it comes to HIPAA, PCI and insurance (among others).

To be compliant, and to rest easy about the method by which your techs are accessing your clients’ administrator accounts, each tech needs to have a unique ID for every domain and network (nothing shared).


Where: https://www.facebook.com/groups/ITBusinessOwnersGroup/permalink/4973784856013437/

Question: Starting 4/12/22 Bitdefender GravityZone will enforce 2FA and they only support an Authenticator App. We currently use a shared login for our support team; how are you going to handle the transition?

Answer:

By not using shared logins.

TechIDManager is a solution if it seems untenable to manage separate credentials across several unrelated domains.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1325193771320189/

Question:

Greetings all. We are struggling to keep up with all the different accounts that require SMS based 2FA. All too often it ends up configured on a single tech’s phone and we do a painful scramble each time another tech needs to access that system.

Thoughts?

NOTE: This is not about regular Google Authenticator or MS Authenticator authentication. This is about systems that only support SMS based two factor authentication.

NOTE 2… This is in Canada. Canada does have different SMS laws than the USA. Canada and the USA are pretty strict in regards to SMS automation.

I’m talking about some random web software solution that we have an account on for our clients or ourselves. It could be for just about anything. We have multiple staff members that may need to log in periodically when backing up someone else in their role. One login to the website, with any number of team members that may need to work on this system. Setting up a login for the 20 different techs isn’t remotely efficient. And the only option is SMS messaging. If this was OTP 2FA, we’d just use ITGlue and it works perfectly.

Answer:

One account per tech is the way to go. We do not allow shared accounts unless it’s absolutely not possible to do individual accounts.

Use a PAM tool like TechIDManager that facilitates shared accounts securely when you must have shared accounts. This PAM tool should only give those authorized access to these accounts, the credential and password. The tool should use Zero-Visibility storage for all credentials. This means the private keys needed to decrypt a set of credentials only exist on the computer of the tech who owns the account. Your tool’s staff should never have access to these keys and thus can’t decrypt any of your passwords.


Where: https://www.reddit.com/r/msp/comments/sbsl4p/best_cybersecurity_compliance_framework/?utm_medium=android_app&utm_source=share

Question:

We’re an MSP with about 9 techs and 3 support staff located in Canada with a strong healthcare focus. Cyber-insurance is cracking down hard and I’ve been tasked with meeting all of the insurer’s compliance requirements. Simple enough; however, I would like to get ahead of the curve and start the process of moving towards a compliance standard, so if we ever need to meet one, or would like to just advertise we are “X” compliant, we can.

What framework would you recommend that would not cost an arm and a leg to get audited, and that is an overall reasonable solution to begin to move towards?

Is it a clear violation if the shared account has MFA and rotating password and access to those requires unique accounts and is logged and auditable?

Any input would be welcome!

Answer:

Personally, I think CIS (https://www.cisecurity.org/controls/) is the “best” standard, because:

  • It’s a lot easier to understand than other frameworks

  • It’s industry-neutral (unlike HIPAA, etc.)

  • It’s a lot more specific (unlike NIST CSF)

  • It’s administered by a non-profit (unlike HITRUST)

  • I’ve found it’s a lot easier for business people to understand, especially the maturity scale

However, the “best” standard is going to be the one that supports your commercial goals, meaning:

  • If you want to work with healthcare companies, you need to do HIPAA (or PHIPA in Canada)

  • If you want to work with government manufacturers in the US, you need to do NIST 800-171

  • If your clients are asking you for an audit to prove you have your shit together, you’d need to do a SOC 2 audit

  • etc.

Clients sometimes ask us about ISO 27001. We definitely see more demand for SOC 2 in the US instead of ISO 27001. However, I think it’s the other way around outside the US. Not sure about Canada.

If I were at an MSP looking for a general, industry-agnostic framework to start moving up the maturity scale, I’d first pick “whatever our clients are telling us we need to do.” If that’s not an option, I’d pick CIS.

When it comes to techs accessing client accounts…

I’m not versed in Canada’s parameters for protected health information but I assume it is a lot like it is in the US. And in that case, when it comes to your techs’ access to your clients’ admin accounts, you will want practices in place that truly are a unique account for each tech on each client’s access point(s). Shared in any way (at least in the US) would be a violation.

HIPAA is a framework with many options. The best practice is a unique account for everyone with MFA directly on the client site.

It sounds like you are talking about a compensating control situation. As I understand it, it would not be a clear violation but it would be left up to the auditor to accept that the use of a shared admin account with an external audit log is ok.

I can’t imagine being in a deep technical discussion with a HIPAA auditor after a breach where everyone is looking for someone to blame and trying to defend the choice to use a shared admin account when the best practice is unique accounts and I don’t know how it would go. If there is documentation of a case out there that shows how an auditor ruled in that sort of situation, I’d love to read it!


Where: https://www.reddit.com/r/sysadmin/comments/segwcm/2_factor_for_internal_admin_access/?utm_medium=android_app&utm_source=share

Question:

2 factor for internal admin access


I’ve got several clients going through their cyber insurance renewal period. One of them (Travelers) is requiring 2 factor auth for internal admin access to servers/routers/network backup. So to be clear, they want verification that if we’re already inside the network we also need to 2 factor authenticate to access the domain controller, router, NAS, etc.

Are y’all encountering this? This is a small business environment (less than 20 users), construction industry, so nothing super sensitive data-wise via stored PI or PCI compliance requirements. Just seems a little overkill to require so much 2 factor internally.

Answer: If you manage these accounts with a PAM tool such as TechIDManager, the tool will do all the work for you while meeting the security requirements from insurance and your client.


Where: https://www.reddit.com/r/sysadmin/comments/sha1lu/considerations_for_pam_solutions/?utm_medium=android_app&utm_source=share

Question: Going to be doing a POC for a few PAM solutions (CyberArk, Thycotic). Looking for major “gotchas” to keep an eye out for, specifically any hidden risks? Our needs (at least for today) are simple service account password rotation and potentially some higher level cred vaulting.

Answer: TechIDManager, as a tech solution, uses RSA encryption.


Where: https://www.reddit.com/r/sysadmin/comments/sitssi/get_it_right_from_the_begining/?utm_medium=android_app&utm_source=share

Question:

I’m gonna make this one quick since I’m still at work.

So I work for a new hotel chain. They currently outsource all of their IT stuff to multiple vendors; almost nothing is handled in-house. This is all about to change.

So I went to my boss with the idea of an internal IT department and they’re all go! We are in the midst of planning now. Now I’ve never run an IT department before nor have I even worked in one, that’s besides the point I understand I am being thrust into the deep end, but I have support.

Since reading others’ customer horror stories on here, how do I stop the bullshit before it starts? What rules should I be setting so everything that’s electrical doesn’t become my team’s job?

Answer: What about a co-managed situation with an MSP?


Where: https://www.reddit.com/r/sysadmin/comments/sjjxem/active_directory_security_best_practices_in_2022/?utm_medium=android_app&utm_source=share

Question:

Active Directory Security Best Practices

The password recommendation is utterly outdated. 42 days password max age? Enforced complexity? Science does not agree with you. See the Microsoft Identity Protection team’s recommendations here: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Implement MFA and never deal with rolling password resets again.


Answer: There is no question that MFA is a tremendous step in the right direction but I wouldn’t describe it as an end all.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1325193771320189/

Question:

Greetings all. We are struggling to keep up with all the different accounts that require SMS based 2FA. All too often it ends up configured on a single tech’s phone and we do a painful scramble each time another tech needs to access that system.
Thoughts?
NOTE: This is not about regular Google Authenticator or MS Authenticator authentication. This is about systems that only support SMS based two factor authentication.
NOTE 2: This is in Canada. Canada does have different SMS laws, as does the USA. Canada and the USA are pretty strict in regards to SMS automation.

We use Google Voice as well for all our techs to share. It can even be set up on their phones, and you can set up SMS to email from the Google Voice settings so you get those SMS via email to a shared mailbox.

Answer: Sharing MFA invalidates a lot of the security measures you are attempting to implement. 


Where: https://www.reddit.com/r/sysadmin/comments/som699/current_job_keeps_all_passwords_in_plain_text/?utm_medium=android_app&utm_source=share

Question:

Current job keeps all passwords in plain text


Hey guys, just started a new job that pays $80,000 with Jr. in the title. It’s a full blown sysadmin job, so that was a little weird, but I persevered. Just started extremely recently, and having a bit of a conundrum on deciding what to do.

First day I’m introduced to most of our infrastructure; most of it is in the cloud, which is great. I then get shared the dreaded link: an Excel spreadsheet that contains all users’ passwords and emails. It was set up this way so it can all be handled remotely. My trainer saw my eyes turn to dinner plates and he tried to reassure me. I then got hit by another one: all users are local admins on their PCs since the main software requires it.

We also don’t have any file servers and host everything in SharePoint. SharePoint can suck my nuts if I’m being completely honest.

I’ve been non-stop thinking about it for the last few days. I’d like to know what other people would do in this situation. To be honest, I really wanted an environment where I have more control, but this seems ridiculous.

The spreadsheet scares the ever living crap out of me. I asked if there was any way to change that and was told no. Would you stay in this situation?

Answer:

Have you inquired why the spreadsheet situation is unamendable?

Would educating the right person in the right way help change your spreadsheet predicament?

On the surface it looks like they have hired you with the intention of being at a higher level than a help desk employee. It’s not really a good situation to put you in a high role but treat you like the next entry level position.

If you are up for the fight in earning a change in perspective, you should come armed with reasons why they are in need of switching their practice of storing credentials in spreadsheets, along with viable solutions. TechIDManager is one of those viable solutions.


Where: https://www.reddit.com/r/msp/comments/sqj9su/any_cloud_password_managers_with_an_api_that_let/?utm_source=share&utm_medium=web2x&context=3

Question:

Any cloud password managers with an API that let you create password records?


I’m on the hunt for something that will allow this.

So far, I’m finding CLIs (LastPass, Bitwarden, Keeper), or APIs that require a connect server (1Password), or only self-install.

Just looking for some options that I might not be seeing.

Answer: You should take a look at TechIDManager. It can do this and a whole lot more.


Where: https://www.reddit.com/r/msp/comments/t0dkzh/myki_stops_services_by_april_10th_2023/?utm_medium=android_app&utm_source=share

Question:

MYKI stops services by April 10th 2023


Just received this email. Wow. That is a short timeframe to act on. ————

We Got Acquired! What You Need to Know.

Today is an exciting day for the team here at MYKI! We are delighted to announce that JumpCloud has acquired MYKI’s technology and team. This is a new chapter for us as we turn our MSP know-how, engineering talent, and our technical expertise towards enhancing the JumpCloud platform to deliver superior security, ease of use, and value to both MSPs and SMEs.

What Will Happen to Existing MYKI Products? After careful consideration, we have made the difficult decision to discontinue our existing products: the MYKI app and extensions, MYKI for Teams, MYKI for MSPs, as well as GUARD by MYKI.

While we regret any inconvenience this announcement may cause, we are confident that this is the right course of action to enable the MYKI team to focus on building our next chapter.

We are committed to making this experience as frictionless as possible for you. For that reason, the MYKI platforms will remain fully functional until April 10th, 2022, to allow you ample time to export your data. We have put together an article that you can access here to guide you through the export of your personal, company, and customer data from MYKI in order to import it into other solutions.

We strongly encourage you to do so as soon as possible to avoid any last-minute difficulties. On April 10th, 2022, we will remove our apps and extensions from their respective stores, turn off our platform servers and delete any data stored on them.

What About Paying Customers? For our monthly paying customers, you will no longer be billed starting today and will maintain access to your vaults until April 10th, 2022. For our yearly paying customers, we are ready to issue refunds on a prorated basis for the remainder of your subscription period. To inquire about a refund, email us at info@myki.com and we will work with you on issuing your refund.

Will the MYKI Team Join JumpCloud? MYKI’s founders, leadership, as well as most team members will join the JumpCloud organization to help carry the vision forward.

Who is JumpCloud? JumpCloud is a US tech company with a global footprint. The JumpCloud Directory Platform centralizes the management of user identities and devices through SSO, MDM, MFA and more, enabling small and medium-sized enterprises to adopt Zero Trust security models.

JumpCloud® has a global user base of more than 150,000 organizations, with more than 5,000 paying customers including Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. JumpCloud has raised over $400M from world-class investors including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian, and CrowdStrike.

You will be receiving multiple emails over the course of the next 45 days to remind you to take the appropriate steps to export your data securely onto other platforms. Until then, we want to thank each and every one of you for choosing MYKI and growing with us as a company. We are confident that you will encounter our products again in the future albeit under a different shape or form.

Does anyone know which product does NOT store data in the cloud? Myki used syncing between devices, so data was always stored locally and always available.

Answer: TechIDManager only uses the cloud to rotate passwords, so data is never in jeopardy of being unavailable. Further, there are both cloud and self-hosting options.


Where: https://portal.thetechtribe.com/community/index.php?/topic/11421-anyone-else-blindsided-by-the-myki-announcement/

Question:

Just had the alert through that Jumpcloud have acquired MYKI and have decided to discontinue the MYKI application and extension. I’ll post the email below but basically;

  • You won’t get billed anymore from today
  • You’ll have access to your password vaults up until April 10th 2022
  • After April 10th the app will be removed from the Apple/Play stores

How do you handle cloud-only clients (M365 or Google Workspace)?

Do you have anything for LAPS?

Answer:

You might want to consider looking at TechIDManager, where we solve what Myki does on the tech side. Biasedly (I do work for Ruffian Software/TechIDManager), I believe we do it in a much better way, both in execution and from a security standpoint; we believe every tech should have their own unique account on every domain.

LAPS, yes.

Our Azure piece is in beta testing right now and our developer believes it will do M365 management, but I won’t speak authoritatively on that yet.



Where: https://portal.thetechtribe.com/community/index.php?/topic/11431-creation-of-tech-workers-named-accounts/

Question: Creation of tech workers named accounts

As we are moving into the larger client space, we see that clients (rightfully) want us to use Named Accounts to deliver support. For the day-to-day tickets this is doable, as they are named in the ticket. But whenever an engineer needs to log in to the customer environment, he also needs a Named Account.

With over 30 techs, this is almost impossible to maintain. We are now limiting the amount of people that can help a certain client. Which hinders the SLA, flexibility and is a pain-in-the-*** for resource planning.

How do you cope with this? I am looking for something that can create Just-In-Time admins to do what is needed. Any ideas?

Answer:

You might want to consider looking at TechIDManager, where we have a tool that creates a unique account for every tech, across all unrelated domains. Further, you can stratify domains and permissions to fit what each tech has access to. The automation we do this with really alleviates how untenable it would be to try to accomplish this in the MSP setting otherwise.

I am probably a little biased, working for Ruffian Software/TechIDManager but this really does solve a need in our space that isn’t properly being solved from both a security and sustainability standpoint otherwise!


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1338925893280310/

Question:

My shop was a Myki shop until they dropped the news yesterday that they are shutting down effective April 10 – and we have until then to be moved into another product. 


So, I’m evaluating several and am down to:

LastPass (waiting on their sales)

Keeper (currently doing a trial, doing a formal demo Wednesday)

Password Boss (currently doing a trial, did demo yesterday, follow up coming on Wednesday)

Bitwarden (waiting on their sales)


I want to have a decision made by Thursday.


My first impressions of Password Boss were really good. I like the way backups work. I like the way we can enforce various policies such as the ability to force credentials with our domain name in it in the vault. So far, support has been reasonably good – but that could be them trying to bait us in. I like the import process. I like the plugin setup process. I like the way tenants are managed. However, I have seen several negative remarks in this group indicating that it can be buggy. I would be interested to know what people have experienced.


My first impressions of Keeper, absent a demo, are pretty let down. I think it’s a bit awkward the way we have to switch from our vault to management. I’m pretty disappointed with the lack of enforceable policies. So far as I can tell there doesn’t seem to be a ‘personal’ vault which it seems many of the others have. I don’t like how the plugin setup works – but that’s because I’m comparing it to others that seem much easier.

Answer: TechIDManager may be worth a look for your techs. It is a solution that provides every tech a unique account on all unrelated domains with automated management of their access.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1339841083188791/ 

Question: Anyone have a good replacement for MyKi

Answer:

For your techs, I recommend looking into TechIDManager. It’s an awesome tool for your privileged accounts.

ruffiansoftware.com


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1341515679687998/ 

Question: How is everyone handling managing multiple O365 / Azure tenants? Dealing w/ MFA on multiple clients w/ multiple employees (obviously) can be a hassle… There has to be a better / easier way… maybe something I’ve overlooked here? We are *considering* setting up an admin portal that has *all* clients in there for easier access, but – of course, that also comes with a big risk security wise, should it become compromised. Keeping companies separate seems the better route, but – of course, that’s a lot of MFA to deal with… Thoughts?

Answer:

For your techs’ access: TechIDManager (ruffiansoftware.com)

It is an automated solution that creates and manages a unique account for every tech across all unrelated domains.


Where: https://www.facebook.com/groups/mspsalesrevolution/permalink/947189499323700/

Question:

Is anyone else affected by Myki Password Manager being discontinued?

What tool is MSP friendly and what do you recommend?

Answer:

For your techs’ access: TechIDManager (ruffiansoftware.com)

It is an automated solution that creates and manages a unique account for every tech across all unrelated domains.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1342038252969074/

Question:

The next area we need assistance with is Technicians, specifically the level of access they have to 1) Your internal servers and 2) their company laptops.

I manage the servers and patching myself for all internal systems, i.e., DC, DFS, 3CX, and a backup DC acting as local backup server. Do you give your Techs full access to your servers and potential access to your HR & Finance files?

The Techs do not have local admin rights to their laptops, and they state this causes them difficulties, i.e., installing printers to test at client sites. What level of access do you provide, and also, how do you control what they can and cannot install?

Answer:

TechIDManager (ruffiansoftware.com)

It is an automated solution that creates and manages a unique account for every tech across all unrelated domains.


Where: https://portal.thetechtribe.com/community/topic/11634-cyber-security-stack/

Question:

Our current security stack consist out of:

  1. Office365 Emails and Sharepoint Backups
  2. Anti-Virus endpoint protection
  3. DNS web content filtering
  4. Email spam & virus filtering
  5. Huntress (detecting malicious footholds)
  6. Threatlocker

I thought this was a good setup! However, some clients that have cyber insurance come back to me asking if I can fill in the details of their current stack on the insurance proposal, and I come across the following items that I don’t (yet) cover.


  1. Continuous incident detection and response
  2. Host-based intrusion detection/prevention system
  3. Endpoint detection and response software
  4. Have and regularly test a business continuity plan
  5. Have and regularly test a disaster recovery plan

What are some of the recommended tools to be used for these items? It doesn’t look good telling the client, sorry we don’t support these 5 items. We feel like we need to catch up, and learn asap about tools that can help with these 5 points above.

Would love to hear anyone’s thoughts on how they are managing this part of the cyber stack.

Answer:

In regards to items #1 and #2, be sure to be thinking about how you are handling privileged accounts. Many forget to factor in secure PAM when considering intrusion prevention. Many cyber insurance providers are starting to add the requirement of unique accounts for this reason.


Where: https://www.facebook.com/groups/ITBusinessOwnersGroup/permalink/4913980128660577/

Question:

We are rebuilding and repackaging our security stack.

What would you recommend we include or stay well away from?

Answer: You should include a PAM tool that can offer zero-visibility storage so that only your techs can see their passwords and no one else. TechIDManager offers this.


Where: https://www.facebook.com/groups/1097606263748491/permalink/2101647993344308/

Question:

Anyone use Quickpass? We had a demo and liked it.

Any feedback would be helpful before we make the decision

Answer:

My concern with using Quickpass for tech access would be if you are sharing admin credentials among techs.

In all security frameworks, HIPAA, NIST, PCI, cyber insurance, the base requirement for proper security posture is a unique account for every individual.


Where: https://portal.thetechtribe.com/community/topic/11817-how-does-your-msp-practice-handle-client-ad-administrator-accounts/

Question:

How does your MSP practice handle client AD Administrator accounts

We’re bringing on our first tech hire and I’m wondering what best practices others find acceptable regarding logins to client AD networks? Keeping in mind that it’s simple to change Admin passwords with simple scripts in case of an employee leaving.

Do you:

  • Create a user for each tech on the client’s DC
  • Create one Domain Admin account and keep it in IT Glue
  • Use rolling passwords integrated somehow into IT glue
  • Other ideas

Looking forward to any ideas and practices.

Answer:

Consider looking at TechIDManager, where we have an automated tool that creates a unique account for every tech, across all unrelated domains.

Further, you can stratify domains and permissions to fit what each tech has access to. The automation we do this with really alleviates how untenable it would be to try to accomplish this in the MSP setting otherwise.

I am probably a little biased, working for Ruffian Software/TechIDManager but this really does solve a need in our space that isn’t properly being solved from both a security and sustainability standpoint otherwise!

Q: How does this work? Is it a full cloud solution? What happens when you are breached? Do we all have issues then?

Having a tool with that much “power” also requires some due diligence.

A: There are three pieces to the software and only one piece (the management console) possibly sits on the cloud (there is a self-host option).

This one piece that sits on the cloud never keeps the private key (RSA encryption), therefore it only holds encrypted information without a key to decrypt. The private key stays with the tech on their computer (within the techclient piece of the software they use).

We commonly say: we don’t keep keys.

Also, even though the management console sits on the cloud (assuming you do not choose to self host), TechIDManager is downtime tolerant, as there are only short periods of time each day that the management console needs to communicate with the other two pieces.

If it cannot communicate the changes it is compelled to make, the changes are just not made and the data needed to keep working is still with the tech client piece (on the tech’s computer).

Q: Do you guys have a cloud-only M365 solution yet?

A: Yes.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1354381271734772/

Question:

What’s the tools you are using in your MSP business?

PSA, RMM, CRM, Invoicing system, Password manager and others modern msp needs.

Answer:

An MSP with several techs needs a true PAM solution (not using a PIM solution as a PAM solution, or a password manager as a compensating control).

All security frameworks require that a login credential should only tie back to one individual.


Where: https://www.reddit.com/r/Datto/comments/t2pj77/password_manager_advice/?utm_medium=android_app&utm_source=share

Question: We have been using MYKI as our password manager, but we got the ‘closing doors’ email and are trying to find a replacement.

One of the major features we loved and our techs used all the time was MYKI mini, their auto type feature. What password manager do you guys use that has this ability on Datto web remote and Splashtop?

Any help is greatly appreciated.

Answer: TechIDManager is a great replacement for MYKI. TechIDManager works well with all software used to remote into your clients. With TechIDManager, you can inject your credentials into your login windows.


Where: https://www.reddit.com/r/sysadmin/comments/ta8nml/how_many_admin_accounts_do_you_have/?utm_medium=android_app&utm_source=share

Question: How many admin accounts do you have?

Hi,

Our department head is trying to find a way to restructure our domain admin accounts into 3 different level admin accounts with one of these admin accounts having MFA using a virtual smart card.

This was prompted by our cybersecurity insurance company saying we need our domain admin accounts to have MFA which is 100% reasonable.

Do you have more than one admin account that does specific tasks or do you have a single domain admin account that allows you to do all? I’m just trying to figure out if this is a good idea or not and if not how hard I need to push back on it.

Thank you! I greatly appreciate any suggestions/insight on this matter!

Answer: A PAM tool could help you with the security and organization that your insurance company is looking for. TechIDManager in particular can facilitate all of these things while keeping the manual human lift light.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1355857898253776/ 

Question: The White House gives guidance on how organizations should protect themselves to counter Russian cyberattacks.

MFA leads the recommendations. Training employees and monitoring the Dark Web for leaked credentials both make the list.

💬The list of steps that the White House says all US organizations should apply with urgency are below:

Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;

Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;

Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;

Back up your data and ensure you have offline backups beyond the reach of malicious actors;

Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;

Encrypt your data so it cannot be used if it is stolen;

Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and

Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.💬

Answer: They always miss the one they assume is being done: don’t share administrative credentials.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1360749684431264/

Question: For the people that are using IT BOOST for Documentation, where do you save the One-Time-Password, now with ITglue we keep them with the password, but IT boost does not have that option.

Answer: I would encourage you to explore what is meaningful about MFA. Putting OTP information in the same place as the username and password is removing what is meaningful about MFA. By putting all that information in one place it is easy to exfiltrate that information from a single location and break all that MFA is supposed to do to protect an account.

The most likely reason to put OTP with username and password is because that account is shared between people. People should not be sharing accounts, and definitely not sharing MFA between users.

Best practice for MFA is a different device/source for the MFA from the username/password location to ensure that information stolen from a single location is not sufficient to take over the account.

The proper solution is to have unique accounts and unique MFA.

If you really need to store OTP in a tool for efficiency, look at using TechIDManager where this privileged information can be protected by end-to-end encryption.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1361337074372525/ 

Question: Lame – right when I really need ITglue they are down!

Answer: TechIDManager is downtime tolerant.


Where: https://portal.thetechtribe.com/community/topic/12092-be-prepared-for-new-windows-device-level-mfa-requirements-by-insurers/

Question: One of the narratives that has to be addressed, in my opinion, is the thought process of the client decision maker. In their mind, we have always been able to resolve their issues and outages. Why spend additional money? Why invest in more security when I know, when the chips are down, they’ll fix the problem.

One of the most dangerous statements in the MSP world is, “just help them this one time“. It builds a narrative of responsibility on the MSP to resolve whatever happens with proper compensation and risk mitigation.

We work hard to help the customer understand Cybersecurity decision making is the responsibility of the business and we are to act upon that decision. The responsibility lies with them and hopefully the MSP is prepared to counteract that shift in ownership without compensation. The MSP can guide and recommend but that’s it.

In my experience, a hold harmless agreement that details both the decline of service and the detailed explanation of what protections they are missing and the potential exposures that decision creates. It’s also recommended to explain the financial components of an IR and remediation effort should one take place. Adding metrics related to the risk inherited is also important, if they can be located.

A hold harmless agreement can be a really difficult thing to present to a customer. It feels just… wrong… BUT it’s the best way to ensure you have protected yourself with a documented recommendation and refusal. These are incredibly valuable in litigation.

Answer: I have experienced conversations elsewhere where there was a desire for an all-encompassing hold harmless (meaning even when the IT entity knowingly chose to ignore something agreed upon in the security framework, they would not be on the hook).

I know the current focus has been on MFA but what about what comes before MFA? What about the admin credentials of the techs of an MSP?

A compensating control is not a mitigating control. It is meant to be a temporary situation until the proper mitigating control is available. Sharing admin credentials via a password manager is a compensating control. Assigning a unique account for every tech on every domain is a mitigating control. All security frameworks are clear that admin credentials are not to be shared.

I have seen several instances where IT entities have been deemed a “business associate” and been the responsible party when data has been compromised.


Where: https://portal.thetechtribe.com/community/topic/12092-be-prepared-for-new-windows-device-level-mfa-requirements-by-insurers/ 

Question: Ug….

This makes me sad.

How can we as a community “raise the tide” with regards to MSPs buying tools without knowledge? In the end that’s the root cause of this issue and many more in our space. MSPs buy tools to solve problems they think they have (and in some cases do have) and they don’t understand them OR the tools they are buying to fix them. They basically get sold.


I’m actually speaking around this at ITNS I believe – the original talk title was “MSPs get your shit together” but *shockingly* ConnectWise won’t let me swear in a talk title they have to publish.

Exporting 2FA secrets is a BIG security compromise concern. The issue is exactly as described above. The 2FA Secret, exported, is no longer tied to audit logs. Very strange.

Answer: I see several of you here in agreement that Threatlocker is not as secure as they make themselves out to be.

And then moving the conversation to using documentation tools to store/share credentials for admin access to clients.

I suspect this is a leftover of historic practice, or a slight modernization of what you have always done to make admin credential access tenable, but does it fall short when compared to major (or modern) security frameworks?

I would love to hear feedback on if you feel this is satisfactory to you when it comes to operating securely and with fidelity to security frameworks, specifically admin credential sharing (since these frameworks are clear that only one person should be connected/accessing one account.)

Response: It is not. But unless you’re gonna suggest something it’s a largely unsolved problem. We rotate passwords and vault them.

Answer:

I would love to suggest looking at TechIDManager, where we have a tool that creates a unique account for every tech, across all unrelated domains.

Further, you can stratify domains and permissions to fit what each tech has access to. The automation we do this with really alleviates how untenable it would be to try to accomplish this in a secure way, in the MSP setting otherwise.

I am probably a little biased, working for Ruffian Software/TechIDManager but this really does solve a need in our space that isn’t properly being solved from both a security and sustainability standpoint otherwise!

I would love to hear your opinion here on what you think, whether agreeable or disagreeable.

Response:

To expand on that a little. Not trying to knock a useful tool that fills a specific requirement for some.

There’s a real explosion of SaaS apps as I’m sure we’re all aware. The need to secure admin credentials for these, especially when most seem to lack multi-tenant management with SSO, is why storing and sharing passwords is not going away any time soon. 

If all of our techs have their own admin account for every client’s Airtable for example, at what point do we have an unmanageable number of admins per app, causing a different problem. 

At least with IT Glue and KeeperSecurity we can audit which tech accessed what password and when.

Answer: At end of the day, this method is still sharing credentials. While you are handling it with a compensating control method, the whole premise of a compensating control is to be a temporary solution until a true mitigating control can be in place. 

I’m not a fan of SSO 😔 Yes, a lot is done to limit access with “least privileged access” but if a hacker breaks into one internet facing account, there is a possibility for access to all the customer tenants that account has been granted. 

Response:

Agreed. It is the best of the worst options available to us as MSPs. Because of the explosion of SaaS apps, we cannot literally have every tech listed on every one of our customer’s many apps (that creates a bunch of other issues such as hitting the limit for admin accounts – and making it basically impossible to handle offboarding a tech if they leave the company).

I know some MSPs are helping clients get set up with SSO using Msft-AAD and Okta and other tools… which would be a true mitigating control. However, many apps don’t have SSO, or they have a hefty “SSO tax” – so it is not an option for all clients. Even if I were to put the heat on them and force them to switch every SaaS app to an SSO-supporting one, neither the client nor we would have the bandwidth to handle transitioning so many apps. It would take a year or more just for one client.

Therefore, the temporary turns into the semi-permanent, until we get a more unified digital identity system which becomes ubiquitous across internet-based applications and is supported by 90% of software vendors.

I have heard that point before and it is a fair one… (cough, cough, Okta)… However, the reason SSO is such a good method overall (I am sure the stats on this back me up) is that it reduces the account sprawl across so many services. Your average person these days has hundreds of passwords. It is completely impossible to know if those are all secure across an enterprise, and before you say “Password Managers” – those are great but subject to the same single point of failure as an SSO system.

Inevitably there will be a single digital identity used by each person for every work or school or personal transaction and that will be the ultimate SSO – verifiable on the blockchain with Quantum-grade security probably 😎

I really appreciate your perspective.

It’s all math at the end of the day…and I’m not a mathematician.  But breaking into an account that has JIT least priv access set, that is behind CA enforced MFA and/or passwordless, possibly using a FIDO hardware solution is monumentally less statistically likely than breaking into one account with a password and MFA alone. Also, keep in mind they’d have to also compromise the account that grants the elevated permission, assuming that option is set. We’re talking about probabilities that are hard to even comprehend. Does it mean that it’s impossible? No, nothing is. Does it mean that there aren’t other solutions? Of course not. There is not yet an empirically vetted industry solution that is considered standard. There is always a possibility of combining solutions. Those like yours sound very promising and would work well in concert. I just don’t yet agree that 5/10/100 separate accounts with weaker auth is demonstrably more secure in-total than one with proper auth in place. You see one breach gives access to 100 accounts, while I see 100 opportunities to breach. I guess it’s just a different perspective. You guys have been on my list of demos for a minute and I’d love to see it in practice. 

I want to like these sorts of tools, but I’m really wary of running ANOTHER agent on end user systems.

Answer:

This is one of the thoughts in mind when TechIDManager was created.

As I am sure you know, there are two choices for getting something to happen on a machine.

1. Connect to it and force it to do something. This requires open ports and something (standard or custom) listening on that port.
2. Something running on the machine reaches out and asks for information about what to do. This requires no inbound traffic and nothing open for a hacker to possibly exploit.

Our security model chose the 2nd approach because we believe it is more secure. This requires an agent to run on just the DC. The install is fully command line driven and meant to be scripted for each install/uninstall.

We don’t directly create accounts in SaaS apps or webapps.

We DO create local AD and AzureAD accounts that can probably be tied to SaaS apps for authentication. If authentication is done in this way, then every tech’s unique account is disabled with ONE button click when they leave and they lose access everywhere.

By creating a unique account in the AD (or AzureAD) for a client for each tech and then authenticating the SaaS app against that, you get all the benefit and all the convenience.

This is predicated on the types of authentication that the particular SaaS apps support, and is probably different for all of them.

Setting this up might require some work on the MSP’s part, but security is worth it. And the ease of offboarding a tech’s access is worth it.


Where: https://www.reddit.com/r/sysadmin/comments/txr0zy/smsbased_2fa_solution_for_our_office/?utm_medium=android_app&utm_source=share

Question: Our office shares login info for multiple websites. Oftentimes, 10-15 people will use a single person’s login info to access a given website. Most websites we use are antiquated, and they only offer SMS-based 2FA. We are getting really tired of texting the account owner to retrieve the 2FA SMS codes, so we are looking for a solution.

I have considered setting up a dedicated google voice number to receive these codes, but I would rather implement a solution like 1Password. Does anyone know if 1Password, or any other password management / 2FA software, has a solution for retrieving SMS-based 2FA codes?


Answer: They need their own accounts. This should stop being done. The reason you are having trouble finding a solution that allows you to share MFA for shared accounts is because both actions of sharing go against all modern security frameworks while both actions are meant to provide security.

Reply: That would be great, but it is not possible in this case. We have 20 clients with records stored on “John’s” account on Example.com. These records are only accessible through his account.

Answer: Using a PAM tool like TechIDManager could help you accomplish what you are looking for, whether it be unique accounts for every tech or secure shared LAPS accounts. Both would offer end-to-end encryption and passwords would be automatically rotated every 24 hours.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1367066280466271/

Question: What do you like for an MSP password management system? We were using Myki and really liked it, but they got bought and the new company shelved the product.

We really liked that clients had their own portal and access to everything as well as the MFA function.

Hudu has been great internally.

Answer: If you want an internal use solution that doesn’t rely on sharing credentials among techs (all modern security frameworks say that you shouldn’t), you should look at TechIDManager.


Where: https://www.facebook.com/groups/ITMSPBOG/permalink/1369499723556260/

Question: What service/s do you see a need for but can’t find a solution for, or where the current solution is inadequate?

Answer: Storing/sharing credentials for admin access to clients is something that is widely being done as a “compensating control.”

But it is not compliant with modern security frameworks; “accounts should not be shared.”

I know you said something that doesn’t have a solution, but I believe this is all worth mentioning since the compensating practice is so egregious and widely practiced.

TechIDManager is a tool that addresses the security shortcomings in an automated way.


Where: https://www.reddit.com/r/msp/comments/u1u8fz/how_do_you_manage_access_rights_at_each_customer/?utm_medium=android_app&utm_source=share

Question: How would you tackle the challenge at an MSP with this setup:

  • Internal + outsourced ServiceDesk
  • Several customers in different sizes
  • Credentials used include M365, network devices, local AD, SQL etc

The actual nightmare is to keep up with all the accounts, including the privileges and who has to access which systems. Using ‘global’ accounts is not an option since most customers require personal accounts for several reasons.

Role based groups could be one way, but the maintenance can be very risky considering 200-300 customer environments with all the possible systems and services they might be using.

There are some tools which can track what access a certain user has been using in a certain time period, but these tools would still miss a lot of things.


Answer: The challenge you describe—managing diverse credentials across multiple customer environments while ensuring proper access control—is precisely what TechIDManager is designed to solve. Here’s how it addresses your specific pain points:

1. Centralized Identity & Access Governance

TechIDManager provides a single pane of glass for managing all user accounts across M365, network devices, local AD, SQL, and more. It eliminates the complexity of manually tracking who has access to what, reducing administrative overhead.

2. Role-Based Access with Granular Control

While role-based groups can be risky due to constant changes in large environments (200-300 customers), TechIDManager offers automated role management that dynamically updates access permissions based on predefined policies, ensuring accuracy and compliance without excessive manual intervention.

3. Seamless Integration with Internal & Outsourced Service Desks

TechIDManager integrates directly with ITSM platforms, allowing both internal and outsourced teams to request, approve, and provision access without violating security policies or creating bottlenecks.

4. Personal Accounts & Customer-Specific Requirements

Many customers require personal accounts rather than global ones. TechIDManager enforces personal credential management while maintaining visibility over every user’s entitlements, ensuring auditability and compliance.

5. Automated Privilege Tracking & Compliance

Unlike tools that only log access events after the fact, TechIDManager proactively tracks and enforces privileges across all systems. It ensures that users only have the necessary permissions at the right time, reducing risks of excessive access.

6. Self-Service & Lifecycle Automation

With built-in self-service workflows and approval chains with just-in-time accounts, technician users can request access as needed, while automated provisioning and de-provisioning ensure that permissions are granted and revoked in a controlled manner.

7. Scalability for Large MSP Environments

Handling 200-300 customer environments manually is unsustainable. TechIDManager’s policy-driven automation scales effortlessly, keeping access control secure and manageable without constant human intervention.

Bottom Line

TechIDManager isn’t just another access tracking tool—it’s a complete identity governance solution that simplifies complex MSP credential management, ensuring security, compliance, and operational efficiency.


Where: https://www.facebook.com/groups/itocompass/permalink/3144219762506267/

Question: Storing clients’ passwords, account details, IPs, MACs, licenses etc. in an Excel sheet is not wise, and a password manager also won’t provide a clean interface for such purposes! What do you use for this purpose?

Answer: For your techs’ access, TechIDManager will answer your need to securely store and manage privileged credentials, using a clean and very searchable interface.


Where: https://www.facebook.com/groups/itmsp/permalink/1196317527775388/

Question: What stacks are you using to make a company PCI Compliant?

Answer: One area that an MSP needs in order to be PCI compliant is to not share admin accounts among techs.

So in that respect, most MSPs need TechIDManager to be a part of their stack to achieve compliance.


Where: https://www.facebook.com/groups/itentrepreneurship/permalink/1479079872506513/

Question: Looking for suggestions from those that work with MSPs. I’m looking to learn how you are managing access to customers’ environments. For example, access to their on-premise environment like servers or Active Directory, and cloud services like Office 365, Google Workspaces, etc.

Are you creating individual accounts for everyone in your team (level 1, level 2, level 3) or are you using generic shared accounts? For example if you help create user accounts for your clients how do you keep accounting on who is doing what?

One of the issues we struggle with is when someone leaves our team, having to remove accounts from all our client environments. It’s just time consuming and not easily tracked.

Answer: TechIDManager was specifically created to address all of these needs:

  • Managing access into your client environments
  • Through automation, creating unique accounts
  • Securely sharing accounts 
  • Documenting access
  • Being able to remove a tech from all environments with one click of a button

Where: https://portal.thetechtribe.com/community/topic/13081-thycotic-delinea-secret-server-anyone-using/

Question: My group has historically been almost entirely System Admins (sorry if you have heard me say this in multiple posts) and I am now building a Tier 0/1 help desk to resolve super low tier issues (think password reset, account creation, etc.). I expect the employees who fill these roles to be high turnover, not unlike any traditional call center. The difficulty is that I need to grant them some high level access to do scripted low level tasks like change passwords, create/modify AD user objects, etc. At present we use DUO to secure the environment, which works well, but we also use a single account for administrative privilege that has a password accessible via Keeper MSP password manager. Historically only System Admins were allowed domain admin rights at client sites, but now we are needing to give some elevated rights to low tier employees. Although all administrative access to client systems requires DUO MFA, which secures remote access, it doesn’t prevent the user from knowing the root password, which I am not fond of. It appears that Secret Server has the ability to change the password after a user logs in and creates a record of the user’s login (among other things). This seems like a good solution to layer onto our current security settings.

Question: 

  1. Anyone using Thycotic and your thoughts?
  2. Is there a better/secure way to grant elevated access to low skilled employees?
  3. I’ve been told that I am overthinking this and should just give access to my low tier employees and move on.  Do you agree?
  4. Do you use any other tracking software or solution such as ActiveTrak on low tier employee systems?

Looking for some advice as giving admin access to high turnover Tier0/1 employees is giving me night terrors and the occasional dry heave…


Answer: 1. Thycotic is an amazing enterprise solution but doesn’t address the multi-domain needs of an MSP.

2. I believe TechIDManager answers all of the needs you describe with very little effort

  • Giving low level techs low level access
  • Access reports

Techs using TechIDManager are assigned individual accounts on all (or as many as you want them to have access to) domains, and you have the ability to restrict their permissions to fit your needs.

You also have the ability to give and remove the tech’s access with one click of a button.

3. I don’t agree that you should grant them unfettered access and move on. You already said you assume this to be a potentially high turnover position. I know from reading some of your previous interactions, this idea probably goes against everything you are striving towards for your business. TechIDManager really does solve a need in our space that isn’t properly being solved otherwise, from both a security and sustainability standpoint.


Where: https://www.facebook.com/groups/ITBusinessOwnersGroup/permalink/5308451429213443/

Question: PAM – AutoElevate vs Delinea/Thycotic 

Pros/Cons for those of you who have used it?


Answer: Thycotic in particular is an amazing enterprise option when you only have one domain. It does not meet the multi-domain needs of an MSP.

I would suggest checking out TechIDManager (made for MSPs). It aims to handle the challenge of managing privileged and admin accounts across many domains and tenants without introducing the overhead of a traditional PAM platform.
