Why ‘Just-In-Time’ Admin Privileges Are Just What MSPs Need: Exec

Helping MSPs to achieve ‘zero standing privilege,’ through implementing account privileges that expire after a period of time, can offer massive risk reduction, according to an executive from CyberQP.

With threat actors increasingly going after account credentials as part of their attacks, the risk to MSPs of “always-on” privileges for administrator accounts is massive, according to an executive from identity security vendor CyberQP.

A better way: Implementing “just-in-time” admin privileges that expire after a certain amount of time, making it far less likely that a malicious actor can exploit an MSP’s account credentials, said James Hatzell, vice president of revenue at CyberQP.

Hatzell spoke Monday during a session at the XChange August 2023 conference, which is hosted by CRN parent The Channel Company and being held this week in Nashville.

[Related: MSPs Seeing Record Sales With Big Growth In Security Services: XChange 2023]

The ideal for MSPs should be to achieve what’s known as “zero standing privilege,” Hatzell said. That’s in contrast to the too-common default setting of privileges that are persistent and always-on, or “standing privilege,” he said — which are frequently exploited by attackers seeking access to data and systems.

A specialist in offering MSP-focused privileged access management, CyberQP — formerly Quickpass Cybersecurity — has brought a major focus on enabling just-in-time privileges as part of its platform. The capability has been adopted in many enterprises but is newer to MSPs, Hatzell said.

Even so, just-in-time privileges bring a lot of unique value to MSPs because of their need to manage numerous client environments, he said.

“When you’re an MSP, you’re logging into so many different environments, with so many different technicians, that just-in-time accounts just make perfect sense as a model to move to,” Hatzell said.

Bernard Robinson, an MSP executive who attended the CyberQP session, said he was intrigued by the capability and planned to follow up with the company. “I didn’t know that kind of capability existed,” said Robinson, founder and president of Midlothian, Va.-based Networking Technologies and Support.

Managing access privileges is a major problem and a “very complicated” issue to address, due to the volume of privileges needed, he said. And so, having a “comprehensive” approach to solving the issue, like the one that CyberQP promises to provide, could be very beneficial, Robinson said.

During the session, Hatzell demonstrated how a technician might use CyberQP to set up account privileges that are only valid for four hours.

“When that four hours is expired, the technician will lose access to that account, and the password will be rotated and the privileges will actually be removed from that account,” he said.

The risk reduction of taking this approach is massive, Hatzell said: “It’s a no-brainer to move towards this model.”