LeastTrust IT

Transcript – Multi-tenant best practices and getting admin accounts secured

Hey, good afternoon, everybody. Welcome to this week's edition of Team Tim. Oh my goodness, it's March 1st. Hard to believe we're heading into that last part of the first quarter. So as MSPs, those that are listening, you better start prepping your QBRs, right, because we're heading into that new quarter, right? And if I was a vCISO, QBRs would be part of what we would be doing. I'm Tim Golden, founder of Compliance Scorecard, where we help MSPs solve for the new NIST 2.0 function. We're here with our good friends from Tech ID Manager, but before we get into that, Mr. Schner, vCISO, Inquisitive IT, say hello, my friend.

Yeah, absolutely. Tim Schner, vCISO focused on privacy, IP, malicious insider threat and cyber security. Enough about me. Jesse, do you want to go? Then we'll talk to our guests.

Absolutely, my friend. From my Chicago accent on there, a little quick today. Yeah, Jesse Miller with Power PSA Consulting. We help MSPs build and scale security programs for profit, focusing on vCISO services. And I was laughing at your intro there, Tim, because I remember, as an MSP CISO, this would be about the time of year when I realized, oh, we have made zero progress on our OKRs for 2024 and we need to get those going, because we're still playing cleanup from the beginning of the year. So I'm assuming that's what's going on in a lot of people's heads right now.

Yeah. Martin, why don't you say hello?

Yeah, I'm Martin White, founder and CTO of Tech ID Manager. Super glad to be here. You want to go, Emily?

Sure. Emily with Tech ID Manager. I am the engagement manager for Tech ID Manager, keeping my finger on the pulse.

Awesome, awesome, awesome. Thank you so much for the introduction. So I don't know, this feels like it's kind of half up my alley today, talking about all these: IAM, PAM, no actually, I'm Pepe, right? Identity access management, privileged access, all the acronyms around who, what, where, when, how, why, right? You know, as we think about this sort of identity piece, and having just gone through a rebrand, I have a different identity crisis. Not that kind of identity crisis, but around who are the people, what can they log into, you know, administrative access, all the things that we should be considering when we're working with our customers as an MSP. And so today's talk is kind of all around that. Like, what if I, as an air traffic controller that is in charge of all of the planes flying around, right, and as Jesse went up and got his cup of coffee, I can run over there, or as Matt Lee does, right, with the "lock it up," look, someone hasn't protected their computer, right, and being able to take over those devices. And like, so anyways, that's today's topic, all around identity access management. Let's just dive right in.

Yeah, yeah. So anyone who's been in MSP for a while, or in cyber security for a while, like a lot of these identity access vendors are relatively new, right? Okta on the enterprise side, CyberFox, right? All of a sudden identity services or vendors are new, and Tech ID Manager as well, right? Like why, and why is it, right? Like you think about 2020, COVID, right? Perimeter cyber security was all about the perimeter. Now identity is the new perimeter. I think I've heard Jesse say that before. So, you know, zero trust access, right, like giving only... and Wes had a great post about this, like what does zero trust access mean to anyone, and got some pretty wild answers if you check out that post this week. Really about providing the least amount of access to the least amount of people, right? So that's siloing your business, siloing your vulnerabilities and your exploits as well, and you're more resilient that way. So really, today's episode, as Tim said, identity, what it means. We'll talk about all the acronyms, hopefully read through those, and also talk about where things are going. So, Martin, I think I
kind of wanted to start with you first. I know we don't usually talk about vendor names, we don't have to talk about vendor names, but we'll talk about what gets you up in the morning and why you founded the utility or the functions that you're providing to, call it multi-vendor. You're not only dealing with MSPs, I'm guessing, but you're also dealing with anyone who needs multi-tenant identity access, right?

Yep. Anywhere where you have multiple people and need access to multiple things, and specifically when those multiple things should not be connected. So specifically that's MSPs and VARs, where multiple technicians need access to multiple clients. Why did I think this is important? Well, I worked at an MSP for 12 years, and this is the only problem I didn't see any software come out to solve, so I quit. And there's a lot about multi-tenant access which is different than normal single-company access. The need at a single company: when somebody logs in, it's their account, they know it, they use it, they rotate their password regularly, it's only one thing to remember. But a multi-tenant access situation has some significantly different things going on.

Yeah, and Kyle Hanson and this ConnectWise vulnerability this week talked about how most of the outside world didn't really fully recognize the one-to-many relationship with this multi-tenant aspect of MSPs, and people using ConnectWise tools, right? Same thing, people using Tech ID Manager, right? The one-to-many. It's not simply a sysadmin or an infosec team just provisioning identity out to one; you're many different companies they're managing. So that aspect, if you screw up identity management, screw up authentication, you're not affecting only one but many. So, yeah, Jess.

Yeah, I just guess I wanted to take a quick step back, because I was thinking about this leading up to this episode and how fundamentally different the landscape is around identity, and how it drives almost everything we do in cyber security today, right? And it's funny how I feel like, as IT providers, cyber providers, managed service providers, whatever type of service you're providing, we kind of tend to put things on the back burner until they become really important. And I think we had clients coming up to COVID, and I think COVID just accelerated the trend, but we had clients on VPN, you know, they weren't using identity to drive the security of their organizations, and then all of a sudden we got hit with this tidal wave, like, oh, we got to do something about that. But Martin, I'd like to hear your perspective, or Emily if you have one as well: do you think that it was COVID, or are we just kind of projecting that? When did this shift really start, historically, as you see it?

I saw it shift in 2015, 2016, and that was really specific to my purview on the space, working at an MSP at that time. That's when the MSP I was working with went from six technicians at the beginning of that year to 18 technicians at the end of that year, and then we just kept growing from there. And that's when people started coming and going, and when you lose somebody and you don't have proper identity management, right, they had access to all these systems. All of a sudden you're like, oh wait, I can't revoke their access, they walked off with some important information. And then COVID did exacerbate that because of all the work from home, and COVID specifically exacerbated it with the school systems and proving that kids were who they were taking tests, and all the cheating that went on. And, like, our kid didn't cheat much, kids out of school at that point. So yeah, the schools had all kinds of identity management things that they tried to put in place. Does anybody, like any of the audience here, have identity that they
have in place now that they really think is the right way to do it? If so, put it down in the comments.

Yeah, awesome. It's interesting that you bring that up, because my mom, who's now retired, was a teacher for her career, and I remember when they started going to Google Workspace and having to do the identities and segment that all, on the phone, and of course I was de facto IT support for Mom, so those questions came. But I do remember that, and you're right that that's around when that shift started happening, and then of course COVID really accelerated it. But I think people want to say, well, it was COVID that did it. No, I think COVID was just an accelerant to a trend that was already in motion, right?

Yeah, yeah. COVID was an accelerant for lots of things. You start putting somebody behind a computer screen and they're not in front of you, then you really have to address that: who is this person, who is this identity?

Well, it does become a massive problem, right, especially if you don't have a process or systems in place, if you haven't thought through the ramifications as your identity sprawl happens, right, because you're just playing hot plate, you're just kind of catching balls as they come. But just an example, like you said, as you grew, logging in and out of Microsoft tenants for clients as an MSP, right, that is just a nightmare. And then you have a client or two that has security controls that say you can't be logged into another client or have those tokenized creds on your device, and you can't log into theirs until you clear your cache, reboot, and come back. So it becomes a big time waster in a lot of ways too. So how did you see not only increasing security, but how can a multi-tenant approach increase efficiency for MSPs, right, and save them money or make them money?

Yeah, the efficiency comes with the automation that you can put around stuff, like when you can automate logging in, when you can automate creating those credentials, and you can automate rotating passwords, and you can automate as much of that as possible. So when the technician sits down, they're able to focus on the work they do, not on getting to that point where they do work, right?

Yeah. So when you do things like push MFA versus TOTP, it's real minor, but they just click on their phone, say yes, go, instead of scrolling their phone, finding a number, typing it in. It's the difference between two buttons and eight buttons, but it's a pretty big difference when you do it, like you said, 30 times a day.

There's that mental fatigue that comes in, right? It's only two seconds versus half a second, but I think you're expending brain bandwidth while you do those kinds of things, right?

Yeah, yeah. Like the automation, I think that, as much as I hate to use this phrase, AI is going to help MSP technicians do this by recognizing what they're working on, helping them find how to get there and getting them there more quickly.

Context aware, yeah, that's a great point. Yeah, I want to go real quick to ZTNA, because I think, and maybe you can tell me if I'm wrong, but I think identity and zero trust are kind of part and parcel, right? Let's talk about all the acronyms too, right? So go ahead, Jesse.

I would. Thank you, Tim, because I generally jump in when somebody uses an acronym, right? Acronyms, you know, they keep people out of the circle, you know, you don't want to exclude anyone. What is PAM? PAM is management. There are actually two for PAM, there's two PAMs.

All right, let's hear it.

There is privileged access management, which is what we all talk about all the time, that's what you see all over the Internet. There's also privileged account management.

Oh, right, yeah, good point. Well, that's a good segue. Emily, what do you see? You
know, because you guys are kind of at the forefront, right? MSPs bring you in, they're like, hey, we want you to solve this problem, they buy your product, then you're working with them. Where do you see the biggest pain points as you go and start helping these customers?

That they're just behind the ball. They're just trying to... like, they're growing and they don't have time to think about these things, so even to bring on a new product is a big time spend for them. The biggest problem we have, like, we'll have clients, or future clients, that really want to use us, but they're like, we just don't have the time right now, we're implementing these two things, we'll put you on the list, we'll see you in a couple months. And that definitely happens, but yeah, it's all the time to just almost catch up, but you're not really catching up, because once you've caught up you're still behind.

How are they, you can answer this, Martin, how are they doing it now? Is there basically five admins in a room with five passwords and credentials, and they're just kind of passing them around on a notebook?

So I've seen many ways to do it. The worst way is there's one admin account and one password, everybody, everywhere, that everybody has memorized, so when a technician comes on board you just tell them that password. I've also seen password vaults with a different password per client that never changes. I have seen Excel spreadsheets. We helped a guy go from an Excel spreadsheet that literally had every username and password in it, and the admin password to their network. He just brought it up on the screen and showed it to me and I was like, I don't want to see it. And then there are other solutions on the market, password vaults, like you mentioned some of them: Evo, CyberQP, Thycotic, Delinea, CyberArk, BeyondTrust, Passportal, used to be One ID, Identifier, ID Agent.

Yeah, ID Portal I think was one.

There have been a lot of people that attempted to address this, and MSPs kind of get left in the wake because it's a much more difficult problem because of the multi-tenancy. CyberArk, BeyondTrust and Thycotic, they are great for one domain, one enterprise.

Do you want to break down kind of where all those tools fall, right? So I mean, there's aspects of identity access management, right? There's authentication, which is a bunch of other players like Duo, and phishing-resistant MFA, which we're really excited about and always kind of talking about here. But how do they all kind of fit together, right, with those admin tools? I know there's some crossover, because I've seen demos from some of the ones you've mentioned, but how do they fall? Is the... yeah, talk about service accounts, but how does it all fit together, right? And is it necessary to have, is there one tool to solve them all, or is there not, that you can think of? Like, you're going to have to use a couple?

So for an MSP there's no one tool that just fits all, for most MSPs. If you're an MSP who cookie-cutters all your clients and says you must have this machine with this type of setup, you have these types of laptops, and you only have this type of access, and you only have this type of software, if you cookie-cutter all of your clients, they could all match, you could have one solution. But most MSPs that I'm aware of, they have different clients, different architectures, so you need multiple tools. I need tools that best scale out, have the biggest option pool on what things they do, but you'll definitely need more than one tool set, because there's no tool set that does it all. And the starting point for which tools you need really needs to be your compliance, your cyber security compliance, your cyber security posture. How do you think it should be done, what controls do you need to meet, and then go forward from there. Do I need
just-in-time access, do I need accounts, do I have machines that are always online, do I have machines that might be offline that I still need access to? And if that's the case, then those are two different types of accounts and two different types of access you need.

So, yeah, go back to that just-in-time access, because I think that's a complex concept that sounds relatively new as well.

It is. It is like the latest, hottest thing, the shiny object, when it comes to privileged account management. It has some benefits, it also has risks. Just-in-time access is where, when a technician wants access to a client, they do something on their side over the internet, then that account access gets created. That means that you don't have standing privilege. We do this, CyberQP does this, Evo does this, Thycotic does this, Delinea does it, CyberArk does it, everybody does it. They do it in different ways.

What's the advantage of that? You said standing privilege, so standing privilege means it's just always on, means the account's always there?

Yeah. And there are advantages and disadvantages to that. If you have an account that's always on with standing privilege and you're rotating the password, it can be just as safe. The standard attack vectors, the reason people downplay standing privilege, is because of attack vectors with stale passwords, or somebody looking over your shoulder and seeing you type in a password. There are all types of ways to mitigate that: MFA, conditional-based access, even AI that looks at where you're coming from and makes sure that your current access matches the access patterns you've used in the past. All of that can protect standing access just as well as just-in-time access. And even just-in-time access has issues related to it, with token interception, hash catching, internet-based attacks where there's some internet entity that is telling this machine to make the account. That's just one more vulnerable point. Yeah, the standing access, just-in-time, they're really six of one, half a dozen of the other. You look at your position, what your clients need, what cyber security frameworks you need to adhere to, and then pick your approach from that.

That's great to know. Yeah, so it sounds like it's a little bit overhyped, as you said. There's, what do they call that, offsetting control, right, that can basically make one... as you said, there's advantages to both. Any more acronyms in here, Tim?

Federated is one I hear. SSO, right, single sign-on, right? SSO, federated, GDAP. There are a bunch of acronyms. Talk about federated, and what was that, GDAP? I don't think I've heard that one.

GDAP is... or federated is where one or multiple authentication things all go back and ask one authentication thing, is this person allowed to log in? Like all the computers on a domain are federated to the domain controller; they all ask it for the authentication. You can also do forest trusts and do federated trust that way. SSO is single sign-on. Single sign-on is a type of federation where you have one account that you sign on with, and the thing gives you access to all these different authentication sources. GDAP is Microsoft's, or was Microsoft's, thing where you logged into one Azure tenant and you connect client Azure tenants to your Azure tenant and then use that to get access. The G Suite has a very similar thing for federated access from MSPs to their client networks. The Google Suite one is really good. The GDAP one for Azure has some issues where you can't do everything via GDAP, so you still need an account directly in that Azure tenant to do lots of things. There are tons of ways that...

GDAP, so is this granular delegated admin privileges? I've never heard that.

Yeah, yep. Really a lot about GDAP when we talk about dealing with Microsoft Graph, and our good friend Kelvin has CIPP, the new partner portal. Just do that and be done with that part, because he's got that nailed when it comes down to it. But as far as federated access, y'all
know, when I was at the MSP I dealt with federal government contracts, and I progressively watched them over the years, so a year or less, maybe two years, as we not only built our web applications to support the things that we were doing for the feds, they started to roll out login.gov, right? If you don't know what login.gov is, it is a federated system for identity access management, IAM, to deal with all of those disjointed things, all of those identity places of where people live, to bring it into one centralized location. And here's an interesting piece: as a military veteran, I set up my id.gov to get into id.me, which allows us certain benefits, right? So I had all signed up under my personal email address. It posed a really unique challenge when I needed to build that system out again using my government ID, using my government stuff, and associating with it. It's still me, but I had a .gov email address, so it was really a bit of a challenge for me personally. But here's the thing, and I kind of brought this up in a couple of the ISSO, the security officer, meetings, and maybe Martin or Emily can talk a little bit about it. A fear that I had was: great, they're taking all these disjointed pieces across the internet, internally, externally, and they're putting them all into one bucket, one federated system, right? What is that federated system doing to make sure that it's protected? Because, you know, bad things happen, stupid things happen, people click on wrong stuff. If that one system gets compromised, this was that multi-tenant conversation, what happens? We just federated hundreds and hundreds and hundreds of things into one point of failure.

Yeah, it's a very interesting question when you tie all those things together. That even scales down to the MSP, where if you do federated single sign-on access to your client networks and you have lawyers, dentists, doctors and body shops, you're depending on the security at the body shop to protect your federated account that's single sign-on into a doctor's office. So it's a really tough decision to go single sign-on, because it's tricky, it's hard. And every week you'll read, though, like single sign-on with MFA and conditional access is very easy to protect, but every week you can read about hackers who can easily bypass MFA, and they can use VPNs to get by conditional access, and they'll use MFA fatigue attacks to get people to click on "yes, this is me" when it really wasn't, and then social engineering things. So it still comes down to that person protecting their single sign-on account and all the things around it, and so I think it's a big risk.

Love that, right, because I'm going to take this a little step further with login.gov. Now that I'm no longer at the MSP and I'm not dealing with any of that on my .gov addresses, I wanted to go and rent a car, because it's one of the benefits, blah blah blah, I get a little discount. And now when I logged in as me, it actually went and had me go through a whole new process, and I had to use my face and my driver's license to, not recreate, but sort of re-enable and re-set up my account. I had to give them a government photo ID and my webcam to set up my account, plus my two-factor, plus my password. It was almost like four levels of "are you who you really say you are, and do you have an ID to prove that, and does your face match." And I think even now with Auth0, for example, we use Auth0, that we standardize on, I see that happening at Auth0. I see that happening more and more frequently, where it's, give us some kind of valid...

Auth0 as well, like, what they do?

Yeah, keep going.

Yep, keep going. Give us some kind of third-party validated photo identification and match it to your face, which is really scary in the context of the AI image generation and video generation going on.

I know. iPhone, the old one's better with the fingerprint.

Yeah, yeah, maybe. Well, maybe, maybe. So
anyways, it's just been interesting to kind of watch these things progress over the last couple of years. As I think we talked about earlier, identity is like the new perimeter, right? We have a whole list of acronyms here, right? RBAC, role-based access control, zero trust, blah blah blah. I kind of want to maybe get into, and Tim, correct me, so read-write: some people can only read, some people can write, right? Like that's basically what level of privileges do you have with RBAC, role-based access control. Go ahead.

Yeah, no, I was just, I've always thought of... just a quick rider on that. It's like, with RBAC and the principle of least privilege, right, zero trust really is a framework to try and actually have principle of least privilege deployed in your network. That's the way I see it, or deployed in your systems, right? Zero trust network access just simply says you can't just connect to the VPN and get everything. Although if you take a zero trust network access product and configure it that way, you're not doing anything really special. So really what you're doing with zero trust is you're defining limits and context around what resources people are accessing, and then putting authentication rules around that. And so really the goal of zero trust is to actually enact a principle of least privilege, or role-based access control. So sorry, Tim, go ahead and bring that up.

No, I was just going to say that dives right into Martin's, right, so least privilege on service accounts. There's no human behind that, quote unquote. So maybe talk a little bit about that, service accounts.

Yeah, so the service accounts. I have two thoughts on that, one of which is a little controversial. Service accounts are those accounts that you run something automatically on, and it needs to have access to some set of resources, something like that. So most people will set it up, they'll create a user, they'll give it some rights, usually full rights to anything it wants, and then they'll set a password and just put it in that service entry and let it run. And then they document that password somewhere and move on with life. Well, that service entry password is readily readable by anybody who has administrative access on that machine, so it becomes this entry point. So there are several things you can do from a rights and roles perspective to protect that service account: you can make it not able to log on, you can make it have to change its password, you can put some automation around rotating that password and not telling it to people, or if you do, do it more regularly. But the second thing there is a little more controversial and less known: when you run a service on a machine, you can actually have it authenticate as that machine, and then you can give that machine access to the resources it needs access to. So there is absolutely no human-usable account associated with that service it's running, which is the way you should do it, but it's also less known and most people don't do that. And then one more thing, to go back to that zero trust: I really love the zero trust mentality, but I also want to point out that there are three ways to identify something to confirm who you are. And this is like long-standing philosophy on computer interaction: something that you know, something that you have, or something that you are are the three types of authentication. Zero trust is the machine implementation of one of those three factors for doing something. So for the VPN, zero trust is often implemented as it has to come from this IP address. Well, that's something that you are; you are at this IP address. So those same three principles, something you have, something you are, something that you know, really just need to be applied more. Multi-factor is just picking two of them.

You have... yeah, something you have, phone, yeah,
yeah, fingerprint, something you have, facial recognition, something that you are. So what's the biggest, I guess the biggest risk of not doing it correctly, like as an MSP? Is it having one service account that everyone's sharing? Is that what you're getting at? And with multiple machines, right, so it's not tied to, like, oh, there's only one browser or one machine that can...

The biggest issue with a service account that runs some service on a machine is that a hacker will get access to that machine in some way, even some minimal access, and then that will grant them access to see the service account and service account password. And if that service account is mis-set up and has domain admin privileges to log in anywhere, all of a sudden they can go anywhere they want from breaking one machine, minimal access on it. That escalation of privilege is the biggest issue with a service account.

So before, I don't want to beat a dead horse, I laugh because Tim, you'll probably... go ahead.

Yeah. Oh, sorry, guys.

No, Tim, I was just laughing because you'll probably remember this: offboarding a client, or offboarding a client IT guy, or something like that. You get those emails: oh, the client domain admin password is changing across all the customers today, everybody update your password managers, right? And unfortunately that's the way we were doing it 10 years ago. But talking about...

I'm sorry, I have a little anecdotal story, if we're okay with me taking two minutes. Are we good with that?

Oh yeah, yeah.

So I was leaving the MSP, right, obviously to build Compliance Scorecard. I was at a conference, you know, planned, blah blah blah, and you know when you close your laptop, you pack it in your bag because you're going to open it on the plane, you close it back, anyways, you get that. So I hadn't turned it off, and I got to the hotel, got settled in, I got a message like, hey, I gotta deal with something. So I flip open the laptop, turn on the VPN, get on the Wi-Fi, and like everything else, things start connecting to the internet, right? Teams and this and that and this, and I'm like, I got 10 minutes to fix this thing before I have to go. And I Ctrl-Alt-Delete to try to disable this, disable that, turn that off, so I can just go do the thing I needed to do, because all the things are starting to connect. And I couldn't Ctrl-Alt-Delete, like what? And then, fine, reboot, and then I was like, and I couldn't open this and I couldn't open that, and I couldn't... they PAM'd me while I was away. So the minute that device connected to the network and connected through the VPN and it pushed down the new stuff, they revoked all my administrative privileges. And I guess I taught them well, but I was like, now I can't work. So the note here is, you know, privileged access: making sure that the right person has the right level of access at the right time, right? And so I was leaving the MSP, I was traveling outside of our general area, and even though I had a job to do, I might have been the right person in the wrong spot, right, and whether or not it was the right time. So for us as MSPs, that's the kind of thing we want to try to make sure we're dealing with, right? Jesse, you said, you know, so-and-so is leaving, update your password manager. I'm like, oh my God, where the hell is that, right? When we decided to start rolling these things out, I was astonished at global admin, like the regular admin account in the entire domain, where it was just inventorying where it was. And the quickest thing that we did was, let's just disable it and see what breaks, and boy, that was a bad day.

Yeah, that's where a SIEM is helpful, right, because you can see what passwords are being used or what logins are being used where, and things like that. But no, I think to your point, I was talking about that when we started making our
push and pushing for SSO with clients. It's something I wanted to talk about with you, Martin and Emily, because this is something that's an added expense, right? It's for our clients' safety; we do gain some efficiencies out of it, but I know when we started going to our clients and starting to talk about "we need to sell you an additional service for SSO," the question we always got, right, is, "Well, I don't want all my passwords linked to one thing, because what if they get access to one thing? Then they have access to everything." And so overcoming that objection was a big part of it. There was the additional cost, because, you know, doing an SSO offering and wrapping services around it is not cheap; it's an additional expense, and how do you show the value of that to a client? So I guess I wanted to talk to you guys today and see: how are your partners positioning this, how are they selling it, how are they having success selling managed identity and delivering this type of service to their clients?

The biggest piece is the cyber insurance and the cybersecurity requirements that the MSP's clients are running into, like the Cyber Essentials or the Essential Eight guidelines in Australia. Clients are actually coming to the MSP and saying, "Hey, we had an audit done and we saw a single admin account that looks like it's used by multiple people. You have to change that. We failed the audit," or "We got this exception on the audit because of this, let's fix this." In a lot of cases it's really the clients coming to the MSPs after an audit or after some sort of cybersecurity look and saying, "Hey, this needs to be changed," and then that MSP is going to all of his other clients and saying, "Hey, look, we're fixing this." We have quite a few clients who actually use it as a small part of their security posture. They'll say, "Hey, let's look at your network now. The current MSP you have, there's one admin account. How
many people are using that?" And they'll say, "We as an MSP, we have unique accounts. You can clearly see John from our MSP, Tim from our MSP, they're the one that did this thing. We have traceability and accountability all over the place." So it really elevates, as Matt Lee is always saying, we raise the tide, raise the tide for all the MSPs, when one of them just starts going out there and says, "Look, we have that traceability," and then clients are much more on board with it.

Martin, you can probably answer this as well, but in terms of the extra layers, the conditional access, the MFA, do you guys have recommendations to complement your tool? Like, what other things do you strongly recommend that they do? Are you using, like, YubiKeys, like phishing-resistant MFA? Any other kind of, you know, password managers? Right, you can just kind of go down the list of all the things that are kind of no-brainers, right? Just, complex passwords are a thing of the past, right, when you're using a password manager.

So yeah, for us, complex passwords, some sort of MFA, and unique accounts for everybody are really the basis of it: complex passwords, unique MFA, a managed account, and a regular password rotation pattern. The issue with passwords always has been that they'll get stale. Somebody will steal a file, they'll spend time offline breaking that, and how long does it take to break a password nowadays? It's super short. So you have to have regular password rotation, and then you layer on top of that MFA or some other identity access thing.

Some components are, like, not for rotation, just because you end up with the same... I don't know. I guess with the password manager it doesn't matter, you're not going to know it anyway, but they're against rotation because you're just like, oh, I'm doing Jesse123, now I'm doing Jesse124, like, whatever.

Yeah, so that is one of the hot buttons for me, and I'll try not to
rant about it, but I will point out that "don't rotate your passwords" is the headline for an article, and very few people have actually read that article. That study actually said don't force people to make up new passwords and rotate them, because they fall into those Jesse123 situations. The article also says for good security, use complex passwords and rotate them very frequently, and then use a password vault or password manager to remember them, because the reason to rotate passwords is that if the password file is stolen, it can't be hashed offline or broken offline and used. Rotate passwords, but the psychology of people says don't force people to manually rotate and make up passwords. So there's a big distinction in the market and a big misunderstanding in the market about what that one article from Microsoft, probably seven or eight years ago now, the research work behind it, what it really said.

I mean, but there is a NIST... isn't there a NIST update or a NIST note on this as well saying that? I thought there was a NIST update, right, Tim, where they were saying that?

Yeah, but to your point, Martin, I think that's exactly right. It's not like, oh, we don't have to rotate passwords, job done. You know, we create complex passwords, we create unique passwords. That's a big piece of "we don't have to rotate passwords": that we have a unique password for every single account, right? Because that way if a password's compromised, then we rotate that one, right, and that stops us from, like, oh, we have Jesse123! to meet the complexity requirement. So I think you're dead right about that.

And just, oh yeah, Tim was just talking about passphrases, right, and I was going to bring that up as well. So yeah, a passphrase-style password, if you have to create one, like for your master vault, for your password vault,
that's a good way to go about it. But Tim, why don't you expound on that a little bit?

No, I mean, so in working with my family and talking about passwords, right, you know, we have a new granddaughter, we're setting up the things, and I'm like, you know, we need to create a password, a passphrase, to protect... you know, I don't want somebody logging into the camera, whatever, right, the things. And so we're having this conversation and I'm like, yeah, you can't use that. But here's the interesting part: as she was trying to set this up, right, and she was putting in some variation of things that she's used in the past, the app kept telling her, you can't use that, not enough characters, not enough letters, not enough randomization. You can't use, you know, TimPepe123. It was really interesting that the app was literally forcing her into creating a phrase, creating something beyond just the, you know, Tim123.

There you go, thanks, Dre. Yeah, that's funny. But truth be told, you know, everybody either has a favorite book or a favorite song or a favorite artist, right? And so I'll use this as an example, and it is not the password that I use, but the phrase when I'm teaching people about good passphrases is "that's one small step for man, one giant leap for mankind," and changing a couple of those letters, and a semicolon here and there, and, you know, zeros with an O. Like, pick a phrase, pick a favorite book.

That's a big risk, though, because they're gonna use the same phrase in multiple places, right? So a password manager still kind of has that complex uniqueness, like...

Yeah, yeah, obviously using a password manager is ideal, and, you know, there's always lots of conversations on which one to use. I have my favorite, we all have our favorites, but pick one.

Yeah, as long as it's not LastPass.

You know, I had a question that I wanted to ask Martin here, because I
think this is a good way to think about it. You know, you worked at an MSP, you know what MSPs deal with, you've lived that world; that's probably what in a lot of ways spawned you to build this product that you did. Let's talk about: if you had to go build an identity framework for an MSP, you're starting an MSP and you've got to build an identity framework for it, talk about at a high level how you'd set that up and how you'd be thinking about it, to give some people some tips as they do this.

I think my thoughts on that are a little unique, because I am uber security focused, and I'll actually give up some efficiency for security. MSPs, because they access so many different clients, you don't want any movement laterally between clients. That would be the death of an MSP. My old boss at the MSP used to say, like, we don't want to end up on the front of the newspaper for having one of our clients hacked into and then another one hacked into. So I would start with a framework that was SSO for everything internal to a company. Then I would silo every company and use some automation to make the accounts, and automation around identity management tying it to people at the MSP, so that, from an MSP's perspective, when you fire a technician, before they can walk from your office where you say "you're fired" to the front door... well, that's what it used to be. Nowadays it's like on a Zoom screen: when you say "you're fired," you need their access to all be revoked before they can move their mouse over to some other window and start stealing data.

Well, now, Martin, we're supposed to say "we're transitioning you out of the business now." Kidding, just joking.

No, no, so that makes sense to me. So as you were talking, I'm thinking, like, okay, then how do we handle the RMM, right? Because yes, we can cut off their access to the RMM, but the RMM has hooks into every single client and sidesteps that SSO piece. How do you handle that?

If I had my druthers, I would make the RMM
only execute as the individual who requested that command to be run. From a technical perspective, the RMM would spawn off a separate task that would then change its user to be the user that requested the thing to be run, and it would run as that user, and the user would have to put in their credentials for that environment so that the RMM could convert the executable to that user. Then the authentication mechanism and the security mechanisms in that environment would be protecting that environment from whatever the RMM ran. So if you trusted that individual in one place only, that's all they got access to.

Yeah, so I see what you're saying: keep the SSO segmented, but then federate the SSO for that client through the RMM requests, almost like a PAM type of...

Yeah, some sort of account management idea.

Yeah, that's wild. Can we get that feature? When can we get that?

We don't have an RMM, but in my opinion that's the way it should be done. When you execute, it should execute as you, right?

Yeah, that way all the logs match. Any sort of audit on that client: "Oh, Martin did that. Martin requested that, the RMM transitioned to Martin, Martin did that."

Yeah, I like that. Then you'd also be... there's a lot that goes into that, but no RMM does that right now. They all just execute as system and then they make logs about who did what that you have to go look somewhere else for.

How about I really take us down a rabbit hole and say, do you see the death of the RMM on the horizon because of this?

No, I do not. The efficiency scale for an RMM, the efficiency is just too massive.

What's happened to my camera? You knocked it down. It got so irritated with me getting off topic here. Yeah, it just came up. Isn't that an AI camera? Something about AI killing society slowly. All right, there we go. Damn thing. I thought you were gonna yell at me and tell me my camera was messed up.

So that's
interesting. Then, pragmatically, what's a good way for MSPs to start thinking about... you know, we don't have that ability with our RMM, but what's a good way for MSPs to start thinking about protecting this and doing things that can mitigate those types of risks from an identity perspective?

Make everybody their own identity everywhere they need access. Never share an account. Okay, stop sharing admin accounts. When you get to that, from both a technical and a psychological perspective there's a lot of security. Even though you might not mentally comprehend it, subconsciously, if you know everything you're doing is traced to you, you have that little bit of extra edge of "I'm gonna do this securely." I love to point out the Uber hack that happened last year. The point of escalation for that Uber hack, from what I read, was a script that had a shared administrative username and password in it. They got in, but they didn't really do any damage until they saw the script, which had a plaintext password in it, and that's where it escalated and took off. If everybody had their own identity, they would not have put their name and their password in that script.

Yeah, if there was something like multi... right, like if there were multiple admins, would that be... I think that might be a little bit of a compensating control. Like, if you had shared admins, not like 10 people sharing it but five, or, you know, three, there are still some benefits, right? But how do you, as you said, you're striving for efficiency and least friction, so how do you get to kind of a happy medium?

So, automation. Computer efficiency.

Yeah, it's funny, because, you know, the guys from Shield Teddy, he always talks about when they do pen tests, he's like, it's almost like 90% that you're going to find a service account with the password in the notes for it in a pentest. And I will say, one
of the largest incidents I worked, guess what we found when we were doing our forensics. So that's more prevalent than you would think. And so I think simple things like that... I like your point about changing the culture and changing the way we think, like, we're doing things securely and we're going to take that extra two minutes to make sure that we're being secure. And once you get to that point and you're executing it from a swallow-the-frog perspective, then the benefits and the efficiency gains with tools and everything else start to fall into place, right? So I think you're right about that, and I think that's a good approach.

Oh, what do we have here from John? "There was a secret server admin that proves password in plaintext, so since the account was a secret ser..." Oh geez, wow. Yeah, that's wild. I think he was referring to the MGM thing, right?

Yeah, yeah, yeah. Oh, for the Uber.

So yeah, as we wind down here, I know we wanted to get to this and I kind of took us on a little walkabout, but, you know, Martin, I just want to hear a little bit more about your story, how you came from working in an MSP to starting Tech ID. Just tell us about the journey here. I always like to hear people's journeys and how they got where they're going in their entrepreneurial journey, so I'd love to hear that from you.

Yeah, yeah. So I graduated from Clemson University with a computer engineering degree many years ago. I worked in software literally all over the world, in Europe and Malaysia and the US. I wrote automation software for industrial automation, robots making things. I wrote software for business systems, accounting systems, web pages, things like that. My entire career has been automating things, integrating things, to make people more efficient. And then for 12 years I was the head of a development wing attached to an MSP. In those 12 years I saw security grow from something nobody cared about to something I was
really hyperfocused on. Privileged account management, in my opinion, was completely missed in that security transition. Every MSP I talked to had one administrative account that they shared with all the technicians. So in 2017, 2018, I looked around the market and said, hey, I'd like to fix this for the MSP I'm working with. What is there to fix it? I figured I would find some software, apply it to the MSP, and move on and find the next problem to fix. I found Thycotic, CyberArk, BeyondTrust, all phenomenal products. If you have one domain and 100,000 users, you should go buy those products; they do some phenomenal things. But for an MSP, where you have multiple technicians with access to multiple different environments, different machines, domains, Azure tenants, all different things, those products did not apply very well. So in 2019 I quit my job, I started Ruffian Software, and rewrote Tech ID Manager to do privileged account management under the auspice that you shouldn't share admin accounts; everybody needs their own account. For an MSP to do this requires a significant amount of automation, so that's what Tech ID Manager does: we automate that privileged account management, creating accounts, keeping them standing or managed, creating them just in time, setting passwords and rotating passwords, and setting rights so that you truly have least-privilege access on every person's account, specific to that person, that role-based access thing, that zero trust thing. And we do all this with a significant amount of encryption and security, because we have several founding tenets. My favorite founding tenets are: we don't keep keys to your networks, your kingdoms, and we are not going to be the point of ingress. Like, we can't see any of your data, we don't keep keys, we don't insert ourselves in the authentication process, a lot of other subtle things like that that really help. You know, that's my background story, that's what we do, come check us out.

So it was like a lot
of other things I hear from MSP folks who started the entrepreneurial journey: it was out of frustration. To boil it down, there's nothing here for this, I'm gonna start it. That's great.

And there was a moment after I left the MSP. I was driving down this... I live way out in the country, I was driving on this back road, and I pulled up beside this old, like, Tim's little side stories here, I pulled up beside this old 1950s truck, and there was a guy in overalls with his arm hanging out the window, and he had a tattoo on his arm, and the tattoo on his arm happened to be the admin password that I last knew at the MSP I was working with.

Whoa, he tattooed it on his arm? Awesome.

The owner of the MSP liked to take Bible verses, shorten them up, and then put the chapter and the verse number after the name of the book, right? And that happened to be what was tattooed on the guy's arm.

Wow.

I took a picture and sent it to my friends who are still working there, like, uh, is this your password vault?

That's wild. Emily, so I was gonna just give Emily the floor here for a couple of seconds, a minute or two. So we've been geeking out on all the acronyms and all the fun tech stuff here. You know, from your perspective, from an account management perspective, what are some of the challenges that you're seeing, you know, MSPs are asking you about? Maybe talk a little bit about your side of it, please.

It's always the new features that they want. Just-in-time is new for us; it wasn't part of our product in the beginning. Now it's the buzzword. It definitely does a thing that they need. I think they focus on that too much sometimes. They really need to... it's kind of like when your math teacher says, this is great, this is the right answer, but show your work, understand how you got there.

Interesting. Yeah, and so do you feel, or do you see, like a lot of your MSPs, you know, coming... like, do they even have a process in place, or the people in... I know you
mentioned time is a challenge for them earlier, right? But, you know, as they operationalize this, do they have the people, do they have the process, do they have, like, a plan to roll these things out?

I see it all over the place. Sometimes they do, sometimes they don't. Sometimes they think they do, and then they read some of our literature and they say, oh, that isn't quite the way I thought I was doing it, and make the changes they need.

I see. It's a really good point. Yeah, go ahead, Tim.

No, I was just gonna say, you know, we talk a lot here on Team Tim about people and process, right? And so, you know, selling a gym membership without ever talking to the personal trainer, or even setting foot in the gym to use the equipment, right? And so, you know, as we look to try to help better protect our customers, better protect their identity, bring these different toolsets into place... you know, as we start to wind down here right now, I'm gonna kind of bounce around and give everybody their opportunity to give their one key takeaway, because that's how we roll here. So, Jesse, are you ready with your one key takeaway? Do you want to kind of start, or do you want me to move to others?

No, I'm ready, I got it for you. So, you know, as we were talking today and thinking through this, and I was thinking through my journey building an identity service and product for the MSP that I worked as a CISO for, it really occurred to me that this is something, and from what Emily said, this is something that you can't just put the tool in and figure it out later. You have to take some time and really think through the approach, think through things like how does this work with our RMM? If we're doing SSO and we have a wide-open RMM configuration, or wide-open tool configuration, we're not doing anyone any favors. So I think it really needs to be what both Emily and Martin have said, of taking a holistic approach to it, making sure it's part of the culture,
part of the process, part of the way we govern from a personnel perspective, but then using the tool to facilitate that after we've decided on what the approach looks like. So, to shorten that: tactics over tools.

Tactics over tools. Thank you so much. What about you, Mr. Tim?

Yeah, so I'm the one that made that comment: CIS Controls 4 and 5, very low in the 1 through 18 here. So this is something that's incredibly important. You've got a submarine, you've got multiple compartments, and you don't want them to all get flooded at once, so how do you segment? And that's what zero trust is all about. So this is incredibly important. You know, Jess said tactics over tools, and this is more important than things that are further down in that control list. So if you don't have it enabled in some form: don't share admin accounts, and then do all the other compensating controls, as Martin mentioned as well.

And Emily, your one key takeaway, please.

I'm gonna go back to show your work. Understand what your products are doing. I think we all feel at some points that things aren't working, like even with the new ConnectWise issue in the last couple of weeks, things weren't exactly the way we thought.

Good stuff. And Martin, last but not least, let me bring you up on here.

I am way deep in the whole PAM identity management thing, and there are lots of different ways to look at it. I always need to learn and look, and there's always a lot of different viewpoints on the situation, a lot of different ways to solve it, and it's important to look around.

Good stuff. And, you know, my key takeaway is make sure you have a really good password, like Trey was saying over here. Move from, you know, the password to the passphrase, and whatever you do, don't tattoo it on your arm, like Martin had shared earlier. Oh my goodness.

Hey, Team Tim here, let me just bring this up real quick. I think next week we have something
really interesting going on here. Next week I won't be there, but we'll have Mr. Miller running this for us next week, and Tim as well. So next week we have Mr. Rody Burger on, right? He's been definitely someone very notable in the channel, who worked at some big cybersecurity outfits, and, you know, this is a conversation that we started at IT Nation last year, talking about really selling security to someone who's not technical, right, and constantly having that conversation. So I'm excited to follow this one up from, you know, something we pounded pretty hard on in 2023. I'm a little bummed I won't be there to join you all next week.

You might be there, I don't know. We're at Right of Boom next week. It depends if I can pop in live from Right of Boom, who knows.

So we're a minute over. I'm, you know, the time crunch guy here. Thanks, everybody, thank you so much. Do the, you know, do the things... no, wait, here, do this: subscribe now.