CyberQP Exec On How MSPs Are The Superheroes In Cybersecurity
Providing privileged access to IT systems only to technicians or help desk personnel who absolutely need it to do their jobs and then taking it away once they don’t need it anymore is an important part of protecting not only MSPs’ customer IT environments but also protecting the MSPs themselves.
That’s the word from Paul Redding, senior vice president of channel marketing and communities at CyberQP, a North Vancouver, British Columbia-based provider of technologies for privileged access management (PAM), help desk security automation, and end-user privilege elevation to MSPs.
Redding, a former MSP executive himself, compared MSPs to superheroes, noting that like superheroes, they are able to do things that customers do not understand.
“When you took over [your customers’] environments, you walked in and almost magically took over all the computer systems, all the data, all the things that make their business run and function, you with seemingly zero effort, just manage, and I don’t even understand how the heck this stuff works, right?” he told a group gathered at the XChange March 2025 conference, which is currently being held by CRN parent The Channel Company in Orlando, Florida. “Like, it’s a complete mystery to them.”
The difference, Redding said, is that MSPs are actually given their power by the people whose environments they are protecting.
“When I walked in and I took over a client environment, the first thing they did, without vetting me, without understanding anything about me at all, was hand me a giant stack of all their passwords, all their credentials, the keys to their kingdom, and be like, ‘Hey, Paul, here. This is yours. Now I want nothing to do with it. You got this, right? You got it?’” he said.
Redding, quoting Spider-Man, said that with great power comes great responsibility. MSPs have the keys to their customers’ entire business.
“Now I have the responsibility not only of protecting them and running the complex system, but they’re doing all the weird, little tiny stuff that nobody wants to deal with, all the little tiny stuff that is minuscule, like functions, day-to-day password resets, line of business application updates,” he said.
All that now becomes the MSP’s problem, Redding said.
“Not only do you have the responsibility for what you took in, you have the responsibility for all the actions of all your people every single day, day in and day out,” he said. “That’s the superhero problem that you face.”
Those actions are varied, Redding said. They include things like customers creating service accounts but not disclosing them, having poor or non-existent password policies, or not even knowing what their own personnel or their MSPs are doing with their data.
“Anybody remember the Chimera incident a couple of years ago?” he said. “An MSP hired a guy. This was the ultimate hire. This guy looked so great on paper. He's an Army veteran. The MSP themselves only hire veterans. For them, the owner is helping this guy get through getting his benefits from the military. He’s helping. And it turns out, one day ConnectWise calls with the FBI and says, ‘Hey, we found your technician selling access to your system on the dark web.’ The dude got the job to do it. It wasn't that he had worked there for years. He'd been there less than a year. He got his job to get in and get access to the systems that you owned. So you, in that case if you're that MSP, you literally walked the bad guy in and gave him the keys to the kingdom.”
Not only is it hard to keep up with what customers are doing to their environments, but the job is being made more complicated by changes needed to meet compliance requirements, Redding said.
For instance, he said NIST (National Institute of Standards and Technology) used to recommend changing passwords every 90 days but now says that passwords need only be changed if they’ve been compromised.
“Guys, every time one of your techs uses a password, it is immediately compromised,” he said. “It’s in their clipboard. It’s in their head. They’ve taken action with it. The passwords have been used, it's been compromised, and when those techs that have access to it get fired, leave, get hit by a bus, or win the lottery, it doesn't make any difference. Here you go again, rotating that password.”
Redding said his company, CyberQP, rotates all of an MSP’s passwords for those break glass accounts every single day or every time they get used.
“I call them break glass because those super admin passwords, that stuff sitting there that if you use it, it should be like the fire alarm where you're going to smash the glass, and the bells go off and the lights flash because you're not even supposed to work in that environment,” he said. “But every day, you need to rotate those because the one time you touch it, or the one time the tech leaves, I don't want to have to deal with this.”
Beyond password protection, Redding suggested that MSPs use what he called “just in time accounts,” which he said means ensuring that technicians are only given the absolute minimum authority to do their tasks rather than giving them full administration authorization.
“The first question we’re going to ask is, well, how much admin access do you need?” he said. “You don’t need to be a super admin to reinstall this printer. You don't need to be a super admin to update QuickBooks Enterprise. Most actions that your techs take do not require domain administrator access.”
Redding said he doesn’t even trust technicians to turn off the lights and close the door on the way out of the office every day.
“When you're done and the time limit runs out, we strip all privilege away from the account,” he said. “It is now a standard account, absolutely useless, and then we disable it. It doesn't exist. … You only give your team the access that they are required at the time they’re required to have it. That’s zero standing privilege.”
Another area MSPs need to watch is customers’ own employees. Redding cited the data breach that hit MGM in 2023 that cost that company $100 million in transactional losses. That breach, he said, came from the attackers merely calling the company’s third-party help desk provider, which did not validate the caller before providing administrative access.
“Back to my superhero analogy, Lex Luthor dressed up as the bank manager and asked Superman to rip the vault doors off and let him in,” he said. “And Superman said, 'Well, you look nice,' and ripped those vault doors off.”
Such attacks can be prevented by verifying the identity of whoever contacts the help desk every time someone attempts to gain entry, Redding said. CyberQP has an application for that task that works with Microsoft Authenticator to make sure that people are who they say they are when they call the help desk.
While taking away administration privileges and forcing password rotations helps improve customer safety, it also makes for some very angry users who got used to doing what they needed without someone looking over their shoulders, Redding said.
However, he said, it takes an average of 20 minutes to do a password reset. That is why CyberQP provides a self-serve password reset capability.
“Yes, I realize you could do it with [Microsoft] 365, but it's a science experiment,” he said. “[Users] get locked out of their account. They can’t get to their emails. It’s a big nightmare. We take that away. We allow them to do that.”
CyberQP is also just now releasing EPM, or endpoint privilege management, Redding said.
Altogether, technology can help protect MSP customers’ environments without making those customers’ lives more complicated, he said.
“What we do is we protect you,” he said. “We eliminate all that arduous stuff, making your help desk more efficient and work better.”
Cynthia Stiles, a system engineer at Cenetric Network Services, an Olathe, Kansas-based MSP, told CRN that she likes the idea of having a guaranteed way to ensure that passwords are being changed and that the help desk isn't trying to get into the firewall unnecessarily.
“Only having enough access to do the job is really what I’m kind of taking away from here,” Stiles said. “This is very important for us, because I feel like businesses use the domain admin account for everything. We've taken on clients for other MSPs and we found that they often have that same practice. One client had the same password for everything for 15 years, and just never went back and changed it because that discovery process is painful and very manual.”
It is important to understand that customers or level one technicians who make changes they should not have made, or who fail to patch something that should have been patched, can cause major issues, Stiles said.
“That ability to know that someone hasn’t changed something they shouldn’t have makes that troubleshooting session and finding the solution so much easier than having to go back and try and figure out who made a change, fix that, and then go forward, because you're just duplicating that much more work,” she said.
This is especially important as Cenetric does more with compliance, Stiles said.
“We work with a lot of non-profits, some of which have situations where they can't give out information on who they take care of,” she said. “That information should remain secure and away from my technicians and from me.”