Securing Remote Access for Your MSP Clients
Humans aren’t machines, and naturally, they make mistakes. In fact, Verizon’s most recent Data Breach Investigations Report found 68% of breaches involve a non-malicious human element.
This is a statistic MSPs know far too well. They’re aware the human factor is one of the most unpredictable within the security mix. Combine this with remote working practices, and MSPs have a lot to manage. How can they help customers get secure access right?
Security or productivity — that’s not the question.
A hybrid workforce typically relies on a variety of devices, and the rise of Bring Your Own Device (BYOD) policies can create problems for security. Often, these devices are unmanaged and outside of an MSPs control, restricting the level of insight for making access decisions.
But hybrid work is here to stay. It has been adopted in 62% of workplaces, according to Zoom, and has catapulted remote access security to the top of the agenda. Associated threats include:
Password spraying — A type of brute-force attack where a hacker attempts to gain unauthorized access by systematically trying a few commonly used passwords across many accounts. We have seen an increase in this method towards Remote Access VPNs, or as a common attack vector for Remote Desktop Protocol (RDP) abuse.
Fraudulent Device Registration — An attack where an attacker uses stolen credentials to register a new, fraudulent device to an adversary-controlled account with access to MFA to gain persistent access.
Push spamming — An attack where attackers repeatedly push second-factor authentication requests to the target victim's email or phone, frustrating them to the point where they accept the false request.
Other MFA-targeting attacks include push phishing and MFA interception, where an attacker steals a one-time code that is sent through an SMS (short message service) or email and proceeds to log in with the user’s credentials and MFA code.
Yet when protecting against these risks and managing access securely, it’s crucial that it’s not a security vs. productivity argument. The two do not have to be mutually exclusive. Organizations still want a seamless experience to access their digital environments, and an MSP shouldn’t simply be adding more barriers to entry.
A three-step process
To provide both positive and secure experiences for organizations, MSPs can focus on three areas. The good news? Duo can help MSPs deliver quality security practices with all of them.
1. User trust
We always hear the saying, “never trust, always verify.” This starts with multi-factor authentication (MFA) and should evolve to include continuous verification, to stop attackers even after the point of login. Following the principle of least privilege, MSPs can create custom remote access policies and controls, defined by roles and user groups to prevent lateral movement.
For Duo MSPs: MFA is one of the strongest security protections, but not all MFA is created equal. Breaches demonstrate instances where traditional MFA like SMS and phone calls have been subverted. Duo protects against MFA-targeting attacks with anti- push-spamming features and a wide range of authentication types, including number matching and phishing-resistant FIDO2 options to help you transition clients away from the less secure methods.
2. Device trust
If an organization has embraced hybrid working practices, they’re likely running applications across a mixture of cloud environments. For consistent security, MSPs can’t miss security across VPNs, cloud apps, web apps and any custom services.
For Duo MSPs: Duo secures remote access protocols (VPN, RDP, SSH) by providing flexible access solutions used in conjunction with existing VPN solutions, reverse proxies and bastion hosts. When managing security remotely, MSPs can use tools like Duo’s free Helpdesk Identity Verification to ensure they’re talking to the right person on the other side of the phone.
Show your clients that stronger security doesn’t have to be cumbersome and improve productivity with a more straightforward administrative experience. Duo MSP helps service providers buy, sell, and grow Duo’s leading access security solution. To learn more or get started with a free demo, visit our Duo MSP page.
For more ways to protect remote work for your customers and solve other common client pain points, get the partner-ready Duo MSP Sales Playbook.