4 Password Management Mistakes that RMM Admins Must Avoid
Many of my most successful MSP clients depend on their remote monitoring and management (RMM) tool for the success of their business. RMMs are growing more and more popular with MSPs across the board, and it’s easy to see why. RMM platforms like Kaseya (the market leader) and N-Able, Continuum, etc., allow MSPs to effectively manage the needs of multiple clients and systems, all from the comfort of their own home or office.
When they don’t have to run from office to office or work on-site for every maintenance and troubleshooting task, MSPs can maximize their time and efforts. Plus, today’s RMM platforms provide advanced analysis and monitoring tools—offerings that go far beyond mere convenience.
But these same MSPs also worry about the security of their RMM. After all, these tools are so effective because they allow for unprecedented remote access—access that is incredibly useful in the hands of a skilled IT pro…and incredibly dangerous in the hands of a skilled hacker. Should a malicious party gain access to the RMM, they would have access to all client systems and resources. It’s a scary thought.
For instance, Kaseya Live Connect (KLC) is a powerful tool that has earned the praise of all loyal Kaseya users. If a criminal is able to access your Kaseya infrastructure, they can use KLC to access all systems with the touch of a single button.
Fortunately, today’s IT security technology makes securing your RMM a no-brainer. By avoiding these four common password management mistakes, you can ensure your RMM is virtually hack-proof:
Mistake #1: Not regularly auditing RMM usage
Do you know what your users are doing? Auditing is key to protecting your RMM. With today’s password management and security options, you can easily automate daily and weekly audit logs and set up alerts for any “red flag” behaviors, like repeated remote logins or multiple failed logins. These auditing tools are not only helpful, they’re often required under compliance regulations like HIPAA, CJIS, or PCI.
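As an added example (not code from the original post or from any RMM vendor), here is how the two “red flag” behaviors named above can be turned into detection logic run over audit log lines. The log format, user names, hosts, thresholds and time windows are all constructed assumptions; a real RMM export will need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z user=jdoe event=login result=success src=10.0.0.5
2024-03-04T09:01:03Z user=tsmith event=login result=fail src=203.0.113.7
2024-03-04T09:01:20Z user=tsmith event=login result=fail src=203.0.113.7
2024-03-04T09:01:41Z user=tsmith event=login result=fail src=203.0.113.7
2024-03-04T09:02:05Z user=tsmith event=login result=fail src=203.0.113.7
2024-03-04T09:03:00Z user=jdoe event=remote_session result=success agent=CLIENT-A-DC01
2024-03-04T09:03:30Z user=jdoe event=remote_session result=success agent=CLIENT-A-FS01
2024-03-04T09:04:10Z user=jdoe event=remote_session result=success agent=CLIENT-B-WS07
2024-03-04T09:04:40Z user=jdoe event=remote_session result=success agent=CLIENT-C-SQL01
2024-03-04T09:05:00Z user=jdoe event=remote_session result=success agent=CLIENT-D-WS02
2024-03-04T09:40:00Z user=jdoe event=remote_session result=success agent=CLIENT-E-WS09
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def sliding_window_alerts(events, predicate, threshold, window, label):
    """Flag each user with >= threshold matching events inside any `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if predicate(ev):
            per_user[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((label, user))
                break  # one alert per user per rule is enough
    return alerts

def audit(log_text):
    """Return (rule, user) alerts for failed-login bursts and remote-session bursts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failed = lambda e: e["event"] == "login" and e["result"] == "fail"
    remote = lambda e: e["event"] == "remote_session"
    return (sliding_window_alerts(events, failed, 3, timedelta(minutes=5), "multiple_failed_logins")
            + sliding_window_alerts(events, remote, 5, timedelta(minutes=10), "repeated_remote_logins"))

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Tune the thresholds to your techs’ normal workload; five remote sessions in ten minutes may be routine for one MSP and a red flag for another.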
Mistake #2: Not adding an extra layer of security to Kaseya Live Connect
As I mentioned earlier, KLC—while crucial to MSPs trying to handle the needs of their clients—is certainly a security hot spot for hackers trying to worm their way into a Kaseya instance. Hackers understand IT security and are always looking for more bang for their buck, so to speak. Full remote access with one button? It’s like hitting the jackpot. This is why it’s so important to find security software that provides the option for an additional KLC security check, where the user will have to present another security credential before gaining access.
Mistake #3: Not securing RMM with two-factor authentication (2fa)
When a system is protected by 2fa, the user must not only enter a password (something they know) to gain access—they’ll also need to provide another security “factor,” like a one-time access code generated by a mobile app on their smartphone (something they have), or a matching fingerprint scan (something they are). 2fa is really a must-have for RMM, because it makes the system nearly impenetrable to an outside attack. Just think, even if a hacker is able to get their hands on a compromised password, they won’t be able to provide the needed second credential, so they won’t be able to get in. 2fa is quickly becoming standard in enterprise IT security, especially in terms of remote access. Regulations and standards like HIPAA, PCI, and the FBI’s CJIS have already included it in their compliance guidelines.
Mistake #4: Not simplifying strong password security for your techs
When it comes to password security, your #1 weak spot is most likely human error. At some point, someone (or everyone) is going to get frustrated with password policy and not follow it. Whether it’s using an easy-to-guess password (“password1”), storing all their passwords on a very swipe-able Post-it note, or sharing passwords with co-workers, people and passwords just don’t mix. By using a smart, centralized password management system that automates password-related tasks, and protecting your RMM with 2fa, you’re taking human error out of the equation.