Your RMM System needs its own Secret Service
Today is Presidents' Day in the United States. It may seem like Presidents' Day would have very little to do with IT security but, when you really consider it, the president is at the core of the government just as a Remote Monitoring and Management (RMM) system is at the core of most IT service providers. The parallels shouldn't stop there though. Just as the president has his own protection, so too should your RMM system.
It's virtually impossible to get close to the president without consent. That's because the Secret Service has such a security-focused perspective. Security is the only thing they focus on. This means that no corners are ever cut, and their agents are trained and equipped to deal with threats of any shape or size.
As a user of an RMM system, you should have similar security concerns. Your RMM system is the President of all of your technological processes. Unfortunately, many businesses are unable to offer their RMM systems an acceptable degree of security, much less an exceptional degree. While many businesses fall below the aptly named "Security Poverty Line", for some businesses, being able to see that line would be an improvement. Standard things, like password management, are a daily struggle.
According to the 2014 Trustwave Global Security Report, 31% of their investigated breaches were the result of weak passwords.
If an attacker were able to gain access to an RMM system through a compromised password, they could do as they desired with the systems it managed. Data could be exfiltrated, systems could be overclocked to the point of failure, and managed systems could be brought down in more ways than one. As such, the protection of these systems is the highest priority. They need their own IT Security Secret Service.
Does your business have such a group in place? If not, then that should be the first step you take towards protecting your RMM system. It's not enough to just hire someone for this role. They also require the training and equipment necessary to do their job, and they need to be actively thinking about and evaluating the security processes in place around your business. That alone is a tall order.
In addition, every business should establish who has the authority to engage and solve its security problems as they arise. If the president were under attack, it would be his protective detail who had the ultimate authority over how he would be protected. If your business had its RMM system compromised, is your security advisor the person with the authority to take command over the entire situation? Should it be the same person? Why? While the Secret Service does a great job protecting the president, is that necessarily the best approach to follow from an IT security standpoint?
Unfortunately, there's no easy answer to these questions. Half of the security value gained by answering them comes from considering the questions themselves.