These days, no one stays in their jobs forever. Try as you might to hold on to your most talented techies (or, let’s face it, your less talented ones), eventually, life circumstances will take them away from your managed service provider (MSP) business, and with them, all the passwords for the customer accounts they worked on. Earlier in 2013, we surveyed the attendees of a webinar we gave. I was not at all surprised to learn that 74 percent of the IT companies attending the webinar had experienced staff turnover in the past year. When a staff member leaves your business, you can take away his key card, but you can’t erase from his memory the passwords he used to access your clients’ systems, applications, and networks.

Data is more valuable than it has ever been. Many businesses are a single data breach away from a business-closing disaster. Your clients put their trust in you that your IT services will protect them from that risk. What would they think if they knew someone—your former IT technician—was out there with the key to their data in his head, able to unlock it and expose it to the world? As an MSP, you must take the security of your passwords and your customers’ passwords very seriously. To protect the passwords that protect your customers’ data, you need a plan.

Password Management Best Practices

I say you need a plan because so many businesses I work with don’t have one. They may or may not have a central place where they store password information, like an Excel spreadsheet or even just a Word doc, but that hardly qualifies as a plan. Among its many shortcomings, storing credentials in a spreadsheet, a Word doc, or an out-of-date personal password manager requires human intervention every time a password changes. That is an opportunity for human error, either through entering the wrong information or through not entering it at all. Too many times, the MSPs I work with tell me they spend an inordinate amount of time reconciling the passwords recorded internally with the passwords actually in use on the application, if they bother to try to keep them in sync at all. It’s really difficult.

When I talk about password management best practices with MSPs, there are three must-haves I always highlight: access control, auditing, and change management. Each of those broad categories can be broken down further:

Access Control

A good password management system should have:

  • A way to control who can access passwords.
  • A way to control what someone can do with passwords (create/read/write/delete).
  • A way to centrally store and access passwords from virtually anywhere (where practical and appropriate, of course).

Password Auditing

This is the element of password management that involves checking that everything in the system is as it should be. It should include:

  • A way to see who has accessed the passwords.
  • A way to check that stored passwords meet complexity and compliance rules.
  • A way to check that stored passwords actually match what is being used on systems and services.
  • A way to inform those with authority when something is wrong or goes against the password management process.

Change Management

This comes back to the former employee situation I discussed at the beginning of this blog post. Best practices for change management include:

  • A way to automatically change passwords when required and where possible.
  • A way to inform those with authority when a password requires manual intervention to be changed.
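To make the three must-haves concrete, here is an added example (my own illustration, not the product or code of the author or the company behind this post) of a minimal in-memory vault that covers the access control, auditing and change management lists above. The vault, the complexity policy, the technician names, and the two callbacks that stand in for a real login check and a real password change on customer equipment are all constructed for the example; a real system would talk to actual directories, devices and applications.

```python
"""Toy model of the three password-management must-haves from the post:
access control, auditing, and change management. Constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re
import secrets
import string

PERMISSIONS = {"create", "read", "write", "delete"}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


@dataclass
class Entry:
    username: str
    password: str
    acl: dict = field(default_factory=dict)  # technician -> set of permissions
    auto_rotate: bool = True                  # False when the target needs a manual change


class PasswordVault:
    """Central store: every access is checked against the entry's ACL and logged."""

    def __init__(self, admins):
        self.admins = set(admins)   # only admins may create entries (hypothetical role)
        self.entries = {}           # key such as "acme/router" -> Entry
        self.audit_log = []         # (timestamp, who, action, key, allowed)
        self.alerts = []            # messages for whoever owns the process

    def _log(self, who, action, key, allowed):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append((stamp, who, action, key, allowed))

    def _authorize(self, who, action, key):
        entry = self.entries.get(key)
        allowed = entry is not None and action in entry.acl.get(who, set())
        self._log(who, action, key, allowed)   # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{who} may not {action} {key}")
        return entry

    # --- access control: who may do what with which password ---------------
    def create(self, who, key, username, password, acl):
        allowed = who in self.admins and key not in self.entries
        self._log(who, "create", key, allowed)
        if not allowed:
            raise PermissionError(f"{who} may not create {key}")
        self.entries[key] = Entry(username, password,
                                  {u: set(p) & PERMISSIONS for u, p in acl.items()})

    def read(self, who, key):
        entry = self._authorize(who, "read", key)
        return entry.username, entry.password

    def write(self, who, key, new_password):
        self._authorize(who, "write", key).password = new_password

    def delete(self, who, key):
        self._authorize(who, "delete", key)
        del self.entries[key]

    # --- auditing: who touched what, and is the store still correct ---------
    def accesses_by(self, who):
        return [rec for rec in self.audit_log if rec[1] == who]

    @staticmethod
    def policy_violations(password, min_length=12):
        checks = {f"shorter than {min_length}": len(password) >= min_length,
                  "no uppercase": re.search(r"[A-Z]", password),
                  "no lowercase": re.search(r"[a-z]", password),
                  "no digit": re.search(r"\d", password),
                  "no symbol": re.search(r"[^A-Za-z0-9]", password)}
        return [name for name, ok in checks.items() if not ok]

    def audit_policy(self):
        """Entries whose stored password breaks the complexity rules."""
        return {k: v for k, e in self.entries.items()
                if (v := self.policy_violations(e.password))}

    def audit_drift(self, live_verify):
        """Entries whose stored password no longer works on the live system.
        live_verify(key, username, password) -> bool stands in for a real login check."""
        drifted = []
        for key, e in self.entries.items():
            self._log("vault-auditor", "verify", key, True)
            if not live_verify(key, e.username, e.password):
                drifted.append(key)
                self.alerts.append(f"{key}: stored password does not match live system")
        return drifted

    # --- change management: rotate automatically, escalate when you cannot --
    def rotate(self, key, live_set_password):
        """live_set_password(key, username, new_password) -> bool; False means the
        target has no automatic way to change the password and a person must act."""
        e = self.entries[key]
        new_password = "".join(secrets.choice(ALPHABET) for _ in range(20))
        while self.policy_violations(new_password):        # regenerate until compliant
            new_password = "".join(secrets.choice(ALPHABET) for _ in range(20))
        if not e.auto_rotate or not live_set_password(key, e.username, new_password):
            self.alerts.append(f"{key}: manual password change required")
            self._log("vault-rotator", "rotate", key, False)
            return False
        e.password = new_password   # store only after the target accepted it
        self._log("vault-rotator", "rotate", key, True)
        return True

    def offboard(self, who, live_set_password):
        """Strip a departing technician from every ACL and rotate what they could read."""
        exposed = [k for k, e in self.entries.items() if "read" in e.acl.get(who, set())]
        for e in self.entries.values():
            e.acl.pop(who, None)
        self.admins.discard(who)
        return {k: self.rotate(k, live_set_password) for k in exposed}
```

The point of `offboard` is the one the post opens with: the technician's memory cannot be wiped, so every password he could read is rotated the moment his access is revoked, and any system that cannot be rotated automatically is raised as an alert for manual follow-up instead of silently left alone. Rotation never shows the new password to a person, and the drift audit catches the case where someone changed a password on the device but not in the store.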

It’s clear from these password management best practices that a spreadsheet just isn’t going to cut it when it comes to protecting your customers’ valuable data (and your own, for that matter).

This was just an overview. We’ll dig deeper into these best practices in future blog posts. If you’re looking for more information right away, download our free eBook “The 10 Essential Requirements of a Great Password Management System”.