Managed IT Services: Data Ownership and Access Control Conflicts

The 74% Failure Point

Privileged Access Management failures are involved in 74% of data breaches. CISA research identifies administrative credentials as the primary vector for serious compromise. When MSPs manage your infrastructure, they hold the keys. The question becomes: who controls those keys, and what happens when the relationship ends?

The access control problem extends beyond security. It encompasses ownership, authority, and the fundamental question of who controls your technology stack.

The Credential Custody Problem

MSP technicians need administrative access to manage systems. That access must exist somewhere. The location and control of those credentials determine power dynamics in the relationship.

| Credential Storage Model | Control | Risk | Exit Complexity |
|---|---|---|---|
| MSP-managed vault | MSP | Dependency, opacity | High |
| Client-managed vault | Client | Operational friction | Low |
| Shared vault with audit | Both | Balanced | Medium |
| Federated identity | Both | Technical complexity | Medium |

The model chosen at engagement persists through the relationship. Changing models mid-contract requires significant effort and cooperation.

The “Hostage Ware” Contract Trap

Twenty percent of MSP contracts effectively function as hostage arrangements. Full payment of the remaining contract term is required to release admin credentials at termination. The practice isn’t disclosed upfront. It emerges when the relationship ends.

Contract language enables this through:

Ownership clauses. The MSP owns accounts created during engagement.

Transition fee provisions. Knowledge transfer requires additional payment beyond contract terms.

Credential release conditions. Credentials release only after full account settlement, including disputed charges.

Tool dependency. MSP-proprietary tools contain configurations that can’t export to standard formats.

Review termination provisions before signing. The leverage you have before engagement disappears after signing.

Orphaned Accounts: The 30% Ghost Problem

Orphaned admin accounts remain active in 30% of offboarded environments. The previous IT person left. Their account still works. The MSP relationship ended. Their service accounts still authenticate.

Each orphaned account is a potential breach vector. Former employees remember passwords. Former MSP technicians retain access. The accounts persist because nobody inventoried them at departure.

Account lifecycle management requires:

Complete inventory. Every account with privileged access documented.

Ownership assignment. Each account tied to a responsible individual.

Regular recertification. Periodic verification that access remains appropriate.

Departure protocols. Checklist execution at every termination, including MSP termination.

The organization that “mostly” manages accounts has unknowable exposure through the accounts they missed.
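
The lifecycle checks listed above can be run as a reconciliation between the accounts that actually hold privilege and the documented inventory. The following is an added example, not code from the original article; the account, person and vendor names, the record fields and the 90-day recertification interval are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumed review period; the article only asks for "regular" recertification.
RECERT_INTERVAL = timedelta(days=90)

def audit_privileged_accounts(directory, inventory, active_people, active_vendors, today):
    """Return {account: [reasons]} for privileged accounts failing a lifecycle check."""
    findings = {}
    for name in sorted(directory):
        record = inventory.get(name)
        if record is None:
            # The account holds privilege but was never documented.
            findings[name] = ["not in inventory"]
            continue
        reasons = []
        owner = record.get("owner")
        if not owner:
            reasons.append("no owner assigned")
        elif owner not in active_people:
            reasons.append("owner has departed")
        vendor = record.get("vendor")
        if vendor and vendor not in active_vendors:
            reasons.append("vendor relationship ended")
        last = record.get("recertified")
        if last is None or today - last > RECERT_INTERVAL:
            reasons.append("recertification overdue")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample data: every name and date below is hypothetical.
DIRECTORY = {"adm-mlee", "adm-jsmith", "svc-oldmsp-rmm", "svc-backup", "adm-temp"}
INVENTORY = {
    "adm-mlee": {"owner": "mlee", "vendor": None, "recertified": date(2025, 5, 20)},
    "adm-jsmith": {"owner": "jsmith", "vendor": None, "recertified": date(2025, 5, 20)},
    "svc-oldmsp-rmm": {"owner": "mlee", "vendor": "old-msp", "recertified": date(2025, 1, 10)},
    "svc-backup": {"owner": None, "vendor": "new-msp", "recertified": date(2025, 6, 1)},
}
ACTIVE_PEOPLE = {"mlee"}       # current staff roster
ACTIVE_VENDORS = {"new-msp"}   # vendors with a live contract
TODAY = date(2025, 6, 30)

def demo():
    return audit_privileged_accounts(DIRECTORY, INVENTORY, ACTIVE_PEOPLE, ACTIVE_VENDORS, TODAY)

if __name__ == "__main__":
    for account, reasons in demo().items():
        print(f"{account}: {'; '.join(reasons)}")
```

In practice the `DIRECTORY` set would come from an export of privileged group membership and the roster sets from HR and contract records, so the check can be rerun at every departure and every vendor termination.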

The Admin Access Audit Trail

Who accessed what and when? If your MSP manages systems, can you answer this question independently?

Audit trail requirements:

Independent logging. Logs that the MSP can’t modify or delete.

Administrative action capture. Every privileged action recorded.

Retention adequate for investigation. 90 days minimum, longer for regulated industries.

Regular review. Someone actually looks at audit data, not just stores it.

MSPs that resist independent audit logging have reasons. Those reasons may not align with your interests.

The Data Ownership Legal Reality

Who owns the data in managed systems? The answer seems obvious: you do. The implementation is messier.

Data in MSP-managed backups. If the MSP manages backup infrastructure, data resides on their systems. Contractual language must address ownership and access.

Data in MSP-proprietary tools. Ticket histories, configuration databases, and monitoring data may live in systems you can’t access directly.

Derived data. Analytics, reports, and insights generated from your data may be claimed as MSP intellectual property.

Copies and exports. Can you export all data in standard formats? Or does leaving require abandoning historical records?

Contracts should specify data ownership explicitly, including derived data and the right to export in usable formats.

The Termination Data Extraction Problem

“Data hostage” fees for exporting your own data can range from $5,000 to $50,000 depending on volume. The fees materialize at termination, when leverage has shifted.

Data extraction challenges include:

Format dependency. Data exports in proprietary formats that require MSP tools to read.

Incomplete extraction. Some data “can’t be exported” due to technical limitations.

Extended timelines. Extraction takes weeks, extending the transition period.

Quality degradation. Extracted data loses metadata, relationships, or historical context.

Pre-negotiate extraction terms. Define formats. Establish timelines. Agree on costs. The conversation is easier before signing.

Multi-Tenant Security Boundaries

MSPs serve multiple clients from shared infrastructure. Your data sits near other clients’ data. The separation depends on the MSP’s security practices.

| Separation Model | Security Level | Cost | Common Implementation |
|---|---|---|---|
| Shared infrastructure, logical separation | Lower | Lowest | Small MSPs |
| Dedicated tenant instances | Medium | Medium | Mid-market MSPs |
| Physically separated infrastructure | Highest | Highest | Enterprise MSPs |

The model affects breach impact. A compromise at the MSP level could expose multiple clients’ data. Understanding your MSP’s architecture informs risk assessment.

Access Control During the Relationship

Beyond termination, access control during active engagement requires attention:

Principle of least privilege. MSP staff should have minimum access required for their role. Junior technician access should differ from senior engineer access.

Access request process. Elevated access for specific tasks should require request and approval, not standing privilege.

Access removal at role change. When MSP staff change roles or leave, their access to your environment should update.

Regular access review. Quarterly review of who has access to what catches drift.

Trust doesn’t replace verification. Even trusted MSPs benefit from access controls that prevent accidents and limit blast radius if trust is misplaced.
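
One way to act on both the audit trail requirements and the access request process is to review independently held logs against the list of approved elevation requests. This is an added example, not part of the original article; the log line format, account names, hosts and approval records are constructed, and the retention check is a heuristic that assumes the log source has been producing events for at least 90 days.

```python
from datetime import datetime, timedelta

RETENTION_MIN = timedelta(days=90)  # the article's stated minimum retention

# Constructed audit events: timestamp, actor, action, target (hypothetical format).
LOG = """\
2025-03-25T08:00:00 msp-tech1 group_add DC01
2025-06-10T14:05:00 msp-tech1 password_reset FILESRV
2025-06-10T23:40:00 msp-tech2 firewall_rule_change FW01
2025-06-28T09:15:00 msp-tech1 mailbox_export MAIL01
"""

# Constructed approved requests: actor, target, window start, window end.
APPROVALS = [
    ("msp-tech1", "FILESRV", "2025-06-10T13:00:00", "2025-06-10T17:00:00"),
    ("msp-tech2", "FW01", "2025-06-11T09:00:00", "2025-06-11T12:00:00"),
]

def parse_log(text):
    """Parse whitespace-separated audit lines into (datetime, actor, action, target)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, target))
    return events

def unapproved_actions(events, approvals):
    """Return events with no approval for the same actor and target covering the timestamp."""
    windows = [(a, t, datetime.fromisoformat(s), datetime.fromisoformat(e))
               for a, t, s, e in approvals]
    flagged = []
    for ts, actor, action, target in events:
        covered = any(a == actor and t == target and s <= ts <= e
                      for a, t, s, e in windows)
        if not covered:
            flagged.append((ts.isoformat(), actor, action, target))
    return flagged

def retention_ok(events, now):
    """Heuristic: the oldest retained event should be at least RETENTION_MIN old."""
    return bool(events) and now - min(e[0] for e in events) >= RETENTION_MIN

if __name__ == "__main__":
    evts = parse_log(LOG)
    print("retention ok:", retention_ok(evts, datetime(2025, 6, 30)))
    for item in unapproved_actions(evts, APPROVALS):
        print("no approval:", *item)
```

The log input should come from a store the MSP cannot modify or delete, otherwise the review only confirms what the MSP chose to leave in place.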

The Shared Responsibility Gap

Cloud environments add complexity. The MSP manages your cloud infrastructure. The cloud provider hosts it. Shared responsibility models define boundaries, but gaps emerge.

Layer Cloud Provider MSP Client
Physical security
Network infrastructure
Virtualization layer
Operating system
Applications Sometimes
Data Partial
Access control Shared Shared
Identity management Partial Partial

The “shared” and “partial” designations create gray zones. Explicit agreement on who manages each layer prevents assumption gaps.

Building Defensible Access Controls

Access control that survives relationship changes requires:

Written access agreements. Documented understanding of what access exists, why, and under what conditions it terminates.

Independent account ownership. You control the root/administrator accounts. The MSP uses delegated access.

Audit capability. You can verify MSP activity independently.

Exit provisions. Credentials and data return in defined formats within defined timelines at defined cost.

Regular verification. Periodic testing that controls work as documented.

The investment in control infrastructure pays when relationships change, whether through planned transition or unexpected termination.


Sources

  • PAM failure in breaches: CISA (Cybersecurity & Infrastructure Security Agency)
  • Contract provisions and hostage patterns: MSP contract analysis
  • Orphaned account rates: Identity management industry research