
June 8, 2026

MSP Security Checklist: 7 Essential Controls for Your Next Audit

Is your managed service provider the weakest link in your supply chain? Granting administrative access to a third party means their security posture effectively becomes your own. Verifying technical safeguards is critical for protecting your environment and maintaining compliance with modern standards.

Centralised MFA and Identity Management

Multi-factor authentication is the most effective way to prevent account compromise, but the specific method of implementation matters. Many providers still rely on "shadow MFA," where authentication secrets are stored on a technician’s personal smartphone. This creates a dangerous single point of failure and a significant visibility gap for the organisation.

A mature provider should use an MFA management platform that holds the authentication secrets and generates the codes from them. This centralised approach ensures that:

  • Secrets reside in a secure, encrypted repository rather than on unmanaged personal devices.
  • The provider maintains Authenticator Assurance Level 2 (AAL2) alignment as defined by NIST.
  • Control of the codes remains with the organisation, ensuring that no single employee "owns" the authentication secrets.

Per-Client Vault Isolation

Cross-tenant contamination is a high-risk scenario for any service provider. If a provider uses a single shared vault or password manager for all customers, a breach of one set of credentials could expose every client they manage. This lack of isolation is a primary target for attackers seeking to move laterally between different organisations.


When auditing your provider, ask about their MSP-specific security principles. They should be able to demonstrate that:

  • Each client has a dedicated, isolated vault for credentials and MFA seeds.
  • Technicians only have visibility into the specific clients they are assigned to support.
  • Permissions are granular, preventing any single user from having "god mode" access across the entire portfolio.

Comprehensive Audit Logging

Visibility is a core requirement for mitigating risks associated with external service providers. According to CISA guidance, organisations must have the ability to verify who accessed their systems and what specific actions were performed. Without detailed logs, forensic investigations following a security incident become nearly impossible to conduct.

A compliant provider should be able to produce records of:

  • Every instance where a staff member retrieves a shared OTP code.
  • Changes to Identity and Access Management (IAM) privileges within your cloud environment.
  • Login attempts to critical infrastructure such as Microsoft 365, AWS, or Google Workspace.

Instant Access Revocation

High staff turnover is a common reality in the IT industry, making offboarding a critical security event. When a technician leaves a provider, their access must be terminated immediately across every client environment they once managed. Manual rotation of every password and MFA seed is rarely feasible in a fast-paced setting.


Modern providers mitigate this risk with platforms that support instant revocation: the organisation disables a technician's access to the central vault in seconds. Because the technician never held the seeds themselves, this immediately removes their ability to generate any client MFA code, without the operational burden of rotating the underlying secrets for every client. This only holds if the seeds never left the vault, which is why the platform should prevent export and log every retrieval.

Alignment with Compliance Frameworks

While no single certification covers every aspect of MSP operations, several frameworks provide a baseline for essential cyber hygiene. Verify if your provider aligns with the following standards:

  • SOC 2 (Type II): Specifically the Security Trust Services Criteria, which ensures they have controlled access and continuous monitoring in place.
  • ISO 27001: Focuses on systematic risk management and the security of supplier relationships.
  • CIS Controls v8.1: Implementation Group 1 (IG1) defines the essential safeguards for basic cyber hygiene.
  • PCI DSS v4.0: For providers handling payment data, it mandates multi-factor authentication for all administrative access into the cardholder data environment.

Privileged Access Management (PAM)

The Principle of Least Privilege (PoLP) dictates that users should only possess the minimum access necessary to perform their job functions. A secure provider should implement a robust privileged access management framework to govern elevated permissions.

Key PAM features to look for in a provider's internal workflow include:

  • Just-in-Time (JIT) Access: Permissions are granted only for the specific duration of a task.
  • Session Monitoring: Real-time recording of administrative sessions for forensic investigation and accountability.
  • Credential Vaulting: Storing all administrative secrets in repositories protected by strong encryption such as AES-256.
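The Just-in-Time and Session Monitoring points above amount to a small policy: elevation is tied to a task, approved by someone other than the requester, expires on a clock rather than on inactivity, and every privileged command is recorded against the grant. The following is an added example written for this article, not any PAM product's API; the role names, ticket reference and technicians are constructed.

```python
"""Toy just-in-time (JIT) privilege grant with session recording. Added
example; the role, ticket and people are constructed placeholders."""
from dataclasses import dataclass, field

MAX_TTL = 4 * 3600   # policy: no elevation may outlive a working half-day


@dataclass
class Grant:
    technician: str
    client: str
    role: str
    task: str          # change/ticket reference the elevation is tied to
    approved_by: str
    starts: int        # Unix time
    expires: int       # Unix time; void after this regardless of activity
    session: list = field(default_factory=list)   # recorded commands


GRANTS = []
DENIED = []          # attempts made with no active grant, for review


def request_jit(technician, client, role, task, approver, now, ttl=3600):
    """Create a time-boxed grant. Refuses self-approval and over-long TTLs."""
    if approver == technician:
        raise ValueError("self-approval is not allowed")
    if ttl <= 0 or ttl > MAX_TTL:
        raise ValueError(f"ttl must be within 1..{MAX_TTL} seconds")
    grant = Grant(technician, client, role, task, approver, now, now + ttl)
    GRANTS.append(grant)
    return grant


def active_grant(technician, client, role, now):
    """Return the grant that authorises this role on this client right now."""
    for g in GRANTS:
        if (g.technician, g.client, g.role) == (technician, client, role) \
                and g.starts <= now < g.expires:
            return g
    return None


def privileged_action(technician, client, role, command, now):
    """Gate a privileged command on an active grant and record it."""
    grant = active_grant(technician, client, role, now)
    if grant is None:
        DENIED.append({"ts": now, "technician": technician, "client": client,
                       "role": role, "command": command})
        return False
    grant.session.append({"ts": now, "command": command})
    return True


def session_transcript(grant):
    """Human-readable record for forensic review of one elevation."""
    header = (f"{grant.technician}@{grant.client} as {grant.role} "
              f"for {grant.task}, approved by {grant.approved_by}, "
              f"{grant.starts}-{grant.expires}")
    lines = [f"  {e['ts']} {e['command']}" for e in grant.session]
    return "\n".join([header, *lines])


if __name__ == "__main__":
    g = request_jit("alice", "client-acme", "m365-global-admin",
                    "CHG-0042", "dave", now=1000, ttl=900)
    print(privileged_action("alice", "client-acme", "m365-global-admin",
                            "reset user password", now=1500))   # True
    print(privileged_action("alice", "client-acme", "m365-global-admin",
                            "add global admin", now=1900))      # False, expired
    print(session_transcript(g))
```

Two design choices matter for an audit: the expiry is absolute, so an idle session cannot keep a grant alive, and refused attempts are kept in their own list rather than dropped, because a technician acting outside any grant is exactly the event an investigator needs to see.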

Incident Response and Recovery

You must know exactly how a provider will react if they – or you – experience a compromise. CISA recommends performing regular tabletop exercises to test these scenarios. A provider who cannot clearly explain their role in your incident response plan is a significant liability.

Your audit should confirm:

  • A documented Incident Response Plan that clearly defines the provider's communication and remediation responsibilities.
  • Regularly tested backups that are stored in immutable storage to protect against ransomware and accidental deletion.
  • A transparent communication chain for reporting and escalating security events in real-time.

Moving away from ad-hoc processes and personal devices is essential for a secure MSP-client relationship. By enforcing centralised MFA management and strict isolation, you ensure your provider remains a secure asset to your business.

Protect your client environments with Gatera’s team-based MFA vault. Try Gatera free for 14 days and bring centralised control to your MSP's authentication workflow.
