The £20 million fine the ICO imposed on British Airways for its 2018 data breach (cut from a proposed £183 million, and still one of the largest UK penalties at the time) sent shockwaves through every sector that handles client data. For Managed Service Providers (MSPs), the message was unambiguous: credential compromise affecting customer environments now carries existential financial risk. The ICO's penalty notice traced the attacker's initial access to the compromised remote-access credentials of a third-party contractor's employee, which is exactly the supplier-side exposure an MSP represents to its clients. Yet three years after NIS2 came into force, most MSPs remain fundamentally exposed to the same attack vector that felled BA: compromised credentials that auditors cannot trace, control, or revoke.
The MSP credential complexity crisis
MSPs face a unique credential governance challenge that traditional enterprises do not. Where a corporation manages credentials for its own employees accessing its own systems, MSPs must govern credentials across multiple client environments, each with distinct security requirements and regulatory obligations.
Consider a mid-sized MSP managing 200 client environments. Each technician requires administrative access to client systems, backup platforms, monitoring tools, and cloud infrastructure. Multiply this across shift patterns, contractor access, and emergency response scenarios, and the credential count rapidly exceeds 50,000 active credentials. When SOC 2 Type II auditors examine this environment, they require evidence of credential creation, distribution, usage monitoring, and revocation for every single access point.
The regulatory burden intensifies under NIS2, which explicitly requires "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." For MSPs, this translates to demonstrable control over every credential that could impact client systems. ISO 27001 certification, increasingly demanded by enterprise clients, requires similar evidence: in the 2013 edition of Annex A, control A.9.2.1 (User registration and de-registration) and A.9.2.5 (Review of user access rights); in the 2022 edition these become 5.16 (Identity management) and 5.18 (Access rights).
The data tells a stark story
Recent research from the Ponemon Institute reveals that 61% of data breaches in managed services environments involve compromised credentials. More concerning for MSPs: the average time to identify a credential-based breach is 287 days, during which attackers maintain persistent access to client environments.
Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involving managed service providers used stolen credentials as the primary attack vector. The financial impact extends beyond direct losses—MSPs report an average 23% client churn rate following a credential-related security incident, according to CompTIA's 2024 MSP Trust and Security Study.
Regulatory penalties compound these losses. Under NIS2, fines can reach €10 million or 2% of global annual turnover for essential entities (€7 million or 1.4% for important entities), whichever is higher. For MSPs operating on typical 15-20% margins, a single significant breach can eliminate years of profit growth.
The compliance burden generates hidden costs too. MSPs report spending an average of 40 hours per quarter preparing credential governance evidence for SOC 2 audits, according to Service Leadership research. ISO 27001 certified MSPs spend 60% more time on credential documentation than their non-certified counterparts.
Why current tools fall short of regulatory requirements
Identity and Access Management (IAM) platforms promise credential control but typically delegate password creation to users. When auditors examine IAM logs, they see access events but cannot verify who actually created or knows the credential. SOC 2's CC6.1 control requires evidence that logical access is "restricted to authorised users"—difficult to prove when users generate their own passwords.
Privileged Access Management (PAM) solutions create another layer of complexity. While PAM tools can vault and rotate passwords, they still rely on users creating initial credentials, and any password a user has typed or copied out of the vault exists outside it. Under ISO 27001 control A.9.2.3 (Management of privileged access rights; 8.2 in the 2022 edition), "the allocation and use of privileged access rights shall be restricted and controlled." A password chosen by the user is a secret the organisation neither generated nor can prove is held only by the intended account, which makes that control hard to evidence.
Single Sign-On (SSO) centralises authentication but does not address the fundamental issue: users still create and know their credentials. Multi-Factor Authentication (MFA) adds security layers, but adversary-in-the-middle phishing kits now proxy the real login page and relay SMS codes, authenticator codes and push approvals in real time, so only phishing-resistant methods bound to the site origin (FIDO2/WebAuthn, including passkeys) withstand that attack. Microsoft reported a 74% increase in successful phishing attacks against MFA-protected accounts in 2024.
Zero Trust architectures assume breach and verify every transaction, but verification relies on credentials that users control. If the underlying credential is compromised, Zero Trust becomes a sophisticated system for authenticating attackers.
The common failure point across all these technologies: they conflate identity with access. Users prove who they are using credentials they created and control. This fundamental design makes credentials inherently phishable and governance inherently incomplete.
Separating identity from access control
The solution requires recognising that identity and access represent distinct concepts. Identity establishes who someone is; access determines what they can reach. Current systems blur this distinction by letting users create credentials that serve both functions.
MyCena Technologies has developed a patented approach that separates these functions entirely. Under this model, organisations generate all credentials using cryptographic processes. These credentials are encrypted and distributed to authorised users, but users never see the actual password. When authentication occurs, the credential is decrypted automatically without user visibility or input.
This architectural change removes the user from the disclosure path: a technician cannot type, paste or read out a password they have never seen, so a fake login page or a pretexting call gets nothing from them. The claim should be read with its scope in mind, though: the decrypted credential is still presented at login, so the agent must bind each credential to its legitimate destination and the endpoint running it must itself be trusted. For MSPs, the model creates complete credential governance: every password is organisationally generated, cryptographically distributed, and centrally revocable (revocation being complete once the password is also rotated on the target system). Auditors can trace the complete lifecycle of every credential without relying on user testimony or behaviour.
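As an added illustration of the lifecycle the two paragraphs above describe, and not MyCena's code or a description of its patented implementation, here is a minimal Go sketch: the vault generates the secret, wraps it with AES-GCM under a key agreed with one technician's X25519 key, the technician's agent unwraps it only to hand it to a login routine (never to display it), revocation is central, and every step is logged by the vault rather than the user. All names (Vault, Record, Issue, Use, Revoke, the target string "client-042/backup-console") are assumptions for the example, and hashing the X25519 shared secret with SHA-256 is a stand-in for a proper KDF such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Record is one organisationally generated credential. The plaintext is never stored, only its
// AES-GCM wrapping under the authorised user's key. Events is the vault-written audit trail.
type Record struct {
	ID, Target, User string // Target is a hypothetical system name, e.g. "client-042/backup-console"
	Wrapped          []byte // nonce || ciphertext
	Revoked          bool
	Events           []string
}

// Vault holds the organisation's X25519 key and the credential records.
type Vault struct {
	key   *ecdh.PrivateKey
	items map[string]*Record
}

func NewVault() (*Vault, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Vault{key: k, items: map[string]*Record{}}, err
}

// NewUserKey is the key pair held by one technician's agent; the vault only ever sees the public half.
func NewUserKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// aead derives AES-256-GCM from an X25519 agreement between the vault and one user.
// Hashing the raw shared secret stands in for a proper KDF such as HKDF (simplification).
func aead(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	s, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(s)
	block, _ := aes.NewCipher(k[:]) // a 32-byte key cannot fail here
	return cipher.NewGCM(block)
}

// Issue generates the secret on the vault side (the user never chooses or sees it), wraps it for one
// user's key and logs it. Record ID and target are bound as associated data, so a wrapping cannot be
// re-pointed at another record or target without the GCM tag failing.
func (v *Vault) Issue(id, target, user string, userPub *ecdh.PublicKey) error {
	g, err := aead(v.key, userPub)
	if err != nil {
		return err
	}
	raw := make([]byte, 32)
	rand.Read(raw) // since Go 1.24 rand.Read never returns an error (it crashes instead)
	secret := base64.RawURLEncoding.EncodeToString(raw) // 43 chars, 256 bits of entropy
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	rec := &Record{ID: id, Target: target, User: user}
	rec.Wrapped = g.Seal(nonce, nonce, []byte(secret), []byte(id+"|"+target))
	rec.Events = append(rec.Events, "generated by vault", "distributed to "+user)
	v.items[id] = rec
	return nil
}

// Use is what the technician's agent runs: it unwraps the secret only to hand it to the login
// routine. A revoked record, or a key that does not unwrap the secret, is logged as denied.
func (v *Vault) Use(id string, userPriv *ecdh.PrivateKey, login func(target, secret string) bool) (bool, error) {
	rec := v.items[id]
	if rec == nil {
		return false, errors.New("unknown credential")
	}
	if rec.Revoked {
		rec.Events = append(rec.Events, "denied: revoked")
		return false, errors.New("credential revoked")
	}
	g, err := aead(userPriv, v.key.PublicKey())
	if err != nil {
		return false, err
	}
	n := g.NonceSize()
	secret, err := g.Open(nil, rec.Wrapped[:n], rec.Wrapped[n:], []byte(rec.ID+"|"+rec.Target))
	if err != nil {
		rec.Events = append(rec.Events, "denied: key not authorised")
		return false, errors.New("key not authorised for this credential")
	}
	rec.Events = append(rec.Events, "used by "+rec.User)
	return login(rec.Target, string(secret)), nil
}

// Revoke withdraws the credential centrally. A real deployment must also rotate the password
// on the target system (assumed to be a separate job, not shown here).
func (v *Vault) Revoke(id string) error {
	rec := v.items[id]
	if rec == nil {
		return errors.New("unknown credential")
	}
	rec.Revoked = true
	rec.Events = append(rec.Events, "revoked by vault")
	return nil
}
```

The design choice worth noting is what the audit trail contains: every entry is produced by the vault at generation, distribution, use, denial and revocation, so the evidence SOC 2 or ISO 27001 auditors ask for is a single table rather than a reconstruction from user statements. The two caveats from the paragraph above are visible in the code: the login callback receives the plaintext secret, so the agent and the endpoint it runs on must be trusted, and Revoke only stops distribution until the target-side rotation also happens.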
The compliance implications are significant. SOC 2 auditors can verify that all credentials are "restricted to authorised users" because no one outside the organisation's issuing process can create one. ISO 27001's requirement that access rights be allocated and used in a restricted and controlled way is evidenced by the vault's own issue and revocation records rather than by interviews. NIS2's "appropriate and proportionate" measures standard is supported by technical records of who was issued what and when, alongside, not instead of, the policy documentation the directive still expects.
The path forward for MSPs
MSPs cannot afford to treat credential governance as a technical problem solved by layering additional tools onto user-controlled passwords. Regulatory frameworks increasingly require evidence of organisational control over credentials, not just monitoring of credential usage.
The shift toward organisational credential generation represents a fundamental architecture change, not a product upgrade. MSPs evaluating this transition should assess their current credential count, audit preparation costs, and client security requirements. The question is not whether credential governance will become mandatory—NIS2, SOC 2, and ISO 27001 have already made that decision—but whether MSPs will implement proactive solutions or await the next regulatory penalty.
The British Airways fine demonstrated that credential compromise carries existential risk. For MSPs managing hundreds of client environments, the stakes are proportionally higher. The technology now exists to eliminate this risk entirely. The only question is timing.