One stolen engineer credential. Every client you serve.

The MSP access model is the highest-value target in the threat landscape. A single compromised engineer credential touches every client environment that engineer worked on — simultaneously. Kaseya demonstrated this across 1,500 downstream businesses in hours. MyCena closes the cascade entry point and turns credential governance into a new revenue line.
1,500 downstream businesses hit in Kaseya — via fewer than 60 MSPs, in hours
Share of MSPs that reported at least one security incident in the past year — 60% ransomware-related
Client churn risk per credential incident — one lost client, one contract review triggered
3.2 days industry average to complete engineer offboarding — the live exposure window per departure
The cascade pattern

Three incidents. Same architecture. MSP credentials as the multiplier.

The MSP threat model is structurally different from every other sector. A breach at an MSP does not affect one organisation — it affects every client that MSP serves. The attacker’s calculation is simple: target one set of credentials, reach dozens of enterprises simultaneously.

Kaseya VSA — July 2021
1,500
REvil exploited a vulnerability in Kaseya’s MSP management platform.
Fewer than 60 MSPs were directly compromised — but those MSPs served 1,500 downstream businesses. A Swedish supermarket chain had 800 stores closed. New Zealand kindergartens were affected. A Swedish pharmaceutical chain. The MSP was the multiplier: one breach, thousands of victims.
Entry point — MSP platform credential and vulnerability, client cascade
Sitel Group / Okta — 2022
366
LAPSUS$ compromised a support engineer at Sitel Group — a large BPO/MSP — and used that credential to access Okta’s customer support case management system.
Because Sitel engineers routinely accessed multiple enterprise client environments, one compromised credential affected 366 of Okta’s enterprise clients. The credential was in the engineer’s possession. There was nothing structurally preventing it being taken.
Entry point — support engineer credential, client environment cascade
Operation Cloud Hopper — 2016–2017
14+
APT10, a Chinese state-sponsored group, systematically targeted MSPs across the US, UK, Europe, and Asia Pacific — specifically because MSP credentials provided simultaneous access to multiple enterprise clients.
At least 14 named MSPs confirmed compromised, with downstream access to clients in aerospace, defence, pharmaceuticals, and government. The MSP was targeted because it was the master key.
Entry point — MSP engineer credentials, multi-client lateral access

The common architecture in every MSP breach: an engineer holds credentials that touch multiple client environments. When those credentials are compromised — whether by external attack, phishing, or the engineer’s own actions — every client environment those credentials can reach is exposed simultaneously. The MSP’s scale is the attacker’s amplifier. An engineer who accesses 8 client environments is 8 simultaneous entry points if their credential is taken.

The access architecture

How engineer credentials work in MSP environments and where the gaps are

Every MSP runs a version of the same access chain. The credential control gap is always at the same point: the engineer’s hands.

Current access chain — the highest risk is at step 2
1
Engineer joins — provisioned on identity platform
Active Directory, Okta, or similar. Access rights assigned.
2
Engineer receives or creates credentials
A credential to the jumphost or Zscaler gateway. A local admin account on a client server. An SSH key. A service account. Some are issued, some the engineer creates themselves. Either way, credentials are now in human hands.
This is the highest risk step.
3
Engineer connects via jumphost or Zscaler
The gateway credential reaches every client environment behind it. One login. The full estate. It is the entry point to every gap that follows.
4
Engineer opens client’s PAM, copies the server password, uses it manually
If the client has CyberArk: the engineer retrieves the password from the vault. If no CyberArk: a shared password manager — visible, copyable, and uncontrolled at the point of use.
Visible, copyable, photographable, shareable.
5
Engineer leaves or client is offboarded
The identity platform is updated. The PAM is updated. The credentials the engineer created themselves — the ones nobody knew about — are still live. Average revocation time for known credentials: 3.2 days. Revocation time for self-created credentials: never.
One missed revocation is an audit finding. One exploited dormant credential is a client breach — and a contract at risk.
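As an added example, not part of the original page: a reconciliation check a defender could run over authentication logs exported from client environments to catch the two failure modes the chain above describes, namely credentials of a departed engineer that still authenticate successfully, and accounts that the identity platform never issued (self-created, or copied out of a vault and kept). The log format, the inventory tables and the names (ISSUED, DEPARTURES, reconcile, blast_radius) are constructed for this example.

```python
import re
from datetime import datetime, timezone

# --- Constructed sample data for a hypothetical MSP (not from the page) -------------

# Departure dates as recorded by the identity platform; None = still employed.
DEPARTURES = {
    "jdoe": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "asmith": None,
}

# Accounts the MSP knows it issued: (client environment, account) -> engineer.
# Anything that authenticates and is NOT in this table was never provisioned
# centrally: the "credential nobody knew about" from step 5 above.
ISSUED = {
    ("acme", "jdoe"): "jdoe",
    ("globex", "jdoe_la"): "jdoe",
    ("acme", "asmith"): "asmith",
    ("initech", "asmith"): "asmith",
}

# Authentication events from client environments (constructed log lines).
SAMPLE_LOG = """\
2024-02-20T10:02:11Z client=acme host=web-01 user=jdoe result=success
2024-03-04T08:15:30Z client=globex host=db-02 user=jdoe_la result=success
2024-03-04T08:16:02Z client=acme host=web-01 user=jdoe result=failure
2024-03-05T14:40:19Z client=initech host=fs-01 user=svc_backup_jd result=success
2024-03-06T09:00:00Z client=acme host=web-01 user=asmith result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(log_text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def reconcile(log_text, issued=ISSUED, departures=DEPARTURES):
    """Return findings as (kind, client, account, timestamp) tuples.

    kind is one of:
      dormant_credential_live - a credential issued to a departed engineer still
                                authenticates successfully after the departure date
      unknown_account         - a successful login by an account the identity
                                platform never issued (self-created or copied out)
    Failed logins are not flagged: a failure after departure is what a completed
    revocation looks like in the log.
    """
    findings = []
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue
        key = (ev["client"], ev["user"])
        engineer = issued.get(key)
        if engineer is None:
            findings.append(("unknown_account", ev["client"], ev["user"], ev["ts"]))
            continue
        left = departures.get(engineer)
        if left is not None and ev["ts"] >= left:
            findings.append(("dormant_credential_live", ev["client"], ev["user"], ev["ts"]))
    return findings


def blast_radius(issued=ISSUED):
    """Distinct client environments each engineer's issued credentials can reach.

    This is the multiplier the cascade section describes: one stolen credential
    set exposes every environment counted here at the same time.
    """
    reach = {}
    for (client, _account), engineer in issued.items():
        reach.setdefault(engineer, set()).add(client)
    return {eng: len(clients) for eng, clients in reach.items()}


if __name__ == "__main__":
    for kind, client, account, ts in reconcile(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} client={client} account={account}")
    print("blast radius per engineer:", blast_radius())
```

Run against the sample, the check reports the globex login by jdoe_la three days after jdoe's departure and the initech svc_backup_jd account that nobody issued, while the failed jdoe login on acme is treated as evidence that that revocation worked. In practice the inventory would come from an export of the identity platform and the log from the clients' SIEM or host authentication logs; the same join applies.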
The four pains this creates
Pain 01 — Highest operational risk
Access revocation — manual, slow, incomplete
When an engineer leaves or a client is offboarded, every credential across every client environment must be revoked. With the current access chain, this is manual, takes hours or days, and is rarely complete. One missed credential is an audit finding, a potential breach, and a client contract at risk.
Pain 02 — Visible commercial cost
Password resets — billed to clients, resented by both sides
Password expiry, lockouts, and rotation events create a steady stream of service desk tickets. Clients pay per reset. They resent the cost. The MSP carries the overhead. Both parties are aware the problem is unnecessary — but nobody has removed the mechanism.

“An MSP engineer who accesses 10 client environments is carrying 10 simultaneous entry points if their credential is compromised. The attacker’s ROI on targeting an MSP is 10x better than targeting a single enterprise. MyCena removes the credential from the equation entirely.”

Before and after

What changes when credential control is deployed

Not just security. The operational overhead, the audit exposure, the client relationship friction — all of it traces back to the same architectural problem. All of it is resolved by the same architectural fix.

Without credential control — today
Engineer copies client password from CyberArk or shared vault. Credential is visible, copyable, and in their possession for the duration of the session — and potentially beyond.
Engineer leaves. Manual offboarding ticket raised. IT works through the list. Average 3.2 days to complete revocation. Multiple client environments, multiple systems, multiple credentials — each one a potential live exposure.
Client auditor asks for access log showing individual engineer attribution per session. IT compiles a report from SIEM logs over 48–72 hours. Evidence is incomplete. Findings are raised.
Password expiry triggers lockout. Service desk ticket raised. Client billed. Both sides frustrated by a problem neither can easily eliminate under the current architecture.
A compromised engineer credential provides access to every client environment that engineer was provisioned for. One credential. Multiple clients. Simultaneous exposure. The Kaseya architecture.
With MyCena credential control
Engineer clicks to connect. MyCena injects the credential at authentication. The credential is never visible, never copied, never in the engineer’s possession. Nothing to phish. Nothing to share. Nothing to sell.
Engineer leaves. One command. All access across every client environment revoked in seconds — not days. Timestamped log generated automatically. Auditor evidence ready immediately.
Client auditor asks for access log. MyCena produces the complete, attributed, timestamped log on demand — every session, every system, every engineer. Generated continuously. Not compiled before audit.
Password expiry and lockout tickets disappear. Engineers never hold passwords — there is nothing to expire or forget. Service desk reset volume for credential events drops to zero.
Credential compromise affects one engineer’s session — not every client environment they were ever provisioned for. The cascade architecture is closed. Kaseya-style blast radius is structurally impossible.
The commercial case

Credential control as a managed service revenue line

Credential control is not a cost for MSPs. It is a managed service line that reduces operational overhead, eliminates audit exposure, and differentiates the MSP in client retention and new business conversations.

“The hardest thing in MSP operations is not provisioning access — it is revoking it. Every engineer who leaves, every client contract that ends, creates a multi-system revocation problem that no single tool currently solves cleanly.”
Credential Control As A Service
Generate and distribute encrypted credentials to clients’ users — employees, contractors and vendors — so that none of them ever knows your clients’ underlying credentials, and password resets disappear.
Monthly access report — every credential event per client, timestamped. Formatted for client auditor submission.
Revocation log — every access removal event with timestamp. Proof of timely offboarding.
Insurance evidence summary — quarterly summary formatted for cyber insurance underwriters. Supports premium negotiation at renewal.
How it works

Credential control to access every client environment

MyCena deploys at the MSP level. Every client environment is governed by the MSP. No client system is modified. No client PAM is replaced.

Step 01
MSP generates all engineer credentials centrally
Every credential for every client environment is generated by the MSP centrally through MyCena. No engineer creates their own access. No credential is copied from a client PAM and held manually. Credential ownership is the MSP’s — not the engineer’s — from the moment of generation.
Step 02
Click to connect — invisible injection, nothing to hold
Engineers click the client environment icon. MyCena injects the credential at the point of authentication — it is never displayed, never typed, never visible on the screen. Nothing exists in the engineer’s clipboard, memory, or device that an attacker could capture or the engineer could share.
Step 03
Real-time access log — client audit evidence generated automatically
Every credential event across every client environment is logged — which engineer, which client system, timestamp to the second. The audit log exists continuously. When a client auditor asks for access evidence, the MSP produces the log immediately — not compiled over 48 hours, not assembled from SIEM queries. On demand.
Step 04
Single-command revocation — engineer or client, all environments
Engineer leaves: one command, access revoked across every client environment in seconds, timestamped log produced. Client offboarded: same command, same speed. The 3.2-day average offboarding lag — and every exposure window it creates — is eliminated. The audit finding category does not exist.
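A minimal model of the brokered-access pattern that Steps 01 to 04 describe, added here as illustration; it is not MyCena’s code, and the class and method names (ClientSystem, AccessBroker, issue, grant, connect, revoke_engineer, access_report) are hypothetical. The point it makes concrete is architectural: the broker generates the secret, pushes it to the client system and authenticates on the engineer’s behalf, so the engineer only ever receives an opaque session handle; one call removes every grant the engineer holds, and the attributed log is the side effect of every operation rather than something compiled later.

```python
import secrets
from datetime import datetime, timezone


class ClientSystem:
    """Stand-in for a client server or PAM endpoint that verifies a password."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}  # account -> secret the system will accept

    def set_credential(self, account, secret):
        self._accounts[account] = secret

    def authenticate(self, account, secret):
        """Constant-time compare; returns an opaque session id or None."""
        expected = self._accounts.get(account)
        if expected is not None and secrets.compare_digest(expected, secret):
            return f"sess-{secrets.token_hex(8)}"
        return None


class AccessBroker:
    """MSP-side component that owns every credential (hypothetical model)."""

    def __init__(self):
        self._systems = {}   # client name -> ClientSystem
        self._secrets = {}   # (client, account) -> secret; never returned to callers
        self._grants = {}    # engineer -> {(client, account), ...}
        self.log = []        # append-only, attributed, timestamped

    def _record(self, event, engineer, target):
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": event, "engineer": engineer,
            "client": target[0], "account": target[1],
        })

    def issue(self, system, account):
        """Step 01: generate centrally and push to the client system; no human sees it."""
        secret = secrets.token_urlsafe(32)
        self._systems[system.name] = system
        self._secrets[(system.name, account)] = secret
        system.set_credential(account, secret)

    def grant(self, engineer, client, account):
        if (client, account) not in self._secrets:
            raise KeyError(f"no issued credential for {client}/{account}")
        self._grants.setdefault(engineer, set()).add((client, account))
        self._record("grant", engineer, (client, account))

    def connect(self, engineer, client, account):
        """Steps 02/03: broker authenticates for the engineer and logs the event."""
        target = (client, account)
        if target not in self._grants.get(engineer, set()):
            self._record("connect_denied", engineer, target)
            return None
        session = self._systems[client].authenticate(account, self._secrets[target])
        self._record("connect", engineer, target)
        return session  # opaque handle; the secret itself never leaves the broker

    def revoke_engineer(self, engineer):
        """Step 04: one call covers every client environment; returns what was revoked."""
        targets = sorted(self._grants.pop(engineer, set()))
        for target in targets:
            self._record("revoke", engineer, target)
        return targets

    def access_report(self, client):
        """Step 03 evidence: every attributed event for one client, straight from the log."""
        return [e for e in self.log if e["client"] == client]


def demo():
    """Grant, connect, revoke for one engineer; returns facts the reader can check."""
    broker = AccessBroker()
    acme, globex = ClientSystem("acme"), ClientSystem("globex")
    broker.issue(acme, "admin")
    broker.issue(globex, "dba")
    broker.grant("jdoe", "acme", "admin")
    broker.grant("jdoe", "globex", "dba")

    session = broker.connect("jdoe", "acme", "admin")
    revoked = broker.revoke_engineer("jdoe")
    after = broker.connect("jdoe", "globex", "dba")

    return {
        "session_ok": session is not None and session.startswith("sess-"),
        "revoked": revoked,
        "denied_after_revoke": after is None,
        "acme_events": [e["event"] for e in broker.access_report("acme")],
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately has no method that returns a secret to a caller: the only way to use a credential is through connect(), which is the property that leaves nothing to phish, copy or share. A real deployment would also need the broker itself to be a hardened, highly available target, since it now concentrates every client credential in one place.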
Regulatory framework

The client audit questions MyCena helps you answer

Enterprise clients are beginning to require credential governance attestation from their MSPs as a condition of contract renewal. Every relevant regulatory framework creates this requirement. MyCena generates the evidence automatically.

ISO 27001:2022 — A.9 Access Control
A.9 access control and A.12.4 logging requirements demand continuous credential event logging and demonstrable revocation capability. MSPs supporting clients under ISO 27001:2022 certification programmes must provide technical evidence of access governance — not policy statements. MyCena’s continuous log satisfies this directly.
✓ Continuous access evidence — technically demonstrable
SOC 2 Type II
Client-facing SOC 2 requirements for access governance and offboarding controls require continuous control demonstration — not point-in-time snapshots. MSPs with Governed Access provide continuous evidence that access is governed, attributed, and revocable. SOC 2 auditors receive logs, not policies.
✓ SOC 2 continuous control evidence — available on demand
FCA / DORA
SYSC 8 and DORA Article 28 require documented ICT third-party risk management including access governance and instant revocation capability. Financial services clients are required to demonstrate their MSP’s access controls. MyCena provides that demonstration automatically with every monthly access report.
✓ DORA Article 28 third-party access governance — satisfied
Cyber Essentials Plus
MSPs serving UK government clients or supply chain requirements must demonstrate Cyber Essentials Plus controls — including access control verification and user account governance. MyCena’s architectural credential control satisfies CE Plus technical requirements structurally rather than through self-attestation.
✓ CE Plus access control — architecturally verified
HIPAA (where applicable)
MSPs accessing ePHI systems on behalf of healthcare clients must satisfy HIPAA 164.312(a)(1) unique user identification and 164.312(b) audit control requirements. MyCena individual credential generation and continuous access logging satisfies both requirements architecturally — no shared credentials, every event attributed.
✓ HIPAA access control and audit — individual attribution structural
Cyber insurance
MSP cyber insurance underwriters are assessing engineer access governance and client credential controls as material rating factors. Third-party access governance evidence — timestamped revocation logs, quarterly access summaries — directly supports premium negotiation. MyCena includes this evidence pack as standard.
✓ Underwriting evidence pack — included as standard
MSP partner briefing
A 45-minute briefing on Credential Control as a managed service line