Key Points
Guide to Managing Shared Credentials
- Managing Shared Credentials: A strong MSP workflow includes defining shared credential requests, standardizing processes, performing risk reviews, enforcing controls, and evaluating usage.
- Why Managing Shared Credentials Matters: Safely managing shared access enables collaboration when needed, while also reducing unmanaged access risks and maintaining compliance and audit readiness.
- Use Cases for Shared Credentials: Elevated access for shared systems and temporary access for third-party vendors.
- NinjaOne Capabilities for Credential Management: NinjaOne can create and manage technician accounts, offer Credential Exchange for IT admins, and set up role-based access controls.
In modern IT environments, credential management extends beyond passwords. MSPs also tend to take the lead in managing privileged accounts, enforcing MFA, managing secrets, and handling access requests (for example, for shared access). In this guide, you’ll learn a dependable MSP workflow for managing shared credential requests without breaking security policies.
Five-step process for managing shared credentials
Sharing credentials always carries risks, but it may also be necessary to keep business operations moving, especially for small- to medium-sized businesses (SMBs).
To balance business continuity and security, put these prerequisites in place before validating and handling requests:
- Clear written security and access control policies
- Credential management tools or password vaults (such as Keeper or LastPass)
- Defined roles for request review and approval (for example, service manager or client owner)
- A ticketing system capable of logging and documenting credential requests
💡 Note: Requirements may vary based on systems, policies, and business needs.
Potential use cases for shared credentials
Elevated access might be needed by a client or an MSP with a team of technicians who rely on shared administrative access to multiple systems. A third-party vendor might also need it to complete the deployment of a new client system or integration.
Step 1: Define what counts as a shared credential request
Set criteria to determine when a request requires policy-driven handling. Most requests could fall into these categories:
- Generic or shared accounts (for example, administrator or service)
- Temporary access for contractors or vendors
- Credential sharing for systems that lack MFA or SSO support
Gaps in access control usually start with poor escalation procedures. See to it that temporary access is offered sparingly and that use cases are classified consistently for clients and internal stakeholders.
Step 2: Standardize the request workflow
The next process to standardize is the request workflow. For instance, every shared credential request should go through a similar approval and documentation path. Log critical information, such as justifications, requester ID, duration of temporary access, and all associated services or documents disclosed.
Be consistent with the request, approval, and documentation processes to create a secure and auditable workflow that doesn’t compromise crucial assets.
Step 3: Apply approval and risk review
Before granting shared access, assess the level of risk and ensure the designated approvers sign off on each request. Classify requests as low-risk or high-risk and maintain a strict, auditable escalation process.
A separate vendor access workflow may also be needed to accommodate business needs.
For additional tips on managing third-party-associated risks, check out this guide on vendor risk assessment.
Step 4: Enforce controls on issued credentials
Shared credentials must be monitored and controlled continually, and controls can be applied at different stages. For example, you can use password vaults to distribute credentials securely without exposing passwords.
PowerShell can also be used to set an expiry period for temporary credential access. With NinjaOne, the Configuring Password Expiration with PowerShell workflow can be deployed in more complex IT environments.
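One way to put an expiry on a temporary account with PowerShell, as an added example that is not NinjaOne's script or the workflow named above. It assumes a local Windows account and the built-in LocalAccounts cmdlets of Windows PowerShell 5.1; the function name, the account name `vendor-temp`, the ticket ID and the 72-hour ceiling are all hypothetical.

```powershell
# Added example. Account name, ticket ID and the 72-hour cap are assumptions.
#Requires -RunAsAdministrator

function Set-TemporaryAccessExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AccountName,
        # Hard ceiling so "temporary" access cannot be requested open-ended.
        [Parameter(Mandatory)][ValidateRange(1, 72)][int]$Hours,
        # Ties the change back to the approved request in the ticketing system.
        [Parameter(Mandatory)][ValidatePattern('^\S+$')][string]$TicketId
    )

    # Fail closed: stop if the account does not exist instead of creating it.
    $null = Get-LocalUser -Name $AccountName -ErrorAction Stop
    $expires = (Get-Date).AddHours($Hours)

    if ($PSCmdlet.ShouldProcess($AccountName, "Set account expiry to $expires")) {
        Set-LocalUser -Name $AccountName -AccountExpires $expires -ErrorAction Stop

        # Read the value back so the ticket records what the system enforces,
        # not what was requested.
        $actual = (Get-LocalUser -Name $AccountName).AccountExpires
        [pscustomobject]@{
            Account    = $AccountName
            TicketId   = $TicketId
            SetBy      = $env:USERNAME
            SetUtc     = (Get-Date).ToUniversalTime().ToString('o')
            ExpiresUtc = $actual.ToUniversalTime().ToString('o')
        }
    }
}

# Constructed sample call: 8 hours of access for a vendor account, dry run first.
Set-TemporaryAccessExpiry -AccountName 'vendor-temp' -Hours 8 -TicketId 'TCK-0000' -WhatIf
```

Account expiry blocks new sign-ins only; a session already open when the deadline passes is not ended by it, so rotate the shared password in the vault when the grant ends.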
Step 5: Document and review shared credential usage
All credential-sharing events must be logged for compliance and audit readiness.
Ideally, data on request approvals, duration, and users (for example, requester or endorser) must be kept in a centralized record. These logs can be included in regular security reviews when evaluating the usage of shared credentials.
In addition, stale or expired shared accounts must be purged proactively.
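A review pass that finds expired or stale shared accounts could look like the following added example, which is not from NinjaOne. It assumes local Windows accounts named with a hypothetical `shared-` prefix and a 30-day staleness threshold, and it disables rather than deletes so the review record stays intact; that is a choice made for this example.

```powershell
# Added example. The 'shared-' prefix and 30-day threshold are assumptions.
function Get-SharedAccountReview {
    param(
        [string]$NamePrefix = 'shared-',
        [ValidateRange(1, 365)][int]$StaleDays = 30
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleDays)

    Get-LocalUser | Where-Object { $_.Name -like "$NamePrefix*" } | ForEach-Object {
        # Order matters: an expired account is reported as expired even if
        # it is also stale; a shared account with no expiry is a finding too.
        $finding = if ($_.AccountExpires -and $_.AccountExpires -le $now) {
            'Expired'
        } elseif (-not $_.AccountExpires) {
            'NoExpirySet'
        } elseif (-not $_.LastLogon -or $_.LastLogon -lt $cutoff) {
            'Stale'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name           = $_.Name
            Enabled        = $_.Enabled
            AccountExpires = $_.AccountExpires
            LastLogon      = $_.LastLogon
            Finding        = $finding
        }
    } | Where-Object { $_.Finding -ne 'OK' }
}

$review = Get-SharedAccountReview
$review | Format-Table -AutoSize

# Expired accounts usually still show Enabled = True. Disable them;
# -WhatIf previews the change, remove it once the list has been reviewed.
$review | Where-Object { $_.Finding -eq 'Expired' -and $_.Enabled } |
    ForEach-Object { Disable-LocalUser -Name $_.Name -WhatIf }
```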
NinjaOne solutions for credential management
NinjaOne can provide credential management capabilities for both users and administrators.
- Technicians can use NinjaOne for tracking and managing credentials.
- MSPs can set up role-based access controls, create additional restrictions, and even use the RMM for building executive reports or summaries.
- IT support can use NinjaOne Remote® for cross-platform secure access sharing.
- Administrators can use Credential Exchange for the secure passing of administrator credentials.
As a unified endpoint management and security platform, NinjaOne provides various user management solutions for efficiently tracking, managing, and sharing credentials while maintaining granular access controls.
That said, clear policy enforcement is necessary to lay the groundwork for effective credential management, while an RMM can provide opportunities to scale, improve visibility, and strengthen compliance.
