Security for Datacenters and MSPs: hardening the privileged access link to many clients

Managed providers and datacenters carry an asymmetric risk: a single compromise becomes a massive incident, propagated to dozens of clients through the very remote management tool. See how Decripte contains, isolates, and hardens.

Direct answer

To protect datacenters and MSPs, the decisive control is to treat privileged access as the real perimeter: a credential vault with PAM and phishing-resistant MFA, strict segmentation between tenants and between the management plane and the client plane, continuous monitoring (SOC 24x7) of RMM/PSA tools and access jumps, and an Incident Response plan that isolates affected clients instead of letting the attack propagate through the chain. At Decripte, this translates into a containment SLA of up to 1 hour, PAM with session recording, EDR across the entire management plane, and Pentest exercises that simulate precisely the abuse of the remote management tool.

24/7

SOC monitoring RMM and privileged access

<=1h

Incident containment SLA

ISO 27001

expected baseline for datacenters and providers

PCI-DSS

requirement when client card data is involved

In summary

  • The risk of MSPs and datacenters is asymmetric: a compromise of the remote management tool (RMM) turns into a simultaneous incident across dozens of clients.
  • The defense starts by treating privileged access as the perimeter: PAM with a vault, phishing-resistant MFA, session recording, and the principle of least privilege.
  • Segmentation between tenants and between the management plane and the client plane prevents a compromised client from contaminating the others.
  • The SOC 24x7 must watch what the RMM/PSA does, not just the hosts: mass execution, new automation scripts, and technical accounts created outside business hours.
  • Incident Response at an MSP isolates affected clients and freezes the management channel before eradicating, with a containment SLA of up to 1 hour.
  • Pentest and Red Team must simulate the abuse of the supply chain itself: the attacker who enters through the provider's account.
Tecnologia e SaaS

Cibersegurança para Datacenters and MSPs

Managed providers and datacenters carry an asymmetric risk: a single compromise becomes a massive incident, propagated to dozens of clients through the very remote management tool. See how Decripte contains, isolates, and hardens.

Why datacenters and MSPs concentrate a risk that clients don't see

A managed service provider (MSP) and a datacenter are not just another target: they are an impact multiplier. To operate, this provider maintains simultaneous administrative access to dozens or hundreds of client environments — through remote monitoring and management tools (RMM), professional services automation platforms (PSA), maintenance tunnels, domain accounts with elevated privilege, and API keys. This access is what makes the service viable and, at the same time, is the most valuable attack surface in the market.

When an attacker compromises the provider, they don't need to break into each client individually. They inherit the trust channel the client has already granted to the MSP. This is the logic of the supply chain attack: compromise one to reach many. In incidents of this type, the legitimate remote management tool becomes the ransomware distribution vector — the same agent that installs patches starts pushing malicious payload to the entire base.

The privileged access paradox

The capability that justifies the MSP — pushing software and commands to many clients at once — is exactly the capability the attacker wants to steal. There is no functional MSP without mass privileged access; there is the MSP that governs this access and the MSP that does not.

For the end client, the risk is invisible: they trust that the provider is secure. For the regulator and for the LGPD, however, responsibility does not disappear — the provider frequently acts as a processor of third-party personal data, and a security failure that leaks data from multiple clients is an event requiring notification to the ANPD with a cascading effect.

The five threats that most bring down managed providers

The sector's specific risk map

Vectors that Decripte prioritizes in datacenters and MSPs

  • Supply chain attacks via MSP: the attacker enters through the provider and uses the trust relationship to hit the client base all at once.
  • Compromise of privileged credentials: domain administration accounts, hypervisor root, and RMM tokens stolen through phishing, infostealer, or password reuse.
  • Ransomware propagated to clients: payload distributed through the legitimate remote management tool, encrypting multiple clients' environments in parallel.
  • Flaws in remote management tools: vulnerabilities in RMM/PSA, consoles exposed to the internet without MFA, and outdated agents.
  • Lateral movement between tenants: the absence of segmentation allows the compromise of one client to reach the management plane and, from there, the others.

These five vectors are not independent — they form a chain. Typically the attack begins with a stolen privileged credential (vector 2), exploits an exposed or outdated RMM console (vector 4), uses the legitimate RMM channel as a distribution mechanism (vector 3) and, in the absence of segmentation, jumps between environments (vector 5) — all framed as a supply chain attack (vector 1) because the entry point was the provider, not each client.

What the SOC observes that ordinary monitoring ignores

Watching CPU, disk, and availability is not enough. Decripte's SOC 24x7 instruments the behavior of the management plane: mass script execution, creation of new automation policies in the RMM/PSA, administrative logins outside business hours, new technical accounts with privilege, and changes to GPO/hypervisor policies — the signals that precede propagation.

Gestão de Ameaças · Grátis

Is datacenters and msps data already exposed or up for sale? Find out now — for free.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Privileged access is the real perimeter — and it needs PAM

In an MSP, the edge firewall is no longer the most important perimeter. The real perimeter is the privileged identity: who can, from where, and at what level, execute commands in the clients' environment. That's why the first structural layer is not network, it is privileged access management (PAM).

What PAM solves in the MSP context

A credential vault takes the administrative passwords out of the hands (and browsers) of technicians, enforces phishing-resistant MFA, grants just-in-time access with expiration, records every privileged session for auditing, and revokes in seconds when an operator is dismissed or compromised. The technician remains productive; the credential ceases to be a stealable asset in clear text.

Combined with PAM, the principle of least privilege must apply to machines and automations, not just people. The RMM and PSA service accounts are often the most powerful and least watched in the environment — exactly what the attacker seeks. Decripte treats these non-human identities as critical assets: secret rotation, minimal scope, and dedicated monitoring.

MFA is not all the same

MFA via SMS or simple push can be bypassed by notification fatigue and SIM swap. For an MSP's management plane, the standard must be phishing-resistant MFA (FIDO2/WebAuthn or hardware keys) on administrative accounts and RMM consoles. It is a cheap control against the size of the damage it prevents.

Segmentation between tenants: preventing one from becoming all

The difference between an incident contained in one client and an incident that destroys the entire base is segmentation. In many providers, the management plane (where the RMM, the PSA, the backups, and the credentials live) shares network, domain, and identities with the clients' production plane. When this happens, any entry point allows lateral movement to the heart of the operation.

Layers of isolation that Decripte structures

  • Strict separation between the MSP's management plane and the clients' environments (distinct network, identity, and domain).
  • Isolation between tenants, so that the compromise of one client has no route to another.
  • Bastion hosts and access jumps controlled by PAM for any client administration.
  • Isolated and immutable backups, out of reach of day-to-day credentials, with an offline copy or object lock.
  • Microsegmentation of the RMM/PSA, restricting where these systems can be administered from and where they can talk to.

Backup immutability deserves emphasis. Modern ransomware seeks out and deletes backups before encrypting — and at the MSP the backups are frequently accessible via the same administration account the attacker has already stolen. Immutable and segregated backups are often the difference between recovering in hours and negotiating with criminals.

SOC 24x7: watch the management channel, not just the hosts

An attack that abuses the remote management tool looks, at first glance, like normal operation: it is the same console pushing the same type of command to many endpoints. What distinguishes the attack is the pattern — volume, timing, origin, sequence, and the content of what is being distributed. Detecting this requires management-plane telemetry correlated in real time, 24 hours a day.

Early detection signals in the management plane

Mass script execution outside the maintenance window; sudden creation of automation tasks in the RMM; disabling of antivirus/EDR via central policy; new administrative accounts; access to the credential vault from an unusual IP or geography; and spikes in traffic leaving the management server. Each one in isolation may be noise; correlated, they are the start of a propagation.

Decripte's SOC 24x7 integrates EDR across the entire management plane and the managed endpoints, RMM/PSA logs, identity and PAM events, and network telemetry into a single correlation canvas. The goal is to detect the propagation at minute zero — before it reaches the base — and trigger automatic containment while Incident Response takes over the case.

Gestão de Ameaças · Grátis

What would an incident in datacenters and msps cost? See your real risk before it happens.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Pentest and Red Team: simulate the attacker who enters through the chain

Defending an MSP without testing it like a supply chain attacker is defending in the dark. Decripte's Pentest for this sector is not limited to scanning the infrastructure: it takes the point of view of someone who wants to turn the provider's access into a weapon. The scenarios include the theft of privileged credentials, the abuse of the RMM/PSA as a distribution channel, the attempt at lateral movement between tenants, and the escape from the client plane to the management plane.

Specific offensive exercise scenarios

Compromise of a technician's workstation and attempt to pivot to the central console; abuse of an RMM service account; exploitation of a management console exposed to the internet; and simulation of controlled propagation to measure, in practice, whether segmentation and immutable backups hold the attack. The result is a map of what would really happen, with a prioritized remediation plan.

Vulnerability Management closes the loop between the exercises: the RMM, the PSA, the hypervisors, and the administrative consoles enter an inventory with prioritization by real exposure. A management console accessible from the internet with a known CVE is treated as an emergency, not a backlog item — because it is precisely the path most of these incidents follow.

The MSP usually operates as a personal data processor in the LGPD chain: it processes client data under their instruction (controllers). This does not dilute responsibility — it imposes duties of security and cooperation. An incident that compromises data from multiple clients can trigger obligations to notify the ANPD and the data subjects, and the provider needs to have records, forensic investigation capability, and a notification channel ready before the incident.

Frameworks that guide the sector

  • ISO 27001: baseline security management system expected of serious datacenters and providers.
  • LGPD: processor duties, information security, and incident notification to the ANPD and data subjects when there is risk.
  • PCI-DSS: mandatory when the environment stores, processes, or transmits client card data.
  • SOC 2: a controls report increasingly required by corporate clients when contracting providers.
  • Sector regulation (e.g., Bacen/CMN) when the provider serves financial institutions, with third-party risk management requirements.

Decripte structures compliance as a byproduct of the security architecture, not as parallel paperwork: the same controls of PAM, segmentation, monitoring, and response that prevent the incident are the ones that support the audit of ISO 27001, SOC 2, and PCI-DSS and accountability to the ANPD.

Start with the diagnosis before the incident

The worst time to discover that the management plane was not segmented, that the backup was not immutable, and that the RMM did not have phishing-resistant MFA is during the ransomware propagation. The responsible path is the reverse: measure the posture now, with the simulated attacker, and close the paths before they are traveled.

Next step

Start with the free Threat Management diagnosis at decripte.com.br/intelligence-center to see your external exposure. To structure SOC 24x7, PAM, segmentation, and Incident Response, sign up at decripte.io/start or talk to the team at /contato.

Providers don't choose to be a target — privileged access elects them. What is under the provider's control is whether that access will be the most protected point of the operation or the easiest to steal.

Anatomy of a real case: ransomware propagated through an MSP's remote management tool

Real, de-identified example

A real, anonymized example (without identifying the client). A managed service provider administers about 40 clients from a central RMM platform. The administrative credentials are saved in the technicians' browsers, the RMM console is accessible from the internet with push MFA, and the management plane shares the same Active Directory domain as the production environments. The clients' backups are written to a server reachable by the domain administration account.

  1. Detection

    The SOC 24x7 fires an alert at 02:14: the RMM server started mass script execution on more than 30 endpoints outside the maintenance window, preceded by an administrative login from an unusual geography and by an EDR disabling via central policy. The correlation identifies a propagation pattern, not legitimate maintenance.

  2. Triage and containment

    In less than 1 hour (containment SLA), Incident Response freezes the management channel: the RMM server is isolated from the network, active privileged sessions are terminated, administrative credentials are revoked and rotated in the vault, and the execution of new RMM commands is blocked. The propagation stops before reaching most of the base.

  3. Isolation of affected clients

    The environments of clients that have already received payload are segregated into network quarantine to prevent additional encryption and lateral movement between tenants. Each affected client is classified by stage (payload delivered, executing, encryption started) to prioritize the response.

  4. Eradication

    Forensic analysis reconstructs the entry: a privileged credential stolen by an infostealer on a technician's workstation, reused on the exposed RMM console. The malicious artifacts, automation tasks created by the attacker, and planted technical accounts are removed; the RMM CVEs are patched and the console is taken out of direct internet exposure.

  5. Recovery

    The clients in the encryption stage are restored from backups (validated for integrity). The incident reveals that part of the backups was within reach of the compromised account — corrected with the immediate deployment of immutable and offline copies. Services come back in waves, with reinforced per-tenant monitoring.

  6. Hardening

    Deployment of PAM with a credential vault, just-in-time access, and session recording; phishing-resistant MFA (FIDO2) across the entire management plane; segmentation of the management plane into a domain and network separate from the clients; microsegmentation of the RMM/PSA; and dedicated privileged monitoring in the SOC.

  7. Lessons and continuous prevention

    Pentest now simulates quarterly the abuse of the RMM and movement between tenants; Vulnerability Management places administrative consoles and hypervisors at maximum priority; and a supply chain incident runbook with per-client isolation is ready for immediate activation.

Outcome with Decripte

In this real, anonymized example, containment in less than 1 hour limits the ransomware to a fraction of the base, and the affected clients are restored from backup without paying a ransom. More important than the outcome of the incident is the structural change: by installing PAM, segmentation between tenants, phishing-resistant MFA, and 24x7 privileged monitoring, Decripte transforms privileged access — previously the provider's most fragile point — into the most watched control of the operation, and prepares accountability to the ANPD and audits of ISO 27001 and SOC 2.

Resposta a Incidentes · 24/7

Don’t wait for the incident. Start hardening datacenters and msps today.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte responds to an incident in a datacenter or MSP

Incident response at a provider with privileged access to many clients has a priority that does not exist in other sectors: stanching the propagation through the chain above all. Decripte's flow is designed to isolate first and investigate in parallel.

  1. 24x7 detection and triage: the SOC correlates RMM/PSA, EDR, identity, and PAM telemetry to distinguish propagation from legitimate operation and classify severity in minutes.
  2. Freezing the management channel: immediate isolation of the RMM/PSA server, blocking the execution of new commands, and terminating active privileged sessions, with a containment SLA of up to 1 hour.
  3. Revocation and rotation of privileged credentials: cutting off and changing the compromised administrative accounts, API tokens, and service accounts, closing the access inherited by the attacker.
  4. Isolation of affected clients: per-tenant network quarantine to prevent additional encryption and lateral movement, with classification of each client by attack stage.
  5. Eradication with forensics: reconstruction of the entry chain, removal of artifacts, malicious automation tasks, and planted accounts, and remediation of the exploited vulnerabilities.
  6. Recovery from validated backups: prioritized restoration with integrity verification and, when necessary, emergency deployment of immutable backups.
  7. Notification and compliance: support for communication to the ANPD and to the controller clients as required by the LGPD, with forensic evidence and a documented timeline.
  8. Lessons learned and hardening: executive and technical report, updated supply chain runbook, and a hardening plan with PAM, segmentation, and privileged monitoring.

How Decripte structures the security of datacenters and MSPs

Structuring a provider's security is, above all, about governing privileged access and preventing a compromise from becoming massive. Decripte organizes the defense into mutually reinforcing pillars.

Privileged access governance (PAM)

Credential vault, just-in-time access with expiration, phishing-resistant MFA (FIDO2/WebAuthn), session recording, and the principle of least privilege applied also to RMM and PSA service accounts.

Segmentation and isolation between tenants

Strict separation between the management plane and the clients' environments in network, identity, and domain; isolation between tenants; bastion hosts; and immutable backups out of reach of day-to-day credentials.

Privileged monitoring with SOC 24x7

EDR across the entire management plane, correlation of RMM/PSA, identity, and PAM logs, and detection rules aimed at mass execution, new automations, and anomalous access — to flag propagation at minute zero.

Continuous offensive validation

Pentest and Red Team simulating supply chain attacks — credential theft, abuse of the RMM as a distribution channel, and escape between tenants — with a prioritized remediation plan.

Vulnerability management focused on the management plane

Inventory and prioritization by real exposure of RMM/PSA consoles, hypervisors, and administrative tools, treating internet exposure and known CVEs as an emergency.

Integrated incident response and compliance

A ready supply chain incident runbook, a containment SLA of up to 1 hour, and the same controls supporting audits of ISO 27001, SOC 2, and PCI-DSS and accountability to the ANPD under the LGPD.

Recommended plans for Datacenters and MSPs

Frequently asked questions

Why are datacenters and MSPs preferred targets for supply chain attacks?

Because they concentrate privileged access to many clients at the same time. The attacker compromises one provider and inherits the trust channel each client granted, turning a single entry point into a simultaneous incident across dozens of environments — usually using the remote management tool itself as the means of distribution.

How does ransomware propagate through the remote management tool?

The attacker steals or bypasses access to the RMM/PSA console and uses the legitimate mechanism for pushing software and commands to distribute the payload to all managed endpoints at once. Because it is the same channel that installs patches, the activity blends into normal operation — that's why detection requires observing pattern, volume, and timing, not just the presence of the command.

What is PAM and why is it so critical in an MSP?

PAM (Privileged Access Management) is the governance of privileged credentials: password vault, just-in-time access with expiration, phishing-resistant MFA, and session recording. In an MSP, privileged access is the real perimeter, because it is what makes it possible to act on the clients. Without PAM, administrative passwords are stealable and propagation becomes trivial.

How do you prevent the compromise of one client from reaching the others?

With segmentation and isolation between tenants and between the management plane and the clients' production plane — separate network, identity, and domain, bastion hosts controlled by PAM, and microsegmentation of the RMM/PSA. Without this, lateral movement takes the attacker from one client to the heart of the operation and, from there, to all of them.

Does backup solve the ransomware problem at a provider?

Only if it is immutable and isolated. Modern ransomware seeks out and deletes backups before encrypting, and at the MSP the backups are frequently within reach of the same administration account the attacker has stolen. Immutable backups (with object lock) and offline copies, outside day-to-day credentials, are what allow recovery without paying a ransom.

What is the MSP's legal responsibility under the LGPD in an incident?

The provider usually acts as a personal data processor under the instruction of the controller clients. This imposes duties of information security and cooperation, including support for notification to the ANPD and to the data subjects when there is significant risk. Having log records, forensic capability, and a notification channel ready before the incident is part of compliance.

How long does Decripte take to contain a propagation incident?

The containment SLA is up to 1 hour. In a scenario of propagation through RMM, this means freezing the management channel, revoking privileged credentials, and isolating the already-affected clients before the attack reaches the rest of the base — the difference between a localized incident and a massive incident.

How do you start without stopping the provider's operation?

Start with the free Threat Management diagnosis at decripte.com.br/intelligence-center to map the external exposure. From there, Decripte structures PAM, segmentation, SOC 24x7, and Incident Response in waves, without interrupting the service. To sign up, go to decripte.io/start or talk to the team at /contato.

Sector terms

MSP (Managed Service Provider)
A managed IT services provider that administers the infrastructure of multiple clients remotely, maintaining privileged access to those environments to operate, monitor, and maintain them.
RMM (Remote Monitoring and Management)
A tool used by MSPs to remotely monitor and administer clients' endpoints and servers, pushing software, patches, and commands at scale — hence its value as a propagation vector when compromised.
PAM (Privileged Access Management)
A set of controls to govern privileged credentials: password vault, just-in-time access, phishing-resistant MFA, least privilege, and session recording, reducing the risk of theft and abuse of administrative accounts.
Supply chain attack
An attack that compromises a supplier or provider in order to, from the trust relationship, reach its clients — turning a single compromise into an incident distributed across many organizations.
Lateral movement between tenants
A technique in which the attacker, after compromising one environment (tenant), exploits the lack of segmentation to reach other clients or the provider's management plane, expanding the reach of the incident.
Immutable backup
A backup copy protected against alteration and deletion for a defined period (for example, via object lock), so that even a compromised administrative account cannot delete it — essential for recovery without paying a ransom.

Decripte protects and responds to incidents in datacenters and msps.

Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.