
NinjaRMM Launches Secure Credential Exchange, Nears 3000 MSPs


NinjaRMM has introduced a new Credential Exchange to help MSPs further automate their businesses in a secure, compliance-minded manner. The Credential Exchange arrives at a key time for the global managed IT services provider (MSP) ecosystem, which has reached key IT security and automation inflection points, ChannelE2E believes.

NinjaRMM CEO Salvatore Sferlazza

The Credential Exchange, according to NinjaRMM, allows MSPs to "assign the use of privileged credentials to a wide variety of specific tasks, providing a more seamless, reliable, and secure way of running scripts, installing patches and updates, and establishing one-click remote connections via RDP."

The Credential Exchange supports MSPs of all sizes, and is designed to scale with the largest MSPs in mind, NinjaRMM says. In fact, the number of MSPs leveraging NinjaRMM to manage over 1,000 endpoints has been doubling year over year. Some MSPs within the NinjaRMM ecosystem are approaching 20,000 endpoints under management, the company says.

In a prepared statement about the Credential Exchange, NinjaRMM CEO Salvatore Sferlazza said:

“With our largest MSP and IT partners managing thousands of nodes and over 100 technicians, secure access to credentials is an ever-growing pain point. Dealing with employee turnover is not only a security issue, but a regulatory and compliance one as well. That’s why we’re excited to provide NinjaRMM customers with the most powerful and customizable way of managing credentials available from any RMM on the market.”

How NinjaRMM Credential Exchange Works

NinjaRMM stores all that credential information in a secure cloud system. How secure? Here's the official, detailed answer that NinjaRMM shared with us:

"The private key material is stored encrypted on a cluster of FIPS 140-2 Level 3 compliant physical Hardware Security Modules (HSM) within AWS’ secured datacenter. The physical HSM itself has no keys anywhere within its hardware components, nor operating system, to decrypt the private key material. This combination of the physical hardware, secured datacenter, and console management together form AWS’ CloudHSM service offering. AWS’ Key Management Service (KMS) uses the CloudHSM as the basis for creating a FIPS 140-2 Level 3 compliant CMK, which is now the private key used to create the client keys for each of NinjaRMM’s MSP partners. Only the Chief Technology and Security Officers have privileges to operate and leverage the CloudHSM cluster and CloudHSM-sourced CMK, as all access is locked down through a DENY-ALL policy."

ChannelE2E wondered if this new NinjaRMM technology would block some of the recent RMM-centric and remote control type attacks we’ve seen lately in the MSP industry. NinjaRMM's reply:

"We can’t speak to specific recent attacks for obvious reasons, including the fact that we don’t have full details. What we can say is NinjaRMM’s use of extremely tight key controls prevents theft of privileged access credentials. Credentials are encrypted and passed through an encrypted tunnel, preventing them from being exposed. Along with NinjaRMM’s explicit node approval feature eliminating unauthorized machines, the possibility for an honest mistake, or a disgruntled employee, or an external attacker to leverage any of NinjaRMM’s internal key and credential mechanisms to launch a remote control attack is further mitigated."

Node approval provides another important layer of RMM security by adding an approval process before new devices can be monitored and managed or gain Credential Exchange access, the company adds.

MSP Platform Security

As we pointed out, the Credential Exchange arrives at a key time for the overall MSP software and IT service provider industry.

Indeed, hackers are increasingly targeting MSPs and their underlying software systems for island hopper attacks that eventually penetrate end-customer systems, the FBI and Department of Homeland Security have repeatedly warned. At the same time, thousands of MSPs have failed to pinpoint next steps for business automation, potentially hurting their own business margins along the way.

Amid those market realities, security-minded MSPs can leverage Credential Exchange to differentiate themselves from the market masses, according to Sferlazza. He notes:

“Security is obviously top of mind not just for our customers, but for their customers, as well. Features like the Credential Exchange allow NinjaRMM customers to position security as one of their key strengths and differentiators. At the same time, this new functionality also allows them to operate more profitably by shaving significant time off their day-to-day management tasks. Both of those things are especially critical for MSPs and admins working in enterprise environments.”

NinjaRMM Business Growth

NinjaRMM, meanwhile, has escaped niche status and achieved critical mass within the MSP software market. The RMM (remote monitoring and management) software provider is nearing an installed base of 3,000 MSPs, company officials tell ChannelE2E. The company had roughly 2,000 MSPs as of September 2018.

What's driving that growth? A simple message backed by a simple but powerful cloud-based platform is likely the answer. Instead of buying multiple RMM solutions to address PC, server, network, infrastructure and other point needs, NinjaRMM is positioning itself as an all-in-one RMM option for MSPs.

Moreover, NinjaRMM's executives and employees have MSP-centric businesses in their DNA. Sferlazza and many of his lieutenants have held key roles or pioneering positions at such firms as SonicWall, PacketTrap Networks, Quest Software and Anchor.

Admittedly, the company continues to face intense competition from numerous RMM companies. But if the Credential Exchange works as advertised, it may be yet another point of differentiation for NinjaRMM.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.