Feature Release: ContraForce Identity and Access Management (Solving a 3 Body Problem)

If you run a managed services provider (MSP) and have outsourced your client’s security services to a third-party managed security services provider (MSSP), you may face the “3-body problem” of co-managed services. The problem arises because you have individuals from three different entities – your MSP, the MSSP and your client – interacting with your client’s data. If not properly managed, the resulting experience can be chaotic and unpredictable for you and your client (this may also be the case if you are managing your clients directly and don’t have controls in place).

The term 3-body problem was recently popularized by a Netflix series of the same name. In physics, the three-body problem refers to the calculation of the trajectories of three masses that orbit each other. It is a “problem” because no equation exists to solve the calculation.

In the TV series, the 3-body problem is a system of three sun-like stars orbiting one another around an alien civilization. Because they can’t calculate the orbit of the three stars, the stars’ movements are chaotic and unpredictable, and sometimes lead to climate catastrophes. The worst such catastrophes are civilization-ending.

Chaos and Unpredictability

As an MSP, your 3-body problem is unlikely to be civilization-ending like the TV show (we hope!). But the problem could become relationship-ending due to frequent client issues and their frustration with a seeming lack of accountability in co-managed situations.

Common IAM challenges of co-managed security services

Common identity and access management challenges for co-managed services not using the ContraForce Platform are:

  • Manual Authorization. The process of adding identities to the service delivery platform can be time-consuming since a system administrator (or multiple administrators) is required to manually authorize access each time.
  • Weak Access Controls. You may not know why certain individuals have access to your client’s data, or be able to control their access. Even when you do have access control at the account level, you may not be able to assign role-based access permissions within the account, for example to determine who has permission to undertake remediation actions.
  • Time-Consuming Administration. You may have to track and manage each user’s role and permission. The repetitive task of assigning individuals to workspaces and accounts can be a significant administration time sink.

Structured Identity and Access Management

Today, we are excited to have released ContraForce IAM, a solution for the identity and access management (IAM) issues that can torment MSPs like you and your clients when you are in a co-managed situation with a third-party MSSP. Many of the benefits of ContraForce IAM also accrue to MSPs and MSSPs who are managing their clients directly.

ContraForce IAM introduces enhanced capabilities to the ContraForce platform that allow you to manage users, roles, groups and privileges at both the organization and workspace level. ContraForce IAM includes the ability to authorize users, assign users to roles, and create and manage groups; all features to facilitate co-management of workspaces by multiple service providers.  

Role-based Access Control

With ContraForce IAM you can implement role-based access control (RBAC) at both the organizational and workspace level. RBAC at the organizational level includes four clearly defined roles: organization administrator, user administrator, workspace administrator and organization member. Each role has explicitly outlined permissions as follows for your MSP:

RBAC at the workspace level similarly entails four clearly defined roles for identities at your MSP, Client (and MSSP if the account is co-managed):

* The exceptions are Microsoft Sentinel and Microsoft Defender which require one-time administrator authorization.

Using these defined roles, you can provide account access and assign roles to individuals from your MSP, from a third-party MSSP and from your client. We also recognize that user roles vary by client and workspace. With ContraForce IAM, different roles can be assigned for each workspace a user is permitted to access.

A list of users including a highlighted user’s group membership and role in each of their workspaces

User Groups

To make IAM administration more efficient, we also allow you to create user groups within the ContraForce Platform. With groups, you don’t need to separately assign each individual access to a workspace. Groups can be formed by project, function (analysts versus engineers, for example), geography or using some other criteria. You can then assign roles by group for each workspace.  

A list of groups showing each group’s owner and user(s)

It is easy for you to see the groups that an individual belongs to, and vice versa. You can also view a client workspace and see which groups and which individuals have access to that workspace.

ContraForce IAM provides you with delegated authorization, RBAC and group administration

Overall, ContraForce IAM benefits you whether you are delivering services directly or part of a co-managed service, including:

  • Delegated Service Provider Authorization. Once a client provides you with consent, ContraForce ensures that all necessary permissions are securely and transparently provisioned to your MSP, eliminating additional manual authorization efforts and maintaining strict security boundaries. You can then seamlessly access your client’s security tooling and data essential for service delivery, without requiring any configuration within their identity directory (such as Microsoft Entra ID) or cloud platform.
  • Role-based Access Controls. You have control and can manage users, roles and privileges at both the organization and workspace level.
  • Groups. To facilitate administration, you can easily group users and then assign roles by group for each workspace.

And unlike the 3-body math problem, your co-managed services 3-body problem is … solved!

ContraForce is everything you need to manage your security service delivery with confidence.
