
Break Glass Explained: Why You Need It for Privileged Accounts


Identity and access management (IAM) and privileged access management (PAM) are critical security tools for modern organizations. However, they can sometimes bar users from accessing critical systems and services, potentially impacting production, customer experience, and cybersecurity. In urgent cases, a method of bypassing normal security controls to regain access—called “break glass”—is needed. In this post, we’ll walk you through the break-glass process—what it is, why it’s important, and how to execute it.

What Is Break Glass?

Break glass refers to a method of bypassing security controls that normally guard a system or service. The term “break glass” is a reference to someone breaking a glass stopper to pull a fire alarm. In some situations, a user may be unable to gain authorized access as they normally would.

Examples include a data breach, a security tool failure, or a lockout due to a forgotten password. Break glass allows them to circumvent their organization’s IAM or PAM solution and regain access. A dedicated, pre-staged break-glass user account is created as a backup for emergency situations.

The break-glass account is highly privileged, as it allows access to critical systems, such as root accounts. Break-glass accounts are typically monitored, tested, documented, and managed to prevent inappropriate use. Break-glass credentials have a limited lifespan to restrict use to emergencies or other unusual events and avoid mishandling.

The Importance of Break Glass

PAM and multi-factor authentication (MFA) involve rigid rules designed to say “No” to unauthorized users or cyber attackers. But these security controls can also lock out benign users, potentially hurting business continuity and emergency response. 

In some cases, attackers can leverage an organization’s security controls to thwart the threat responders trying to catch them. In some industries, such as healthcare or disaster management, a security lockout may put lives or property at risk. For these and other reasons, break glass is a must-have backup measure. 

Break glass provides crucial recourse when it is the only route back into systems and applications, as in the following cases:

  • The organization’s PAM tool is unavailable due to downtime or maintenance. 
  • The PAM tool’s normal authentication process fails because the server is down. 
  • MFA is unavailable because of a network outage. 
  • Cyberattack. For example, a DDoS attack can prevent anyone from logging in. 
  • A PAM or MFA safety feature locks out a user for typing the wrong password too many times. 
  • A user locks themselves out of a tenant with conditional access policies. 
  • Failure of federation services. 
  • A service outage. 

IAM and PAM deployments are critical for security. So is a backup method to bypass them in urgent or unexpected situations. Organizations should look for solutions like StrongDM that combine secure IAM and PAM tools with the ability to allow for emergency break-glass access. 

Break Glass Process Overview

A break-glass process features several well-defined steps to enable break-glass access when needed. The process is pre-planned, managed, and audited to prevent abuse and quickly return to normal access controls afterward. 

An organization must first determine who will be allowed emergency break-glass access and under what circumstances. They must then create pre-staged break-glass accounts with global admin rights, exempt from normal access controls like MFA. These accounts should not be connected to any other systems. 

A rule of thumb is to set up one break-glass account per platform. Some cybersecurity experts recommend adding a second break-glass account—a backup for the backup—to be on the safe side. These emergency user accounts are managed and distributed to ensure quick availability with minimum administrative delay. 

Who ultimately guards break-glass accounts? A best practice is to assign the role of an emergency account manager to someone available during operating hours. This individual distributes the accounts with a sign-out method requiring identification from the requestor.

In the event of an emergency, the break-glass procedure typically looks like this: 

  1. A user requests break-glass access to an account they are locked out of. Perhaps a service outage has occurred, a DDoS attack is preventing login, or they are not normally authorized to access the account. 
  2. The emergency account manager receives notification that the break-glass process has begun. Their pre-approval may or may not be necessary for the requester to obtain the username and password for the emergency account. In all cases, the account manager will normally request an acceptable form of identification from the requester and record it for auditing purposes.
  3. The requester gains account access.
  4. The whole procedure is monitored for later auditing. The use of the emergency account should be reviewed for inappropriate or suspicious activity. During clean-up, the account used should be deleted or disabled, and new account credentials created. 

The ideal break-glass procedure may depend on an organization’s IT environment. For example, those operating solely on-premises may store emergency credentials on a hardware key, such as a YubiKey, kept inside a physical vault for extra security. 

On the other hand, those based primarily in the cloud may temporarily remove Service Control Policies (SCPs) in emergencies. This lets users use the cloud provider’s console to access machines.

Why Tools in Your Security System Need To Support Break Glass

IAM and PAM are crucial for security. But when they prevent users from accessing critical systems or services, they can negatively impact production, customer experience, and, ironically, cybersecurity response. For these and other reasons, organizations must choose tools for their security system that support break glass. 

Speed is everything when there is a breach. Getting into a compromised system in time to thwart an attack can spare companies huge costs and loss of reputation. Likewise, problems with software running in production can seriously impact customer experience. Developers are pressed to troubleshoot and conduct incident investigations on the fly to keep things running smoothly. Something as basic as authenticating their identities should not be a barrier. 

A reliable break-glass plan provides a quick way around IAM- and PAM-related problems and helps developers and threat responders stay on top of their game, no matter what. And that requires security and authentication tools like StrongDM, with the openness and flexibility to support a frictionless break-glass procedure from start to finish. 

StrongDM Break Glass Scenarios

StrongDM is a proxy that combines authentication, authorization, networking, and observability into a single product. As such, it simplifies access security, authentication, and auditing for your workflows. As a comprehensive solution, StrongDM also enables emergency break-glass access when necessary. In fact, with StrongDM, the whole break-glass process requires just a few simple steps. 

The process involves creating accounts for a break-glass scenario, protecting those accounts, and closely monitoring access to them. Here’s how it’s done, step by step:

  • Create local break-glass accounts on the end resource.
  • Store them in a vault (preferably one that requires at least two people to access or uses Shamir’s Secret Sharing).
  • Alert on access to the accounts outside of emergency situations.
  • Rotate break-glass credentials after each incident.
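The last two steps above (alerting on use outside an emergency and rotating credentials after each incident) can be checked mechanically against authentication logs. The following is an added example, not StrongDM code; it assumes a hypothetical incident register of approved windows, hypothetical account names, and a constructed log format with `login` and `cred_rotate` events.

```python
import re
from datetime import datetime

# Constructed (hypothetical) names of the pre-staged break-glass accounts.
BREAK_GLASS_ACCOUNTS = {"bg-admin-prod", "bg-admin-db"}
# Constructed incident register: (id, start, end) windows in which the
# emergency account manager approved break-glass use.
INCIDENTS = [("INC-0001", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 0))]
# Constructed log lines in a simple "timestamp user=.. event=.. src=.." format.
SAMPLE_LOG = """\
2024-03-01T09:15:00 user=bg-admin-prod event=login src=10.0.0.5
2024-03-01T10:00:00 user=bg-admin-db event=login src=10.0.0.5
2024-03-01T10:42:00 user=alice event=login src=10.0.0.7
2024-03-01T11:30:00 user=bg-admin-prod event=cred_rotate src=10.0.0.5
2024-03-02T03:10:00 user=bg-admin-db event=login src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")

def parse_log(log_text):
    """Parse the log into dicts; lines that do not match the format are skipped."""
    recs = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, user, event, src = m.groups()
        recs.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event, "src": src})
    return recs

def approved_incident(ts):
    """Return the id of the incident whose approval window covers ts, else None."""
    return next((i for i, s, e in INCIDENTS if s <= ts <= e), None)

def find_unapproved_use(log_text):
    """Alert on every break-glass login that falls outside an approved incident window."""
    return [(r["user"], r["ts"].isoformat(), r["src"]) for r in parse_log(log_text)
            if r["event"] == "login" and r["user"] in BREAK_GLASS_ACCOUNTS
            and approved_incident(r["ts"]) is None]

def missing_rotation(log_text):
    """Return (incident, account) pairs used in an incident but not rotated after it ended."""
    records = parse_log(log_text)
    missing = []
    for inc_id, start, end in INCIDENTS:
        used = {r["user"] for r in records if r["event"] == "login"
                and r["user"] in BREAK_GLASS_ACCOUNTS and start <= r["ts"] <= end}
        for acct in sorted(used):  # sorted so the report order is deterministic
            if not any(r["user"] == acct and r["event"] == "cred_rotate" and r["ts"] > end
                       for r in records):
                missing.append((inc_id, acct))
    return missing
```

Run against the sample, the off-hours `bg-admin-db` login on 2 March is flagged as unapproved, and `bg-admin-db` is reported as used in INC-0001 without a subsequent rotation.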

There are additional considerations for on-premises versus cloud environments.

Conclusion

It’s never wise to compromise on security. Strong MFA and PAM processes are crucial in today’s threat-ridden virtual landscape. However, when authentication tools lock out users due to service disruption or a threat, a method for bypassing them is equally crucial. For this reason, support for break glass should be a core requirement in an organization’s IAM and PAM deployments.



About the Author

Fazila, Product Marketing Manager, is an accomplished product marketing manager with over 5 years of experience in the technology industry. She is skilled at developing comprehensive product marketing plans that encompass messaging, positioning, and go-to-market strategies. Throughout her career, Fazila has worked with technology products including software applications and cloud-based solutions. She is constantly seeking to improve her skills and knowledge through ongoing training and professional development. She is a member of the Product Marketing Alliance and is an AWS Cloud Certified Practitioner. To contact Fazila, visit her on LinkedIn.
