In our last post, we talked about the risks of sharing passwords. This is important for everyone, but perhaps especially so for those people with administrative access to your systems—and therefore control of your information and operations.
However, what if there’s a significant problem requiring administrative access and the person with the correct access permissions just isn’t available?
That’s when a ‘break glass’ procedure is needed.
You can think of it as being like a fire alarm: ‘in emergency, break glass’ to open an exit door and sound an alarm.
A ‘break glass’ procedure provides a way in for someone in an emergency—and only in an emergency. It bypasses the security controls that have been put in place, while triggering an alert that this is happening.
Note that alerting is important, because otherwise a threat actor could use the break glass procedure unnoticed and get access to highly privileged information.
Why might we need a break glass procedure?
You might need such a procedure in case of a cyber attack, network or third-party outages, your access management tools being down for maintenance, or simply due to users having repeated login issues.
Examples include:
- a cyber attack destroying access to your accounts
- your privileged access management (PAM) tool being down for maintenance or because of a denial of service attack
- your only system administrator being away, on holiday or in hospital
- multifactor authentication (MFA) being unavailable because of a network outage
- your accounts using federated identity, and the identity provider being unavailable
- your PAM tool having locked the system administrator out because of too many incorrect login attempts
If such an account exists, it should be carefully controlled, monitored, and regularly audited. This is because it provides more access than the person using it would typically have, and that is a security risk in itself.
What to think about?
Your break glass account will need a very high level of privileged access, to allow someone using it to do whatever is needed. And so that it will work under any circumstance, and always be available, the account can’t be locked out, deleted or deactivated.
Access to your break glass account must therefore be very carefully protected.
- Make sure the break glass account has a complex username and password. Ideally, no one person would know the complete password, so that at least two people are needed to operate the break glass procedure. Consider writing the two or three parts of the password on separate pieces of paper and storing them separately and securely—make sure that each part is sufficiently complex to reduce the risk of being broken.
- The account should not have MFA tied to a personal device (in case the owner of that device is unavailable). If MFA must be activated, it should be tied to a shared company device with various ways of connecting to the internet, in case of network outage.
- Limit the number of people who can use the break glass accounts. Ideally, these people would be administrators in their normal roles to avoid mistakes in operating the break glass account.
- The procedure to get access to the account should include alerting the system owner to the fact that the break glass procedure is being initiated.
- Monitor the accounts, and assess any unusual activity for threat.
- Check and test the routine regularly, and document the procedure. Don’t forget to think about your joiners, movers, and leavers processes—what if your break glass users leave?
- Once the work is completed, the person given access to the break glass account should log out, and the password should be changed before it is stored away again.
- Then establish why the procedure was necessary—and try to eliminate that issue to reduce the likelihood that it will be needed again in the future.
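One way to implement the alerting and monitoring the bullets above call for, as an added example in Python that is not from the original post: it scans sign-in log lines (constructed here; the field names, the account name and the thresholds are assumptions, to be adapted to your identity provider's audit log) and raises an alert on every successful use of the break glass account and on a burst of failed attempts against it.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs. Field names are assumptions.
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T02:14:05Z", "user": "bg-admin-7q2x", "result": "failure", "ip": "203.0.113.9"}',
    '{"ts": "2024-03-01T02:14:40Z", "user": "bg-admin-7q2x", "result": "failure", "ip": "203.0.113.9"}',
    '{"ts": "2024-03-01T02:15:10Z", "user": "bg-admin-7q2x", "result": "failure", "ip": "203.0.113.9"}',
    '{"ts": "2024-03-01T09:30:00Z", "user": "alice", "result": "success", "ip": "198.51.100.4"}',
    '{"ts": "2024-03-01T10:02:00Z", "user": "bg-admin-7q2x", "result": "success", "ip": "198.51.100.4"}',
]

BREAK_GLASS_ACCOUNTS = {"bg-admin-7q2x"}  # assumed (complex) name of the emergency account
FAILURE_THRESHOLD = 3                     # failed attempts before an alert is raised
FAILURE_WINDOW = timedelta(minutes=10)    # ...within this period


def parse(line):
    """Turn one JSON log line into a dict with a datetime timestamp."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_alerts(lines, accounts=BREAK_GLASS_ACCOUNTS):
    """Return alert strings for break glass account activity.

    Every successful sign-in is an alert: the procedure must never go unnoticed,
    and the system owner has to confirm it was invoked legitimately. A burst of
    failures is an alert too: it may be a guessing attempt or a lock-out in progress.
    """
    alerts = []
    recent_failures = {}  # account -> timestamps of failures inside the window
    for e in sorted((parse(l) for l in lines), key=lambda ev: ev["ts"]):
        if e["user"] not in accounts:
            continue
        when = e["ts"].isoformat()
        if e["result"] == "success":
            alerts.append(f"{when} break glass account {e['user']} signed in from {e['ip']}: "
                          "confirm the procedure was invoked, then rotate the password")
        elif e["result"] == "failure":
            window = [t for t in recent_failures.get(e["user"], []) if e["ts"] - t <= FAILURE_WINDOW]
            window.append(e["ts"])
            recent_failures[e["user"]] = window
            if len(window) == FAILURE_THRESHOLD:
                alerts.append(f"{when} {len(window)} failed sign-ins to {e['user']} within "
                              f"{FAILURE_WINDOW}: possible guessing attempt from {e['ip']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this reports the three failures at 02:15:10 and the successful sign-in at 10:02:00, while the ordinary user's sign-in is ignored.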
The NCSC provides useful advice on considerations for protection of cloud admin access, if you’d like to know more. If you need some help, contact the Click and Protect team on 0113 733 6230 or via our contact form.