What is a “Break Glass” Account?
A break glass account is a highly privileged account for a specific application or system that is used only during an emergency or system-down event. In Privileged Access Management (PAM), having this type of account, together with a documented process for how and when to use it, is essential.
Why are Break Glass Accounts necessary for PAM?
In a mature PAM program, most if not all privileged accounts (domain admin accounts, elevated user accounts, service accounts, local admins, admin-level application accounts, etc.) are stored in the PAM solution's secured vault and are most likely rotated after each use. Because these privileged accounts are used every day, an extended interruption of normal user access to the PAM system (for example, a directory or SSO outage that breaks domain logins) leaves the PAM Admins with no way to retrieve these crucial accounts. The sole purpose of the break glass account is to access the PAM vault when no one else can, retrieve the privileged accounts that are needed, and verify that all services within the PAM system are functioning properly.
How to Secure a Break Glass Account?
Since the break glass account is highly privileged and grants access to the system that holds all of a company's crown jewels, it requires extreme measures to protect it. Below are some best practices for properly securing a break glass account.
1. The break glass account credentials should be stored in a minimum of two (2) physical safes that are geographically separated from each other (i.e., not in the same data center).
If that is not possible due to limits on your available locations, plan to separate the copies geographically in a non-traditional manner. For example, store one copy in a safe in the primary data center and the other in a safe at the CISO's house. It is not perfect, but it will, at a minimum, keep the two physical copies separated.
2. Write the break glass account information on a piece of paper or store it on a USB drive. The USB drive does not need to be encrypted: the safe and the sealed envelope it sits in are the controls protecting it, and an encrypted drive adds a decryption key or tool that might itself be unavailable during the outage. Remember, if your system is down, you want as few opportunities for technology failure as possible.
If a USB drive is chosen, store the account on at least two (2) drives per location to account for the possibility of drive failure or file corruption.
3. Store the break glass account (whether on paper or a USB drive) in a tamper-evident envelope in the safe and have all parties involved sign and date the envelope. This makes it difficult for someone to tamper with the break glass account without leaving evidence that it was tampered with.
1. The break glass account should ONLY be retrieved and used if no one can log in to the PAM system with their conventional domain accounts.
2. Log events must be set up to alert on both failed and successful authentication attempts for the break glass account. Any successful login is itself an event to confirm against a declared emergency, since the account should never be used otherwise.
Usually this can be set up within the PAM tool itself; otherwise, a Security Information & Event Management (SIEM) integration can be used to correlate the logs and alert on them.
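The alert logic described above, written out as an added example (this is not code from the original article or from any PAM or SIEM vendor; the real rule belongs in the PAM tool or SIEM). The JSON log layout, its field names, the account name pam-breakglass and the failure threshold are all assumptions; the log lines are constructed for the example.

```python
"""Alert on every authentication event for the break glass account.

Added example, not code from the original article or any PAM vendor. It is a
stand-alone version of the alert rule the article says to configure in the PAM
tool or a SIEM. The JSON log format, its field names, the account name
'pam-breakglass' and the failure threshold are all assumptions.
"""
import json
from collections import deque
from datetime import datetime, timedelta

BREAK_GLASS_ACCOUNT = "pam-breakglass"   # assumed account name
FAILURE_THRESHOLD = 3                    # failures in the window that count as guessing
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample log in JSON lines, roughly what a PAM appliance might
# forward; the field names are made up for this example, not a vendor format.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:14:07Z", "user": "jdoe", "event": "auth_success", "src": "10.0.5.21"}
{"ts": "2024-03-01T02:15:30Z", "user": "PAM-Breakglass", "event": "auth_failure", "src": "203.0.113.9"}
{"ts": "2024-03-01T02:15:41Z", "user": "pam-breakglass", "event": "auth_failure", "src": "203.0.113.9"}
{"ts": "2024-03-01T02:15:52Z", "user": "pam-breakglass", "event": "auth_failure", "src": "203.0.113.9"}
{"ts": "2024-03-01T02:16:03Z", "user": "pam-breakglass", "event": "auth_success", "src": "203.0.113.9"}
{"ts": "2024-03-01T02:20:00Z", "user": "asmith", "event": "auth_failure", "src": "10.0.5.40"}
"""


def parse_line(line):
    """Parse one JSON log line and convert the timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, account=BREAK_GLASS_ACCOUNT):
    """Return one alert per authentication event for the break glass account.

    Every event alerts: a success is critical because the account should only
    be used during a declared emergency, and a failure is high. A run of
    FAILURE_THRESHOLD failures inside FAILURE_WINDOW escalates to critical as a
    likely guessing attempt, and a success records how many failures preceded it.
    """
    alerts = []
    recent_failures = deque()   # timestamps of failures still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Account names arrive in mixed case from different sources; normalise.
        if rec["user"].lower() != account.lower():
            continue
        while recent_failures and rec["ts"] - recent_failures[0] > FAILURE_WINDOW:
            recent_failures.popleft()
        alert = {"ts": rec["ts"].isoformat(), "src": rec["src"], "event": rec["event"]}
        if rec["event"] == "auth_success":
            alert["severity"] = "critical"
            alert["reason"] = "break glass account logged in; confirm a declared emergency"
            alert["preceding_failures"] = len(recent_failures)
        elif rec["event"] == "auth_failure":
            recent_failures.append(rec["ts"])
            if len(recent_failures) >= FAILURE_THRESHOLD:
                alert["severity"] = "critical"
                alert["reason"] = (f"{len(recent_failures)} break glass failures within "
                                   f"{int(FAILURE_WINDOW.total_seconds() // 60)} minutes")
            else:
                alert["severity"] = "high"
                alert["reason"] = "break glass authentication failure"
        else:
            continue   # other event types for this account are out of scope here
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["src"], a["reason"])
```

On the sample log the three failures from 203.0.113.9 escalate to critical on the third attempt, and the success that follows is reported with the three preceding failures attached, which is the pattern a responder most needs to see at a glance. The case-insensitive account match matters in practice because the same account is often logged in different case (or as a UPN) by different sources.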
1. The password should be a minimum of twenty (20) characters and use uppercase letters, lowercase letters, numbers, and special characters.
The reason for a long and complex password is that it will not be rotated often, so you want brute-force attempts to be as expensive as possible while keeping the password practical to type in an emergency. You can also use your PAM solution to generate the original password and any replacement passwords needed in the future.
2. The password should be changed manually after each use.
This is crucial to maintain proper security hygiene: once the account has been used, the sealed copy in the safe is no longer the only place the password exists. If the password was copied from the USB drive into the clipboard, or otherwise copied for whatever reason, be sure to follow the steps below to purge the clipboard on the system that copied it.
On Windows 10 and 11, go to Settings > System > Clipboard and select Clear under Clear clipboard data. This removes the current clipboard contents and the clipboard history from the device, except for pinned items. If the Sync across devices option under Clipboard history is turned on, the password may already have been sent to your other signed-in devices, so clear the history on those as well.
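A stand-alone generator and policy check for the password rules above (minimum length and all four character classes), written as an added example; it is not code from the original article. The article's own advice is to let the PAM solution generate the password, and this stands in for that generator, for instance when the PAM solution is what is down. The special-character set used for generation is an assumption chosen to be easy to type and to write by hand.

```python
"""Generate and check a break glass password against the policy in the text:
at least 20 characters with uppercase, lowercase, digits and specials present.

Added example, not code from the original article. The article's own advice is
to have the PAM solution generate the password; this is a stand-in for when
that generator is unavailable. The special-character set used for generation is
an assumption chosen to be easy to type and to write by hand.
"""
import math
import secrets
import string

MIN_LENGTH = 20
GEN_SPECIALS = "!#$%&*+-=?@^_~"          # assumed subset: no quotes, backslash or backtick
GEN_ALPHABET = string.ascii_letters + string.digits + GEN_SPECIALS


def meets_policy(password, min_length=MIN_LENGTH):
    """True when the password is long enough and every class is represented.
    Any printable ASCII punctuation counts as a special character here."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return (len(password) >= min_length
            and all(any(ch in cls for ch in password) for cls in classes))


def generate(length=MIN_LENGTH):
    """Draw characters with the OS CSPRNG and reject candidates that miss a
    class, so the result is uniform over policy-compliant strings rather than
    having fixed 'one of each' positions an attacker could model."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def entropy_bits(length=MIN_LENGTH, alphabet_size=len(GEN_ALPHABET)):
    """Upper bound on the guessing entropy of a password from generate():
    length * log2(alphabet). Rejecting class-missing candidates shaves a
    fraction of a bit off this, which is negligible at 20 characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate()
    print(pw, meets_policy(pw), f"{entropy_bits():.1f} bits")
```

With the 76-character generation alphabet a 20-character password carries roughly 125 bits, which is why the length, not the rotation interval, does the work against brute force here. If the copy going into the safe is handwritten, dropping look-alike glyphs such as 0/O and 1/l/I from the alphabet is a reasonable further choice (my suggestion, not the article's); the small loss of entropy is far cheaper than a transcription error during an outage.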
Talk to the experts at CyberSolve to see how your organization can implement Cybersecurity to fit your organization’s needs.