CyberSolve Project Delivery Office – What Separates Us from the Rest
- August 24, 2023
- Posted by: admin
- Category: Blog
What is a “Break Glass” Account?
A break glass account is a highly privileged account for a specific application or system used during an emergency or system down event. In Privileged Access Management (PAM), having this type of account and a process on how to use it is essential.
Why are Break Glass Accounts necessary for PAM?
If a company has a mature PAM program, most if not all privileged accounts (Domain Admin Accounts, Elevated User Accounts, Service Accounts, Local Admins, Admin-level Application Accounts, etc.) will be stored in the secured vault of the PAM solution and most likely are rotated after each use. Since these privileged accounts are used every day, if user access to this system is interrupted for an extended period of time, PAM Admins will need a way to access the system to retrieve these crucial accounts. The sole purpose of the break glass account is to access the PAM vault, when no one else can, to retrieve these privileged accounts and to verify that all services are functioning properly within the PAM system.
How to Secure a Break Glass Account?
Since the break glass account is highly privileged and has access to the system that holds all of the crown jewels for a company, it will require extreme measures to protect it. Below are some best practices on how to properly secure a break glass account.
Storage
1. The break glass account should be stored in a minimum of two (2) physical safes geographically separated from each other (i.e., not in the same data center).
If that is not possible due to limits in your location options, you should plan to have copies of this account separated geographically in a non-traditional manner. For example, store one copy in a safe in the primary data center and the other copy in a safe at the CISO’s house. It is not perfect but will, at a minimum, allow you to keep the 2 physical copies separated.
2. Write the break glass account information on a piece of paper or store it on a USB drive. It does not need to be an encrypted USB drive. Remember, if your system is down, you want the least number of options for technology failure as possible.
If a USB drive is chosen to store the break glass account, make sure to store it on at least two (2) drives, per location, to account for the potential of technology failure or corruption.
3. Store the break glass account (whether on paper or a USB drive) in a tamper proof envelope in the safe and have all parties involved sign and date the envelope. This will make it difficult for someone to tamper with the break glass account without evidence that it was tampered with.
Use
1. The break glass account should ONLY be retrieved and used if no one can login to the PAM system with their conventional Domain accounts.
2. Log events must be setup to alert on failed and successful authentication attempts for the break glass account.
Usually this can be set up within the PAM tool itself, otherwise a Security Information & Event Management (SIEM) integration can be used to correlate logs and alert on this.
Rotation
1. The password should be a minimum of twenty (20) characters long using uppercase letters, lowercase letters, special characters, and numbers.
The reason for a long and complex password is that it won’t be rotated often, and you want to make attempted brute force attacks to be as difficult as possible while still making it reasonable to use when needed. You can also use your PAM solution to generate the original password and any new passwords needed in the future. 2. The password should be changed manually after each use.
This is crucial to maintain proper security hygiene. If the password for the break glass account is stored on a USB drive or otherwise copied for whatever reason, be sure to follow the steps below to purge the clipboard on the system that copied it.
Go to Settings > System > Clipboard and select the <Clear> button under the Clear Clipboard Data section. This will remove all data within the Clipboard history.
Talk to the experts at CyberSolve to see how your organization can implement Cybersecurity to fit your organization’s needs.
Leave a Reply
Contact us at the Consulting WP office nearest to you or submit a business inquiry online.
Todd is a recognized IAM and Cloud industry expert who brings over 20 years of experience in managing, advising, architecting, and deploying IGA, Authentication and Authorization, and Cloud solutions and services across IDaaS, SaaS, IaaS, and PaaS. Todd is a frequent speaker on effective risk and security practices at leading industry events. He is responsible for the oversight of CyberSolve’s business segments and for the development of strategic plans to sustain the company’s rapid growth while providing trusted advice to clients across the security and risk spectrum.
Atul has over 20 years of experience in managing, designing and implementing Customer Relationship Management (CRM) and Salesforce integrations. He has acted as a cloud-focused solutions expert in both domestic and international markets. Prior to founding CyberSolve, Atul was a Technical Consulting Director at Salesforce where he demonstrated his strong experience architecting financial services industry solutions. Atul holds a Bachelor of Engineering from Madan Mohan Malaviya University of Technology.
Shub possesses over 15 years of experience in the Identity and Access Management (IAM) industry in pre-Sales and technology architecture roles. Shubham has held various positions with SailPoint, RSA, Saviynt, and Okta. He has extensive Identity and Access Management industry technology and sales experience in both domestic and international markets as well strong knowledge of how Identity and Access Management satisfies Audit and IT compliance issues. Shub holds a 
Rajesh has served Multi-National Corporations and large organizations as a full time Vice President of Finance, Chief Financial Officer and in equivalent roles. In order to fulfill his duties as a CFO he is a Chartered Accountant, holds a Diploma in Information System Audit (DISA certified by the Institute of Chartered Accountants of India), is a Certified SAP Consultant, Certified QuickBooks Professional Advisor, and Zoho Partner with 30+ years of experience in managing Finance, Accounting and ERP Systems for Medium to Large organizations in diverse sectors.
John is an experienced IT executive with extensive business leadership, operations management, project management, technology delivery and consulting skills who spent over two decades with General Electric where he was responsible for all aspects of their Global PIM program, he was also a key member of the security assurance team for the organizations Capital business. John leads the delivery of client services across the business landscape, to include Privileged Access Management, Managed Services, Identity Governance & Administration, Cybersecurity and Cloud Services.
Luis has been facilitating IAM programs for 20+ years. He was the CRO at Clear Skye, which builds identity governance capabilities on the ServiceNow Platform. His prior experience with services companies that deliver real world identity solutions has made him a trusted resource for information security executives that he has the privilege of advising. Luis assists in the management of our global sales organization, driving revenue growth via direct sales, ensuring our customers have the best plan and solution to ensure their IAM investment achieves the lowest TCO while providing the highest ROI.
Amit brings over 15 years of Identity and Access Management (IAM) experience to the organization. He has a proven track record in providing customers with the best of breed Identity and Access Management solutions. He ensures success within all engagements by staying integrated with the customer throughout the engagement whether it is a program, project or managed services and support. Amit acts as a customer champion at all times to ensure the right solution and resources are in place to achieve the right requirements.
James leads the delivery of client services across the Identity, Access, and Authorization landscape. He has delivered projects across a wide range of products including Okta, Ping, ForgeRock, Oracle, Microsoft, Citrix, Imprivata, Radiant Logic, Axiomatics and many others. With the advent of modern cloud services, James has served as the internal cloud architect and administrator for almost 10 years and uses that experience to help users make the best use of it.
As a veteran of the Identity Governance and Administration (IGA) landscape, Tony’s career has spanned from being a hands-on Architect\Engineer on numerous industry-leading IGA solutions to building and managing industry-leading Professional Services delivery teams. Tony brings that vast knowledge to CyberSolve and the teams under his management. In recent years Tony has been instrumental in the migration away from the legacy on-prem Identity Governance & Administration solutions to modern cost-effective cloud products.
Clark is a Channels, Sales and Marketing executive with 40+ years of experience as a direct seller, Executive and Founder. His experience includes services, software and hardware sales to Commercial, Federal, and State/Local/Education entities across US Domestic and International markets. Within the IAM spectrum, Clark spent over 5 years as SailPoint’s Channel Manager, Federal & Healthcare markets. He has developed and managed Partner relationships and strategies globally, and is known for significantly growing the revenue of his partners by building trusted, profitable relationships and business strategies.