
Provide Security for Privileged Accounts with a Break Glass Process

February 22, 2017


Break Glass Theory

In computing, “Break Glass” is the act of checking out a system account password to bypass normal access control procedures in a critical emergency. This gives the user immediate access to an account that they may not normally be authorized to use. The method is generally reserved for the highest-level system accounts, such as root on Unix or SYS/SA on a database. These accounts are highly privileged, and break glass limits their exposure by bounding how long the checked-out password remains valid, with the aim of confining the account’s use to what is absolutely necessary to complete a specific task.

Want to learn more? Check out my on-demand webinar "Break Glass Theory: Designing a Break Glass Process to Provide Security for Privileged Accounts" View Webinar

Break glass is a quick means of extending a person’s access rights in exceptional cases and should only be used when normal processes are insufficient (e.g. the helpdesk or system administrator is unavailable). Examples of situations in which “break glass” emergency access might be necessary are account, authentication, and authorization problems. In many companies some critical tasks exist which, in exceptional cases, must be performed by a person not usually permitted to perform them. For example, a junior physician would be able to perform certain tasks of a senior physician in an emergency.

The break glass solution is based on pre-staged emergency user accounts, managed and distributed in a way that makes them quickly available without unreasonable administrative delay. The break glass accounts and distribution procedures should be documented and tested as part of implementation and carefully managed to provide timely access when needed.

A best practice would place the pre-staged emergency accounts under the responsibility of an individual, such as an Emergency Account Manager, who would be readily available during operating hours and who understands the sensitivity and priority of the emergency accounts. This person would distribute the accounts with a sign-out method requiring that an acceptable form of identification be provided by the requestor and recorded before the accounts are made available.

A "Break Glass Process" would look something like this:

  1. A user performs a break glass checkout when they need immediate access to an account that they are not authorized to manage.
  2. During the break glass checkout, a notification message is sent to the Emergency Account Manager, informing her that a break glass checkout occurred; she can neither approve nor stop the process.
  3. The checked-out break glass account is recorded for audit purposes.

While the emergency account is in use it must be carefully monitored and audited on a regular basis. Additionally, the system should alert the security administrator when an emergency account is activated. The administrator will make sure the account is properly closed when the work is done and that a new account is established.
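The three-step process above and the monitoring that follows it can be expressed as a small state machine: a pre-staged password is checked out under a time-bounded lease, the Emergency Account Manager is notified without being able to block the checkout, every step lands in an append-only audit log, open checkouts past their lease are surfaced for alerting, and releasing the account rotates the exposed password. The Python below is an added illustration written for this post; it is not BeyondTrust product code and does not model any real PAM API. The `BreakGlassVault` class, the `root@db01` account, the `staged-pw-example` password and the timestamps are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Checkout:
    """One break glass checkout of an emergency account (this is the audit record)."""
    account: str
    requester: str
    justification: str
    issued_at: datetime
    expires_at: datetime
    released_at: Optional[datetime] = None


class BreakGlassVault:
    """Hypothetical demo vault holding pre-staged emergency account passwords.

    A checkout is bounded by a lease, the Emergency Account Manager is only
    notified (she cannot approve or stop it), and every step is appended to
    an audit log. Not a real PAM product API.
    """

    def __init__(self, lease_minutes: int = 30,
                 notify: Optional[Callable[[str], None]] = None) -> None:
        self._passwords: Dict[str, str] = {}     # account -> current password
        self._checkouts: List[Checkout] = []     # every checkout ever issued
        self.audit_log: List[dict] = []          # append-only event list
        self.lease = timedelta(minutes=lease_minutes)
        self._notify = notify or (lambda _msg: None)

    def _log(self, event: str, account: str, actor: str, when: datetime) -> None:
        self.audit_log.append({"event": event, "account": account,
                               "actor": actor, "at": when.isoformat()})

    def stage_account(self, account: str, password: str, now: datetime) -> None:
        """Pre-stage an emergency account; the password stays sealed until break glass."""
        self._passwords[account] = password
        self._log("stage", account, "emergency-account-manager", now)

    def break_glass(self, account: str, requester: str, justification: str,
                    now: datetime) -> Tuple[Checkout, str]:
        """Steps 1-3: check out the password, notify the manager, record for audit."""
        if account not in self._passwords:
            raise KeyError(f"{account} is not a staged emergency account")
        if not justification.strip():
            raise ValueError("a justification is required for break glass")
        checkout = Checkout(account, requester, justification, now, now + self.lease)
        self._checkouts.append(checkout)
        self._log("checkout", account, requester, now)
        # Notification only: the manager learns of the checkout but cannot block it.
        self._notify(f"BREAK GLASS: {requester} checked out {account} ({justification})")
        return checkout, self._passwords[account]

    def release(self, checkout: Checkout, now: datetime) -> None:
        """Close the checkout and rotate the password so the exposed credential is dead."""
        checkout.released_at = now
        self._passwords[checkout.account] = secrets.token_urlsafe(24)
        self._log("release-and-rotate", checkout.account, checkout.requester, now)

    def overdue(self, now: datetime) -> List[Checkout]:
        """Monitoring hook: open checkouts whose lease has elapsed should raise an alert."""
        return [c for c in self._checkouts
                if c.released_at is None and now >= c.expires_at]

    def password_changed_since(self, account: str, old_password: str) -> bool:
        return self._passwords[account] != old_password


def run_demo() -> dict:
    """Walk one emergency through the process and return the observable outcomes."""
    alerts: List[str] = []
    vault = BreakGlassVault(lease_minutes=30, notify=alerts.append)
    t0 = datetime(2017, 2, 22, 9, 0, tzinfo=timezone.utc)        # constructed timestamp
    vault.stage_account("root@db01", "staged-pw-example", t0)     # constructed values

    checkout, password = vault.break_glass(
        "root@db01", "jdoe", "INC-0001: database down, DBA unreachable", t0)
    overdue_at_10m = vault.overdue(t0 + timedelta(minutes=10))    # inside the lease
    overdue_at_31m = vault.overdue(t0 + timedelta(minutes=31))    # lease elapsed, not released
    vault.release(checkout, t0 + timedelta(minutes=35))

    return {
        "password_issued": password == "staged-pw-example",
        "alerts": alerts,
        "overdue_before_lease": len(overdue_at_10m),
        "overdue_after_lease": len(overdue_at_31m),
        "overdue_after_release": len(vault.overdue(t0 + timedelta(minutes=60))),
        "rotated": vault.password_changed_since("root@db01", "staged-pw-example"),
        "audit_events": [e["event"] for e in vault.audit_log],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the security point. The notification callback is fire-and-forget and has no return value the vault consults, which is exactly the "informed but cannot stop it" relationship the process describes. And `release` does not merely mark the checkout closed; it rotates the password, because a credential that a human has seen must be treated as burned, which is what "a new account established" amounts to in practice.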

The best way to manage a break glass account is through the use of a privileged access management (PAM) solution. PAM is all about locking “root” or “admin” credentials up in a hardened vault and tightly controlling access to them for increased security. Enterprise password management provides an extra layer of control over privileged administration and password policies, as well as detailed audit trails on privileged access. In addition to controlling the use, distribution and change of the break glass passwords, PAM solutions can also broker sessions to systems or databases so that the privileged user never even sees the passwords or credentials.

Using a break glass solution in your organization is a way to ensure that your critical systems are accessible when you need them most.


Derek A. Smith

Founder, National Cybersecurity Education Center

Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.
