As more and more enterprises move their operations to the cloud, the need for secure account management becomes increasingly important. One key aspect of this is the implementation of a "break glass" account management strategy.
In this blog post, we'll take a closer look at what break glass account management is, how it can help enterprises improve their cloud security, and some of the key things to consider when developing your organisation’s break glass account process, particularly to protect these accounts from both external and internal threat actors.
What Are Break Glass Accounts And What Are Their Purposes?
A break glass account (BGA) is a non-personal account used in emergencies to gain access to a service or system when access via regular admin accounts is not possible - for example, if they are compromised. BGAs play a vital role in an organisation’s disaster recovery (DR) process, improving security and accountability, and providing a response capability for critical systems.
They are typically the ‘root’ or ‘owner’ accounts for a tenant provided by a public cloud service provider (CSP) such as AWS, Azure, or Google. Consequently, these accounts pose a disproportionate risk to the organisation if they are compromised or lost.
An organisation may use its break glass accounts for specific tasks, as some CSPs restrict certain actions to the ‘root’ account, or they can be used as part of the response to an incident. These accounts are typically highly privileged, with access to sensitive information and the ability to perform a wide range of actions, making them a prime target for adversaries and a priority for defenders to protect.
Authentication and User Experience
Nowadays, users are used to getting what they want, fast. The trend in recent years has been to promote the use of passwordless authentication (PA), reducing the onus and burden on the end user to remember passwords. This improves organisational security posture by reducing the attack surface, mitigating known password-based attacks and the poor password habits that are common among users.
Where BGAs are concerned, user experience is not a primary concern. The focus shifts to the ability to segregate the elements of the authentication process so that no single person holds a toxic combination of them. This is a limiting factor of PA specifically, and of Fast Identity Online (FIDO) compliant secondary factors, because the end user is required to hold one or more elements of the authentication process at any given time.
In the example below, access to a break glass account using PA would require one person to hold all of the following, making segregation impossible:
- The Identity
- Passwordless Token with Biometric Approval
- Software Token installed on the phone
- The requesting device.
A vital part of break glass account management is the ability to segregate the process, making each element of the process a dependency of another. Segregating the process ensures that nefarious actors, whether internal or external, cannot act alone, and that a second reviewer corroborates the request before access is granted. Similarly, segregating the process avoids a single point of failure when the accounts need to be used for legitimate reasons.
What's The Best Break Glass Account Approach For My Organisation?
This is the million-dollar question. And, as with most things security-related, it depends.
Recent publications and best practice have often argued that BGAs should be easily accessible, stored securely, excluded from conditional access policies (CAPs), and exempt from requiring Multi-Factor Authentication (MFA) during the sign-in process.
The truth is that your organisation should apply as many of the available best practices as possible. However, they must be aligned to the organisation’s security policies, the overall risk appetite of the organisation, and what is achievable.
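Because a BGA is typically excluded from conditional access policies and exempt from MFA, the compensating control is that every use of it is alerted on and checked against the reviewer approval described earlier. The following is an added example, not code from the original post: a small Python detector run over constructed sign-in events, where the account names, the approval windows and the log field names are assumptions rather than any CSP's real schema.

```python
import json
from datetime import datetime, timezone

# Identities designated as break glass accounts (constructed placeholder names).
BREAK_GLASS_ACCOUNTS = {"bga-01@example.com", "bga-02@example.com"}

# Emergency windows released by a second reviewer (constructed); a BGA sign-in
# outside such a window is treated as unapproved.
APPROVED_WINDOWS = {
    "bga-02@example.com": ("2024-01-10T11:30:00Z", "2024-01-10T13:00:00Z"),
}

# Constructed sign-in events; the field names are an assumption for this example,
# not the real sign-in log schema of any cloud provider.
SAMPLE_EVENTS = [
    '{"ts": "2024-01-10T09:00:00Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.5"}',
    '{"ts": "2024-01-10T09:05:00Z", "user": "bga-01@example.com", "result": "failure", "ip": "198.51.100.7"}',
    '{"ts": "2024-01-10T09:06:00Z", "user": "bga-01@example.com", "result": "failure", "ip": "198.51.100.7"}',
    '{"ts": "2024-01-10T09:07:00Z", "user": "bga-01@example.com", "result": "success", "ip": "198.51.100.7"}',
    '{"ts": "2024-01-10T12:00:00Z", "user": "bga-02@example.com", "result": "success", "ip": "192.0.2.9"}',
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _approved(user, ts, windows):
    window = windows.get(user)
    return window is not None and _parse(window[0]) <= _parse(ts) <= _parse(window[1])

def detect_break_glass_use(raw_events, accounts=BREAK_GLASS_ACCOUNTS, windows=APPROVED_WINDOWS):
    """Return one alert per sign-in event involving a break glass account."""
    alerts = []
    failed = {}  # per-account count of failed attempts seen so far
    for line in raw_events:
        ev = json.loads(line)
        user = ev["user"]
        if user not in accounts:
            continue  # ordinary accounts are covered by the normal CAP/MFA policy
        if ev["result"] != "success":
            failed[user] = failed.get(user, 0) + 1
            alerts.append({"severity": "high", "account": user, "ts": ev["ts"],
                           "reason": f"failed BGA sign-in attempt #{failed[user]} from {ev['ip']}"})
        elif _approved(user, ev["ts"], windows):
            alerts.append({"severity": "medium", "account": user, "ts": ev["ts"],
                           "reason": "BGA used within a reviewer-approved emergency window"})
        else:
            alerts.append({"severity": "critical", "account": user, "ts": ev["ts"],
                           "reason": f"unapproved BGA sign-in from {ev['ip']}"})
    return alerts
```

Run against the sample events it yields two high alerts for the failed attempts, one critical alert for the unapproved bga-01 sign-in, and one medium alert for the approved bga-02 use.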
What should my organisation be aware of?
As explained above, determining an appropriate break glass account process aligned with organisational risk appetite is key. Each time an element of this process is considered, the security architect must consider the following points:
- Who is the responsible owner?
- Does the additional step improve the process, increase the risk footprint or create an unnecessary hop in the chain?
- How does it impact the efficacy of the process?
- Does the proposed solution or element introduce additional vulnerabilities in the process?
This is the ‘black hole’ of break glass account management: as a security architect, the options are infinite. Determining an acceptable level of residual risk is therefore key to determining what is enough for your organisation.