
September 01, 2024

What is a Break Glass Account?

In the world of IT management and cybersecurity, terms often come up that can sometimes sound a bit mysterious, but play a crucial role in securing systems.
One such term is the Break Glass account.
But what exactly is it, and why is it so important?

What is a Break Glass Account 🔐?

A Break Glass account is a special administrator account that provides access to critical systems in the event of failures or security incidents.
This account is like an “emergency hammer” that you use to access systems when other access methods fail.
Consider situations where:

  • A major security incident occurs.
  • There is a malfunction in the systems that normally provide access.
  • MFA (Multi-Factor Authentication) is not available.

MFA Required for Administrators as of Oct. 15 🔐

It is important to note that as of Oct. 15, MFA is mandatory for all administrator accounts.
This means that administrators can only access systems through an additional layer of security, such as a code sent to their mobile device.
This measure is intended to further strengthen the security of critical systems and minimize the risk of unauthorized access.
While MFA is essential, there are situations where MFA services are not available or where quick access to systems is required without delay.
In such cases, a Break Glass account is crucial because it provides access without the need for MFA while still adhering to strong security measures such as strong passwords and the use of FIDO2 keys.

Why is a Break Glass Account important? 💡

Having a Break Glass account is not a luxury, but a necessity for any organization serious about cybersecurity.
Here are some reasons why this account is essential:

  • Emergency access: When regular access methods fail, the Break Glass account still provides a way in to manage critical systems.
  • Minimal downtime: By guaranteeing access at all times, the time systems are unavailable is minimized.
  • Security incident management: In the event of a cyberattack, a Break Glass account can enable administrators to respond quickly and effectively.

How does a Break Glass Account work? ⚙️

A Break Glass account is usually configured differently than other administrator accounts:

  • MFA Disabled: MFA is often disabled for this account to ensure access at all times, even when MFA services are not available.
  • Strong Passwords: The account has a very strong and unique password that is regularly checked and changed.
  • Restricted Use: The account is used only in emergency situations and access is closely monitored and logged.
  • Use of FIDO2 keys: Although MFA is often disabled for Break Glass accounts, using FIDO2 keys can add an extra layer of security without relying on traditional MFA methods.
    These keys provide strong, hardware-based authentication that is difficult to bypass.

Best Practices for Break Glass Accounts 📋

When setting up a Break Glass account, there are some best practices you should always follow to ensure security:

  • Documentation: Provide clear documentation of when and how the account may be used.
  • Monitoring: Closely monitor all access attempts to the account.
  • Regular audits: Perform periodic audits to ensure that the account still meets security standards.
  • Restricted Access: Ensure that only a limited number of trusted individuals know about the existence and login credentials of the Break Glass account.
  • Exclusion from Conditional Access: Ensure that the Break Glass account is excluded from all conditional access policies.
    This is critical to ensure that the account always remains accessible even when there are conditional access issues.
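The "Monitoring" practice above means every sign-in attempt on the account, successful or not, should raise an alert. The following is an added example (not code from the article or from ALTA-ICT) that runs that detection over sign-in records shaped like Entra ID sign-in log entries; the account name, IP addresses and log entries are constructed placeholders.

```python
# Added example: detection logic for Break Glass account usage.
# Records are dicts shaped like Entra ID sign-in log entries
# (userPrincipalName, createdDateTime, ipAddress, status.errorCode).
# The account name and all sample entries below are constructed.
from collections import Counter

BREAK_GLASS_UPNS = {"breakglass1@example.onmicrosoft.com"}  # assumed name
FAILURE_THRESHOLD = 3  # failed attempts from one IP before flagging as "high"

def is_success(record):
    # Entra sign-in logs report errorCode 0 for a successful sign-in
    return record.get("status", {}).get("errorCode", 0) == 0

def detect_break_glass_activity(records, break_glass=BREAK_GLASS_UPNS):
    """Return alerts for any activity on Break Glass accounts.
    Any successful sign-in is critical (the account is only for declared
    emergencies); repeated failures from one IP are flagged as high."""
    alerts = []
    failures = Counter()
    for r in records:
        upn = r.get("userPrincipalName", "").lower()
        if upn not in break_glass:
            continue
        if is_success(r):
            alerts.append({"severity": "critical", "upn": upn,
                           "ip": r.get("ipAddress"), "time": r.get("createdDateTime"),
                           "reason": "Break Glass sign-in succeeded"})
        else:
            failures[(upn, r.get("ipAddress"))] += 1
    for (upn, ip), n in failures.items():
        sev = "high" if n >= FAILURE_THRESHOLD else "medium"
        alerts.append({"severity": sev, "upn": upn, "ip": ip, "time": None,
                       "reason": f"{n} failed sign-in attempt(s) on Break Glass account"})
    return alerts

# Constructed sample: one success, three failures from another IP, one normal user.
SAMPLE_RECORDS = [
    {"userPrincipalName": "breakglass1@example.onmicrosoft.com",
     "createdDateTime": "2024-09-01T02:14:07Z", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.onmicrosoft.com",
     "createdDateTime": "2024-09-01T08:00:00Z", "ipAddress": "198.51.100.5",
     "status": {"errorCode": 0}},
] + [
    {"userPrincipalName": "BreakGlass1@example.onmicrosoft.com",
     "createdDateTime": f"2024-09-01T03:0{i}:00Z", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}}  # 50126: invalid username or password
    for i in range(3)
]

if __name__ == "__main__":
    for a in detect_break_glass_activity(SAMPLE_RECORDS):
        print(a)
```

Feed this the sign-in export from your tenant and route anything it returns to the on-call channel, since the account should otherwise show no activity at all.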

Why Exclude Break Glass Accounts from Conditional Access? ❌

Break Glass accounts have a specific purpose: to provide guaranteed emergency access to critical systems.
Subjecting these accounts to conditional access may undermine the account’s intended purpose.
Here are some reasons why excluding Break Glass accounts from conditional access is best practice:

  • Always accessible: Excluding Break Glass accounts ensures that these accounts always have access regardless of circumstances such as location, device used or risk level.
  • Avoid lockout: Suppose there is a problem with conditional access, such as a configuration error or a failure of the service that enforces these policies.
    In that case, a Break Glass account covered by these policies would be locked out as well, which would negate the usefulness of the account.
  • Emergency access without barriers: In an emergency situation, speed is critical.
    Excluding Break Glass accounts from conditional access avoids unnecessary delays and allows administrators to act quickly.
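The exclusion the best practices list and this section call for is easy to get wrong when new policies are added, so the "regular audits" practice should check it. The following is an added example (not code from the article or from ALTA-ICT) that evaluates policies shaped like the Microsoft Graph conditionalAccessPolicy resource (conditions.users.includeUsers/excludeUsers/includeGroups/excludeGroups/includeRoles/excludeRoles) and reports every enabled policy that still covers the Break Glass account; all ids, group names and policies are constructed.

```python
# Added example: audit that a Break Glass account is excluded from every
# enabled Conditional Access policy. Policy dicts follow the Graph
# conditionalAccessPolicy shape; all ids and names below are constructed.

ALL_USERS = "All"  # Graph uses the literal "All" in includeUsers

def _targeted(users, account):
    """True if the include* lists of a policy cover the account."""
    return (ALL_USERS in users.get("includeUsers", [])
            or account["id"] in users.get("includeUsers", [])
            or bool(set(users.get("includeGroups", [])) & account["groups"])
            or bool(set(users.get("includeRoles", [])) & account["roles"]))

def _excluded(users, account):
    """True if an exclude* list removes the account from the policy again."""
    return (account["id"] in users.get("excludeUsers", [])
            or bool(set(users.get("excludeGroups", [])) & account["groups"])
            or bool(set(users.get("excludeRoles", [])) & account["roles"]))

def policies_covering(policies, account):
    """Names of enabled policies that would still apply to the account,
    i.e. the exclusions that are missing. Report-only and disabled
    policies are skipped because they do not block a sign-in."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled"
            and _targeted(p.get("conditions", {}).get("users", {}), account)
            and not _excluded(p.get("conditions", {}).get("users", {}), account)]

# Constructed Break Glass account: object id, group and directory role ids.
BREAK_GLASS = {"id": "bg-0001", "groups": {"grp-admins"}, "roles": {"role-global-admin"}}

# Constructed policies: only the first one excludes the account correctly.
POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-global-admin"],
                              "excludeUsers": ["bg-0001"]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Require compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"],
                              "excludeGroups": ["grp-breakglass"]}}},
    {"displayName": "Sign-in risk (report only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]

if __name__ == "__main__":
    for name in policies_covering(POLICIES, BREAK_GLASS):
        print("missing exclusion:", name)
```

Run it after every policy change; an empty result means the account is excluded everywhere, and anything else is a policy that could lock the account out exactly when it is needed.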

Conclusion 🛡️

A Break Glass account is a critical component of a robust IT security strategy.
It provides a last resort in situations where access to critical systems is at risk of being lost.
By setting it up correctly, excluding it from conditional access, considering the use of FIDO2 keys, and following best practices, organizations can ensure they are prepared for any emergency situation.
At ALTA-ICT, we use FIDO2 keys in all of our modern workplace packages to ensure that our customers always have access to their critical systems, even in emergency situations.
This enhances the security and reliability of our solutions, keeping your organization well protected from unexpected events.
As an IT administrator or security professional, it is advisable to think about implementing a Break Glass account within your organization.
It is better to be prepared for the unexpected than to have to respond to a crisis after the fact.

Need Help?

Are you running into challenges as an organization or need additional support?
We are ready to help you and make sure everything is taken care of in a timely and correct manner! Check out our contact page and get in touch with us.
