Overview
"Break Glass" refers to the emergency procedures used when the primary PAM (Privileged Access Management) system is unavailable, or when a catastrophic incident requires immediate, unrestricted access to systems.
Imagine the PAM vault server crashes, or a ransomware attack locks up the network. If the vault is your only way to log in to servers, you are locked out of your own infrastructure. Break Glass accounts are the safety deposit box keys kept offline for exactly this scenario.
Architecture
Reference Pattern: Physical & Digital Separation
Break Glass credentials should NEVER depend on the system they are meant to bypass: not the vault, not its database, not its MFA provider, and not the network that connects them.
Diagram
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Storage | Digital Vault, Physical Safe | Physical Safe | If the network is down, a digital vault is useless. Use a physical safe as the root of trust. |
| Account Type | Domain Admin, Local Admin | Both | You need a Domain Admin to repair AD. You need Local Admin to repair the Domain Controllers if AD itself is down (on a Domain Controller this is the DSRM administrator password). |
| Access Control | Single User, Split Knowledge | Split Knowledge (e.g. Shamir's Secret Sharing, 2-of-3) | Require a threshold of holders to combine their shares before the password is usable. No single rogue admin can use it alone, and with 2-of-3 one absent holder does not block recovery. |
| Monitoring | SIEM Alert, Camera | SIEM + Human Protocol | Alert on any usage. But in a disaster the SIEM might be down too, so keep a physical sign-out log at the safe as the fallback record. |
| Testing | Never, Annually | Quarterly | If you don't test it, the password in the envelope is probably wrong: rotated by an admin or expired by policy since it was sealed. |
Implementation
Phase 1: Identify Accounts
- Select one "Emergency Domain Admin" account.
- Select one "Local Administrator" password for critical hardware.
- Select the "Root" account for the PAM Vault itself.
- Goal: Isolate the keys to the kingdom.
Phase 2: Secure Storage
- Generate complex passwords (e.g., 50 random characters from a CSPRNG, not a human-chosen phrase).
- Print them on paper or store them on an encrypted USB drive. If you use USB, the decryption passphrase needs its own offline copy and media can fail, so keep paper as well.
- Seal in tamper-evident envelopes, numbered and signed across the seal.
- Place in a safe requiring 2 people to open (or 2 keys).
- Goal: Physical security.
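The Split Knowledge decision in the table above and the Phase 2 steps both amount to one procedure: generate a long random password, split it so that no single holder has it, and seal one share per envelope. The block below is an added example written for this page (not code from the original article or from any PAM product) implementing that with Shamir's Secret Sharing over a prime field. It assumes the secret is a printable ASCII password of at most 50 characters (so it fits below the 521-bit prime) and that a 2-of-3 split is wanted: any two envelopes recover the password, one envelope reveals nothing, and one absent key holder does not block recovery.

```python
import secrets
import string

# Shamir's Secret Sharing over GF(p). Added example for this page; the
# prime 2^521 - 1 (a Mersenne prime) is large enough to hold a 50-byte
# secret encoded as an integer (400 bits < 521 bits).
PRIME = (1 << 521) - 1

# Character set for the generated break-glass password (assumed policy).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 50) -> str:
    """Phase 2: draw a random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + ak*x^k mod PRIME by Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: str, threshold: int, shares: int):
    """Split `secret` into `shares` points on a random polynomial of
    degree threshold-1 whose constant term is the secret.
    Returns a list of (x, y) pairs; print one pair per envelope."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret_int = int.from_bytes(secret.encode("utf-8"), "big")
    if secret_int >= PRIME:
        raise ValueError("secret too long for the field")
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points, threshold: int) -> str:
    """Recombine `threshold` shares by Lagrange interpolation at x = 0.
    Fewer than `threshold` shares is an error rather than a wrong answer."""
    pts = list(points)[:threshold]
    if len(pts) < threshold:
        raise ValueError("not enough shares to reach the threshold")
    xs = [x for x, _ in pts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret_int = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        lagrange = num * pow(den, -1, PRIME) % PRIME
        secret_int = (secret_int + yi * lagrange) % PRIME
    nbytes = (secret_int.bit_length() + 7) // 8
    return secret_int.to_bytes(nbytes, "big").decode("utf-8")


if __name__ == "__main__":
    # Worked flow: one password, three envelopes, any two recover it.
    password = generate_password()
    envelopes = split_secret(password, threshold=2, shares=3)
    for x, y in envelopes:
        print(f"envelope {x}: share = {y:0130x}")
    assert recover_secret([envelopes[0], envelopes[2]], 2) == password
    print("recovered OK from envelopes 1 and 3")
```

Each share is a 521-bit integer, which fits on a single printed line as hex; the share index (the x value) must be printed with it, since recombination needs both. After a drill the old shares are destroyed and a fresh password is split and resealed, which is why the split step is cheap to repeat.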
Phase 3: Protocol & Drill
- Write the procedure: "Who authorizes opening the safe? Who witnesses it? Where is the opening recorded?"
- Drill the procedure: actually open the safe, log in with the account, then rotate the password and reseal the new one.
- Goal: Muscle memory for disaster.
Risks
- Stale Credentials: You open the envelope during a fire, type the password, and it says "Incorrect Password." Someone rotated it (or a policy expired it) but nobody updated the envelope.
- Insider Threat: A rogue admin steals the envelope. Tamper-evident seals, cameras and a two-person rule for opening the safe are critical.
- Loss of Keys: The VP holding the safe key is on vacation during the outage. Have backups: more key holders than the number needed to open the safe.
- Over-reliance: Using Break Glass for "urgent" business requests instead of true disasters, which normalizes bypassing the PAM controls and buries real emergencies in the noise.
KPIs
- Event Frequency: Number of break-glass events per quarter, excluding scheduled drills (Target: 0; any non-drill use gets a review).
- Rotation Time: Time elapsed between credential use and the subsequent rotation (Target: < 4 hours).
- Incident Review Rate: Percentage of break-glass events with a documented post-incident review (Target: 100%).
- Drill Success Rate: Success rate of scheduled break-glass drills (can the team actually log in with the sealed credential?).
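The Monitoring decision ("alert on any usage") and the Event Frequency and Rotation Time KPIs above are all questions that can be answered from the same authentication log. The block below is an added example for this page, not the article's own tooling: it runs over a constructed CSV extract of Windows Security events (4624, successful logon; 4724, password reset attempted) and flags every logon by a break-glass account, measures how long it took until that account's password was next reset, and counts events per quarter. The account names and the log lines are invented for the example. Because the SIEM may itself be down during the disaster, this is written to run after the fact over exported logs rather than as a live SIEM rule.

```python
from datetime import datetime, timedelta

# Assumed break-glass account names (not from the page).
BREAK_GLASS_ACCOUNTS = {"bg-domainadmin", "bg-vaultroot"}

# Windows Security event IDs referenced by the constructed sample:
#   4624 = An account was successfully logged on
#   4724 = An attempt was made to reset an account's password
LOGON_EVENT = "4624"
PW_RESET_EVENT = "4724"
ROTATION_SLA = timedelta(hours=4)  # the page's "< 4 hours" KPI

# Constructed sample extract: timestamp,event_id,target_account,host
SAMPLE_LOG = """\
2024-05-03T02:10:00Z,4624,bg-domainadmin,DC01
2024-05-03T02:15:30Z,4624,jsmith,WS22
2024-05-03T05:40:00Z,4724,bg-domainadmin,DC01
2024-05-06T09:00:00Z,4624,bg-vaultroot,VAULT01
2024-05-06T15:30:00Z,4724,bg-vaultroot,VAULT01
2024-05-07T11:00:00Z,4624,bg-domainadmin,DC02
"""


def parse_line(line: str) -> dict:
    """Parse one CSV line of the constructed extract into a dict."""
    ts, event_id, account, host = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event_id,
        "account": account,
        "host": host,
    }


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_break_glass_events(events: list) -> list:
    """Alert condition: ANY successful logon by a break-glass account."""
    return [
        e for e in events
        if e["event"] == LOGON_EVENT and e["account"] in BREAK_GLASS_ACCOUNTS
    ]


def rotation_report(events: list) -> list:
    """For each break-glass logon, find the first password reset of that
    account at or after the logon and grade it against ROTATION_SLA.
    A logon with no later reset is reported as 'not_rotated'."""
    report = []
    for use in find_break_glass_events(events):
        later_resets = [
            e["ts"] for e in events
            if e["event"] == PW_RESET_EVENT
            and e["account"] == use["account"]
            and e["ts"] >= use["ts"]
        ]
        if later_resets:
            delay = min(later_resets) - use["ts"]
            status = "ok" if delay <= ROTATION_SLA else "late"
        else:
            delay, status = None, "not_rotated"
        report.append({
            "account": use["account"],
            "host": use["host"],
            "used_at": use["ts"],
            "rotation_delay": delay,
            "status": status,
        })
    return report


def count_by_quarter(events: list) -> dict:
    """Event Frequency KPI: break-glass logons per calendar quarter."""
    counts = {}
    for e in find_break_glass_events(events):
        key = f"{e['ts'].year}Q{(e['ts'].month - 1) // 3 + 1}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in rotation_report(evs):
        print(f"{row['used_at']} {row['account']}@{row['host']}: "
              f"{row['status']} (delay={row['rotation_delay']})")
    print("per quarter:", count_by_quarter(evs))
```

On the sample the first use is rotated after 3h30m (ok), the vault root use after 6h30m (late), and the last Domain Admin logon has no reset at all, which is the case the KPI should surface most loudly. Drill logons look identical to real ones in the log, so the drill calendar has to be joined in before the quarterly count is reported.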
