How a PAM Solution Can Help With Break Glass Situations

Disaster planning and recovery is a critical piece of any IT security plan. When there’s a service disruption such as a cyber attack or a prolonged power outage, an administrators’ priority is to regain secure access to critical systems to protect their organisations’ systems and data. Regaining access typically involves a process called ‘break glass’ — checking out a system account password for use by a human user when an emergency situation arises and traditional access methods have failed.

We’ve written about the importance of providing security around privileged accounts with a break glass process in a previous blog post. Using a privileged password management solution can not only help protect your organization’s most critical data, it can help you reduce risk and the attack surface by proactively managing access to all of your privileged accounts.

Although the term is fairly well defined, the application of the break glass process brings unique challenges. Let’s consider a few use cases:

  1. Web server process fails in the middle of the night. The only people available to troubleshoot and restart the server are help desk personnel that do not generally have access to administrative credentials on the server. In this scenario, a mechanism to provide emergency access to the admin username and password would be employed. After the server is restarted, the credentials should be scrambled so that unauthorized exposure after the break glass incident is prevented.
  2. Organization uses a password manager to store passwords to their network firewalls. Due to a misconfiguration, the network firewalls go down, preventing access to the internal network. The on-call network firewall admin is at home but cannot access the firewalls as the credentials are stored on the password manager within the internal network. The network admin needs to access a copy of the credentials stored in a cloud DR location.
  3. The password manager that an organization uses to store credentials stops working. Administrators need to access credentials to be able to perform their duties. Without the password manager, the company is effectively cut off from its systems. A comprehensive break glass solution is required to give the admins access back to their critical systems, and restore the password management solution

PowerBroker Password Safe discovers and profiles all known and unknown assets, shared accounts, user accounts, and service accounts helping IT maintain control. With Password Safe, IT teams can quickly identify assets with common traits and automatically place them under Password Safe management via Smart Rules to reduce the number of attack surfaces.

For break glass, Password Safe can give you access to your critical systems in emergencies, and as a tier one system, can provide comprehensive deployment methodologies to ensure that credentials remain accessible through failure of any component, including the ability to access credentials in cloud-based DR, outside of the corporate infrastructure.

PowerBroker Password Safe provides a secure connection gateway, with the ability to proxy access to RDP, SSH, and Windows applications. Leveraging dynamic assignment of just-in-time privileges via Advanced Workflow Control, organizations may lock down access to resources based upon the day, date, time, and location.

BeyondTrust have created a technical brief, “How to Access Privileged Passwords in ‘Break Glass’ Scenarios”, to help you develop procedures based on best practices. If you’d like to learn more about how BeyondTrust’s solutions can help you address your privileged access management challenges, feel free to contact us to arrange a personalized demo.

Source link