Break-glass accounts protected
Demonstrate that break-glass accounts are configured with security controls appropriate to their elevated risk, monitored for unauthorized use, restricted from routine operations, and subject to auditable access procedures.
Description
What this control does
Break-glass accounts are emergency privileged accounts used when normal authentication mechanisms fail or during critical incidents requiring immediate elevated access. This control ensures these accounts are secured through strong passwords, monitored continuously, restricted from routine use, and subject to strict access policies, with any exemption from MFA permitted only where it is genuinely necessary. Protection includes secure credential storage (sealed envelopes, vaults), change control for credential rotation, and real-time alerting on any authentication attempt. Without proper safeguards, break-glass accounts become attractive targets for attackers seeking persistent privileged access or a means to bypass standard identity controls.
Control objective
What auditing this proves
Demonstrate that break-glass accounts are configured with security controls appropriate to their elevated risk, monitored for unauthorized use, restricted from routine operations, and subject to auditable access procedures.
Associated risks
Risks this control addresses
- Attackers compromise break-glass credentials through weak passwords or insecure storage and gain unrestricted privileged access to critical systems
- Insiders abuse break-glass accounts for unauthorized activities without detection due to insufficient logging or monitoring
- Break-glass accounts are used routinely instead of normal accounts, normalizing their presence and masking malicious activity
- Credentials remain static for extended periods without rotation, increasing exposure window if compromised
- Multiple personnel know break-glass credentials simultaneously without accountability for who accessed systems during incidents
- Break-glass authentication bypasses MFA and conditional access policies, creating a permanent gap in zero-trust architecture
- Lack of automated alerting delays detection of break-glass account usage until routine log review occurs days or weeks later
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all break-glass, emergency, and fire-drill accounts across identity providers, directory services, cloud tenants, and privileged access management systems.
- Review authentication policies applied to each break-glass account to verify password complexity requirements, account lockout configurations, and any exceptions to standard MFA enforcement.
- Inspect credential storage procedures by examining physical storage locations (sealed envelopes, safes) and digital vaults, confirming access controls and tamper-evidence mechanisms are documented.
- Examine SIEM rules, alerting configurations, or monitoring dashboards to verify real-time notifications trigger immediately upon any break-glass account authentication or failed login attempt.
- Sample authentication logs from the past 12 months for each break-glass account to identify all usage events and verify each corresponds to a documented incident, drill, or approved maintenance window.
- Review change management records for break-glass credential rotation, confirming rotation occurs at defined intervals and after each use or personnel change.
- Test one break-glass account by initiating a controlled authentication attempt and verifying that alerts fire within the defined SLA, that logs capture the event with sufficient detail, and that the authentication requires documented approval or a break-seal procedure.
- Interview incident response and IT operations personnel to confirm they understand break-glass account usage procedures, approval workflows, and post-use reporting requirements.
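As an added example (not part of this control text), the following Python script performs the log-sampling step above: it reads constructed sign-in records, keeps only events for accounts in a hypothetical break-glass inventory, and reports every failed attempt and every successful sign-in that does not fall inside an approved window taken from a constructed incident/drill register. The account names, ticket identifiers and log format are assumptions.

```python
import json
from datetime import datetime

# Constructed inventory of break-glass accounts (hypothetical names).
BREAK_GLASS_ACCOUNTS = {"bg-admin-01@example.com", "bg-admin-02@example.com"}

# Constructed approval register: each approved usage window is tied to a ticket.
APPROVED_WINDOWS = [
    {"account": "bg-admin-01@example.com", "ticket": "INC-1001",
     "start": "2024-03-10T02:00:00Z", "end": "2024-03-10T06:00:00Z"},
    {"account": "bg-admin-02@example.com", "ticket": "DRILL-07",
     "start": "2024-06-01T09:00:00Z", "end": "2024-06-01T10:00:00Z"},
]

# Constructed sign-in log (one JSON object per line), resembling an IdP export.
SAMPLE_LOG = """\
{"ts": "2024-03-10T02:14:05Z", "user": "bg-admin-01@example.com", "result": "success", "ip": "203.0.113.5"}
{"ts": "2024-03-10T02:15:00Z", "user": "alice@example.com", "result": "success", "ip": "198.51.100.7"}
{"ts": "2024-04-22T23:41:10Z", "user": "bg-admin-01@example.com", "result": "success", "ip": "203.0.113.9"}
{"ts": "2024-05-02T11:03:44Z", "user": "bg-admin-02@example.com", "result": "failure", "ip": "192.0.2.33"}
{"ts": "2024-06-01T09:30:00Z", "user": "bg-admin-02@example.com", "result": "success", "ip": "203.0.113.5"}
"""

def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def reconcile(log_text, accounts=BREAK_GLASS_ACCOUNTS, windows=APPROVED_WINDOWS):
    """Return one finding per break-glass event that is either a failed attempt
    or a successful sign-in with no matching approved incident/drill window."""
    findings = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if event["user"] not in accounts:
            continue  # routine accounts are outside the scope of this control
        if event["result"] != "success":
            # Every failed attempt against a break-glass account needs follow-up.
            findings.append({"ts": event["ts"], "user": event["user"],
                             "reason": "failed_attempt"})
            continue
        ts = parse_ts(event["ts"])
        tickets = [w["ticket"] for w in windows if w["account"] == event["user"]
                   and parse_ts(w["start"]) <= ts <= parse_ts(w["end"])]
        if not tickets:
            findings.append({"ts": event["ts"], "user": event["user"],
                             "reason": "unapproved_use"})
    return findings

if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOG):
        print(f)
```

The two findings it reports (an unapproved sign-in and a failed attempt) are exactly the events an auditor would ask the control owner to account for.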