Are root / global-admin accounts protected with hardware MFA and reserved for break-glass only?
Demonstrate that root and global administrator accounts are secured with hardware MFA, access is restricted to break-glass emergencies only, and usage is monitored and justified.
Description
What this control does
This control ensures that accounts with the highest privilege levels (root, global administrator, enterprise admin) are protected by hardware-based multi-factor authentication tokens (e.g., FIDO2 security keys, smart cards) and are used exclusively for emergency break-glass scenarios, not routine administration. Normal operations are performed using lower-privileged accounts with role-based access. This control prevents credential theft attacks from compromising the entire environment and enforces least-privilege principles at the highest access tier.
Control objective
What auditing this proves
Demonstrate that root and global administrator accounts are secured with hardware MFA, access is restricted to break-glass emergencies only, and usage is monitored and justified.
Associated risks
Risks this control addresses
- Compromise of global administrator credentials through phishing or malware enables unrestricted access to all systems and data across the entire environment
- Software-based MFA bypass via session hijacking, push-bombing, or SIM-swapping attacks allows adversaries to authenticate as privileged users
- Routine use of highly privileged accounts expands the attack surface and increases exposure time for credential harvesting
- Insider threat actors with persistent global admin access can exfiltrate data, create backdoors, or destroy audit trails without detection
- Lack of break-glass controls delays incident response when standard authentication mechanisms fail during outages or security events
- Shared or unaccounted privileged accounts enable malicious activity without attribution or accountability
- Lateral movement from compromised administrative workstations grants attackers persistent enterprise-wide control
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all root, global administrator, and equivalent superuser accounts across identity providers, cloud tenants, directory services, and infrastructure platforms.
- Review authentication policies and configuration exports for each privileged account to confirm hardware MFA enforcement (e.g., Azure AD Conditional Access policies, AWS IAM policies, Active Directory smart card requirements).
- Inspect registered MFA devices for each privileged account and verify they are hardware tokens (FIDO2, YubiKey, smart card) rather than software authenticators or SMS.
- Examine access logs for the past 90 days for each privileged account to identify usage frequency, duration, and context of authentication events.
- For each instance of privileged account usage, obtain corresponding change tickets, incident reports, or break-glass justification documentation.
- Interview IT leadership to confirm the existence and enforcement of break-glass procedures, including account activation workflows and emergency access protocols.
- Review user provisioning records and role assignments to verify that routine administrative tasks are delegated to lower-privileged, named user accounts with appropriate RBAC.
- Test a sample privileged account by attempting authentication without hardware MFA or through a non-break-glass workflow to validate technical enforcement.
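As an added illustration of the log-review steps above (registered MFA method, 90-day usage window, ticket justification), the following script is example code written for this page, not part of the control text or any vendor tool. The account names, timestamps, authentication methods and ticket numbers are constructed sample data; a real review would feed it an identity-provider sign-in export and the change/incident ticket register.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real accounts, tickets or log exports).
HARDWARE_METHODS = {"fido2", "smartcard"}               # methods that satisfy the hardware-MFA requirement
TICKET_REGISTER = {"INC-1042", "CHG-0077", "CHG-0011"}  # break-glass / change tickets on file
AS_OF = datetime(2024, 4, 15)                           # review date; look-back runs 90 days before it
SIGNINS = [  # one record per privileged-account authentication, as an IdP export might provide
    {"account": "breakglass-ga-01", "ts": "2024-03-02T03:14:00", "method": "fido2", "ticket": "INC-1042"},
    {"account": "breakglass-ga-01", "ts": "2024-03-20T11:02:00", "method": "fido2", "ticket": ""},
    {"account": "aws-root", "ts": "2024-02-10T09:30:00", "method": "totp", "ticket": "CHG-0077"},
    {"account": "aws-root", "ts": "2024-03-15T16:45:00", "method": "fido2", "ticket": "CHG-9999"},
    {"account": "aws-root", "ts": "2024-01-05T08:00:00", "method": "fido2", "ticket": "CHG-0011"},
]

def review_signins(signins, tickets, as_of, window_days=90, max_uses=3, hardware=HARDWARE_METHODS):
    """Check every in-window sign-in for hardware MFA and a justifying ticket.

    Returns {account: {"uses": n, "findings": [str, ...]}} for each account that
    authenticated inside the look-back window; an empty findings list means the
    account's usage passed every check.
    """
    start = as_of - timedelta(days=window_days)
    results = {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if not start <= ts <= as_of:
            continue  # outside the 90-day look-back the procedure specifies
        r = results.setdefault(ev["account"], {"uses": 0, "findings": []})
        r["uses"] += 1
        if ev["method"].lower() not in hardware:
            r["findings"].append(f"{ev['ts']}: non-hardware MFA method '{ev['method']}'")
        if not ev["ticket"]:
            r["findings"].append(f"{ev['ts']}: no break-glass ticket cited")
        elif ev["ticket"] not in tickets:
            r["findings"].append(f"{ev['ts']}: ticket {ev['ticket']} not in register")
    for r in results.values():  # frequent use suggests routine admin work, not break-glass
        if r["uses"] > max_uses:
            r["findings"].append(f"{r['uses']} sign-ins in {window_days} days exceeds break-glass expectation of {max_uses}")
    return results

if __name__ == "__main__":
    for acct, r in review_signins(SIGNINS, TICKET_REGISTER, AS_OF).items():
        print(acct, f"uses={r['uses']}", *r["findings"], sep="\n  ")
```

The `max_uses` threshold is an assumption for illustration; set it to whatever the organisation's break-glass procedure defines as tolerable.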