Break-Glass Access Control For Business Owners
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
As stated here, wondering what process/tools people use for this process.
A set of one-time credentials, set up and not managed by the leaving IT party/personnel, that are put into a vault at the time of creation and only used for that case.
The creator of the credentials doesn't actually set the password(s).
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
-
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
In my case, if my clients accessed this storage/file, it would be important to know. Not only would that mean they are potentially looking to terminate the relationship (not too worrying since this is part of doing business... the majority of my clients are from other IT service providers who have screwed the pooch), but there may also have been some reason for someone to access the credentials and, provided I'm still the service provider of choice, I would now need to closely evaluate what was done and what caused them to need to access those credentials.
*edited for spelling
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
-
@NashBrydges said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
In my case, if my clients accessed this storage/file, it would be important to know. Not only would that mean they are potentially looking to terminate the relationship (not too worrying since this is part of doing business... the majority of my clients are from other IT service providers who have screwed the pooch), but there may also have been some reason for someone to access the credentials and, provided I'm still the service provider of choice, I would now need to closely evaluate what was done and what caused them to need to access those credentials.
*edited for spelling
This wouldn't tell you if they are planning to leave you, but the simplest and most common mechanism is a sealed envelope. Just print up what is needed, seal it (maybe wax seal it too) and then keep that safe (vault at home or whatever.) Something that is protected, but has to be broken to get into. The point is when you question how access happened, they can produce the original, sealed envelope to show that the passwords were not accessed.
-
And if they need to be accessed, just reset them, and put them into a sealed envelope again. Not a heavy process.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
But if someone never sees the envelope, how would others know?
If a tree falls in a forest and there is nothing around to hear it fall, does it make a sound?
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelope, how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
If a tree falls in a forest and there is nothing around to hear it fall, does it make a sound?
No, but it, wait for it, logs that it has fallen. JAJAJAJAJA
No, but seriously. It's not about making a sound, it's about being able to see if it fell. Which you can.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelope, how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelope?
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelope, how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelope?
Looking at it.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelope, how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelope?
Looking at it.
That isn't an alert though, as one could easily create a duplicate set of the envelope and put that new copy in place of the original.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelope, how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelope?
Looking at it.
That isn't an alert though, as one could easily create a duplicate set of the envelope and put that new copy in place of the original.
That's why you seal it. It's trivial to make it essentially impossible to replicate. The point isn't making it actually impossible, but to make it hard and obvious that it was accessed. That's easy to do. This isn't about stopping a government-sponsored hacking organization, this is about keeping a small-time business owner from using their access secretly.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
this is about keeping a small time business owner from using their access secretly
On what grounds as an MSP or ITSP would you care if a business owner used their access? I guess I'm not following the argument being made here.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
That's not notification. That's verification for sure, but not what I would consider notification.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
this is about keeping a small time business owner from using their access secretly
On what grounds as an MSP or ITSP would you care if a business owner used their access? I guess I'm not following the argument being made here.
Oh, that's easy - if the MSP/ITSP IS the IT department, and the owner/company uses these creds and breaks things, the MSP/ITSP can say "we didn't break it, therefore you'll be paying for these repairs."
-
@Dashrender said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
That's not notification. That's verification for sure, but not what I would consider notification.
That's my point, the notification should be that someone, somewhere is alerted that the seal on the envelope has been broken and the credentials used.
-
@Dashrender said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would set up some kind of process so that I can be notified when they actually "break the glass". I think an important piece of the puzzle I'm trying to solve is being notified when they access the credentials storage/file.
Break-glass would, in my mind, be used because you had an emergency (like firing your IT personnel); a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
That's not notification. That's verification for sure, but not what I would consider notification.
OK, I saw Scott's log comment, and sure, but notification isn't the same as verification.
How is the envelope being opened an act of notifying someone/something?
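A digital analogue of the sealed envelope argued over in this thread, added here as an example (not code from any poster): the IT provider keeps a seal key and an out-of-band witness log that the owner cannot edit, so opening the envelope is both verifiable (the hash chain anchored at the seal) and notified (the witness callback fires on every access). Every name, key and credential value below is constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed example: the provider holds seal_key and the witness log; the owner
# holds the envelope and may open it whenever the "emergency" arises.
def _entry_digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class BreakGlassEnvelope:
    def __init__(self, credentials: dict, seal_key: bytes, witness):
        self._credentials = credentials
        self._witness = witness            # out-of-band notification sink
        self.log = []                      # hash-chained local access log
        self._append("sealed", seal_key)   # genesis entry carries the "wax seal"
        self.seal = self.log[0]["mac"]     # the provider records this value
    def _append(self, event: str, key: bytes = b"") -> None:
        prev = self.log[-1]["digest"] if self.log else "0" * 64
        entry = {"event": event, "prev": prev, "ts": time.time()}
        entry["digest"] = _entry_digest(entry)
        entry["mac"] = hmac.new(key, entry["digest"].encode(), hashlib.sha256).hexdigest() if key else ""
        self.log.append(entry)
        self._witness(entry)               # the notification the thread asks for
    def open(self, reason: str) -> dict:
        """Break the glass: hand out the credentials, but never silently."""
        self._append(f"opened:{reason}")
        return dict(self._credentials)

def verify_unopened(seal: str, seal_key: bytes, witnessed: list) -> bool:
    """Provider-side check: chain starts at the recorded seal, is intact, has no open event."""
    if not witnessed:
        return False
    expected = hmac.new(seal_key, witnessed[0]["digest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False
    prev = "0" * 64
    for e in witnessed:
        body = {k: v for k, v in e.items() if k not in ("digest", "mac")}
        if e["prev"] != prev or _entry_digest(body) != e["digest"]:
            return False
        prev = e["digest"]
    return all(not e["event"].startswith("opened") for e in witnessed)

def demo():
    provider_log = []                      # lives with the provider, not the owner
    key = b"constructed-seal-key-held-by-provider"
    env = BreakGlassEnvelope({"domain-admin": "constructed-pw"}, key, provider_log.append)
    before = verify_unopened(env.seal, key, provider_log)
    creds = env.open("provider unreachable during outage")
    env.log.clear()                        # owner hides the access locally...
    after = verify_unopened(env.seal, key, provider_log)  # ...but the witness copy already has it
    return before, after, creds["domain-admin"]
```

The local log alone is the "just look at the envelope" check and can be replaced, as the thread points out; the witness copy is what turns verification into notification.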