Break-Glass Access Control For Business Owners

Dashrender

@Dashrender said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@NashBrydges said in Break-Glass Access Control For Business Owners:

That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.

Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.

Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."

Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).

Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.

that's not notification. that's verification for sure, but not what I would consider notification.

OK I saw Scott's log comment - and sure, but notification - isn't the same as verification.

How is the envelope being opened an act of notifying someone/something?

Dashrender

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@Dashrender said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@NashBrydges said in Break-Glass Access Control For Business Owners:

That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.

Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.

Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."

Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).

Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.

that's not notification. that's verification for sure, but not what I would consider notification.

That's my point, the notification should be that someone, somewhere is alerted that the seal on the envelop has been broken and the credentials used.

agreed - I'd have accepted something like - log monitoring is in place to notify us if that username is used to log into the system - then you have notification.

scottalanmiller

@Dashrender said in Break-Glass Access Control For Business Owners:

How is the envelope being opened an act of notifying someone/something?

How is anything? By looking at it. How is email, text, XML file... by giving you something to look at when you choose to look, whenever you choose to look.

scottalanmiller

@Dashrender said in Break-Glass Access Control For Business Owners:

agreed - I'd have accepted something like - log monitoring is in place to notify us if that username is used to log into the system - then you have notification.

How do you see those logs? How is an opened envelope not a log? It is. A cumbersome one, but it's still a logged event. You can check anytime, just like with a normal log, to see if the event has or hasn't happened. So logs are a great analogy because they are exactly the same - the event is recorded and you can look for it if you so choose.

DustinB3403

@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

DustinB3403

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

So what if the envelop is just lost or destroyed? The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

DustinB3403

As an example you could use a bright enough light to peer through the envelop and read the credential's shadow.

In that case, the envelop is still sealed and perfectly qualifies as not exposed. But the credentials may have been used (or at least are known to someone, possibly the owner, some previous IT person etc).

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

So what if the envelop is just lost or destroyed?

Then it is compromised and you have to reset the creds for sure!

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

Exactly what I said. If you can't prove it hasn't been compromised, you must assume that it has. That simple, nothing to imply or read into.

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

No, I didn't say that. Not sure why you think that that's the implication. If I wanted to know that, we'd do something very different.

scottalanmiller

Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

DustinB3403

@scottalanmiller said in Break-Glass Access Control For Business Owners:

Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

That's a totally different matter and not of concern. We don't care if they've been used. If you care if they've been used, you need logging for that. But that's an unrelated concern to the one in this topic.

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

JaredBusch

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

Not everyone. Only @DustinB3403

DustinB3403

@JaredBusch said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

Not everyone. Only @DustinB3403

Har har

stacksofplates

You could use a tool like Vault. Then you'd have access logs for credentials.

stacksofplates

Plus you'd get things like single use passwords, SSH CA, encryption as a service, and some more