Break-Glass Access Control For Business Owners

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

DustinB3403

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

So what if the envelop is just lost or destroyed? The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

DustinB3403

As an example you could use a bright enough light to peer through the envelop and read the credential's shadow.

In that case, the envelop is still sealed and perfectly qualifies as not exposed. But the credentials may have been used (or at least are known to someone, possibly the owner, some previous IT person etc).

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

So what if the envelop is just lost or destroyed?

Then it is compromised and you have to reset the creds for sure!

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

Exactly what I said. If you can't prove it hasn't been compromised, you must assume that it has. That simple, nothing to imply or read into.

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

No, I didn't say that. Not sure why you think that that's the implication. If I wanted to know that, we'd do something very different.

scottalanmiller

Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

DustinB3403

@scottalanmiller said in Break-Glass Access Control For Business Owners:

Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

That's a totally different matter and not of concern. We don't care if they've been used. If you care if they've been used, you need logging for that. But that's an unrelated concern to the one in this topic.

scottalanmiller

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

JaredBusch

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

Not everyone. Only @DustinB3403

DustinB3403

@JaredBusch said in Break-Glass Access Control For Business Owners:

@scottalanmiller said in Break-Glass Access Control For Business Owners:

@DustinB3403 said in Break-Glass Access Control For Business Owners:

In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

Not everyone. Only @DustinB3403

Har har

stacksofplates

You could use a tool like Vault. Then you'd have access logs for credentials.

stacksofplates

Plus you'd get things like single use passwords, SSH CA, encryption as a service, and some more