ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Break-Glass Access Control For Business Owners

    Scheduled Pinned Locked Moved IT Discussion
    40 Posts 6 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @DustinB3403
      last edited by

      @DustinB3403 said in Break-Glass Access Control For Business Owners:

      @scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

      We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

      DustinB3403D 1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @scottalanmiller
        last edited by

        @scottalanmiller said in Break-Glass Access Control For Business Owners:

        @DustinB3403 said in Break-Glass Access Control For Business Owners:

        @scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?

        We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.

        So what if the envelop is just lost or destroyed? The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

        My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

        scottalanmillerS 3 Replies Last reply Reply Quote 0
        • DustinB3403D
          DustinB3403
          last edited by

          As an example you could use a bright enough light to peer through the envelop and read the credential's shadow.

          In that case, the envelop is still sealed and perfectly qualifies as not exposed. But the credentials may have been used (or at least are known to someone, possibly the owner, some previous IT person etc).

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @DustinB3403
            last edited by

            @DustinB3403 said in Break-Glass Access Control For Business Owners:

            So what if the envelop is just lost or destroyed?

            Then it is compromised and you have to reset the creds for sure!

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @DustinB3403
              last edited by

              @DustinB3403 said in Break-Glass Access Control For Business Owners:

              The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.

              Exactly what I said. If you can't prove it hasn't been compromised, you must assume that it has. That simple, nothing to imply or read into.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @DustinB3403
                last edited by

                @DustinB3403 said in Break-Glass Access Control For Business Owners:

                My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.

                No, I didn't say that. Not sure why you think that that's the implication. If I wanted to know that, we'd do something very different.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller
                  last edited by

                  Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

                  Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

                  DustinB3403D 1 Reply Last reply Reply Quote 0
                  • DustinB3403D
                    DustinB3403 @scottalanmiller
                    last edited by

                    @scottalanmiller said in Break-Glass Access Control For Business Owners:

                    Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)

                    Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.

                    But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

                    In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

                    scottalanmillerS 2 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @DustinB3403
                      last edited by

                      @DustinB3403 said in Break-Glass Access Control For Business Owners:

                      But the flaw in the topic like this one (credentials specifically) is that you have no mechanism short of logging to know if the credentials have been used.

                      That's a totally different matter and not of concern. We don't care if they've been used. If you care if they've been used, you need logging for that. But that's an unrelated concern to the one in this topic.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @DustinB3403
                        last edited by

                        @DustinB3403 said in Break-Glass Access Control For Business Owners:

                        In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

                        The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @scottalanmiller
                          last edited by

                          @scottalanmiller said in Break-Glass Access Control For Business Owners:

                          @DustinB3403 said in Break-Glass Access Control For Business Owners:

                          In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

                          The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

                          Not everyone. Only @DustinB3403

                          DustinB3403D 1 Reply Last reply Reply Quote -1
                          • DustinB3403D
                            DustinB3403 @JaredBusch
                            last edited by

                            @JaredBusch said in Break-Glass Access Control For Business Owners:

                            @scottalanmiller said in Break-Glass Access Control For Business Owners:

                            @DustinB3403 said in Break-Glass Access Control For Business Owners:

                            In the example of the envelop you can't even know for sure if the credentials have been compromised (lightbox reading shadow) so what's the true point here?

                            The point is so simple that everyone is missing it. It's SO simple. Has the glass been broken or not. Don't read into it, any 'reading in' will be wrong because the needs are clearly stated, not hidden in the implications.

                            Not everyone. Only @DustinB3403

                            Har har

                            1 Reply Last reply Reply Quote 0
                            • stacksofplatesS
                              stacksofplates
                              last edited by

                              You could use a tool like Vault. Then you'd have access logs for credentials.

                              1 Reply Last reply Reply Quote 0
                              • stacksofplatesS
                                stacksofplates
                                last edited by

                                Plus you'd get things like single use passwords, SSH CA, encryption as a service, and some more

                                1 Reply Last reply Reply Quote 0
                                • 1
                                • 2
                                • 2 / 2
                                • First post
                                  Last post