We have all seen the sign, “In case of fire, break glass, and pull alarm.” That mitigating control for fire safety is explicitly known and present in almost every building, and it has a direct analogue in cybersecurity: the “break glass account.” In fact, few risk-mitigating controls stir as much debate among CISOs as break glass accounts, the privileged credentials used when IT and security professionals are in a metaphorical firefight. These emergency accounts exist to provide direct access to resources when all daily workflows fail. In theory, they are the ultimate failsafe for recovering systems. In practice, they are a paradox: both a safeguard and a liability. The critical question for every enterprise is whether break glass accounts are a necessity, a security risk, or both, and how they should be managed.
To begin this conversation, a proper definition is in order. Break glass accounts are designed for rare, high-stakes scenarios in which the standard administrative access paths are unavailable because of an outage, a compromise, or another catastrophic event affecting an organization’s technology stack. Common examples in identity and access management include (but are not limited to):
- Identity or authentication system failures or outages that lock administrators out and prevent them from performing their functions.
- MFA failures that prevent end users, or administrators who need privileged access, from logging in.
- Critical incident response needs, such as a ransomware attack in which automation and recovery tools are disabled by the attack itself or deliberately taken offline to safeguard their integrity.
In essence, they are the “fire extinguisher behind glass,” meant to be smashed only in an emergency. The very presence of these accounts reflects the principles of resilience and risk mitigation for the case in which the operational workflows for secure access fail, and the realization that no system is immune to failure. For break glass accounts to provide value without undue risk, organizations must implement guardrails and follow industry best practices for monitoring them and securing them against inappropriate use.
Consider this outline as a minimum set of requirements for their security:
- Strict Access Controls: Break glass accounts must be limited in number (as few as possible) and created only for essential platforms, such as Active Directory or the top-level cloud control plane.
- Strong Authentication: These accounts should have long, complex passwords stored securely in an encrypted, tamper-evident vault, never on sticky notes or in plain text on a file share. If they must be documented physically (written down), they should be stored in a company safe with appropriate physical security controls and a record of who has access.
- Purpose-Built Isolation: They must not depend on the identity provider, MFA service, or access-management platform whose failure they exist to work around; otherwise they fail together with it and lose their purpose. A common pattern is a local or cloud-native account that does not authenticate through the federated identity provider and is excluded from the policies that could block it. The goal is to keep their usage independent of every other system.
- Exception-Only Usage: Break glass accounts exist for emergencies only. Regular administrative tasks should never use them; they are reserved for genuine exceptions under defined conditions. After any use, the associated passwords and secrets must be rotated and resecured for the next incident. Once a credential has been used or exposed, its risk has increased: treat it as compromised, rotate it, and return it to the vault so that no individual retains knowledge of it.
- Monitoring and Logging: Any access attempt, successful or failed, should trigger a real-time alert, be treated as a potential indicator of compromise, and be audited to the highest standard to determine why the account was used or why an attempt was made.
- Regular Testing: Just like fire drills, organizations must periodically test their ability to retrieve the credentials and sign in with these accounts, ensuring they work when needed and never go stale (an expired password or a disabled account is the wrong thing to discover mid-incident).
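The monitoring, rotation, and testing requirements above are the ones most easily automated, so here is an added example (not code from the article or from BeyondTrust) showing the detection and hygiene checks in Python. The account names, the sign-in records, and the 90-day thresholds are constructed assumptions; a real deployment would read the inventory from the vault and the sign-in records from the SIEM.

```python
"""Break glass account monitoring: alert on every use and flag hygiene lapses.

Added example, not from the article. Account names, log lines, and thresholds
are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory. In practice the usernames are secrets too and would be
# pulled from the vault at run time rather than embedded in a script.
BREAK_GLASS_ACCOUNTS = {
    "bg-ad-emergency-01": {
        "platform": "Active Directory",
        "last_rotated": "2025-01-05T00:00:00Z",
        "last_tested": "2025-01-05T00:00:00Z",
    },
    "bg-cloud-root-01": {
        "platform": "cloud control plane",
        "last_rotated": "2024-10-01T00:00:00Z",
        "last_tested": "2024-10-01T00:00:00Z",
    },
}

MAX_CREDENTIAL_AGE = timedelta(days=90)  # assumed rotation policy
MAX_DRILL_INTERVAL = timedelta(days=90)  # assumed "fire drill" cadence

# Constructed sign-in records, one JSON object per line, in a generic shape.
# The fourth line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
{"time": "2025-03-02T03:14:07Z", "user": "jdoe", "result": "success", "source_ip": "10.0.5.21"}
{"time": "2025-03-02T03:15:40Z", "user": "BG-AD-EMERGENCY-01", "result": "failure", "source_ip": "203.0.113.9"}
{"time": "2025-03-02T03:16:02Z", "user": "BG-AD-EMERGENCY-01", "result": "failure", "source_ip": "203.0.113.9"}
this line is not JSON and must not crash the pipeline
{"time": "2025-03-02T03:21:55Z", "user": "bg-cloud-root-01", "result": "success", "source_ip": "10.0.0.4"}
{"time": "2025-03-02T04:00:00Z", "user": "svc-backup", "result": "success", "source_ip": "10.0.5.30"}
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Return (records, skipped): parsed JSON lines and the count of malformed ones."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # count, never silently drop; a monitoring gap is itself a finding
    return records, skipped


def detect_break_glass_use(records, accounts):
    """Every sign-in attempt by a break glass account is critical, failed or not."""
    alerts = []
    for rec in records:
        user = str(rec.get("user", "")).lower()  # match case-insensitively
        if user not in accounts:
            continue
        success = rec.get("result") == "success"
        alerts.append({
            "severity": "critical",
            "kind": "break_glass_signin_success" if success else "break_glass_signin_failure",
            "user": user,
            "platform": accounts[user]["platform"],
            "time": rec.get("time"),
            "source_ip": rec.get("source_ip"),
        })
    return alerts


def hygiene_findings(accounts, alerts, now):
    """Flag overdue rotation, overdue drills, and use without a subsequent rotation."""
    findings = []
    for name, meta in accounts.items():
        rotated = parse_ts(meta["last_rotated"])
        if now - rotated > MAX_CREDENTIAL_AGE:
            findings.append((name, "credential_rotation_overdue"))
        if now - parse_ts(meta["last_tested"]) > MAX_DRILL_INTERVAL:
            findings.append((name, "drill_overdue"))
        # A successful sign-in after the last rotation means the secret is exposed.
        uses = [parse_ts(a["time"]) for a in alerts
                if a["user"] == name and a["kind"] == "break_glass_signin_success"]
        if uses and max(uses) > rotated:
            findings.append((name, "used_since_last_rotation"))
    return findings


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    found = detect_break_glass_use(recs, BREAK_GLASS_ACCOUNTS)
    for alert in found:
        print(alert)
    now = parse_ts("2025-03-03T00:00:00Z")  # fixed "now" so the run is reproducible
    for finding in hygiene_findings(BREAK_GLASS_ACCOUNTS, found, now):
        print(finding)
    print(f"{bad} malformed line(s) skipped")
```

Run directly, the script reports three critical alerts (two failed attempts against the Active Directory account and one successful sign-in on the cloud account) and three findings against bg-cloud-root-01: rotation overdue, drill overdue, and use since the last rotation. Two design points matter: failed attempts are raised at the same severity as the success, because a failed sign-in with a break glass username means someone knows a username that should itself be a secret, and the hygiene check ties sign-in evidence back to the rotation record so that "used but never rotated" surfaces without a human remembering to check.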
Without these requirements, break glass accounts are little more than unmonitored backdoors, like a side door of an office building propped open for a thief to walk through. While break glass accounts are created with good intentions, they carry inherent risks that adversaries are eager to exploit, just like any intruder.
Consider these common attack vectors and risks:
- Targets for Attackers: With elevated privileges and limited oversight, break glass accounts are attractive targets for threat actors. If compromised, they hand over the keys to the kingdom immediately, with no need for exploits, privilege escalation, or extensive lateral movement.
- Security Hygiene: Organizations may fail to rotate break glass credentials or test them periodically because of the manual effort involved, lapses in policy, or other business excuses. Break glass credentials should be treated as secrets, with both the password and the username secured. Break glass accounts are legitimate backdoors into your environment and deserve the best security hygiene and monitoring of any account in it.
- Insider Threats: Because these accounts bypass normal identity and access controls such as MFA, they offer malicious insiders an avenue to escalate privileges without raising immediate suspicion. All usage should be monitored at all times, regardless of the platform on which the account exists.
- Governance and Compliance: Regulatory frameworks such as PCI DSS and ISO 27001 require demonstrable control and auditability of privileged access, regardless of the role of the account. Poorly managed break glass accounts can therefore result in compliance findings for all the reasons discussed above.
To be fair, the danger of break glass accounts lies not in the concept but in the execution. An unprotected emergency account turns from a safeguard into a breach waiting to happen when best practices are ignored or lapse. To answer the original question, whether break glass accounts are a risk or a requirement, consider the facts: the truth lies in the middle. Organizations cannot ignore the operational need for an emergency override. Systems fail, MFA breaks, and identity providers go offline, whether deployed on premises or as SaaS. In those moments, break glass accounts can mean the difference between rapid recovery and a prolonged outage. Yet the very existence of these accounts introduces risk that must be actively mitigated. The solution is not to eliminate them but to treat them with the same rigor as any other privileged identity.
Break glass accounts demand a Zero Trust mindset: least privilege, constant monitoring, and no implicit trust for any usage. They are the exception to the policies for authentication and access, and precisely because they rely on a single-factor authentication model for privileged access, they must be protected against all inappropriate access, all the time. They are undeniably required for resilience, but without stringent safeguards they become one of the riskiest elements in the environment. The key is to treat them as required exceptions and as critical assets subject to the highest level of governance. Break glass accounts embody the classic cybersecurity dilemma of convenience versus control. They are inherently risky, but leaving them unmanaged is equivalent to leaving the back door of your office building propped open for an intruder. They are therefore both a requirement and a risk, and the practical conclusion is to build a secure balance between the two into their implementation.
About the Author: Morey J. Haber is the Chief Security Advisor and lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored five books in the Attack Vectors series. He previously served as BeyondTrust’s CISO, CTO, and VP of Product Management.
About the Company: BeyondTrust is the global identity security leader protecting Paths to Privilege™. Our identity-centric approach goes beyond securing privileges and access, empowering organizations with the most effective solution to manage the entire identity attack surface and neutralize threats, whether from external attacks or insiders. BeyondTrust is leading the charge in transforming identity security to prevent breaches and limit the blast radius of attacks, while creating a superior customer experience and operational efficiencies. We are trusted by 20,000 customers, including 75 of the Fortune 100, and our global ecosystem of partners.