Break-Glass Access Control For Business Owners
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelop how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelop?
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelop how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelop?
Looking at it.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelop how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelop?
Looking at it.
That isn't an alert though as one could easily create a duplicate set of the envelop and put that new copy in place of the original.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
But if someone never sees the envelop how would others know?
You can say the same thing about any alert mechanism... you still have to look if you want to know.
OK, but what would be the alert mechanism for the envelop?
Looking at it.
That isn't an alert though as one could easily create a duplicate set of the envelop and put that new copy in place of the original.
That's why you seal it. It's trivial to make it essentially impossible to replicate. The point isn't making it actual impossible, but to make it hard and obvious that it was accessed. That's easy to do. This isn't about stopping a government sponsored hacking organization, this is about keeping a small time business owner from using their access secretly.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
this is about keeping a small time business owner from using their access secretly
On what grounds as an MSP or ITSP would you care if a business owner used their access? I guess I'm not following the argument being made here.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.
Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
that's not notification. that's verification for sure, but not what I would consider notification.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
this is about keeping a small time business owner from using their access secretly
On what grounds as an MSP or ITSP would you care if a business owner used their access? I guess I'm not following the argument being made here.
OH that's easy - if the MSP/ITSP IS the IT department, and the owner/company uses these creds and breaks things - the MSP/ITSP can say - we didn't break it, therefore you'll be paying for these repairs.
-
@Dashrender said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.
Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
that's not notification. that's verification for sure, but not what I would consider notification.
That's my point, the notification should be that someone, somewhere is alerted that the seal on the envelop has been broken and the credentials used.
-
@Dashrender said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.
Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
that's not notification. that's verification for sure, but not what I would consider notification.
OK I saw Scott's log comment - and sure, but notification - isn't the same as verification.
How is the envelope being opened an act of notifying someone/something?
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@Dashrender said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@NashBrydges said in Break-Glass Access Control For Business Owners:
That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.
Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.
Break-glass means "notification". If you can't show that the passwords are unused, it's not break glass. That breaks the whole point. You are just talking about normal "giving them access."
Under what definition is "In an emergency break glass" a means of notification? Genuinely asking how you're defining this. (You probably posted a description topic on this).
Just as I described, you can't hide that you've done it. You look at the envelope and know that it has been opened.
that's not notification. that's verification for sure, but not what I would consider notification.
That's my point, the notification should be that someone, somewhere is alerted that the seal on the envelop has been broken and the credentials used.
agreed - I'd have accepted something like - log monitoring is in place to notify us if that username is used to log into the system - then you have notification.
-
@Dashrender said in Break-Glass Access Control For Business Owners:
How is the envelope being opened an act of notifying someone/something?
How is anything? By looking at it. How is email, text, XML file... by giving you something to look at when you choose to look, whenever you choose to look.
-
@Dashrender said in Break-Glass Access Control For Business Owners:
agreed - I'd have accepted something like - log monitoring is in place to notify us if that username is used to log into the system - then you have notification.
How do you see those logs? How is an opened envelope not a log? It is. A cumbersome one, but it's still a logged event. You can check anytime, just like with a normal log, to see if the event has or hasn't happened. So logs are a great analogy because they are exactly the same - the event is recorded and you can look for it if you so choose.
-
@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?
We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.
-
@scottalanmiller said in Break-Glass Access Control For Business Owners:
@DustinB3403 said in Break-Glass Access Control For Business Owners:
@scottalanmiller Is the thing you are looking for a log for the fact that the envelop has been opened, or that the credentials have been used?
We want to be able to prove that the envelope is no longer able to be demonstrably unopened. Unless the envelope can be produced, still sealed, then it is considered to have been exposed. That's all that is needed. Anything more is unnecessary.
So what if the envelop is just lost or destroyed? The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.
My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.
-
As an example you could use a bright enough light to peer through the envelop and read the credential's shadow.
In that case, the envelop is still sealed and perfectly qualifies as not exposed. But the credentials may have been used (or at least are known to someone, possibly the owner, some previous IT person etc).
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
So what if the envelop is just lost or destroyed?
Then it is compromised and you have to reset the creds for sure!
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
The envelop can't be produced as it no longer exist in a "safe space". What is the qualifier here that you're truly attempting to find.
Exactly what I said. If you can't prove it hasn't been compromised, you must assume that it has. That simple, nothing to imply or read into.
-
@DustinB3403 said in Break-Glass Access Control For Business Owners:
My guess is you want to know if the said credentials were used in any way, and the envelop open or not doesn't really matter in the grand-scheme of this conversation.
No, I didn't say that. Not sure why you think that that's the implication. If I wanted to know that, we'd do something very different.
-
Real "Break Glass"... in the traditional sense was a key kept inside glass (real glass.) The question was never "was the key used, the question is "was the glass broken." The concern is not that a key was used but if the key could have been used, could be copied, could be in the wrong hands. As long as the key is inside the glass, presumably it is still safe. (Yes, keys can be copied just by looking at them, I realize.)
Same here, we aren't looking to use "break glass" to mean "log access". If we wanted that, we'd say that. The point of knowing if the glass is broken is to know if the key (or password, whatever) has ever been exposed, not if it has been used.