“Break Glass Access” (also known as Emergency Access or Firecall Access) is a critical use case in IdentityIQ, especially for organizations with stringent security and compliance requirements. It addresses the need for immediate, highly privileged access to systems or data during critical situations, while still maintaining auditability and control.
Here are common use cases for Break Glass Access Request in SailPoint IdentityIQ:
Production Outages/Incidents (Most Common):
Scenario: A critical production system goes down (e.g., database, application server, network device). Standard access request processes (which might involve multiple approvals and delays) are too slow.
Break Glass Use: An on-call engineer, sysadmin, or DBA needs immediate root/admin access to diagnose and fix the issue. They request “break glass” access to the affected system(s) or database(s). IdentityIQ quickly grants this pre-defined, highly privileged access, often with automated approval or a single, immediate override.
Security Incidents/Breaches:
Scenario: A security team detects suspicious activity, a potential intrusion, or a data breach. They need to rapidly isolate systems, analyze logs, or shut down compromised accounts.
Break Glass Use: Security analysts or incident responders request “break glass” access to security tools, critical servers, or network infrastructure to contain the threat and perform forensics without delay.
Audit Failures/Data Restoration:
Scenario: During a critical audit, auditors require immediate access to specific logs or data to which an administrator does not normally have routine access. Alternatively, a critical data restore is needed, which requires elevated permissions on a backup system.
Break Glass Use: An administrator needs temporary, elevated access to retrieve specific audit trails or initiate a data restoration process on a secured server.
Vendor/Third-Party Emergency Support:
Scenario: A third-party vendor or support partner needs urgent, high-level access to troubleshoot a proprietary system that they support, and their regular access credentials are not sufficient or have expired.
Break Glass Use: The internal team sponsoring the vendor’s request initiates a “break glass” request for the vendor’s account, granting it temporary, highly privileged access to the specific system.
Critical Business Operations Requiring Immediate Access:
Scenario: In highly regulated industries (e.g., finance, healthcare), an emergency may require a specific transaction or critical business operation to be completed immediately using sensitive data or a system whose access is normally restricted. Following the typical workflow in such a case would cause significant financial or reputational damage.
Break Glass Use: A senior business leader or authorized individual might initiate a “break glass” request for themselves or an approved operator to complete the critical operation.
Administrator Lockout:
Scenario: The primary administrator accounts for a critical system are locked out, or the usual access methods are unavailable.
Break Glass Use: A highly authorized individual (e.g., a “super admin” or security officer) uses a pre-configured “break glass” mechanism to regain administrative control.
How SailPoint IdentityIQ Manages Break Glass Access:
SailPoint IdentityIQ is well-suited to manage break glass access requests due to its robust workflow, governance, and auditing capabilities:
Dedicated Workflows: IdentityIQ allows you to design specific, streamlined workflows for break glass access. These workflows are typically much simpler than standard access requests, often involving:
Automated Approval: For high-trust scenarios, access might be automatically granted upon request.
Single-Step Approval: A single, designated approver (e.g., a security officer, department head, or on-call manager) can quickly approve the request, even via email.
Justification Required: The requester is always prompted to provide a detailed justification for the emergency access.
Pre-defined Roles/Entitlements: “Break Glass” access is typically tied to specific, highly privileged roles or entitlements that are pre-defined in IdentityIQ. Assignment of these roles is temporary, and the roles themselves carry significant risk.
Time-Bound Access: A crucial aspect of break glass is that the access is always temporary. IdentityIQ workflows can enforce:
Short Durations: Access is granted for a very short period (e.g., 1 hour, 4 hours, 24 hours).
Automatic Revocation: IdentityIQ automatically revokes the emergency access once the pre-defined duration expires.
Elevated Auditing and Reporting:
Comprehensive Logging: Every break glass request, approval, access grant, and revocation is meticulously logged within IdentityIQ. This includes who requested it, when, why, who approved it, and what access was granted.
Alerting: Security teams can be immediately alerted via email or other channels when a break glass request is initiated or approved.
Post-Event Review: Detailed reports can be generated to show all break glass activities, enabling regular reviews by security and audit teams to ensure proper use and identify potential abuse.
Certification/Review: Although granted immediately, break glass entitlements can still be included in a broader access certification campaign, ensuring that these high-risk entitlements are regularly reviewed and their necessity re-evaluated.
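The controls listed under Dedicated Workflows, Time-Bound Access and Elevated Auditing (pre-defined roles, mandatory justification, capped duration, automatic revocation, a who/what/when/why audit trail, and post-event review) can be modelled as one small policy engine. The following is an added Python example, not IdentityIQ’s own workflow API or configuration; the role names, durations and the frequency threshold in the review are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Constructed model of the controls listed above (pre-defined roles, mandatory justification,
# capped duration, automatic revocation, audit trail, review); not IdentityIQ's workflow API.
BREAK_GLASS_ROLES = {"BG-ProdDB-Admin": timedelta(hours=4),     # role -> maximum duration
                     "BG-IR-Responder": timedelta(hours=24)}

@dataclass
class Grant:
    requester: str
    role: str
    justification: str
    approver: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

class BreakGlassLedger:
    def __init__(self):
        self.grants, self.audit = [], []

    def _log(self, event, g, at):  # who requested, what, who approved, why, when
        self.audit.append({"event": event, "requester": g.requester, "role": g.role,
                           "approver": g.approver, "why": g.justification, "at": at})

    def request(self, requester, role, justification, approver, now, hours):
        if role not in BREAK_GLASS_ROLES:            # only pre-defined emergency roles
            raise ValueError(f"{role} is not a break glass role")
        if len(justification.split()) < 3:           # justification is never optional
            raise ValueError("detailed justification required")
        duration = min(timedelta(hours=hours), BREAK_GLASS_ROLES[role])  # cap duration
        g = Grant(requester, role, justification, approver, now, now + duration)
        self.grants.append(g)
        self._log("GRANT", g, now)
        return g

    def sweep(self, now):
        """Automatic revocation: revoke every active grant past its sunset time."""
        expired = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in expired:
            g.revoked_at = now
            self._log("REVOKE", g, now)
        return len(expired)

    def review(self, now, window=timedelta(days=30), threshold=3):
        """Post-event review: requesters using break glass often enough to look routine."""
        counts = Counter(g.requester for g in self.grants if g.granted_at >= now - window)
        return sorted(r for r, n in counts.items() if n >= threshold)
```

Run `sweep` on a schedule to enforce the sunset, and feed `review` output to the security and audit teams as the starting point for the post-event review described above.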
Integration with PAM (Privileged Access Management) Solutions:
For even greater control, SailPoint IdentityIQ often integrates with PAM solutions (like CyberArk, Delinea, or BeyondTrust). In this setup, the “break glass” request in IdentityIQ might trigger the PAM solution to vault and dispense the privileged credentials, providing an additional layer of session recording, credential rotation, and command control.
In summary, Break Glass Access in SailPoint IdentityIQ is a vital component of a comprehensive identity and access management strategy, balancing the need for rapid emergency response with robust security, governance, and audit controls.