How SailPoint IdentityIQ Manages Break Glass Access:
SailPoint IdentityIQ is well-suited to manage break glass access requests due to its robust workflow, governance, and auditing capabilities:
- Dedicated Workflows: IdentityIQ allows you to design specific, streamlined workflows for break glass access. These workflows are typically much simpler than standard access requests, often involving:
  - Automated Approval: For high-trust scenarios, access might be automatically granted upon request.
  - Single-Step Approval: A single, designated approver (e.g., a security officer, department head, or on-call manager) can quickly approve the request, even via email.
  - Justification Required: The requester is always prompted to provide a detailed justification for the emergency access.
- Pre-defined Roles/Entitlements: “Break Glass” access is typically tied to specific, highly privileged roles or entitlements that are pre-defined in IdentityIQ. These roles are often temporary and carry significant risk.
- Time-Bound Access: A crucial aspect of break glass is that the access is always temporary. IdentityIQ workflows can enforce:
  - Short Durations: Access is granted for a very short period (e.g., 1 hour, 4 hours, 24 hours).
  - Automatic Revocation: IdentityIQ automatically revokes the emergency access once the pre-defined duration expires.
- Elevated Auditing and Reporting:
  - Comprehensive Logging: Every break glass request, approval, access grant, and revocation is meticulously logged within IdentityIQ. This includes who requested it, when, why, who approved it, and what access was granted.
  - Alerting: Security teams can be immediately alerted via email or other channels when a break glass request is initiated or approved.
  - Post-Event Review: Detailed reports can be generated to show all break glass activities, enabling regular reviews by security and audit teams to ensure proper use and identify potential abuse.
  - Certification/Review: Although granted immediately, break glass access can still be part of a broader access certification campaign, ensuring that these high-risk entitlements are regularly reviewed and their necessity re-evaluated.
- Integration with PAM (Privileged Access Management) Solutions:
  - For even greater control, SailPoint IdentityIQ often integrates with PAM solutions (such as CyberArk, Delinea, or BeyondTrust). In this setup, the “break glass” request in IdentityIQ might trigger the PAM solution to vault and dispense the privileged credentials, providing an additional layer of session recording, credential rotation, and command control.
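The controls listed above (mandatory justification, single-step approval, a capped time window, automatic revocation, and a full audit trail with alerting) can be modelled in a few lines of Python. This is an added illustration, not IdentityIQ's own code or API; the 24-hour policy cap, the no-self-approval rule, and all names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_DURATION = timedelta(hours=24)  # assumed policy cap on an emergency window

@dataclass
class BreakGlassRequest:
    requester: str
    role: str
    justification: str
    duration: timedelta
    expires_at: Optional[datetime] = None  # set at approval; starts the window
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # The check an access decision makes: approved, not revoked, inside the window.
        return self.expires_at is not None and self.revoked_at is None and now < self.expires_at

class BreakGlassService:
    def __init__(self) -> None:
        self.requests: List[BreakGlassRequest] = []
        self.audit: List[dict] = []   # who, what, when and why for every step
        self.alerts: List[str] = []   # notifications the security team would receive
    def _log(self, event, req, now, **extra) -> None:
        self.audit.append({"event": event, "requester": req.requester, "role": req.role, "at": now.isoformat(), **extra})
    def request(self, requester, role, justification, duration, now) -> BreakGlassRequest:
        # Justification is mandatory and the requested window is capped by policy.
        if not justification.strip():
            raise ValueError("justification is required for emergency access")
        if duration > MAX_DURATION:
            raise ValueError("requested duration exceeds the break glass cap")
        req = BreakGlassRequest(requester, role, justification, duration)
        self.requests.append(req)
        self._log("requested", req, now, justification=justification)
        self.alerts.append(f"break glass requested: {requester} -> {role}")
        return req
    def approve(self, req, approver, now) -> None:
        # Single-step approval by a designated approver (assumed control: never the requester).
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own emergency access")
        req.expires_at = now + req.duration
        self._log("approved", req, now, approver=approver, expires_at=req.expires_at.isoformat())
    def revoke_expired(self, now) -> List[BreakGlassRequest]:
        # Scheduled task: automatic revocation once the window has closed.
        expired = [r for r in self.requests if r.expires_at and not r.revoked_at and now >= r.expires_at]
        for r in expired:
            r.revoked_at = now
            self._log("revoked", r, now, reason="duration expired")
        return expired
```

Running `revoke_expired` from a scheduler and feeding `audit` and `alerts` to a SIEM gives the post-event review and alerting the page describes; in a real deployment both would be emitted by IdentityIQ rather than held in memory.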
In summary, Break Glass Access in SailPoint IdentityIQ is a vital component of a comprehensive identity and access management strategy, balancing the need for rapid emergency response with robust security, governance, and audit controls.