Break Glass Access
Definition
Break glass access is a controlled emergency access method that allows a designated user, administrator, or response role to bypass normal access workflows when an urgent operational or security need exists. It is commonly used when standard identity systems, privileged access workflows, approval paths, or administrative accounts are unavailable, too slow, or insufficient during an incident. Break glass access should not be treated as a convenience account or routine administrative shortcut. It is a high-risk exception that requires strong governance, strict eligibility rules, documented use cases, secure credential storage, rapid detection, and post-use review. Effective break glass access programs define who may activate emergency privileges, what systems are covered, what approval or notification is required, how activity is logged, and how access is revoked after the emergency ends. For compliance and security assurance, organizations should maintain evidence that break glass accounts are limited, protected, tested, monitored, and reviewed so emergency access remains available without weakening normal access controls.
Real-World Examples
Identity system outage
A scaleup keeps a protected emergency administrator account so authorized responders can restore access if the main identity provider is unavailable.
Cloud incident response
An enterprise security team uses temporary emergency privileged access to contain a cloud misconfiguration that cannot be fixed through normal workflows.
Startup production recovery
A small SaaS company stores emergency production credentials in a controlled vault so founders can recover a critical service outage when standard access fails.
Manufacturing operations continuity
A manufacturing organization maintains emergency access for a limited operations role so critical systems can be restored during a plant disruption.
Break glass access is emergency access that lets authorized personnel gain privileged access when normal access processes are unavailable, too slow, or ineffective during an urgent event. It should be tightly controlled, logged, monitored, and reviewed after each use.
A break glass account is an emergency account reserved for exceptional situations, such as restoring systems during an outage or responding to a major security incident. It should be rarely used, strongly protected, and excluded from routine administration.
Break glass access should be used only when there is a genuine emergency and normal access paths cannot support timely response. Examples include identity service outages, critical production failures, security containment actions, or recovery from administrative lockout.
Secure a break glass account by limiting who can use it, storing credentials securely, requiring strong authentication where practical, monitoring every login, alerting on activation, and reviewing all actions after use. The account should not be shared casually or used for routine work.
Best practices include documenting approved use cases, minimizing the number of emergency accounts, assigning clear ownership, protecting credentials, enabling alerts, testing access periodically, rotating credentials after use, and conducting post-incident review for every activation.
Break glass accounts should be tested on a regular schedule based on risk, system criticality, and compliance expectations. Testing should confirm that access works, monitoring triggers correctly, credentials remain protected, and recovery procedures are still accurate.
Break glass accounts should use strong authentication whenever possible, including MFA where it does not create unacceptable dependency risk during emergencies. Organizations should balance security with availability so emergency access remains usable when primary authentication services are impaired.
Break glass access should generate immediate alerts, detailed logs, session records where feasible, and reviewable evidence showing who used the access, when it was used, what actions were taken, and why it was necessary. Reviews should confirm that use was appropriate and access was returned to a controlled state.
A break glass access policy should define approved emergency scenarios, eligible users or roles, authentication requirements, credential storage, approval or notification steps, logging expectations, post-use review, credential rotation, and consequences for misuse.
Information Security & GRC requirements for break glass access typically focus on governance, least privilege, accountability, monitoring, evidence retention, periodic testing, and management review. Organizations should be able to show that emergency access is available, controlled, and not used to bypass standard access management without justification.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |
