<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Curious about how StrongDM works? 🤔 Learn more here!

Close icon
Search bar icon

StrongDM: Breaking Glass Scenarios

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Let’s face it. If you work with any type of technology, you know that all software, hardware, and networking gear can fail in weird and unexpected ways. That’s why it’s critical that your technology stack has no single point of failure in your environment.

At StrongDM, that means having options in a break glass” scenario. We firmly believe that this is a requirement for the responsible operation of modern technology. So here’s how we tackle it.

StrongDM is a proxy that combines authentication, authorization, networking, and observability into a single product. As such, StrongDM makes it easy to maintain secure access and auditing for your workflows with fail-closed if we can’t authenticate you with our control plane (which you want for security reasons).

In the case that this happens, whether due to a misconfiguration or other issue, you would still need some level of access to your key infrastructure. That’s why StrongDM doesn’t lock you out of creating “break glass” emergency access.

How to Break Glass with StrongDM

Understanding how to break glass when using StrongDM requires a few very simple steps. The process is focused on creating accounts specifically for a break-glass scenario, protecting those accounts, and ensuring that access to those accounts is closely monitored. Here’s how:

  1. Implement a Break-Glass Account: Create a limited-access "break-glass" account with highly restricted privileges that can be used only during emergencies. This account should have a complex, unique password and be stored securely offline, accessible only to authorized personnel, such as the IT security team or senior management.
  2. Define Clear Access Policies: Develop a comprehensive set of policies and procedures for emergency access. Specify the circumstances under which the break-glass account can be used, the process for requesting access, and the necessary approvals.
  3. Multi-Factor Authentication (MFA): Enforce multi-factor authentication for the break-glass account to add an extra layer of security. This can include something the user knows (password), something the user has (smartphone or token), and/or something the user is (biometric data).
  4. Limited Time Window: Restrict the usage time window for the break-glass account. Once the emergency is resolved, disable the account immediately.
  5. Audit and Monitoring: Implement robust logging and monitoring to track all activities performed using the break-glass account. This helps in post-incident analysis and ensures accountability.
  6. Regular Testing: Conduct periodic testing and drills of the emergency access procedure to ensure that all involved parties understand their roles and responsibilities. This helps identify and address any potential issues before an actual outage occurs.
  7. Secure Offsite Backup: Maintain a secure offsite backup of essential PAM-related data, configurations, and credentials. This will allow a faster recovery in the event of a PAM system failure.
  8. Communication Plan: Develop a clear communication plan to inform stakeholders and authorized personnel about the PAM outage, the emergency access procedure, and any other relevant details.
  9. Continuous Improvement: Regularly review and update the emergency access procedure based on lessons learned from previous drills or incidents. Continuous improvement is vital for maintaining a robust and resilient security posture.

Additional Considerations

Depending on your environment, there are additional actions you can take to ensure you’re prepared for the worst and to increase the security of your break-glass credentials.

On-premises environments: If the majority of your infrastructure is hosted on-premises, you do  have the option to store credentials on a hardware key, such as a Yubikey. You can also store the physical key in a physical vault, providing an additional layer of security.

Cloud environments: In the case that your environment is primarily based in the cloud, there are additional considerations you may want to take. For example, you could:

  • Prevent the use of cloud consoles through organization-wide Service Control Policies (SCPs) for each cloud provider
  • Alert on attempts to use cloud consoles outside of emergency situations
  • In an emergency situation, temporarily remove those SCPs, and use the cloud provider’s console to access the machine 


Regardless of your environment, having and testing a break glass scenario and technology provides options in the case of an emergency should be a core requirement in your IAM and PAM deployments. StrongDM takes these situations seriously and we’re committed to your success even when the worst happens.

See StrongDM in action, book a demo.

About the Author

, Technical Marketing Expert, has held marketing leadership roles for Silicon Valley technology companies specializing in database, data management, and data analytics solutions. As head of content marketing at Splunk, Dominic contributed to boosting the company’s market visibility and its growth from a $100M to a $1.3B company. He brings relentless creativity to the task of connecting people with technical products to improve their lives. Dominic holds a B.S. degree in Public Relations from the University of Texas at Austin. To contact Dominic, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Cybersecurity Audit: The Ultimate Guide
Cybersecurity Audit: The Ultimate Guide for 2024
A cybersecurity audit is a comprehensive assessment of your organization's information systems, networks, and processes that identify vulnerabilities and weaknesses that cybercriminals could exploit. The audit also evaluates the effectiveness of your security controls, policies, and procedures and determines if they align with industry best practices and compliance standards.
How StrongDM Simplifies NIS2 Compliance for EU Organizations
How StrongDM Simplifies NIS2 Compliance for EU Organizations
The NIS2 Directive establishes comprehensive cybersecurity legislation across the European Union. Building upon its predecessor, the Network and Information Security (NIS) Directive, the goal of NIS2 is to standardize cybersecurity practices among EU Member States. Much like the General Data Protection Regulation (GDPR), NIS2 seeks to unify strategies and actions throughout the EU to fortify digital infrastructure against the escalating threat of cyberattacks.
Top 9 Zero Trust Security Solutions
Top 9 Zero Trust Security Solutions in 2024
Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.
Water Utilities Cybersecurity Guide: Challenges & Solution
Water Utilities Cybersecurity Guide: Challenges & Solution
StrongDM is working with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) on Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems. This effort provides a means to identify common scenarios among Water and Wastewaters Systems (WWS) sector participants, to develop reference cybersecurity architectures, and propose the utilization of existing commercially available products to mitigate and manage risk.
XZ Utils Backdoor Explained: How to Mitigate Risks
XZ Utils Backdoor Explained: How to Mitigate Risks
Last week, Red Hat issued a warning regarding a potential presence of a malicious backdoor in the widely utilized data compression software library XZ, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. CISA, or Cybersecurity & Infrastructure Security Agency, confirmed and issued an alert for the same CVE.