KEY TAKEAWAYS:
- Security exceptions can undermine Zero Trust by creating exploitable gaps
- "Break-glass" accounts are often misused, increasing privileged-access risk
- Experts advocate strict controls, deadlines and monitoring for exceptions
- Centralized monitoring and automated expiration help reduce long-term exposure
Every security leader knows the request by heart: a sales executive needs to bypass multi-factor authentication for a product demo, or a finance contractor requires broad access "for month-end only." These are reasonable people with urgent needs, yet the security exception that follows erodes more defenses than any zero-day vulnerability.
Exceptions are not rare events. They are the gravitational pull of organizational life. But when they are granted casually, they transform a well-architected Zero Trust ("never trust, always verify") cybersecurity framework into a policy that is full of untracked gaps. That is how "temporary" becomes business as usual, and how risk migrates from theoretical to inevitable.
Organizations that work with an experienced Managed Services Provider (MSP) understand that, from a security posture standpoint, an exception is a deliberate hole in access controls and an explicit acceptance of additional risk. In Conditional Access terms, it bypasses rules designed to limit the damage from compromised credentials and unmanaged devices. Each bypass expands the attack surface. Multiplied across departments and quarters, even a well-designed policy set begins to resemble Swiss cheese: layered in appearance but riddled with exploitable gaps.
"Break-glass accounts" illustrate the problem clearly. Like the physical safety practice of keeping a fire extinguisher or manual fire alarm lever encased behind a glass pane, where you would only "break the glass in case of emergency" to grab the extinguisher, you should only use these highly sensitive, highly privileged digital accounts when absolutely necessary. Their purpose is specific: to restore administrative access during a genuine emergency when a primary identity provider or multi-factor authentication pathway fails.
But when organizations confuse "break glass" with "bypass security controls," these accounts become the fastest path to persistent privileged access without scrutiny.
Beyond technical risk, exceptions carry operational and cultural costs. They signal to your staff that security policy is negotiable under pressure, which steadily erodes long-term discipline. Instead, the standard guidance should be this: the first exception is a technical change; the tenth is a program. And programs incur costs.
Every exception also introduces a full administrative lifecycle: justification intake, risk evaluation, scoping, approvals, implementation, monitoring, renewal or revocation, and audit evidence. Exception groups without time-boxed eligibility, named owners, and renewal prompts become uncontrolled repositories of accumulated access privilege. Auditors will ask who approved the access, why, and for how long, producing findings but not necessarily solutions.
A Practical Framework for Granting Exceptions
Organizations that manage exception risk effectively work with their MSP to apply a structured decision process before granting any access bypass:
- Define the emergency. Is the request a genuine interruption to critical business operations, or is it a matter of convenience? Impacted revenue, customer obligations, or legal requirements may justify an exception. Speed or preference does not.
- Exhaust compliant alternatives first. Evaluate managed device enrollment, temporary elevation via Privileged Identity Management (PIM), step-up MFA, or narrowly scoped application tokens. An exception is a last resort, not a first response.
- Scope with precision. Limit exceptions by specific identity, specific resource, defined conditions, and a fixed time window. Open-ended exceptions are unacceptable from a risk management standpoint.
- Raise authentication requirements. Exceptions should increase assurance, not lower it. Enforce phishing-resistant MFA such as FIDO2 passkeys, and require active session monitoring.
- Require named ownership. Every exception needs a business owner who formally attests to the risk and explicitly renews or revokes access on a defined schedule.
- Enforce just-in-time access. PIM-based membership should activate on demand with reason codes and expire automatically. Persistence is the adversary.
- Log everything and review it. Route exception sign-in events to a SIEM platform and set alerts for anomalous patterns: unfamiliar IPs, off-hours spikes, and unusual application consent events.
Preventing the Swiss Cheese Effect
Even with a strong framework, some exceptions will be granted. The security objective is to prevent the holes from aligning. Three practices help:
Overlapping controls. Stack network, device, identity, and application constraints so that one policy gap does not create an unobstructed attack pathway.
A centralized exception registry. Maintain a live catalog documenting identity, resource, justification, approval authority, renewal date, and monitoring links. If all active exceptions cannot be produced in a single report, effective governance is not in place.
Sunset by default. Exceptions must expire automatically. Automatic expiration is the most reliable exception control available.
A seasoned MSP will avoid adopting a standard of saying "no" to business requirements; instead they will say "prove it," "reduce the scope," and "set an expiration."
In an environment where identity is the primary security perimeter, every exception is a calculated risk. Accept that risk only when the business justification clearly outweighs the exposure, hedge it with layered controls, and close it promptly.
When someone asks to be added to the exclusion group, remember: the easiest access to grant is the most difficult to audit. Keep exceptions rare, scoped, and time-bound, and you will avoid a Swiss-cheese security environment.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken, NJ, providing IT Consulting and Cybersecurity Services for businesses ranging from home offices to multinational corporations.
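The following is an added example, not code from the article or from eMazzanti, showing how the framework's "log everything" step and the registry and sunset practices above fit together: a constructed exception registry is checked for missing owners and open-ended entries, and constructed sign-in events are correlated against it to raise SIEM-style alerts for expired exceptions, out-of-scope applications, unfamiliar IPs and off-hours use. All identities, IPs and timestamps are sample values.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed exception registry (sample data, not from any real tenant):
# one row per access bypass, carrying the fields the registry should document.
REGISTRY = [
    {"id": "EXC-001", "identity": "sales.exec@example.com", "resource": "Demo-Portal",
     "owner": "vp.sales@example.com", "expires": "2024-06-30T23:59:59+00:00",
     "known_networks": ["203.0.113.0/24"]},
    {"id": "EXC-002", "identity": "contractor@example.com", "resource": "Finance-App",
     "owner": None, "expires": None, "known_networks": ["198.51.100.0/24"]},
]
# Constructed sign-in events, reduced to the fields a SIEM rule would read.
SIGNINS = [
    {"identity": "sales.exec@example.com", "ip": "203.0.113.10",
     "time": "2024-06-15T10:00:00+00:00", "app": "Demo-Portal"},
    {"identity": "sales.exec@example.com", "ip": "192.0.2.7",
     "time": "2024-07-02T03:15:00+00:00", "app": "Demo-Portal"},
    {"identity": "contractor@example.com", "ip": "198.51.100.5",
     "time": "2024-06-16T22:30:00+00:00", "app": "Finance-App"},
]

def governance_findings(registry):
    """Report registry rows that break the framework: no named owner or no sunset date."""
    findings = []
    for exc in registry:
        if not exc["owner"]:
            findings.append((exc["id"], "no named business owner"))
        if not exc["expires"]:
            findings.append((exc["id"], "open-ended: no expiration date"))
    return findings

def is_active(exc, at):
    """Sunset by default: an exception with no expiry counts as already expired."""
    return bool(exc["expires"]) and datetime.fromisoformat(exc["expires"]) > at

def review_signins(registry, signins, business_hours=(7, 19)):
    """Correlate sign-ins with the registry and return SIEM-style alerts."""
    by_identity = {exc["identity"]: exc for exc in registry}
    alerts = []
    for ev in signins:
        exc = by_identity.get(ev["identity"])
        if exc is None:
            continue  # not an exception holder; normal Conditional Access applies
        when = datetime.fromisoformat(ev["time"])
        if not is_active(exc, when):
            alerts.append((exc["id"], "sign-in under expired or open-ended exception"))
        if ev["app"] != exc["resource"]:
            alerts.append((exc["id"], f"app {ev['app']} is outside the exception scope"))
        if not any(ip_address(ev["ip"]) in ip_network(n) for n in exc["known_networks"]):
            alerts.append((exc["id"], f"unfamiliar IP {ev['ip']}"))
        if not business_hours[0] <= when.hour < business_hours[1]:
            alerts.append((exc["id"], f"off-hours sign-in at {when:%H:%M} UTC"))
    return alerts
```

The business-hours window is a constructed assumption; in a real deployment it and the known networks would come from the registry entry itself so that the alert logic stays tied to what the exception's owner approved.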