Question: What is a privileged access workstation? And how does a PAW work?
Tal Zamir, co-founder and CEO of Hysolate: Workstations used by privileged users can easily become an attacker's shortcut into the heart of the enterprise. One best practice for protecting privileged user devices is providing each such user a dedicated operating system that is exclusively used for privileged access — a concept known as privileged access workstations (PAW).
Privileged access workstations are the actual devices people are using when they access those privileged accounts. Microsoft recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.
Privileged access management refers to tools that manage privileged access (password vaults, access controls, privileged access monitoring, etc.). These solutions lock down who has access to privileged accounts, how long they have access, what they can do with that access, etc.
So to bring them together, the best practice is for a user to have a dedicated workstation (privileged access workstation) for privileged use. Upon logging into that workstation, the user would access privileged accounts through a privileged access management platform that would manage all of the access rights.
This dedicated workstation or OS mustn't be used for Web browsing, email, and other risky apps, and it should have strict app whitelisting. It shouldn't connect to risky external Wi-Fi networks or to external USB devices. Privileged servers must not accept connections from a non-privileged OS.
You must also keep the user's experience in mind. To avoid forcing users to use two separate laptops, consider leveraging virtualization technologies (e.g., VirtualBox/Hyper-V) that allow a single laptop to run two isolated operating systems side-by-side, one for productivity and one for privileged access. Also consider solutions dedicated to the concept of PAW.
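The controls Zamir lists for the dedicated OS (no browsing or email, strict app allow-listing, no untrusted Wi-Fi or USB storage, and privileged servers refusing connections from anything but the PAW) map onto ordinary Windows configuration. The script below is an added example written for this page; it is not from the original interview and is not Hysolate's product. The PAM gateway addresses, the PAW subnet, and the corporate SSID are assumed placeholders, and the AppLocker step assumes the policy that `New-AppLockerPolicy` generates needs its rule collections switched to enforce mode (it is a no-op if they already are).

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Hysolate's code): applies PAW controls on a
# Windows client, and the matching inbound restriction on a privileged server.
# All addresses, host names and SSIDs are assumed placeholders.

$PamGateways = @('10.10.40.10', '10.10.40.11')   # assumed: PAM platform hosts the PAW may reach
$PawSubnet   = '10.10.50.0/24'                   # assumed: network the PAWs live on
$CorpSsid    = 'CORP-PAW'                        # assumed: the only Wi-Fi the PAW may join

function Set-PawClientHardening {
    # 1. Default-deny in both directions. The built-in "Core Networking" rules
    #    (DHCP, DNS) remain, so the host still gets an address and resolves names;
    #    everything else, including browsing and mail, is unreachable unless allowed.
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'PAW: HTTPS to PAM gateways only' -Direction Outbound `
        -Protocol TCP -RemotePort 443 -RemoteAddress $PamGateways -Action Allow

    # 2. Application allow-listing: rules generated from the OS and Program Files,
    #    publisher rules where files are signed and hash rules otherwise, then enforced.
    $policyXml = Join-Path $env:ProgramData 'PAW-AppLocker.xml'
    $files = foreach ($dir in 'C:\Windows', 'C:\Program Files') {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }
    $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
        Out-File -FilePath $policyXml -Encoding utf8
    # Switch every rule collection from NotConfigured (or AuditOnly) to enforced.
    (Get-Content $policyXml) -replace 'EnforcementMode="(NotConfigured|AuditOnly)"', 'EnforcementMode="Enabled"' |
        Set-Content -Path $policyXml -Encoding utf8
    Set-AppLockerPolicy -XmlPolicy $policyXml
    # AppLocker is only evaluated while the Application Identity service runs.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc

    # 3. USB mass storage: disable the USBSTOR driver so removable disks never mount.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4

    # 4. Wi-Fi: allow the corporate SSID, deny every other infrastructure network.
    netsh wlan add filter permission=allow ssid="$CorpSsid" networktype=infrastructure
    netsh wlan add filter permission=denyall networktype=infrastructure
}

function Set-PrivilegedServerInbound {
    # Run on the privileged server, not the PAW: replace the broad built-in
    # RDP / WinRM allow rules with ones scoped to the PAW subnet, so a session
    # from an ordinary productivity OS is refused at the firewall.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
    New-NetFirewallRule -DisplayName 'Admin: RDP from PAW subnet only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $PawSubnet -Action Allow
    New-NetFirewallRule -DisplayName 'Admin: WinRM from PAW subnet only' -Direction Inbound `
        -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $PawSubnet -Action Allow
}

# Usage: Set-PawClientHardening on the dedicated PAW OS;
#        Set-PrivilegedServerInbound on each privileged server.
```

Before enforcing the AppLocker policy on a fleet, run it in audit mode for a few days and review the AppLocker event log so that legitimate admin tooling is covered by a rule; on the server side, confirm the PAW subnet is the only path your PAM platform uses to reach the hosts, or the scoped rules will lock the PAM gateways out as well.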