Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

What Is a Privileged Access Workstation (PAW)?

Ask the Experts -- about a technological game of keep-away that protects the most precious resources from the greatest dangers.

Edge Editors, Dark Reading

February 5, 2020

2 Min Read
(image by Tierney, via Adobe Stock)

Question: What is a privileged access workstation? And how does a PAW work?

Tal Zamir, co-founder and CEO of HysolateWorkstations used by privileged users can easily become an attacker's shortcut into the heart of the enterprise. One best practice for protecting privileged user devices is providing each such user a dedicated operating system that is exclusively used for privileged access — a concept known as privileged access workstations (PAW).

Privileged access workstations are the actual devices people are using when they access those privileged accounts. Microsoft recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.

Privileged access management refers to tools that manage privileged access (password vaults, access controls, privileged access monitoring, etc.). These solutions lock down who has access to privileged accounts, how long they have access, what they can do with that access, etc. 

So to bring them together, the best practice is for a user to have a dedicated workstation (privileged access workstation) for privileged use. Upon logging into that workstation, the user would access privileged accounts through a privileged access management platform that would manage all of the access rights.

This dedicated workstation or OS mustn't be used for Web browsing, email, and other risky apps, and it should have strict app whitelisting. It shouldn't connect to risky external Wi-Fi networks or to external USB devices. Privileged servers must not accept connections from a non-privileged OS.

You must also keep the user's experience in mind. To avoid forcing users to use two separate laptops, consider leveraging virtualization technologies (e.g., VirtualBox/Hyper-V) that allow a single laptop to run two isolated operating systems side-by-side, one for productivity and one for privileged access. Also consider solutions dedicated to the concept of PAW.

Related Content:


About the Author(s)

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights