Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
What Is a Privileged Access Workstation (PAW)?What Is a Privileged Access Workstation (PAW)?
Ask the Experts -- about a technological game of keep-away that protects the most precious resources from the greatest dangers.
February 5, 2020
Question: What is a privileged access workstation? And how does a PAW work?
Tal Zamir, co-founder and CEO of Hysolate: Workstations used by privileged users can easily become an attacker's shortcut into the heart of the enterprise. One best practice for protecting privileged user devices is providing each such user a dedicated operating system that is exclusively used for privileged access — a concept known as privileged access workstations (PAW).
Privileged access workstations are the actual devices people are using when they access those privileged accounts. Microsoft recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.
Privileged access management refers to tools that manage privileged access (password vaults, access controls, privileged access monitoring, etc.). These solutions lock down who has access to privileged accounts, how long they have access, what they can do with that access, etc.
So to bring them together, the best practice is for a user to have a dedicated workstation (privileged access workstation) for privileged use. Upon logging into that workstation, the user would access privileged accounts through a privileged access management platform that would manage all of the access rights.
This dedicated workstation or OS mustn't be used for Web browsing, email, and other risky apps, and it should have strict app whitelisting. It shouldn't connect to risky external Wi-Fi networks or to external USB devices. Privileged servers must not accept connections from a non-privileged OS.
You must also keep the user's experience in mind. To avoid forcing users to use two separate laptops, consider leveraging virtualization technologies (e.g., VirtualBox/Hyper-V) that allow a single laptop to run two isolated operating systems side-by-side, one for productivity and one for privileged access. Also consider solutions dedicated to the concept of PAW.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023