Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Ask The Experts

03:20 PM
Edge Editors

What Is a Privileged Access Workstation (PAW)?

Ask the Experts -- about a technological game of keep-away that protects the most precious resources from the greatest dangers.

Question: What is a privileged access workstation? And how does a PAW work?

Tal Zamir, co-founder and CEO of Hysolate: Workstations used by privileged users can easily become an attacker's shortcut into the heart of the enterprise. One best practice for protecting privileged user devices is providing each such user a dedicated operating system that is exclusively used for privileged access — a concept known as privileged access workstations (PAW).

Privileged access workstations are the actual devices people are using when they access those privileged accounts. Microsoft recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.

Privileged access management refers to tools that manage privileged access (password vaults, access controls, privileged access monitoring, etc.). These solutions lock down who has access to privileged accounts, how long they have access, what they can do with that access, etc. 

So to bring them together, the best practice is for a user to have a dedicated workstation (privileged access workstation) for privileged use. Upon logging into that workstation, the user would access privileged accounts through a privileged access management platform that would manage all of the access rights.

This dedicated workstation or OS mustn't be used for Web browsing, email, and other risky apps, and it should have strict app whitelisting. It shouldn't connect to risky external Wi-Fi networks or to external USB devices. Privileged servers must not accept connections from a non-privileged OS.

You must also keep the user's experience in mind. To avoid forcing users to use two separate laptops, consider leveraging virtualization technologies (e.g., VirtualBox/Hyper-V) that allow a single laptop to run two isolated operating systems side-by-side, one for productivity and one for privileged access. Also consider solutions dedicated to the concept of PAW.
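The controls the answer lists, as an added PowerShell example (not from the article, Microsoft, or Hysolate): the server side accepts admin protocols only from PAWs, and the PAW side removes USB storage, open Wi-Fi, and unapproved applications. It assumes a PAW subnet of 10.10.50.0/24, a management network of 10.10.0.0/16, and a corporate SSID of "Corp-Admin"; all three are placeholders.

```powershell
# Added example, not the article's own code. Assumed placeholder values:
#   $PawSubnet   - where PAWs live
#   $MgmtNetwork - the only network a PAW may talk to
#   $CorpSsid    - the only wireless network a PAW may join
# Run elevated and review each rule against your own environment first.
$PawSubnet   = '10.10.50.0/24'
$MgmtNetwork = '10.10.0.0/16'
$CorpSsid    = 'Corp-Admin'

# --- On a privileged server: "must not accept connections from a non-privileged OS"
# Default-deny inbound, then allow RDP and WinRM only from the PAW subnet.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'Remote Desktop','Windows Remote Management' |
    Disable-NetFirewallRule   # drop the built-in any-source allow rules
foreach ($port in 3389, 5985, 5986) {
    New-NetFirewallRule -DisplayName "PAW-only admin TCP/$port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -RemoteAddress $PawSubnet -Action Allow
}

# --- On the PAW itself -------------------------------------------------------
# No Web browsing or email: outbound default-deny, management network only.
Set-NetFirewallProfile -All -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'PAW outbound to management network' -Direction Outbound `
    -RemoteAddress $MgmtNetwork -Action Allow

# No external USB storage: set the USBSTOR driver service to Disabled (Start = 4).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4

# No risky external Wi-Fi: deny every infrastructure SSID except the corporate one.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=allow ssid="$CorpSsid" networktype=infrastructure

# Strict application whitelisting with AppLocker: rules built from the clean
# Windows install, applied to everyone; anything not covered by a rule is denied.
sc.exe config appidsvc start= auto
Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe,Dll,Script,WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix PAW -Optimize |
    Set-AppLockerPolicy -Merge
```

Extend the AppLocker baseline to the management tools the PAW actually needs (the PAM client, RDP, the hypervisor tools) before enforcing, and run it in audit mode first so the event log shows what would be blocked.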

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.