What is a privileged access workstation?

A privileged access workstation (PAW), part of privileged access management (PAM), is a specialized device or environment that is designed to perform privileged tasks, such as managing directory systems, servers, databases, applications, and other critical endpoints. PAWs are designed to be highly secure and to reduce the risk of attackers compromising privileged accounts.

Last updated: 10 May 2024

Why should organizations use PAWs?

The primary purpose of a PAW is to minimize the risk of security breaches, especially those stemming from credential theft or privilege misuse against sensitive accounts. PAWs are used by IT administrators, security professionals, and other users who need to perform privileged tasks. Because the device is never used for everyday work, privileged credentials are entered only on a clean, hardened endpoint. PAWs can also be used to provide remote access to privileged systems, so that these systems never have to be reached from a general-purpose device.

Authorized users are allowed to use PAWs to gain administrative access to privileged accounts through a privileged access management tool that manages and governs access to business-critical endpoints.

Configuring a PAW—basic requirements

PAWs are dedicated machines that are hardened using a layered approach to offer the highest security to privileged accounts and resources. They are typically configured with several security controls, including, but not limited to:

  • 01

    Application and command allow-listing

    Only a predefined set of applications and commands are allowed to run on a PAW; anything not on the list is blocked by default. This reduces the attack surface by preventing unapproved or malicious binaries, scripts, and commands from executing, even if a user is tricked into launching them.

  • 02

    Network isolation

    PAWs are typically isolated from the rest of the network: inbound connections from the general user network are blocked, and outbound traffic is limited to the management systems the PAW is meant to reach. This makes it much harder for an attacker who has compromised an ordinary workstation to move laterally onto a PAW.

  • 03

    Multi-factor authentication (MFA)

    Users must complete MFA before gaining access to a PAW, so a stolen password alone is not enough to log in.

  • 04

    System hardening

    PAWs are configured with security best practices, such as keeping software up-to-date and disabling unnecessary services.


Since PAWs are used exclusively for privileged access activities, these endpoints cannot be used for general user activities, such as internet browsing, email, team collaboration, and other everyday application usage. Further, PAWs combine application allow-listing with host firewall and other administrative restrictions, so they do not accept inbound connections from external networks or untrusted devices. PAM solutions typically provide these controls or integrate with the platform features that enforce them.

Differences between a jump server and a privileged access workstation

Both a jump server and a PAW are hardened systems that sit in the path to privileged resources, and the two are often used together: an administrator works from a PAW and connects through a jump server to the target system. They are not interchangeable, however. A PAW is the endpoint an administrator physically works from; a jump server is an intermediary that brokers connections into a protected network segment. The comparison below summarizes the differences.

  • What is it?
    Privileged access workstation: A dedicated workstation used by authorized users to perform administrative tasks that require privileged access. It is designed to be highly secure and isolated from potentially risky activities.
    Jump server: A hardened server configured to act as a gateway or intermediary between client endpoints and the servers they administer.
  • What is it used for?
    Privileged access workstation: Used solely to perform privileged tasks, never for general web browsing, email, or other potentially risky activities.
    Jump server: Users connect to the jump server first, typically via SSH or RDP, before accessing other endpoints in the network.
  • How are they connected?
    Privileged access workstation: Not connected to external Wi-Fi networks or external USB devices, to minimize potential attack vectors. PAWs are designed to accept connections only from other systems in the privileged tier.
    Jump server: Typically placed so that administrators can securely reach internal network resources from external locations.
  • What are some of the use cases it is utilized for?
    Privileged access workstation: Tasks that require the highest level of security, such as managing Active Directory or installing software on a server.
    Jump server: Accessing a production server to troubleshoot an issue.

Key features that a PAM software should offer to meet the security needs of PAW users

The following are the top controls that PAM software should provide to support PAW users.

  • 01

    MFA

    Add an extra layer of security by mandating multiple levels and modes of authentication.

  • 02

    Privileged account governance

    Automatically discover, onboard, manage, and share privileged accounts and credentials pertaining to different types of endpoints, such as operating systems, databases, applications, network devices, hypervisors, and more. Enforce granular access controls, allowing only authorized users to log in and perform specific privileged tasks.

  • 03

    Privileged session management

    Monitor, record, and archive privileged sessions. Review these sessions in real time to support forensic audits, and terminate sessions automatically when users are found to be engaging in malicious activities.

  • 04

    Role-based access control

    Employ the principle of least privilege, where users are granted access to mission-sensitive resources and accounts based on their roles and requirements.

  • 05

    Just-in-time (JIT) access

    Provide users with time-limited, elevated access to privileged endpoints based on their requirements. This is a critical module in PAM software; it includes revoking privileges when the time window ends and rotating the passwords of sensitive endpoints after every use, so that a checked-out credential cannot be reused later.

  • 06

    Secure remote access

    Enable secure, one-click access from PAWs to remote endpoints, thereby ensuring that administrative users can access business-critical systems from external locations without compromising security.

  • 07

    Policy enforcement and compliance reporting

    Enforce password policies based on internal security requirements, and provide reporting capabilities to demonstrate compliance with industry regulations and internal policies.

  • 08

    Application allow-listing and command control

    Enable users to run allow-listed applications and commands with varying levels of privileges to reduce the risk of malicious software execution.

  • 09

    Dynamic risk assessment and anomaly detection

    Continuously monitor users and devices based on numerous security parameters to derive trust scores. Use these scores to automatically generate access policies based on their security posture. Leverage behavioral analytics and ML to identify unusual patterns of behavior, and proactively isolate threat actors.
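The broker-side logic behind several of the controls above, namely role-based access control (04), just-in-time grants with credential rotation on revocation (05), command control (08) and automatic session termination (03), and behind the application and command allow-listing described in the PAW configuration section, is shown below as an added Python example. It is not code from this page or from any PAM product. The users, roles, endpoint names, allow-listed command patterns and the kill-list are a constructed sample policy chosen for illustration; a real deployment would load them from the PAM system's policy store and the credential would be injected into the session rather than held in a Python object.

```python
"""Minimal PAM access broker for PAW users (added example, not vendor code).

Demonstrates: RBAC check + MFA gate on request, JIT grant with a TTL,
default-deny command control with a kill-list that terminates the session,
session recording, and credential rotation whenever a grant ends.
"""
from __future__ import annotations

import fnmatch
import secrets
from dataclasses import dataclass, field

# Constructed sample policy: role -> endpoints it may reach and the command
# patterns (fnmatch syntax) it may run there. Anything not listed is denied.
ROLES = {
    "ad-admin": {
        "endpoints": {"dc01.corp.example"},
        "commands": ["Get-ADUser *", "Set-ADAccountPassword *", "repadmin /showrepl*"],
    },
    "db-oncall": {
        "endpoints": {"sql01.corp.example"},
        "commands": ["sqlcmd -Q *", "Get-Service MSSQL*"],
    },
}

# Constructed sample kill-list: matching anywhere in the command ends the session,
# regardless of role. Checked before the allow-list so a broad wildcard such as
# "Get-ADUser *" cannot smuggle a dangerous suffix through.
KILL_PATTERNS = ["*Invoke-Expression*", "*-EncodedCommand*", "*net user * /add*", "*mimikatz*"]


@dataclass
class Grant:
    user: str
    role: str
    endpoint: str
    expires_at: float          # epoch seconds; the JIT time limit
    credential: str            # the secret checked out for this grant
    session_log: list[str] = field(default_factory=list)  # recorded commands
    terminated: bool = False


class Broker:
    def __init__(self) -> None:
        # Sample vault: endpoint -> current privileged credential (constructed values).
        self.vault = {"dc01.corp.example": "initial-dc-secret",
                      "sql01.corp.example": "initial-sql-secret"}
        # Sample user-to-role assignments (constructed).
        self.user_roles = {"alice": {"ad-admin"}, "bob": {"db-oncall"}}
        self.grants: list[Grant] = []

    def request(self, user: str, role: str, endpoint: str,
                ttl_seconds: int, mfa_ok: bool, now: float) -> Grant | None:
        """JIT request: MFA must have passed, the user must hold the role, and
        the role must cover the endpoint. Returns None on any failure."""
        if not mfa_ok or role not in self.user_roles.get(user, set()):
            return None
        if endpoint not in ROLES.get(role, {}).get("endpoints", set()):
            return None
        grant = Grant(user, role, endpoint, now + ttl_seconds, self.vault[endpoint])
        self.grants.append(grant)
        return grant

    def run(self, grant: Grant, command: str, now: float) -> str:
        """Command control for one command in a live session."""
        if grant.terminated:
            return "denied: session terminated"
        if now >= grant.expires_at:
            self.revoke(grant)                      # JIT window closed
            return "denied: grant expired"
        cmd = " ".join(command.split())             # normalise whitespace before matching
        grant.session_log.append(cmd)               # record every evaluated command
        lowered = cmd.lower()                       # Windows commands are case-insensitive
        if any(fnmatch.fnmatchcase(lowered, p.lower()) for p in KILL_PATTERNS):
            self.revoke(grant)                      # auto-terminate on malicious pattern
            return "terminated"
        if any(fnmatch.fnmatchcase(lowered, p.lower()) for p in ROLES[grant.role]["commands"]):
            return "allowed"
        return "denied: not allow-listed"           # default deny

    def revoke(self, grant: Grant) -> None:
        """End the grant and rotate the endpoint credential if this grant still
        holds the live one, so the checked-out secret is useless afterwards."""
        grant.terminated = True
        if self.vault[grant.endpoint] == grant.credential:
            self.vault[grant.endpoint] = secrets.token_urlsafe(24)


if __name__ == "__main__":
    broker = Broker()
    g = broker.request("alice", "ad-admin", "dc01.corp.example", 600, True, now=0.0)
    for c in ["Get-ADUser -Identity svc_backup", "sqlcmd -Q 'select 1'",
              "Get-ADUser -Filter * | Invoke-Expression"]:
        print(f"{c!r:55} -> {broker.run(g, c, now=1.0)}")
```

Two details are worth noting. The kill-list is evaluated before the allow-list because allow-list patterns ending in `*` are broad: `Get-ADUser -Filter * | Invoke-Expression` satisfies `Get-ADUser *`, so an allow-list alone would let it through. And rotation happens in `revoke`, which both the kill path and the expiry path call, so a credential that was checked out for a JIT grant is dead as soon as the grant ends by any route.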