Below are the attributes that should be present to ensure the optimum security and effectiveness of a PAW:
Uses hardened, dedicated assets (physical or virtual), which are actively monitored for all activity—from keystroke logging to application launches and command line tools
Operates with the concept of least privilege for every operation
Operationalizes application allow and block listing
Installed on modern hardware that supports a TPM (Trusted Platform Module), preferably version 2.0 or higher, to support the latest biometrics and encryption
Managed for vulnerabilities, and automated for timely patch management to ensure the software itself is not exploited
Requires MFA for authentication into sensitive resources and step-up authentication, or even change control, for the most sensitive operations
Operates on a dedicated or trusted network that is segmented away from networks that may contain insecure devices
Only uses a wired network connection. Wireless communications of any type are unacceptable for PAWs
Is physically secured with tamper cables to prevent device theft (especially a concern if the PAW is a laptop and in a high-traffic area)
While a PAW provides increased security for any cloud administrator, it should never be used for:
Browsing the Internet, regardless of browser
Email and messaging applications
Activity over insecure network connectivity, such as Wi-Fi or cellular
Use with USB storage media or unauthorized USB peripherals
Remote access into the PAW from any workstation
Use with applications or services in a manner that would undo its hardening and leave it vulnerable in the future
To streamline this approach and avoid the use of two physical computers, many organizations leverage virtualization technologies (from VMware, Microsoft, Parallels, Oracle, etc.) that allow a single asset to run a PAW side by side with the base operating system. The primary system is used for daily productivity tasks, and the other serves as the PAW. With this approach it is preferable for both the daily-activity system and the PAW to be virtual machines on a hardened host OS, which provides better segmentation, although segmentation in this manner is not always practical. At a minimum, the PAW should be virtualized and isolated from the host OS (no clipboard sharing, file transfer, etc.) and never used as the daily productivity machine.
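As an added example (not part of the original article), the following PowerShell script performs a read-only audit of a Windows host against several of the PAW attributes listed above and the host/guest isolation described in this paragraph. The VM name 'PAW', the registry paths checked and the pass thresholds are assumptions about a local build policy, not requirements stated by the article.

```powershell
# Added example: read-only audit of a Windows host against PAW attributes.
# Paths, thresholds and the VM name are assumptions about the local build policy.
# Run in an elevated PowerShell 5.1+ session on the candidate PAW (or its Hyper-V host).
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. TPM present and spec version 2.0 or higher (Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59").
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specVer = if ($tpm) { [version]($tpm.SpecVersion.Split(',')[0].Trim()) } else { $null }
Add-Finding 'TPM 2.0+' ($specVer -and $specVer -ge [version]'2.0') "SpecVersion=$($tpm.SpecVersion)"

# 2. Wired only: no enabled wireless or Bluetooth adapters.
$wireless = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
    Where-Object { $_.PhysicalMediaType -match '802\.11|Wireless|WiMAX|Bluetooth' -and $_.Status -ne 'Disabled' }
Add-Finding 'Wired only' (-not $wireless) ("Active wireless adapters: " + ($wireless.Name -join ', '))

# 3. Application allow/block listing: an effective AppLocker policy with at least one rule.
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$ruleCount = if ($al) { ($al.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum } else { 0 }
Add-Finding 'Allow/block listing' ($ruleCount -gt 0) "AppLocker rules=$ruleCount"

# 4. No USB storage: USBSTOR driver disabled (Start=4) or removable-disk policy set to Deny_All.
$usbStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
$denyAll  = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -ErrorAction SilentlyContinue).Deny_All
Add-Finding 'No USB storage' ($usbStart -eq 4 -or $denyAll -eq 1) "USBSTOR Start=$usbStart Deny_All=$denyAll"

# 5. No inbound remote access to the PAW: RDP connections denied and WinRM not running.
$rdpDeny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
$winrm   = (Get-Service WinRM -ErrorAction SilentlyContinue).Status
Add-Finding 'No inbound remote access' ($rdpDeny -eq 1 -and $winrm -ne 'Running') "fDenyTSConnections=$rdpDeny WinRM=$winrm"

# 6. If the PAW is a Hyper-V guest on this host: no clipboard or file sharing between host and guest
#    (enhanced session mode off, Guest Service Interface disabled). The VM name is an assumption.
$pawVm = 'PAW'
if (Get-Command Get-VMHost -ErrorAction SilentlyContinue) {
    $esm = (Get-VMHost).EnableEnhancedSessionMode
    $gsi = Get-VMIntegrationService -VMName $pawVm -Name 'Guest Service Interface' -ErrorAction SilentlyContinue
    Add-Finding 'VM isolation' (-not $esm -and $gsi -and -not $gsi.Enabled) "EnhancedSession=$esm GuestServices=$($gsi.Enabled)"
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }   # non-zero exit so a compliance pipeline can flag drift
```

Each check records a pass/fail row, so the same script can run on a schedule and feed its exit code to whatever monitoring already watches the PAW.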
To learn more about Privileged Access Management, contact us at inquiries@serviceitplus.com